Thursday, November 08, 2007

CME711-Track Beta

Several people are interested in learning more about CME711 and generally how to track botnets. I fully respect and encourage that curiosity with one caveat - you will get attacked and storm may not be the best starter botnet.

If the bad guys are half as good as I suspect they are, they already know how I am downloading their binaries, and either they don't care or there is nothing they can do about it. Furthermore, it's easier to hide in plain sight, so I've made a decision to open some code up to everyone. It really isn't all that special, and others are probably using similar code. For someone new to this fight, it may be the jump start you need. Good botnet monitoring skills are in high demand.

Originally we ran FakeSMTP (an email honeypot) and forced the Storm binaries to communicate with that SMTP server instead of using public relays. FakeSMTP would capture the body of the message, which had the download link. I had a script automatically parse and download the binaries, but that was slow and clunky. It also relied on my node being used as a spam proxy, which was happening less frequently.

Additionally, that meant I had to run the binary. Running the binary is risky: for example, you could participate in denial of service attacks. Even with rate limiting, you still run the risk of doing harm. It's certainly not recommended for those who are new to the arena.

CME711-Track is a PERL script I hacked together for tracking the Peacomm/Storm/Peed/Nuwar trojans. Similar code has been used by DISOG since July 2007. While I modified the code slightly for public release, the general function is the same. The script is very simple: it contacts CME711's servers and tries to download a binary. If successful, it saves the file and adds a time-stamp to the log. Such logs can be used as blocklists, or to track infected hosts.

I overly commented the code on purpose. I had hoped those new to PERL and the world of botnet tracking would download it and learn how things work. Plain text readable comments and code encourage additional research.

There are zero license restrictions on this script. Anyone is welcome to run it, for as long as you wish. I hope you would consider mentioning DISOG in any research/postings; however if you don't, my feelings aren't likely to be hurt.

Script requirements: see "readme.txt" for more information. The code will not run if you don't follow the directions included in the readme. I did that on purpose - I believe if you can't read, you shouldn't be tracking botnets.

WARNING: This script will attempt to download live malware and no support is provided. You assume all risks associated with downloading malware, or pissing off the botnet operators. This includes denial of service attacks. I tried to comment the code as much as possible, and you're welcome to send questions via email. I will do my best to answer them in a timely manner.

http://www.disog.org/public/CME711-Track.zip
(MD5: ac85bf1b06be2653c6e647b839c5a9b9) (SHA1: b4c93d489693616a8150e607d4b7e98ca1b2ec61)

Be smart! This code should run on any operating system with a PERL interpreter, which includes Windows. However, it will download real malware. The risk of accidentally running this code on a Windows machine is high. I don't recommend it. Run it on Linux, Mac, or a virtual Windows machine. You'll be wasting a lot of time cleaning up your machine - not to mention looking like an idiot - if you don't follow this simple warning.


4 Comments:

Blogger Edgar Bangkok said...

I read the script but I was wondering if there is an easier way to monitor the computers of a botnet.
I created a small script file in AutoIt. This test doesn't download dangerous malware but runs a cyclical whois, for example over tibeam.com,
saving a file with 500 whois over tibeam.com and writing a report that shows the distribution of computers that are part of the botnet network, because whois shows me location, IP providers and other data.
It seems very simple but works.
These are the results without having to download files that are dangerous and the risk of having computer problems.

This is my test reports

http://edetools.blogspot.com/2007/10/elenco-di-ip-computers-collegati-ad-una.html

and also this

http://edetools.blogspot.com/2007/09/aggiornamenti-malware-via-fast-flux.html

Edgar from bangkok.

08 November, 2007 13:53  
Blogger Nicholas said...

Edgar,

The script is great! For those who want to do that in Linux, comment out the download portion of the CME711-Track.pl. One word of warning though, there has been a fair number of bad IPs included in the DNS entries. Either machines that are cleaned before the author can remove them from the DNS database, or non-infected machines added to throw off researchers.

We've also seen a good number of public NATs that may have infected machines behind them, but we are unable to download a binary to be sure.

Downloading the binaries is risky, and anyone who does not want to assume that risk should use an automated DNS query tool - just understand that without downloading an actual binary, or at least watching for status code 200 replies on an attempted download, you can't be positive the IP you've obtained is infected.

Keep writing and posting those tools!

08 November, 2007 14:45  
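Added example, not the CME711-Track code (which the page does not show): a Python reading of the log the post describes (file saved, time-stamp logged, log reused as a blocklist) combined with Nicholas's caveat above that only a successful download confirms a host. The log line layout, the IPs and the file names in the sample are constructed for this example.

```python
# Added example, not the original CME711-Track.pl: turn a tracker download log
# into a blocklist. The log layout is constructed (the real format is not on the page); adapt LINE_RE.
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample log: timestamp, host:port, HTTP status (000 = no reply), file.
SAMPLE_LOG = """\
2007-11-08 13:01:22 192.0.2.10:80 200 sony.exe
2007-11-08 13:01:40 192.0.2.11:80 000 -
2007-11-08 13:02:05 198.51.100.7:80 200 dancer.exe
2007-11-08 13:02:30 192.0.2.10:80 200 sony.exe
2007-11-08 13:03:00 203.0.113.5:80 404 -
2007-11-08 13:03:20 192.0.2.11:80 200 sony.exe
garbage line that should be skipped
"""
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>[\d.]+):\d+ "
                     r"(?P<status>\d{3}) (?P<file>\S+)$")

def parse_line(line):
    """Return (timestamp, ip, status, file), or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], int(m["status"]), m["file"]

def classify(log_text):
    """Split hosts into confirmed (served a binary, HTTP 200) and unconfirmed."""
    # Only a 200 reply proves the host really serves the binary; an IP seen only
    # in DNS may be a cleaned or decoy machine, so it is reported, not blocklisted.
    confirmed = defaultdict(lambda: {"hits": 0, "last_seen": None, "files": set()})
    unconfirmed = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, status, fname = rec
        if status != 200:
            unconfirmed.add(ip)
            continue
        entry = confirmed[ip]
        entry["hits"] += 1
        entry["files"].add(fname)
        if entry["last_seen"] is None or ts > entry["last_seen"]:
            entry["last_seen"] = ts
    # A host that answered 200 at any point is confirmed, even if it failed earlier.
    return dict(confirmed), unconfirmed - set(confirmed)

def blocklist(log_text):
    """Sorted confirmed-serving IPs, ready for a firewall or DNS blocklist."""
    return sorted(classify(log_text)[0])
```

Hosts that never returned 200 are still worth watching, but they should not land on a blocklist until a download actually succeeds.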
Blogger Edgar Bangkok said...

I put the zip of my script at this address:
http://www.mediafire.com/?7vzlwezr4dd
The script is set to scan ptowl.exe.
See the bat file to set a different domain.
See readme.txt for other notes.
Edgar
The scan of ptowl now shows me many different IP countries,
most of them I saw other times.
Edgar

08 November, 2007 16:31  
Blogger curiousgeorge said...

Thank you Nicholas, for all you're doing here! Running the backtrack-2 live cd with no hard drive and a USB drive for storage seems to work very well.
I'm only getting 'sony'.exe now and no more 'dancer' since this morning...

I edited the script to check specific IPs in spam I receive, and sure enough... stormspam it is.

Now you've made me want to learn perl, and do whatever I can to assist-
Curious George

14 November, 2007 00:23  
