Thursday, November 08, 2007

CME711-Track Beta

Several people are interested in learning more about CME711 and generally how to track botnets. I fully respect and encourage that curiosity with one caveat - you will get attacked, and Storm may not be the best starter botnet.

If the bad guys are half as good as I suspect they are, they already know how I am downloading their binaries, and they either don't care or there is nothing they can do about it. Furthermore, it's easier to hide in plain sight, so I've made a decision to open some code up to everyone. It really isn't all that special and others are probably using similar code. For someone new to this fight, it may be the jump start you need. Good botnet monitoring skills are in high demand.

Originally we ran FakeSMTP (an email honeypot) and forced the Storm binaries to communicate with that SMTP server instead of using public relays. FakeSMTP would capture the body of the message, which had the download link. I had a script automatically parse and download the binaries, but that was slow and clunky. It also relied on my node being used as a spam proxy, which was happening less frequently.

Additionally, that meant I had to run the binary. Running the binary is risky. For example, you could participate in denial of service attacks. Even with rate limiting, you still run the risk of doing harm. It's certainly not recommended for those who are new to the arena.

CME711-Track is a PERL script I hacked together for tracking the Peacomm/Storm/Peed/Nuwar trojans. Similar code has been used by DISOG since July 2007. While I modified the code slightly for public release, the general function is the same. The script is very simple: it contacts CME711's servers and tries to download a binary. If successful, it saves the file and adds a time-stamped entry to the log. Such logs can be used as blocklists, or to track infected hosts.
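The bookkeeping side of what the two paragraphs above describe (pulling the download link out of a captured message body, writing a time-stamped log entry per download attempt, and turning that log into a blocklist of hosts that actually served a binary) as an added Perl example. This is not the CME711-Track script or the FakeSMTP parser; the log format (tab-separated timestamp, host, status, SHA1), the function names, the sample message body and the RFC 5737 documentation addresses in it are all my own constructions, and nothing here touches the network.

```perl
#!/usr/bin/perl
# Added example, not the CME711-Track code. Shows (1) extracting download
# links from a captured spam body and (2) writing a time-stamped download log
# and reducing it to a blocklist of hosts that really served a binary.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);
use POSIX qw(strftime);

# Constructed sample body, the sort of thing an SMTP honeypot would capture.
# 192.0.2.x and 198.51.100.x are documentation ranges (RFC 5737), not real hosts.
my $sample_body = <<'END';
Subject: you have received a postcard

Your friend sent you a greeting card.
Pick it up at http://192.0.2.10/ecard.exe within 24 hours.
Alternate: http://198.51.100.7/postcard.exe
END

# (1) Find http(s) links in a message body; returns the unique URLs in order.
sub extract_links {
    my ($body) = @_;
    my %seen;
    return grep { !$seen{$_}++ } ($body =~ m{(https?://[^\s"'<>]+)}g);
}

# Host part of a URL, which is what a blocklist wants.
sub host_of {
    my ($url) = @_;
    my ($host) = $url =~ m{^https?://([^/:]+)};
    return $host;
}

# (2) One log line: ISO-8601 UTC stamp, host, status, SHA1 of the saved bytes
#     (empty when nothing came back). Tab separated so it splits cleanly later.
sub log_line {
    my ($host, $status, $bytes, $when) = @_;
    $when //= time;
    my $stamp  = strftime('%Y-%m-%dT%H:%M:%SZ', gmtime($when));
    my $digest = defined $bytes ? sha1_hex($bytes) : '';
    return join("\t", $stamp, $host, $status, $digest) . "\n";
}

# Reduce a log to (a) a blocklist: host => { sha1 => 1 } for hosts whose
# status was "ok", and (b) a first/last-seen table for every host touched.
# Hosts that only refused the connection are tracked but not blocked.
sub summarize_log {
    my ($log_text) = @_;
    my (%block, %seen);
    for my $line (split /\n/, $log_text) {
        next unless length $line;
        my ($stamp, $host, $status, $sha1) = split /\t/, $line;
        $seen{$host}{first} //= $stamp;
        $seen{$host}{last}    = $stamp;
        $seen{$host}{hits}++;
        $block{$host}{$sha1} = 1
            if $status eq 'ok' && defined $sha1 && length $sha1;
    }
    return (\%block, \%seen);
}

# --- demo run ------------------------------------------------------------
my @links = extract_links($sample_body);
print "links found: @links\n";

# Constructed outcomes: the first host answered with some bytes, the second
# refused. The "binary" is a placeholder string; 1194480000 is 2007-11-08 UTC.
my $log = '';
$log .= log_line(host_of($links[0]), 'ok',      'MZ-placeholder-bytes', 1194480000);
$log .= log_line(host_of($links[1]), 'refused', undef,                  1194480060);
$log .= log_line(host_of($links[0]), 'ok',      'MZ-placeholder-bytes', 1194483600);

my ($block, $seen) = summarize_log($log);
print "blocklist:\n";
for my $host (sort keys %$block) {
    my @hashes = sort keys %{ $block->{$host} };
    printf "  %s  (%d distinct binaries, seen %d times, %s .. %s)\n",
        $host, scalar @hashes, $seen->{$host}{hits},
        $seen->{$host}{first}, $seen->{$host}{last};
}
```

Keying the blocklist on the status field matters: a host that merely refused the connection still shows up in the first/last-seen table, which is useful for tracking infected nodes that come and go, but it should not end up on a blocklist until it has actually served something. Hashing the saved bytes in the log also lets you tell a new binary from a re-download of one you already have.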

I deliberately over-commented the code. I had hoped those new to PERL and the world of botnet tracking would download it and learn how things work. Plain-text, readable comments and code encourage additional research.

There are zero license restrictions on this script. Anyone is welcome to run it, for as long as you wish. I hope you would consider mentioning DISOG in any research/postings; however if you don't, my feelings aren't likely to be hurt.

Script requirements: see "readme.txt" for more information. The code will not run if you don't follow the directions included in the readme. I did that on purpose - I believe if you can't read, you shouldn't be tracking botnets.

WARNING: This script will attempt to download live malware and no support is provided. You assume all risks associated with downloading malware, or pissing off the botnet operators. This includes denial of service attacks. I tried to comment the code as much as possible, and you're welcome to send questions via email. I will do my best to answer them in a timely manner.

http://www.disog.org/public/CME711-Track.zip
(MD5: ac85bf1b06be2653c6e647b839c5a9b9 ) (SHA1: b4c93d489693616a8150e607d4b7e98ca1b2ec61)

Be smart! This code should run on any operating system with a PERL interpreter, which includes Windows. However, it will download real malware. The risk of accidentally running that malware on a Windows machine is high. I don't recommend it. Run it on Linux, Mac, or a virtual Windows machine. You'll be wasting a lot of time cleaning up your machine - not to mention looking like an idiot - if you don't follow this simple warning.
