Bacardi, Botnet and Lime

To me, a virtual machine is what a petri dish is to a scientist... welcome to my lab! :o)

Let's slice up some botnets!

Specimen: 41b9df60db731805fe22413dfb0806ee.exe (Nepenthes names each capture after its MD5)
Captured by Nepenthes from http://217.***.***.122:15040/ObzgIA== after it attempted an RFI exploit against one of my honeypots.  Thursday 27th November, 2.47am GMT.

NETWORK BASED ACTIVITY

Connects to ns.ircstyle.net TCP 1867 (IRC on a non-standard port), joins IRC channel #ns.

Connects to zonetech.info TCP 80 (www), downloads lb3.exe.

Connects to alwayssam.com TCP 80 (www), downloads lal222.exe.

The botmaster (nick "EH") issues the following command over IRC: * ipscan s.s.s.s dcom2 -s

The infected machine then starts scanning its own class C (/24) for TCP 135, starting from its own IP address and walking upwards; the source port goes up by one with each target host, which makes the sweep easy to spot in a packet capture.

The IRC server is *completely* locked down: /list, /lusers, /links, /mode, /map, etc. are all disabled, so the size of the network and any other channels cannot be enumerated.  Possibly a m0dded R0Xnet, fatalz or UNK IRCD.
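The two network behaviours above are simple to pick out of a connection log once you know the pattern. The following is an added example, not code from the original post: it runs over a constructed list of flow records that mirrors what the post describes (the honeypot address 192.168.1.50 and the ephemeral source ports used in the sweep are assumptions) and reports any TCP 135 sweep that starts at the scanner's own address with the source port incrementing per host, plus the external hosts the scanner connected to, which is how the 1867/tcp C2 connection falls out.

```python
"""Flag the two network behaviours from the write-up in a list of connection
records: the outbound IRC session on a non-standard port and the TCP 135
(DCOM) sweep of the infected host's own /24, which the bot ran with the
source port going up by one per target.

Added example, not code from the original post.  The flow records are
constructed to mirror what the post describes; the honeypot address
192.168.1.50 and the ephemeral ports used for the sweep are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = "S"   # TCP flags of the first packet; "S" = bare SYN


INFECTED = "192.168.1.50"   # assumption: the infected honeypot VM

# Constructed sample in the order seen: the C2 SYN (matching the write-up's
# 1054 -> 67.43.232.35:1867), then a sweep that starts at the host's own
# address and walks up the /24 with the source port incrementing per host.
SAMPLE = [Flow(INFECTED, 1054, "67.43.232.35", 1867)] + [
    Flow(INFECTED, 1100 + i, f"192.168.1.{50 + i}", 135) for i in range(40)
]


def find_dcom_sweeps(flows, min_hosts=16):
    """Return one finding per (source, /24) where the source SYNs to TCP 135
    on at least min_hosts distinct hosts, the targets ascend and the source
    port ascends with them.  Each finding records the scanner, the swept
    network, the first target, the host count and whether the scan started
    at the scanner's own address (the tell-tale of 'ipscan s.s.s.s')."""
    by_src_net = defaultdict(list)
    for f in flows:
        if f.dport == 135 and "S" in f.flags:
            net = ip_network(f"{f.dst}/24", strict=False)
            by_src_net[(f.src, net)].append(f)

    findings = []
    for (src, net), targets in by_src_net.items():
        targets = sorted(targets, key=lambda f: f.sport)
        hosts = [ip_address(f.dst) for f in targets]
        if len(set(hosts)) < min_hosts:
            continue
        ascending = all(
            targets[i].sport < targets[i + 1].sport and hosts[i] < hosts[i + 1]
            for i in range(len(targets) - 1)
        )
        if ascending:
            findings.append({
                "scanner": src,
                "network": str(net),
                "first_target": str(hosts[0]),
                "hosts": len(set(hosts)),
                "starts_at_self": str(hosts[0]) == src,
            })
    return findings


def outbound_external(flows, host):
    """Every SYN the host sent to an address outside its own /24, in order,
    as (dst, dport).  Run this over the records around a sweep finding to
    pick out the C2 server; on this sample it is the single 1867/tcp flow."""
    local = ip_network(f"{host}/24", strict=False)
    return [(f.dst, f.dport) for f in flows
            if f.src == host and "S" in f.flags and ip_address(f.dst) not in local]


if __name__ == "__main__":
    for hit in find_dcom_sweeps(SAMPLE):
        print("TCP/135 sweep:", hit)
        print("external SYNs from scanner:", outbound_external(SAMPLE, hit["scanner"]))
```

On real traffic, feed it the SYNs from a pcap in capture order; the port-80 downloads from zonetech.info and alwayssam.com will also show up in `outbound_external`, which is the point: everything the infected host talked to outside its own subnet is of interest, not just the odd-port IRC session.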

HOST BASED ACTIVITY

Loads (these are all stock Windows libraries that were on the box before the run, so the sample is loading them, not dropping them; they do tell you what it uses: Winsock via ws2_32/ws2help, Protected Storage via pstorec, which is the usual route to saved IE/Outlook credentials, and CryptoAPI via crypt32/rsaenh):

C:\Windows\system32\ws2_32.dll
C:\Windows\system32\ws2help.dll
C:\Windows\system32\imm32.dll
C:\Windows\system32\shell32.dll
C:\Windows\system32\pstorec.dll
C:\Windows\system32\atl.dll
C:\Windows\system32\psapi.dll
C:\Windows\system32\rsaenh.dll
C:\Windows\system32\crypt32.dll

Changes the registry value:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed

This is a side effect of using the CryptoAPI random number generator (rsaenh reseeds that value each time it is used), not something the sample sets deliberately, so it is not an indicator on its own.

Drops:

C:\Windows\system32\firewall.exe

This is the bot proper, given a name that looks like a legitimate system component.  It is spawned and in turn creates a batch file and loads a further set of stock libraries (again not dropped files; the .clb is part of the COM+ registration database):

%currentdir%\celibzeg.bat
C:\Windows\system32\rpcss.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\system32\MSCTF.dll
C:\Windows\system32\ieframe.dll
C:\Windows\system32\clbcatq.dll
C:\Windows\system32\COMRes.dll
C:\Windows\Registration\R000000000007.clb

Queries the registry for the hostname and modifies the TCP/IP properties and parameters to raise the socket limits, a common tweak to make the scanning faster.

Loads (the first three are the stock RAS auto-dial helper, home networking/firewall configuration and Winsock TCP/IP helper libraries; webcl32.dll is not an obvious stock component and is worth checking against a clean snapshot before assuming it was already there):

C:\Windows\system32\rasadhlp.dll
C:\Windows\system32\hnetcfg.dll
C:\Windows\system32\wshtcpip.dll
C:\Windows\system32\webcl32.dll

Firewall.exe then sends a TCP SYN from source port 1054 to 67.43.232.35:1867, which corresponds to the network activity above: the IRC connection to ns.ircstyle.net.

Cleans up after itself: removes the initial binary and the .bat files (a batch file is the usual way a Windows binary deletes its own image, since a running executable cannot unlink itself).  Adds "firewall.exe" to the registry under "...\CurrentVersion\Run" so that it is run at startup.
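The host-based list above mixes files the sample really dropped with stock libraries it merely opened, and the quickest way to tell them apart is to diff the run against a clean snapshot of the VM. The following is an added example, not code from the original post: the baseline, the observed file list and the Run key contents are constructed from the paths named in this write-up (the working directory C:\malware stands in for %currentdir% and is an assumption). It returns the dropped files and then ties the Run value back to one of them.

```python
"""Separate what the sample actually dropped from the stock libraries it
merely loaded, by diffing the post-detonation file list against a clean
snapshot of the VM, then tie the Run-key persistence entry back to one of
the dropped files.

Added example, not from the original post.  The baseline, the observed
file list and the Run key contents are constructed from the paths named
in the write-up; the working directory C:\\malware is an assumption.
"""
import ntpath

SYS32 = r"C:\Windows\system32"

# Constructed clean-snapshot baseline: the stock Windows libraries that the
# file monitor reported as created but which were present before the run.
BASELINE = {ntpath.join(SYS32, n) for n in (
    "ws2_32.dll", "ws2help.dll", "imm32.dll", "shell32.dll", "pstorec.dll",
    "atl.dll", "psapi.dll", "rsaenh.dll", "crypt32.dll", "rpcss.dll",
    "uxtheme.dll", "MSCTF.dll", "ieframe.dll", "clbcatq.dll", "COMRes.dll",
    "rasadhlp.dll", "hnetcfg.dll", "wshtcpip.dll",
)} | {r"C:\Windows\Registration\R000000000007.clb"}

# Constructed: every path the monitor reported as a create during the run.
OBSERVED = BASELINE | {
    ntpath.join(SYS32, "firewall.exe"),
    r"C:\malware\celibzeg.bat",          # %currentdir% assumed to be C:\malware
}

# Constructed HKLM\...\CurrentVersion\Run contents after the run; the
# ctfmon entry stands in for a value that was already there on a clean XP.
RUN_KEY = {
    "firewall": '"' + ntpath.join(SYS32, "firewall.exe") + '"',
    "ctfmon.exe": ntpath.join(SYS32, "ctfmon.exe"),
}


def dropped_files(observed, baseline):
    """Paths in observed that the clean snapshot did not have.  Windows
    paths are case-insensitive, so compare them case-folded."""
    base = {ntpath.normcase(p) for p in baseline}
    return sorted(p for p in observed if ntpath.normcase(p) not in base)


def command_exe(cmd):
    """Executable path from a Run value: the quoted token if quoted,
    otherwise the first whitespace-separated token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def persistence_from_dropped(run_key, dropped):
    """Run values whose executable is one of the dropped files: the
    persistence mechanism worth ripping out first.  Returns {value: exe}."""
    dropped_n = {ntpath.normcase(p) for p in dropped}
    return {name: command_exe(cmd) for name, cmd in run_key.items()
            if ntpath.normcase(command_exe(cmd)) in dropped_n}


if __name__ == "__main__":
    new = dropped_files(OBSERVED, BASELINE)
    print("dropped:", *new, sep="\n  ")
    print("persistence:", persistence_from_dropped(RUN_KEY, new))
```

In practice the baseline comes from a directory walk of the clean snapshot (or a hash list of it) and the observed set from the file monitor's log; anything the diff leaves over, firewall.exe here, is what goes on to the disassembler.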

Do you want ice with that?
