LockDown Security Bulletin - 09/23/2001

Included with this article are free programs!
Download Swat It! Trojan, Worm and Bot Remover. You can read a review about SwatIT HERE.

Internet Explorer Browser Vulnerability Test: http://www.lockdowncorp.com/bots/testyourbrowser.html
To add yourself or a friend to our monthly security list:
http://support.lockdowncorp.com/cgi-bin/mailing-list
Bots, Drones, Zombies, Worms and other things that go bump in the night.

1. What Is A Bot and What Is A Bot Not.
2. Chronology of IRC Bots.
3. The Distinct Types Of Bots.
4. The Stages Of Bot Distribution and Infection.
   a. Infection Techniques.
   b. The Initial Infection.
   c. The Bots Report For Duty.
   d. Ordering and Controlling The New Army.
   e. Green Eggs And Spam.
   f. Keeping The Army On The Move And Hiding Them.
5. Conclusions
   a. Be Reasonably Paranoid
   b. Use Current And Updated Anti Trojan Software.
6. Interviews Where We Leave Absolutely No Stone Unturned.
   b. Interview With Dalnet IRC Operator Barbara
   c. Interview With Dalnet IRC Operator Melech
   c. Interview With Dalnet #NoHack Operator Golcor
   d. Interview With Mobman, The Author Of SubSeven
7. Analysis
   b. Analysis Of Single Binary Bots. Coming Soon.
   c. Analysis Of Socket Clone Bots. Coming Soon.
8. Screen Captures And Logs
   b. IRC Channel Activity Logs
1. What Is A Bot and What Is A Bot Not.
Firstly, the term Bot is derived from the word Robot, which in turn
is derived from the Czech word "robota", which simply means work.
Bot is a generic term used to describe an automaton or automated
process in both the real world and the computer world. Search engines
use Bots to spider websites, and online games such as Quake use Bots
as artificial opponents. Bots do not need to eat, drink or sleep and
will relentlessly do their master's bidding until told to stop. The
Bots we are covering are IRC Bots, and they operate in much the same
manner. Bots are also commonly referred to as Zombies or Drones, which
are incorrect terms mainly used by the media because they create a much
more fearsome image. One of the first bots written for Unix machines
was released as Eggdrop Bot, by which name it is still known today.
I am informed by the current head of development for Eggdrop Bot, Jeff
Fisher, that Eggdrop was first created in 1993; it can be downloaded
from www.eggheads.org. Various Trojan Bots also have "Bot" in the name
given to them by their authors, for example SubSeven Bot, Bionet Bot,
AttackBot, GT Bot, EvilBot and SlackBot, to name just a few specimens.
In actuality a Zombie is a Unix process which is dead but has not yet
relinquished its process table slot, rather like a ghost. Furthermore,
a drone is similar to a zombie and is also not an accurate description
of an IRC Bot.
2. Chronology of IRC Bots
IRC Bots have existed for many years now and are certainly not by any
means a new discovery. Eggdrop Bots for all flavors of Unix have been
around for several years and were usually used to protect IRC channels
in the owner's absence. Generally these Bots are used for valid and
useful purposes, but as you can create your own TCL scripts, they have
much scope to be used for malicious purposes as well. Versions of
Eggdrop Bot for Windows also exist under the name Win Eggdrop. I have
seen several versions for Windows that have been patched so that they
run as an invisible process (as a Trojan). More information on Eggdrop
Bots, along with a full range of scripts, can be found at
www.eggheads.org.

Malicious Trojan Bots for Windows have existed for at least four years,
with early known versions being Bots such as AttackBot, which was a
precursor to the SubSeven Bot. The knowledge gained from the
development of AttackBot, along with the code, was applied in a
condensed form to the SubSeven Bot. You can find a description of
AttackBot, albeit not an accurate one, at Dark-e, along with
information regarding the SubSeven Trojan. Past articles have been
written about specific types of Trojans that connect to IRC and launch
DDoS (distributed denial of service) attacks; one very good article on
the subject can be found at Idefense (read the PDF Adobe Acrobat file),
and also read this article by Idefense. That article is an analysis of
the SubSeven Trojan's ability to launch DDoS and, although it covers a
version of SubSeven that is now nearly two years old and a little
outdated, it was and still is very accurate in its assessment.
3. The Distinct Types of Bots.
IRC Bots come in several different flavors and for several different
operating systems. For Windows, there are three specific types of Bots:

(1.) Bots that consist of a single binary, such as AttackBot,
SubSeven, EvilBot, SlackBot etc.

(2.) Bots that use one or more binaries plus open source script files,
normally based around mIRC 32 and commonly referred to as GT Bot
(Global Threat), which we cover in a lot more detail here URL??.
These are the easiest to edit and create new variants of, because
they are open source mIRC scripted files.

(3.) Bots that are a backdoor in another program, such as Socket Clone
Bots in mIRC, which when you open mIRC make two connections to the
server instead of the normal one. Scripted Worms such as Judgement Day
created Socket Clones to propagate themselves.
4. The Stages Of Bot Distribution and Infection.
(a.) Contrary to popular belief, Email attachments are not the most
popular or effective way to spread Trojans. How many Trojans do you get
in your Email account each day? Join any popular IRC server and you
will receive a whole plethora of DCC file sends, adverts for web sites
with infectious downloads, or even infectious HTML using the ActiveX
exploit for Microsoft Internet Explorer. If your browser is not patched
against these exploits it is very easy to drop a small Trojan onto the
machine that visits the web page. This exploit is limited: only files
of less than 34 kb can be dropped. IRC Bots of less than 10 kb
compressed do exist and can easily be dropped (EvilBot is a mere 7 kb
when compressed with UPX).

We have put together a demonstration of the browser exploit here, and
you can safely test your browser to see if you are affected by visiting
this link that we have created:
http://www.lockdowncorp.com/bots/testyourbrowser.html
If you are affected you will need to install the Microsoft critical
update immediately. A lot of the dropped files are Web Download
Trojans, which are a one-shot deal: once executed they invisibly fetch
a predetermined file from the web and execute it. This is how larger
Bots or Trojans are installed onto machines. Simply, the best way to
infect a machine is to use a new or existing exploit so the user does
not see or suspect anything. If you were sent a file and nothing
appeared to happen when you ran it, you would very likely be suspicious
or know that you had most likely just run a Trojan.
A great many Bots scan for victims of other Trojans such as SubSeven.
This has two distinct advantages for the hacker. Firstly, they can scan
a lot of class C blocks without scanning from their own machine or
wasting their own bandwidth to do so, and secondly they can get their
Bot onto already Trojan-infected machines, on the premise that if the
owner did not know they had one Trojan that is detectable by nearly all
Anti Trojan/Virus applications, then they certainly won't know they
have another that is undetectable by signature by all of these
applications. This to a large degree is why we use Generics as a second
layer of defense against unknown Trojans. The SubSeven scan yields
victims on the default ports and also exploits the old SubSeven master
password, which works on all SubSeven 2.* versions up to and not
including SubSeven 2.1.3 Bonus. Once a victim has been found and
logged into, the update-from-the-web command
(UFUhttp://downloadlocation.com/filetodownload.exe) is sent. Once
received, SubSeven will download the new file, run it and then remove
itself.
The Leave Trojan/Worm was a recent specimen that exploited this
loophole. URL Another common trick lately has been to scan for
exploitable Windows 2000 IIS (Internet Information Server) machines
and use Unicode exploits to spawn an FTP server through which a Trojan
of choice can be uploaded.

We recently discovered a Botnet with just over 1800 of these machines
active and online at any one time; again these were Windows 2000
machines with the IIS vulnerability. Considering that all the infected
hosts are unlikely to be online at the same time, this makes for a
rather large Botnet. The binary they were running was quite crude but
could generate a lot of malicious traffic, especially as a lot of the
hosts had broadband connections or were *.EDU (University) hosts. These
particular Bots were used effectively against EFNET (Eris Free
Network), which is a group of linked IRC chat servers, in a recent DDoS
(Distributed Denial Of Service) attack, generating huge amounts of
malicious traffic to bring down the IRC servers.
Bots are also configured to generate clones (multiple instances of
themselves) that join other IRC servers and mass-spam users with URLs
for infectious downloads. These most commonly come in the form of a
fake warning alerting the user that they have an autosending Worm,
Trojan or Virus infection, or an advert for a free sex site, along with
a few other disguises.

We recently witnessed a Botnet of just over 7000 infected machines, all
infected with not one but two different Bots, GT Bot and Litmus Bot,
which were spread by spamming IRC users and by autosends. Once infected
with the Web Download Trojan, the machine would download a packaged
executable created by a program called PaquetBuilder32 and execute it.
This would install a GT Bot that connects to IRC.Dal.Net, joins target
channels and autosends by DCC (Direct Client To Client protocol) a copy
of the Web Downloader Trojan, which infects more machines. This works
in two parts, with one Bot infecting other users to create more Bots
and the other logging onto a different IRC server to report for duty
for DDoS attacks. Over the course of our studies we have collected and
assimilated a lot of information, IRC channel logs and screen captures
showing all sorts of different Bot activity, including DDoS attacks.
(b.) Once the Trojan is run it secretly installs itself and creates a
method to restart itself. Commonly used are the WIN.INI run= or load=
lines, or the SYSTEM.INI shell= line with the Trojan appended after
explorer.exe, e.g. (shell=explorer.exe ,trojanbot.exe); alternatively
it loads from the Registry Run keys or the Start Up folder.
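The check a practitioner would want for the INI-file tricks above, as an added example that is not part of the original bulletin: it parses WIN.INI and SYSTEM.INI text and reports any program on a run=, load= or shell= line other than the expected explorer.exe. The sample INI content is constructed for the example (the process name coresrv.exe is borrowed from the IRCD discussion later in this article). On a real Windows 9x/ME machine you would feed it the contents of C:\WINDOWS\WIN.INI and C:\WINDOWS\SYSTEM.INI; the Registry Run keys and the Start Up folder still need to be inspected separately, which this script does not do.

```python
import re

# On a clean Windows 9x/ME system the [boot] shell= line names only explorer.exe
# and the [windows] run=/load= lines are empty. Anything else is worth a look.
CLEAN_SHELL = "explorer.exe"


def parse_ini(text):
    """Return {section_lower: [(key_lower, value), ...]}, keeping order and duplicates."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def split_programs(value):
    """Split a run=/load=/shell= value into program tokens.

    These lines accept several programs separated by spaces or commas,
    which is exactly what the 'shell=explorer.exe ,trojanbot.exe' trick relies on.
    """
    return [tok for tok in re.split(r"[\s,]+", value) if tok]


def check_system_ini(text):
    """Findings for [boot] shell= entries other than explorer.exe, as (file, key, program)."""
    findings = []
    for key, value in parse_ini(text).get("boot", []):
        if key != "shell":
            continue
        for prog in split_programs(value):
            if prog.lower() != CLEAN_SHELL:
                findings.append(("SYSTEM.INI", "shell", prog))
    return findings


def check_win_ini(text):
    """Findings for any program named on a [windows] run= or load= line."""
    findings = []
    for key, value in parse_ini(text).get("windows", []):
        if key not in ("run", "load"):
            continue
        for prog in split_programs(value):
            findings.append(("WIN.INI", key, prog))
    return findings


# Constructed sample input modelled on the bulletin's example; not real captures.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe ,trojanbot.exe
[386Enh]
device=*vshare
"""
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\coresrv.exe
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for finding in check_system_ini(SAMPLE_SYSTEM_INI) + check_win_ini(SAMPLE_WIN_INI):
        print("suspicious autostart: %s %s= %s" % finding)
```

The parser keeps duplicate keys on purpose: a second shell= or run= line further down the file is itself a sign that something has been appended to the INI file.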
(c.) When installed and running, the Bot will attempt to connect to an
IRC server on a pre-designated port. The most common port to attempt
connection to is the default, port 6667. It should also be considered
that IRC servers usually listen on several other ports by default,
including 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6668, 6669 and
7000. These other ports are often used so that the more commonly known
port 6667 is not shown in Netstat as a remote port that the computer
is connected to.

Another thing that should be noted is that an IRC server is not limited
to the ports listed above and in fact can be set to listen on any port
for connections. IRCD versions for Windows are often configured to run
on port 80 or other similar ports, which won't arouse too much
suspicion as a remote port connection. Some BotNets run Trojanized
Windows IRCDs such as Unreal IRCD 3.0 for Windows, which has been
adapted to run as a hidden task under the process name Coresrv.exe and
loads Coresrv.dat as the IRCD configuration file. This enables BotNets
to be hidden on non-public providers' machines, which are a lot harder
to have removed than by a simple complaint to a shell host provider.
The user must first be contacted, which is no easy task, especially
when having to do it through the ISP, which often has little or no
conception of what this stuff is or how it works. They most probably
think emails of complaint are the ravings of some madman with an
overactive imagination, and who could blame them, as a lot of it sounds
too fantastic to be true.

Most BotNets are, however, forced to join public or private IRC servers
hosted by commercial shell hosting companies operating on a
Unix-flavoured platform. Once connected to IRC the Bot will log into
the predetermined rendezvous channel to await further instructions
from its Master.
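A Netstat-based check for the connection behaviour described in (c.), as an added example that is not part of the original bulletin. It parses the text layout of `netstat -an` on Windows (Proto, Local Address, Foreign Address, State) and flags established connections to the IRC default ports listed above. Because an IRCD hidden on port 80 looks like web traffic, the second function compares two snapshots taken some minutes apart: a Bot's control connection stays up while ordinary page fetches come and go, so a port-80 endpoint that survives both snapshots deserves a look. The snapshots and addresses below are constructed for the example.

```python
# Ports the bulletin lists as IRC server defaults (6660-6669) plus 7000.
IRC_PORTS = set(range(6660, 6670)) | {7000}


def parse_netstat(text):
    """Parse `netstat -an` text into (proto, local_ip, local_port, remote_ip, remote_port, state).

    Header lines, blank lines and rows whose port is not numeric (e.g. the '*:*'
    that netstat prints for UDP sockets) are skipped rather than guessed at.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0].upper(), parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        try:
            lip, lport = local.rsplit(":", 1)
            rip, rport = remote.rsplit(":", 1)
            rows.append((proto, lip, int(lport), rip, int(rport), state))
        except ValueError:
            continue
    return rows


def established_endpoints(text):
    """Set of (remote_ip, remote_port) for every ESTABLISHED TCP session."""
    return {(rip, rport)
            for proto, _lip, _lport, rip, rport, state in parse_netstat(text)
            if proto == "TCP" and state == "ESTABLISHED"}


def flag_irc_connections(text):
    """Sorted [(remote_ip, remote_port)] of established sessions to an IRC default port."""
    return sorted(ep for ep in established_endpoints(text) if ep[1] in IRC_PORTS)


def persistent_sessions(snapshot_a, snapshot_b):
    """Remote endpoints that are ESTABLISHED in both snapshots.

    Taken minutes apart, this separates a long-lived Bot connection (even one to
    port 80) from the short-lived connections a browser makes.
    """
    return sorted(established_endpoints(snapshot_a) & established_endpoints(snapshot_b))


# Constructed `netstat -an` output; the addresses are made up for the example.
SNAPSHOT_1 = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1032       192.168.1.1:139        ESTABLISHED
  TCP    192.168.1.5:1041       10.20.30.40:6668       ESTABLISHED
  TCP    192.168.1.5:1042       10.20.30.41:80         ESTABLISHED
  TCP    192.168.1.5:1045       10.20.30.42:80         ESTABLISHED
  TCP    192.168.1.5:1046       10.20.30.41:80         TIME_WAIT
  UDP    192.168.1.5:137        *:*
"""
SNAPSHOT_2 = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1032       192.168.1.1:139        ESTABLISHED
  TCP    192.168.1.5:1041       10.20.30.40:6668       ESTABLISHED
  TCP    192.168.1.5:1045       10.20.30.42:80         ESTABLISHED
  TCP    192.168.1.5:1060       10.20.30.43:80         ESTABLISHED
"""

if __name__ == "__main__":
    for ip, port in flag_irc_connections(SNAPSHOT_1):
        print("IRC default port in use: %s:%d" % (ip, port))
    for ip, port in persistent_sessions(SNAPSHOT_1, SNAPSHOT_2):
        print("long-lived session worth a look: %s:%d" % (ip, port))
```

The persistent list will also contain legitimate long-lived sessions (the file-sharing connection to 192.168.1.1:139 in the sample), so treat it as a shortlist to investigate, not a verdict.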
(d.) Often, as these Bots join the IRC channel, the Master will log
into them with a special and sometimes encrypted access password. This
ensures that the Bots cannot be controlled by other people and makes
it harder for someone to hijack the BotNet. After the login has been
accepted, if indeed it was required, the Bots are ready to be put to
work. Our screen capture archive, which we obtained from undercover
surveillance, shows much activity going on in these Bot channels, with
lots of DDoS attacks and IRC floods being invoked. Even as I write I am
witnessing channels being heavily flooded on DALnet by floods of GT
Bots, which hardly display any of the traits of sluggish and lifeless
Zombies. As I sit here, so far over 50 different channels have been
brought to a standstill by huge floods of data, where the Bot connects,
sends a message to the channel, immediately disconnects, then
reconnects and performs the action repeatedly in a loop until ordered
to stop on the remote server. As this is of extra added interest I
have decided to also include screenshots of both the remote IRC channel
where the orders are given and one of the channels which were
attacked. The attack being launched is shown here, and the results of
the attack and what the victims saw here. The screen captures from
when I joined the channel to observe the BotNet, here and here, show
the number of GT Bots in each of the channels. The channel modes
should also be noted: they appear in the title bar of the channel
window as +mnprtu and are set that way to hide the nicknames of the
Bots in the channel from the user list on the right hand side of the
image. We will be covering channel modes and what they mean and do in
section 4 (f.) of this article.
(e.) An idea of how Bots are used to spam becomes obvious when you look
at this image here, showing GT Bots being commanded to spam a remote
IRC network with fake virus warnings urging people to go and download
a fake cure, which will infect them with a GT Bot. This is a common
and effective strategy amongst BotNet owners, playing on normal users'
fears and concerns. These Bots are normally joined into popular
channels with several hundred people in them and message everybody as
they join with a spam message such as the one in the above image. They
are able to generate huge amounts of spam per session and infect many
users, which increases the head count of the BotNet and of course
makes any attacks launched more devastating.
(f.) BotNets often draw attention to themselves by traffic patterns,
which are soon picked up on by vigilant IRC Administrators or Shell
Providers, and the channels they join are closed or the shell account
removed due to abuse complaints. If they joined a fixed IRC server
name or IP address, the likelihood is that they would all be lost
through some basic action on the part of the service providers.

This is why BotNets often follow dynamic hosts, which are quick and
easy to edit to repoint the entire army elsewhere if accidentally
stumbled upon or banned from an IRC server or channel. If the dynamic
address that the Bots follow can be identified then it is not too hard
to complain to the provider of the dynamic account and request that it
be null routed. The smart money is always on going after the dynamic
DNS if you can recover the information as to which dynamic host it is
using.

A common provider of free dynamic accounts is dyndns.org. These
accounts can be and are used for many legitimate purposes but are also
unfortunately prone to misuse by some users. Dyndns has strong terms of
service governing these accounts and abuse of them. In our experience
with dyndns the abuse department rigidly enforces their policies and
terminates abused accounts promptly when proof of abuse is provided.
You will find one example here of how abuse was handled without a
report even being made to the abuse department.
When the Bots are connected to the IRC server, the channel they join
is usually set with various channel modes to restrict access or help
conceal the fact that the channel or its occupants are there. Unreal
IRCD, which is a popular choice with BotNet Masters, covers the channel
modes in its own commands document, so I will refer to that rather
than do a complete rewrite: here. You may notice from the images in
the gallery here the modes the channel is set to, and be able to
quickly reference them from the Unreal IRCD document about halfway
down.

Typically the channels will be set with at least these modes:

+s (secret: cannot be seen in the channels list)
+u (user list is hidden)
+m (moderated: a user cannot send text to the channel unless they have
operator @ access or +v voice)
+k (cannot enter the channel unless you know the correct key)
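A small decoder for the mode strings seen in the captures (the +mnprtu in the title bar, or a raw MODE line from a log), as an added example that is not part of the original bulletin. The meanings of +s, +u, +m and +k are the bulletin's; +n, +t, +p, +i and +l are the standard RFC 1459 channel modes and +r (registered) and +u (hidden user list) are the Unreal/DALnet-style extensions the bulletin refers to, which is an assumption on my part for any other server software. The parser tracks the +/- sign as it changes mid-string and hands parameters to the modes that take one, which is what makes "+ntk s3cret" decode correctly. The MODE line below is constructed, not a real capture.

```python
# Letter -> meaning. The bulletin glosses s, u, m and k; the rest are standard
# RFC 1459 modes plus the Unreal/DALnet +r extension (assumption: same letters on
# the server you are looking at).
CHANNEL_MODES = {
    "s": "secret: channel does not appear in the channels list",
    "p": "private: channel name hidden from /whois",
    "m": "moderated: only @ops and +v voiced users may speak",
    "n": "no external messages: must be in the channel to message it",
    "t": "topic locked: only @ops may change the topic",
    "r": "registered with network services",
    "u": "user list hidden from ordinary users",
    "i": "invite only",
    "k": "keyed: joining requires the key",
    "l": "user limit set",
}
# Modes that consume a parameter when set (+) and when unset (-).
PARAM_ON_SET = {"k", "l", "o", "v", "b"}
PARAM_ON_UNSET = {"k", "o", "v", "b"}
# Modes the bulletin says bot channels set to hide or restrict themselves.
STEALTH_MODES = {"s", "u", "m", "k", "p", "i"}


def parse_modes(mode_string, params=()):
    """Return [(sign, letter, parameter_or_None)] in the order written.

    mode_string is e.g. '+mnprtu' or '+ntk-m'; params are the trailing
    arguments of a MODE line, consumed left to right by the modes that take one.
    """
    params = list(params)
    result = []
    sign = "+"
    for ch in mode_string:
        if ch in "+-":
            sign = ch
            continue
        takes_param = ch in (PARAM_ON_SET if sign == "+" else PARAM_ON_UNSET)
        arg = params.pop(0) if takes_param and params else None
        result.append((sign, ch, arg))
    return result


def parse_mode_line(raw):
    """Split a raw server line ':nick!user@host MODE #chan +ntk key' into
    (channel, mode_string, params). Returns None for anything that is not a MODE."""
    parts = raw.split()
    if parts and parts[0].startswith(":"):
        parts = parts[1:]
    if len(parts) < 3 or parts[0].upper() != "MODE":
        return None
    return parts[1], parts[2], tuple(parts[3:])


def describe_channel(mode_string, params=()):
    """Human-readable lines for the modes being set (not the ones being removed)."""
    lines = []
    for sign, letter, arg in parse_modes(mode_string, params):
        if sign != "+":
            continue
        meaning = CHANNEL_MODES.get(letter, "unknown mode")
        suffix = " (%s)" % arg if arg else ""
        lines.append("+%s %s%s" % (letter, meaning, suffix))
    return lines


def stealth_modes_set(mode_string):
    """The subset of STEALTH_MODES that mode_string switches on, sorted."""
    on = {letter for sign, letter, _ in parse_modes(mode_string) if sign == "+"}
    return sorted(on & STEALTH_MODES)


# Constructed MODE line of the kind a bot master sends when locking the channel.
SAMPLE_MODE_LINE = ":master!bot@example.invalid MODE #rendezvous +smntk s3cret"

if __name__ == "__main__":
    for line in describe_channel("+mnprtu"):
        print(line)
    channel, modes, params = parse_mode_line(SAMPLE_MODE_LINE)
    print(channel, stealth_modes_set(modes))
    for line in describe_channel(modes, params):
        print(line)
```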
5. Conclusions.

(a.) People should be reasonably paranoid about accepting any files
over the Internet from chatrooms, or visiting web sites that they do
not know, without at least checking that their web browser is updated
with the latest critical updates if they use Microsoft Internet
Explorer. Test the security of your Internet Explorer here. Many files
are spread on IRC as *.MPEG.zip or *.MPEG.exe and other similar names
to fool people into accepting them. Even scanning files with Anti
Virus scanners is not always a good enough defense, as unknown Trojans
would not be identified. Additional references here, here and here.

You can also download our totally FREE Trojan, Bot, Zombie and Worm
Scanner, Swat It, from here.
(b.) It is very important to remember that, no matter what Anti Virus
or Anti Trojan software you use, you keep it regularly updated, as new
Trojans appear on a daily basis. A check for file signature updates
should be done daily, unless you are using our software, which negates
the need to check as it auto-updates when new file signatures are
available.
To add a friend to this list:
http://support.lockdowncorp.com/cgi-bin/mailing-list
Notice: A NEW security bulletin is due out by the end of next month!
Don't let yourself or your friends miss out on this important news
article, which will include some of the following information:
- Detailed overview of True Internet Stealth
- What it is
- How it can be achieved
- A complete step by step Internet proxy guide
- Another Great FREE Security Program

We are just in the process of putting the whole article together with
all the supporting links and images, and it should be ready by the end
of next month. We have covered the whole issue of STEALTH, Hacker
Tricks and how to TRULY stealth your Internet connection.

We hope you will find the forthcoming article both useful and
informative as a reference. We will also address and try to answer any
questions that may arise from the article. We hope to see you all next
month, when we will also be announcing another great free security
program! Many people have requested that we offer such a service, and
we have listened to them and brought their ideas and suggestions to
reality. We also see it as our public responsibility to help inform
people of the risks and how to lower them. Stay tuned for late
breaking news on the free products.

This email list is dedicated to providing you with information about
LockDown updates, new software programs, services and new trojan
information.