Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Botnet Eavesdropping: Inside the Mocbot (MS06-040) Attack



 By: Ryan Naraine
2006-08-17
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Botnet Eavesdropping: Inside the Mocbot (MS06-040) Attack
  2. ' Spam Proxy '

Rate This Article:
Poor Best
Botnet Eavesdropping: Inside the Mocbot (MS06-040) Attack
( Page 1 of 2 )

A well-known security researcher eavesdrops on a botnet linked to the recent MS06-040 Windows attack and confirms that for-profit spammers are winning the cat-and-mouse game against anti-virus scanners.

When Joe Stewart spotted a variant of the Mocbot Trojan hijacking unpatched Windows machines for use in IRC-controlled botnets, he immediately went to work trying to pinpoint the motive for the attacks.

Stewart, a senior security researcher with LURHQs Threat Intelligence Group, set up a way to silently spy on the botnets command-and-control infrastructure, and his findings suggest that for-profit spammers are clearly winning the cat-and-mouse game against entrenched anti-virus providers.

"The lesson here is once you get infected, you are completely under the control of the botmaster. He can put whatever he wants on your machine, and theres no way to be 100 percent sure that the machine is clean," Stewart said in an interview with eWEEK.

Stewart, a well-respected researcher who specializes in reverse-engineering malware files, echoed a warning issued earlier this year by Microsoft.

"The only way to be [completely] sure the system is malware-free is to completely wipe the hard drive and reinstall the operating system," he said.

Resource Library:

Stewart arrived at that conclusion after eavesdropping on Mocbot for a few hours.

"I have two machines here running in an isolated network. I infect one with the malware, and I have the other machine pretending to be the entire Internet," he explained.

The second machine, known as a sandnet, is a custom-made tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with.

"I can sit back and see all the interaction up to point where it [the infected machine] joins botnets control channel. Then I can take that information, go outside and replicate it. I can see what the real server is doing to get an entire picture of the operation," Stewart said.

Read more here about the ongoing battle to shut down botnet command-and-control infrastructure.

With Mocbot, which was targeting the Windows vulnerability patched with Microsofts MS06-040 patch, Stewart was able to figure out that the infected drones were connecting to two hard-coded command and control servers at "bniu.househot.com" and "ypgw.wallloan.com."

He was able to capture the IRC (Internet Relay Chat) login sequence generated by the bot. This included a user, a nickname, the channel name and the first bit of instructions to the infected machine.

The command schemes were all encrypted, forcing Stewart to create a custom Perl script to decode the algorithms.

"Theyre using trivial encryption, so a bit of reverse-engineering had to be done. You can see some of it in the code of Mocbot, and I wrote a little script to do the decoding. When I visit the channel and he gives a command, I can easily decrypt it to see the instructions hes sending to the bot," Stewart said.

Using telnet to connect to the command-and-control server on Port 18067 (the port number for the IRC server), Stewart successfully started spying on the control channel, but there was not much to see.

"The IRC server code was stripped down to give almost no information to the client, except the channel topic line, which was encrypted," he said.

Once decoded, he found that the botmaster was telling the infected machines to join another control channel to receive another encrypted message.

When decoded, the command simply served up a URL hosted at PixPond.com, a free image hosting service.

"The command is an instruction to download and execute [a second] file in the provided URL," Stewart said, noting that the mission of the botmaster was to get the second file into the infected system.

Digg this story! » Del.icio.us Post to Slashdot!

Next Page: Spam proxy.





  Reader Comments: Botnet Eavesdropping: Inside the Mocbot (MS06-040) Attack
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xr80VӮc]mT!rYӶT婎PP"$M{%Ο 7I$_ϖ˖0Ld&D?;;~$riOȅc-Jvg1ȣw&w$5wv~]4i* dx@FԲ|W軫F]̉(P?`᳑(,Q  tjGt0]2d4;s6!7jLP_ƾQ81ǻMLbhq *N0,!\ZI`^<e6O) |@ɠ#ӱCԣFr ˺Q49h#m#PS+}(Ziνoĩq#gvh[\(Uu7Z} fжD^׵Cq9}r>?'7;A:7@o&3`ZLTQRpd" ԆNWP u.kzQҏZ-Kj%٥~8Jr ])21,#uGҾ췯;6鷏ώ;Sd̲1<ZMӀ Zvb#?ޙ#V7'77˓MvISCV=BgCj`BmiueUo~91?o!af; dP{pHze_R ~:?_4>wIAұ,Oȿ۾Bd}Y З7ReQ o(n>@|Ӡd 2Tc]vjXѬ[cW) rƒ t$y(7>hr Q@e)#p?S݃IhJq䰉c<ذ 1"%̛ hJyO{ "}ВEtBAͩOW%ތE z%K5bϑe-CzlNVڒ1Wb{g(eށؓix>!e.ڽ^C8^%g 5F8 ,heݴ%!8WG5MGVݏMW*P\?,Ëʾb(7Z`Lm,5,Ltϭy0`hvz3Ϩagnۉ9~t$AG66^lzK $ ,70}HOQI 4qp{ڭ-%_ >< FA=H:]6(Zχ`˦Mf@B9{ǻޚA"QС4}a qjQ]*~s=w= H X.s6G~>4-0%6N\IQ ' dQJJd$@!-i]R@Az< -8,rrl++~'~zGBj+6Os@PGҹ3qjP)τrZ z)0ٜʬ$5M힟GѪń(VFN|(0Vn)T*7vrgNP/h|WY 3EDVhdF!Z! = v(V֌f;NrBuOSj,H@fmdz?Ѝ;Oq)2:3f$,4tOݡ~u_r4YVkCZfv/:A']օVP+=o@xC X{K}͙0pŗZ"rB`}.E6Gh?40OSw]86pc>{S+%UVOLYZf<[)ZPrY;l ʸaHi ij>ȃX`O 618{y4!%6$N?& ҧV XO Mڊ(zG/ű`a{62rt\X:5u{qa?_ZTNkʮtْoxOvpv*:1f&6XcӢ>oZYk# RL3H 1`s@M$ knV2 &G-cY}>euEm׏$ci.: 0y4hS̢©9j1|jj0&B$Vř8l^;ɜV4:E80Ge9Cb+[eL,*I b]Rj)SLZ06Aa5_/-c1$/P+0!P\Q0.#_L_LU1(TOnƻhAz-X]>L,7,@Уpϟ  sFWyYF濛?O~kR^'VUJj5h]1*(Si|Ɂ3S΁Ew꾿gi4ZPz;ܮ[CG~g^l^Lcv"O`)Ǧ?r2HU>Cy`/cҧjMqѡ,u`늦 pn`{E~t=GhCxZ `i@%MmWq=[JzJw J` Z7~eGk8'ԿE X{IMzʮO9"Qevoqe@^5??QžnJm^R+k9i`7f/mC[$ zTÈ i{qĆZ J' ~tqߎ3XA mRFxޜ9"yea@WIlJhLwh_/Qm(}nLԼ*WGc<M`%g\U4=_@HpjGi}ϼ!܏p/*騫VIǂe0&30ʃϣ ek&wf9*<l:sݿyWj=z{Gv'2Adc􁯌C-sZc dK0]sKdvZPn3i`$ezP._͛>lv'GwDF$۝'W?~F85 zS(j :Hį 3Fˁ#_.QXz[VUe@5ỵV3C e 4v=.EZЋ's}c<]c>/i)Ձ",߸X̡֪g^`.JJ]lz |ѝxAc#&a\kY<1{Hү}Z2ZRܴJZVz7Ϣ C.'%- veN6qab;?eR3ڛ5^@M|KOTK0u%hzGSqza\/;Cn/$h ^1Mu0@mlJw޺ Lzu$I<+ojMn@uztCʪ+> 2.izIRϢsG&:Lpz]Qd:)nQ==Mn@h#&w}A |(U˚V*jȅi#gD)Wje<ʢ'r ]N6[_VZiva *s>PV9k۷BlpH74mCXp| ^_HXXD>DQkf\{e"nxR*fٽ ~%bn |J~Zg^pRF|YtW%p9O}u9| 8q~_8UwA;QA^qvԸ]`>&u.O: C_?\w?^Hև6?eB&{fB, '8oIŸ}vjt.?Hm}#4-odhD4|w/Υq{Oe[J:^9$ ;.XF>9>oÏOM1Bk3d4)(3uX#h^6"BZBe\'k,SVXKr!}'=C٠:f: ?wV!94|㿜yQ$ !r2c.A-H7ԾN9 S0qJh":Q%;?m[ħ{, /䎱=;SN$SQ(iQtKb.rJ<:ϣgԢᬖ^}+Y^N,~xR=Na0O3)WYQ/;QĶ3=ұGEr?{'q?I8t2Ti 'sX6 w{ѺB ?݁M5g[f1vifw ݷP/b{~cIU~(TR.fO"J骇\v%(c]MT,^\RK>^k@" bY_ IKwvzY2YXdbQWٞgo ? '|ȞF8^j[DcxSyg,d_a}30[)=)Ι2F'` ܍)³$`GDAR3}ig6A j(l N XW+Oi_BWc#ZT=9bw2@mSÍ婩V 0,R9's$B'|/~f/n!YYaȠB<5i32Pq <*9) +M]1(ot{oGO{2LLɛ~nOӚ+2I2V){Gjb;\ 3(Yz%.Φ|S}q'N_(a_@L&Q:6i׉x┍]6;rknRk+"b֩S+ʷVRXT 3|l!B'jֈ31foO⇱nnnn/櫔|z o_;=#]FS:ؘg69F\7@;!"A$=-(YԘP HQ H7!+-ӾJ*@@Ǯ0m+3oq2\F+2T/387p@x [  [aH#oנYD S%lȉ/\: "/]P<5׆/|]?~iihois} ż,;t9Z[Ǻ=J9XшxnIL7`u8LxZ.7<H 0x$dz x[ ,'PW7k-ںb3n9F~˴- 22ͬ,I#yzzzz]z.{0 RVp|dIצ3ƌ/gD!<{Bc01BȞ6=B{S\|}G㪀ʈlt,gKǏC?nXEoao|}"!r5JCOm /.~p2.6x_-oJj̐oO<#*_ٵ1sb@ҥ>^E,JnQX$E` ‚E(N? `޸? !-B^z}UM_FLanStE3paav̛ o`4$@& U7fh\ƁQVwD8R`/MKCnx⡍~6ƎY=S}(tc|k|mY_nsԼtK$|;;8*[O3,]{ gVhl~G|;Lb`9gPf y'AShLfER o Z!ߤ`m_mau^=j/{*ZZۈYѣ3.ezW0ZZI n81|6tzl^Ji&2DF"$t86o g3&e<-~f"=|I3b98X"Oх\:]ݽ]|MsLEM~Po]"68Kpu`2fYNړ͛iİOnwHb%1Y~GjOQ5O.*F PCկř>!^8<¼+cT"y| [Dz 1pS/W\x?*<ǝ@ 5v T{.~~UݵZ/3dυB7o7c.qH e _M Ba{D0‡rqaQ  BX?D7}8ѵ@Dq@v1Pr@Ym2}v41v1h}PR #%1⤛(z=c8gc8V5Śx K1>j=9"@Ÿ Rxc) +hWxB,t$/)_Z6`;LP3m.MEfIȢiw\sI ojʾZr^:XuZ˘xf@]3&ޭME*ނ0HuPdE UP+$svMQ5:@ 6 y^ŠX@&kJk&Zkݟu3Oi<1E7Zz9Z<hfUj"ja0tv<t4cn':ƒw'vv=Э% s"Xiec=Hmy9^yKj Y<.B)z O?I>HP)$6cz` }>ķd0m˖C0Ÿn44&ȱrQ홠AH+~ +^Qc"26&˙}rBg+vl"mknnBzTB}F}gzW'b^o90b,9+#viZ`3+nsl+ZKȶ8+ilwAQg)q8 @ən붩epH#Si ?R)!l$Z9`Vݏ1li,BGLm،ijBǛh-=e(qqvixMy\+pS C7R<6$AeЃ5T?0нG )U0kȚXt "J m-@+>N b&}&`Cq :rt&7%eZS["8G֣/|T0/b3-񸔤#^ >xA1K= o~{@\gr q,-D||z['AU}H?Km1+62 jDl//ulߴۿ"?:};ozxX2d9k`ECߑ7HG}sof1c}& '< 8~lp'y»";ԁيG"C^!&  ,Px-r9G}8Q}eOWJƈ\氟aH9p=S1-1Șh MQ VHxDɹcMN퓄pxX0!<RA~9 26mDRRactkȚ1;mGBӋ#őOcZ|"{X#&3(- y&߀$ FK1tQ:..( oI[Pk,(ωB5DSJTmn$|s k60ƌS,0AuA"\2,GA~2 :bn3Ù`\ovN5j' P=:ς؝z)s!aZ; M꺂OJBveX &zbr褾<>3fUUo VH+^@0Q3:%H#&O=lFLn1D39^9nIQst/Q{G} ZOGݪ;Gݓݫϧu_h^/ yj5e MjV}QuxS+SS~ -VNyʻ9I;ʏO>9cvYv͋/ry9\"?/?/re2OP) r)r˜̑K˜B9.n~+x*k{/>_?e_S^9)O@O9rߛorڿ\'I9ru S)Jy/*苼k Oy射<)߇}VU<_`kW9t _r ̭L:WݓBX\jzr+^gieq 6 t𞫫i@Lw<ߔ[nNJ>s\ȜHd3-FD.r{D4½q'eybARG4YQv-&&%n 䭁xLNR Okr>u"[~|^@O盌ÙZCgHY&58W!Z7cUݡQ'M1<:,9J鮠W M&Dr&ߢ)tO= T/ADd23 `V{9 [2FlX jXJr 9;_t\$ǖ]`>soJ:=fՇ^" (luy9M"r"N\Fp5 }q؆`/:N=X v;i\Œk,%f]cٵ1+Of@L VƠ}=fN45RX#P<Ս٧Sg-3B=/aoA+_aK@ʞ*}q A#}qf+6`meW-{'/Հm'"Pl-׵vckؕz b0OZ>ಓH_`[/-3/DBlK=cM{2w] p79=;UÄLYZcm%^#%aBc M= ow\ ɡ=$>}T.q ""H "s{B|%njP%n2!L'KYcӄ2\8oX9VX#e \1SSFӹ"=ǚ X?]7& 6LG4 (OP"cq}(!3t(,Ma-ăW v,='IDπjUMf@gQl(VxRBNszlo%()%y+L9(نln{Զ'x*DwTsޛMAm'{&ٛٲs1cbV!qmefzEz?_.;+C&:bz:SAW (|x@loM5\c *|?Oe Lt8?B&s`ܐ}olI CO?Fu:h/Asl+ 6-  `⎈Me֘9DR*,Dl'f , ~93N 稅mWv:kmlQ/>yGW=Q'na|ht%+^FHu`WH؂{Xi[1RpCV)tO苰AVt3BW5`/=H]{8ǩ3bhwq#b uu+e!.1:3OTXg{*.vf96r!*l XGڢ~&N?3^mg9g¶"yXFbS,_'Il=9V0|>,lp/>:Ǹ:1F`]ccƫ ɤ{%̅FdagZ-*?҂g' Q aavXf0 'Ɣ ϰ"- s=rϢq9vGg2~/'[]r*gA-~{e75wSF \L"Us3=v=ǘ mr?u,r?],M c|Rc9ಫ=փ W=`#hxj"nh1)d'kI'R&la,:r3 Ej F.t3R04xqBaʩȩ(v}_|JѬd;j +sGO{ |>":xqeaVt*Nzvf?Pv/isTO3t[?; o:ˌhT*.㉋oڝgu >G_?\w?^HaE e鑢%!tOi B"Ew:9\~HVzvC&ȕ/2F#xoUAtMjUz'1l5mEg,3lW'J^R۝wߺ"f/Oa6%c|NVKI+^ͦG(D +q>tgLp -ͱeRZ`l/Z6w?57'