Security Incidents mailing list archives

Analysis of litmus backdoor trojan


From: "John C. Hennessy" <johnh () charm net>
Date: Tue, 12 Mar 2002 06:37:10 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Analysis of litmus backdoor trojan
by John C. Hennessy <johnh () charm net>

A few weeks ago I noticed a large number of clients showing up on an irc
server I run. The connections were almost all from different IPs and had
nicknames such as 0wn3d[#], hOt-# and cheap-# in the channel #hellz-net.
Upon closer inspection I found that all these "clients" were in fact
computers with the litmus backdoor trojan.

A CTCP version request to the clients returned this:
Litmus 2.03 (C)2001 The Litmus Group :(random quote)

I kept an eye on the bots until the "owner" of them came online and issued a
few commands and moved them.

chazza!elite () 210-55-38-7 dialup xtra co nz
<Chazza> .ident pure-l33t
<Chazza> .reload

All the bots then signed off and went to another irc network. Two bots
remained connected to my server however, in #hellz-net1 and #hellz-net2.
After some server config changes I masked a client onto my server with the
same nick!user@host as the "owner" of the botnet.

20:57 | Chazza (elite () 210-55-38-7 dialup xtra co nz) (New Zealand)
20:57 20: server   : TrendPimp.US.AfterNET.Org (Baltimore, MD [You must
listen])
20:59 Chazza [elite () 210-55-38-7 dialup xtra co nz] has joined #hellz-net2
20:59 Topic (#hellz-net2): Eddie lives somwhere in time!
20:59 Topic (#hellz-net2): set by hOt-4736 at Mon Feb 25 17:57:11 2002
20:59 [Users(#hellz-net2:2)]
20:59 [ Chazza    ] [ VitaPup   ] [@hOt-4736  ]
20:59 ùíù Channel #hellz-net2 was created at Mon Feb 25 17:59:54 2002
20:59 <Chazza> .ident pure-l33t

The clients return the following if authentication is successful:

20:59 -hOt-4736(Dots () lsanca2-ar29-4-62-162-006 lsanca2 vz dsl gtei net)-
Nice try lamer... Your ip (4.62.162.6) is being
automatically sent to the admin and you will be band of this server


Here is a list of the commands I was able to discover from the 2 bots left
on my server. I also obtained a binary infected with the trojan and ran
strings on it.

public(in channel commands):
.ident <password>
.raw <raw output to irc server>
.reload
.pwd (gives cached passwords)
.download (unsure)
.ping (unsure, pings something I guess)
.die
.del <file> (delete a file)
.regdelval <value> (delete registry value I think)
.exec
.killchat
.sockclose
.link <ip> (link to a hub or something. It seems these trojans can all be linked together somehow)
.hub (Not sure)
.invite (Not sure)

Additional commands can be accessed via DCC chat to the trojaned client:
21:09 [dcc(CHAT)] Cheap-30243
21:09 ùíù DCC CHAT with Cheap-30243[66.130.77.50:1311] established
21:09 [Cheap-30243(dcc)] DrGreen was here...

[dcc(Cheap-30243)] dir
[Cheap-30243(dcc)]   0b    .
[Cheap-30243(dcc)]   0b    ..
[Cheap-30243(dcc)] FJEAR32.EXE  36384b    fjear32.exe    <----- this is the trojan's exe

Files can be sent to the trojan via DCC send and then executed with the exec
command in dcc or channel.

DCC Commands:

pwd (working directory, usually the dir of the trojan, which is
c:\windows\litmus in this case)
dir (dir list)
path (trojan's working path)

There are more commands but I didn't get a chance to play around with them
as much as I'd have liked to.
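The behaviour described above (the 0wn3d[#]/hOt-#/Cheap-# nick pattern, the CTCP VERSION banner, the in-channel .ident authentication and the canned "Nice try lamer" notice that echoes the bot's local IP) is enough to flag litmus bots from an IRC server's or client's logs. The following is an added example, not code from the original post: a small scanner over BitchX-style log lines built from the formats quoted above. The sample log is constructed (hostnames are placeholders; the indicator strings and command list are the ones the post reports), and the line-shape regexes assume the timestamp/notice/join layout seen in the excerpts.

```python
"""Flag Litmus bot indicators in IRC log lines (added example, not from the post)."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Indicators reported in the post
VERSION_BANNER = re.compile(r"Litmus \d+\.\d+ \(C\)2001 The Litmus Group")
BOT_NICK = re.compile(r"^(?:0wn3d\[\d+\]|hOt-\d+|[Cc]heap-\d+)$")
NICE_TRY = re.compile(r"Nice try lamer\.\.\. Your ip \((\d{1,3}(?:\.\d{1,3}){3})\)")
BOT_COMMANDS = {".ident", ".raw", ".reload", ".pwd", ".download", ".ping", ".die",
                ".del", ".regdelval", ".regdelkey", ".exec", ".killchat",
                ".sockclose", ".link", ".hub", ".invite", ".clones"}

# Line shapes, assumed from the BitchX-style excerpts in the post
MSG_RE = re.compile(r"^\d\d:\d\d <(\S+)> (.*)$")                      # channel message
NOTICE_RE = re.compile(r"^\d\d:\d\d -(\S+?)\((\S+)\)- (.*)$")         # NOTICE from nick(user@host)
JOIN_RE = re.compile(r"^\d\d:\d\d (\S+) \[(\S+)\] has joined (#\S+)")  # join line
NICKLIST_LINE = re.compile(r"^\d\d:\d\d \[")                           # names list row
NICK_CELL = re.compile(r"\[\s*@?(\S+)\s*\]")
VERSION_REPLY_NICK = re.compile(r"\[(\S+) VERSION reply\]")


@dataclass(frozen=True)
class Finding:
    kind: str    # auth_attempt | bot_command | infected_host | version_banner | bot_nick
    nick: str
    detail: str


def _ip_is_private(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def scan_irc_log(text: str) -> list[Finding]:
    """Return one Finding per Litmus indicator seen in the log text."""
    findings: list[Finding] = []
    for line in text.splitlines():
        if m := MSG_RE.match(line):
            nick, msg = m.group(1), m.group(2)
            token = msg.split(None, 1)[0] if msg.strip() else ""
            if token == ".ident":   # operator authenticating to the bots in-channel
                findings.append(Finding("auth_attempt", nick, "in-channel .ident (password redacted)"))
            elif token in BOT_COMMANDS:
                findings.append(Finding("bot_command", nick, token))
        elif m := NOTICE_RE.match(line):
            nick, userhost, msg = m.groups()
            if nt := NICE_TRY.search(msg):   # the bot's reply leaks its own local address
                ip = nt.group(1)
                scope = "private" if _ip_is_private(ip) else "public"
                findings.append(Finding("infected_host", nick, f"{userhost} reports local ip {ip} ({scope})"))
        elif m := JOIN_RE.match(line):
            nick, userhost, chan = m.groups()
            if BOT_NICK.match(nick):
                findings.append(Finding("bot_nick", nick, f"joined {chan} as {userhost}"))
        elif NICKLIST_LINE.match(line):
            for nick in NICK_CELL.findall(line):
                if BOT_NICK.match(nick):
                    findings.append(Finding("bot_nick", nick, "present in names list"))
        if VERSION_BANNER.search(line):   # CTCP VERSION reply, whatever line shape carried it
            vm = VERSION_REPLY_NICK.search(line)
            findings.append(Finding("version_banner", vm.group(1) if vm else "unknown",
                                    line.split("]: ", 1)[-1]))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Roll findings up: which nicks are bots, how many auth attempts were made,
    how many bots reported an RFC1918 address (i.e. sit behind NAT)."""
    return {
        "suspected_bots": sorted({f.nick for f in findings
                                  if f.kind in ("bot_nick", "infected_host", "version_banner")}),
        "auth_attempts": sum(f.kind == "auth_attempt" for f in findings),
        "nat_hosts": sum(f.kind == "infected_host" and "(private)" in f.detail for f in findings),
        "commands_seen": sorted({f.detail for f in findings if f.kind == "bot_command"}),
    }


# Constructed sample log in the post's format; hostnames are placeholders.
SAMPLE_LOG = """\
20:57 <Chazza> .ident pure-l33t
20:59 Chazza [elite@dialup-7.example.net.nz] has joined #hellz-net2
20:59 [Users(#hellz-net2:3)]
20:59 [ Chazza    ] [ VitaPup   ] [@hOt-4736  ]
20:59 -hOt-4736(Dots@dsl-6.example.net)- Nice try lamer... Your ip (4.62.162.6) is being automatically sent to the admin and you will be band of this server
21:00 [hOt-4736 VERSION reply]: Litmus 2.03 (C)2001 The Litmus Group :Anger is a gift
21:01 <Chazza> .reload
21:02 -Cheap-10791(~Shane@cable-2.example.net)- Nice try lamer... Your ip (192.168.0.2) is being automatically sent to the admin and you will be band of this server
21:03 Cheap-1530 [Whoozer@cable-198.example.net] has joined #hellz-net
21:04 <someone> hello there
"""

if __name__ == "__main__":
    for f in scan_irc_log(SAMPLE_LOG):
        print(f"{f.kind:15} {f.nick:12} {f.detail}")
    print(summarize(scan_irc_log(SAMPLE_LOG)))
```

The "Nice try lamer" notice is the most useful single indicator for an IRC operator: every bot answers it, and the address it carries is the bot's own view of its IP, so a private address there tells you the victim is behind NAT and the user@host on the notice is the only routable handle you have for the abuse report.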

Here is the strings output from the trojan exe:

PONG %s
PING
USER %s 127.0.0.1 127.0.0.1 %s
NICK %s
120 %s %u %s
Accept: */*
(Download Thread): File %s downloaded in %u seconds
(Download Thread): InternetReadFile() failed
file creation failed
(Download Thread): InternetOpenUrl() failed
(Download Thread): InternetOpen() failed
Microsoft Virii Downloader
(Download Thread): Local File :%s
(Download Thread): Remote Url :%s
http://
(Download Thread): Thread Has Started...


S
Litmus 2.03
             .
NICK
PING
JOIN
DrGreen was here...
S
%s %s%d %s
VERSION
TIME
PING
FINGER


debug.txt
quit :
0,1LITMUS
File not found
Error Changing Directory
%s : USERID : UNIX :%s
QUIT :Litmus II - Dead Server
PING :bleh
path
%s %s%s %s
Unable to delete %s
%s Deleted
%s  %sb    %s
[%.2d:%.2d:%.2d]: %s
(SERVEROUT): Caught SOCKET_ERROR, reconnecting
(SERVEROUT): %s
TOPIC %s :^errOr^ should be JAILED LOL!
MODE %s +smk %s
USER %s localhost localhost :%s
%s %s%d
PART %s
part
JOIN %s
.clones
PRIVMSG %s :take out the http://
http//
.download
QUIT :Boom ya got me!
.die
PRIVMSG %s :Error Deleting %s
PRIVMSG %s :%s removed
.del
.ping
NOTICE %s :unable to delete vaule
NOTICE %s :value deleted
.regdelval
PRIVMSG %s :negative houston
QUIT :Brb
.reload
PRIVMSG %s :(HUB): ERROR PORT IN USE!
PRIVMSG %s :(HUB): Listing on %u ; Sockid: %u
.hub
LINK TO: %s:%u
.link
NOTICE %s :RegDeleteKey() failed
NOTICE %s :key deleted
.regdelkey
%s %s %s %s
.raw
PRIVMSG %s :Error Running %s
PRIVMSG %s :File Not Found
PRIVMSG %s :%s ran ok
open
.exec
.killchat
.sockclose
INVITE %s %s
.invite
NOTICE %s :Non Resovable host
NOTICE %s :quit the other oj first
load
nick %s
nick
quit
join %s
join
NOTICE %s :Stopped sending file
file
clear
NOTICE %s :On Connect: %s
NOTICE %s : (OJ Msg): %s
NOTICE %s :Files sent: %u
PRIVMSG %s :Files sent: %u
sent
stain
.pwd
(PARSE): %s!%s@%s is now a master
NOTICE %s :Nice try lamer... Your ip (%s) is being automatically sent to the
admin and you will be band of this server
.ident
PRIVMSG
PRIVMSG %s :%s %u
LITMUS
MODE %s -o+b %s *!*@%s
KICK %s %s
NOTICE %s :Asshole
MODE %s -b *!LITMUS@%u
MODE %s +k %s
MODE
JOIN
NICK
JOIN %s %s
PRIVMSG %s :HELP! I AM possesed!
PART
PRIVMSG %s :Thanks alot asshole...
JOIN %s %s
KICK
QUIT
NOTICE %s: error: INVALID_HANDLE_VALUE
SEND
NOTICE %s :resume requests are not supported!
RESUME
NOTICE %s :Try .killchat
CHAT
NOTICE %s :
FINGER WINDOWS %s %u.%u %s BUILD#: %u Uptime: %u seconds
MODE %s +o %s
NOTICE %s :
VERSION %s (C)2001 The Litmus Group :%s
NOTICE %s :%s %s
NOTICE %s :
TIME %s
MODE %s +i
MODE %s -kw
%s %s %s
PONG
PONG%s
PONG :SERVER
(CONNECTBOT): Computer is in offline mode
(CONNECTBOT): Non resolvable host
(CONNECTBOT): Resolved %s to %s
(CONNECTBOT): Were online, Connecting...
Server socket closed... success
(BOT): Undefined Connect Error: %s
(BOT): Connection Attempt Timed out
(BOT): Connection Refused
%s %s%d%s
USER %s 127.0.0.1 127.0.0.1 :%s
PASS %s
(BOT): Connection Established
unknown
wishing
LTM-II
Error!
Window Registration Failed!
PRIVMSG %s :%s
(INSTALL): finished installing...
(INSTALL): Regkey Failed
(INSTALL): [Key Set Failed] %s Size+1: %u
(INSTALL): [Key Set Ok] %s Size+1: %u
LTM2
(INSTALL): RegKey Generated Ok
Software\Microsoft\Windows\CurrentVersion\Run
(INSTALL): File Copy Failed
(INSTALL): File Copy Success
(INSTALL) Source File: %s
(INSTALL) Target Exe: %s
Installing...
(COMMAND LINE): %s
(WndProc): [WM_CREATE] Bot Started....
%s%s
RegisterServiceProcess
kernel32.dll
\litmus
mypic.exe
Barbara
NOTICE DrGreen :Help me liam
(WndProc): WM_CLOSE *Poof*
QUIT :(WndProc): WM_ENDSESSION
(WndProc): WM_ENDSESSION *slam*!
I think I heard a shot
The only thing worse than not knowing the truth is ruining the bliss of
ignorance.
Server owners, admins, and IRCops are not responsible for anything found on
this network
Fuck a cadilliac, Survive
All my life I wanted a computer, now all I want is my life back. -async
Where ignorance rains, life is lost
Fight the war, FUCK the norm!
names MacGuyver
Empty your pockets son
One mind, Brute Force, and full of money
come and play, come and play - forget about the movement
Anger is a gift
For great justice...
I don't wanna hassle with making linux partitions. I want it done
automagically -ColdFyre
Even a broken watch is right twice a day
Fuck the G-Ride i want the machines that are making them
You need to drop this "Dont give a shit" attitude
What a peice of shit
The world is yours...
We dont need the key we will break it
Damn Straight
nah fuck it, turn it off
my isp takes it rather seriously actually
im talking about the massive amount of emails you guys sent me
this should be fun
i love lamers who play stupid dont you barb
means someones did a bit of exploiting
so what are we gonna do about this?
i plan on taking a bit of action
speak of the devil
All eyes never on a floppy disk
They rally round your family with a pocket full of shells
Get the fuck out the commode with the sure shot, sure to make your body drop
YOU GOT A BULLET IN YOUR FUCKING HEAD
Your brain dead... you got a fucking bullet in your head
Buying all the products that there selling you
Play it again and again and rewind the tape
No Escape from the Mass Crime Rate
Just Victims of the in house drive-by, they say "jump", you say "how high?"
They dont gotta burn the books, they just remove them
**NOTICE** If you cannot get your IRCD to work, please ask us in the
channel... while waiting for a reply please sit down
and read the book we included: it is a spanish story about a guy named
"Manual" -devdev
I give a shot out to the living dead
A yellow Ribbon instead of a swastika
Eddie lives somewhere in time
InternetGetConnectedState(); TerminateThread();
it was like "do not use this product because it will probably kill
you" -Butter
"i have a fast computer, my computer can complete an infinate loop in 5
minutes" -Cyrix employee from M$
Sorry this ones taken!
(HUB): Dead Socket
(link): Error!
(link): Connected
(LINK): Connected!
(LINK): lost link
(link): FD_CLOSE
(LINK): %s
PRIVMSG %s :%s
n %s
i %s
%s %s %s
NOTICE %s :%s
(OJ): JOINS: %s!%s
JOIN
:~@
PONG :bleh
PING
USER %s localhost localhost %s
NICK %s
notice %s :No Passes Found =(
notice %s :Function doesnt exist!
WNetEnumCachedPasswords
NOTICE %s :Couldnt load mpr.dll!
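The strings dump above already tells a defender most of what the binary does: IRC protocol verbs for C2, a dot-prefixed command vocabulary, WinINet download strings, a Run-key install path, RegisterServiceProcess for hiding on Win9x, and WNetEnumCachedPasswords from mpr.dll for cached-password theft. The following is an added example, not code from the original post: a strings-based capability triage in the style of a mini rule engine, plus extraction of the host artifacts a cleanup check would look for. STRINGS is a constructed subset of the strings listed above; the category rules are my own mapping, and the Run-key sample (including the value name LTM2 and the fjear32.exe/hOt32.exe names taken from the DCC listing earlier in the post) is constructed to show the host check.

```python
"""Capability triage of Litmus `strings` output (added example, not from the post)."""
from __future__ import annotations
import ntpath
import re
from collections import defaultdict

# Constructed subset of the strings the post lists (raw string: backslashes are literal)
STRINGS = r"""
USER %s 127.0.0.1 127.0.0.1 %s
NICK %s
JOIN %s %s
PRIVMSG %s :%s
(Download Thread): InternetOpenUrl() failed
(Download Thread): InternetOpen() failed
Microsoft Virii Downloader
.download
.die
.del
.regdelval
.regdelkey
.exec
.raw
.hub
.link
.ident
.pwd
(PARSE): %s!%s@%s is now a master
Software\Microsoft\Windows\CurrentVersion\Run
(INSTALL): RegKey Generated Ok
\litmus
mypic.exe
RegisterServiceProcess
kernel32.dll
WNetEnumCachedPasswords
NOTICE %s :Couldnt load mpr.dll!
FINGER WINDOWS %s %u.%u %s BUILD#: %u Uptime: %u seconds
MODE %s +smk %s
"""

# (category, pattern, explanation) -- my own mapping of strings to behaviours
RULES = [
    ("irc-c2", r"^(USER|NICK|JOIN|PRIVMSG|NOTICE|MODE|KICK|PONG|PASS) ", "speaks IRC; C2 over an IRC channel"),
    ("remote-control", r"^\.[a-z]+$", "dot-prefixed bot command"),
    ("download-exec", r"Internet(Open|OpenUrl|ReadFile)\(\)|Virii Downloader|^\.(download|exec)$",
     "fetches files over HTTP (WinINet) and runs them"),
    ("persistence", r"CurrentVersion\\Run|\(INSTALL\)|^\\litmus$|mypic\.exe", "drops a copy and a Run-key autostart"),
    ("cred-theft", r"WNetEnumCachedPasswords|mpr\.dll|^\.pwd$", "dumps cached Windows passwords via mpr.dll"),
    ("stealth", r"RegisterServiceProcess", "hides from the Win9x task list"),
    ("registry-tamper", r"^\.regdel(val|key)$", "deletes registry values/keys on command"),
    ("host-recon", r"^FINGER WINDOWS", "reports OS version, build and uptime"),
    ("auth", r"^\.ident$|is now a master", "password-based operator authentication"),
]


def _lines(text: str) -> list[str]:
    return [s.strip() for s in text.splitlines() if s.strip()]


def triage(strings_text: str) -> dict[str, list[str]]:
    """Map every string to each capability category whose rule it matches."""
    hits: dict[str, list[str]] = defaultdict(list)
    for s in _lines(strings_text):
        for cat, pat, _ in RULES:
            if re.search(pat, s):
                hits[cat].append(s)
    return dict(hits)


def report(strings_text: str) -> dict[str, tuple[int, str]]:
    """Category -> (number of supporting strings, explanation), rule order preserved."""
    hits = triage(strings_text)
    return {cat: (len(hits[cat]), expl) for cat, _, expl in RULES if cat in hits}


def bot_commands(strings_text: str) -> list[str]:
    """Recover the bot's command vocabulary from its dot-prefixed tokens."""
    return sorted({s for s in _lines(strings_text) if re.fullmatch(r"\.[a-z]+", s)})


def host_iocs(strings_text: str) -> dict:
    """Pull the registry key, install directory and dropped exe names a host check needs."""
    iocs = {"run_key": None, "install_dir": None, "file_names": []}
    for s in _lines(strings_text):
        if "CurrentVersion\\Run" in s:
            iocs["run_key"] = s
        elif re.fullmatch(r"\\[A-Za-z0-9_]+", s):
            iocs["install_dir"] = s
        elif re.fullmatch(r"[A-Za-z0-9_]+\.exe", s):
            iocs["file_names"].append(s)
    return iocs


def flag_run_values(run_values: dict[str, str], iocs: dict, extra_names=()) -> list[str]:
    """Flag autostart entries whose command points into the install dir or at a known exe.
    run_values is {value_name: command_line} as read from the Run key the strings name
    (on a live host you would fill it via winreg; here it is a constructed sample)."""
    names = {n.lower() for n in iocs["file_names"]} | {n.lower() for n in extra_names}
    install_dir = (iocs["install_dir"] or "").lower()
    flagged = []
    for value_name, cmd in run_values.items():
        c = cmd.lower()
        exe_path = c.split('"')[1] if c.startswith('"') else c.split()[0]
        in_dir = bool(install_dir) and (install_dir + "\\") in c
        if in_dir or ntpath.basename(exe_path) in names:
            flagged.append(value_name)
    return flagged


# Constructed Run-key sample: LTM2 as value name is an assumption, fjear32.exe is from the DCC listing
SAMPLE_RUN_VALUES = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "LTM2": r"C:\WINDOWS\litmus\mypic.exe",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
    "fjear": r"C:\WINDOWS\fjear32.exe",
}

if __name__ == "__main__":
    for cat, (n, expl) in report(STRINGS).items():
        print(f"{cat:16} {n:2} strings  {expl}")
    print("commands:", bot_commands(STRINGS))
    print("iocs:", host_iocs(STRINGS))
    print("flagged Run values:", flag_run_values(SAMPLE_RUN_VALUES, host_iocs(STRINGS),
                                                 extra_names=("fjear32.exe", "hOt32.exe")))
```

The cred-theft category is the one that changes the response: WNetEnumCachedPasswords reads the Win9x .PWL cache, so any host that ran this bot should have its cached network and dial-up passwords rotated, not just the Run-key entry removed and the exe deleted.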


- ------------------------------------------------------------------
After tracking the botnet to undernet, and then dalnet, I found that the
hostmask for the botnet "master" was set to *!*elite@*, meaning anyone with
the ident of elite and the proper password could authenticate.

I joined the channel with the bots in it on dalnet and authenticated with
them:

22:07 ùíù chazza [elite () dhcp197 sfca1 dawg net] has joined #hellz-net
22:07 ùíù Topic (#hellz-net): Eddie lives somwhere in time!
22:07 ùíù Topic (#hellz-net): set by Cheap-23689 at Tue Feb 26 03:11:02 2002
22:07 ùíù [Users(#hellz-net:25)]
22:07 [ chazza    ] [@Cheap-6548] [@hOt-7405  ] [@Cheap-3092] [@Cheap-2550]
22:07 [@Cheap-1103] [@Cheap-2452] [@Cheap-2960] [@Cheap-3226] [@Cheap-2256]
22:07 [@Cheap-429 ] [@Cheap-3111] [@Cheap-1079] [@Cheap-2990] [@Cheap-2114]
22:07 [@Cheap-8177] [@Cheap-8888] [@Cheap-2007] [@Cheap-2676] [@Cheap-7131]
22:07 [@Cheap-6838] [@Cheap-1151] [@Cheap-2055] [@Cheap-2810] [@Cheap-1317]
22:07 ùíù Channel #hellz-net was created at Tue Feb 26 03:10:57 2002
22:07 ùíù BitchX: Join to #hellz-net was synched in 1.122 secs!!
22:07 <chazza> .ident pure-l33t
22:07 -Cheap-25508(~1911 () calnet4-116 gtecablemodem com)- Nice try lamer...
Your ip (207.175.227.116) is being
automatically sent to the admin and you will be band of this server
22:07 -Cheap-8888(Tyke () 24-127-123-40 we client2 attbi com)- Nice try
lamer... Your ip (24.127.123.40) is being
automatically sent to the admin and you will be band of this server
22:07 -Cheap-21142(~IAN@138.234.186.46)- Nice try lamer... Your ip
(138.234.186.46) is being automatically sent to the
admin and you will be band of this server
22:07 -hOt-7405(~sesh () net206-162-107 xu edu)- Nice try lamer... Your ip
(206.21.162.107) is being automatically sent to
the admin and you will be band of this server
22:07 -Cheap-8177(~jake@216.207.95.31)- Nice try lamer... Your ip
(216.207.95.31) is being automatically sent to the admin
and you will be band of this server
22:07 -Cheap-6548(~oOPonyOBo@24.64.42.137)- Nice try lamer... Your ip
(24.64.42.137) is being automatically sent to the
admin and you will be band of this server
22:07 -Cheap-28105(Alex () pcp01358160pcs benslm01 pa comcast net)- Nice try
lamer... Your ip (68.80.92.72) is being
automatically
sent to the admin and you will be band of this server
22:07 -Cheap-10791(~Shane () pcp827765pcs nrockv01 md comcast net)- Nice try
lamer... Your ip (192.168.0.2) is being
automatically
sent to the admin and you will be band of this server
22:07 -Cheap-1151(jsweetphar () h00b0d017f634 ne mediaone net)- Nice try
lamer... Your ip (24.218.156.167) is being
automatically sent to the admin and you will be band of this server
22:07 -Cheap-32260(~Default@24.30.131.152)- Nice try lamer... Your ip
(192.168.1.100) is being automatically sent to the
admin and you will be band of this server
22:07 -Cheap-13175(Christophe () ool-18bc5f-184 dyn optonline net)- Nice try
lamer... Your ip (24.188.95.184) is being
automatically sent to the admin and you will be band of this server
22:07 -Cheap-20556(Default () gso163-4-129 triad rr com)- Nice try lamer...
Your ip (24.163.4.129) is being automatically
sent to the admin and you will be band of this server
22:07 -Cheap-22562(jsweetphar@24.218.156.167)- Nice try lamer... Your ip
(24.218.156.167) is being automatically sent to
the admin and you will be band of this server
22:07 -Cheap-29903(~Bryan () CPE00045ae033f0 cpe net cable rogers com)- Nice
try lamer... Your ip (192.168.1.101) is being
automatically sent to the admin and you will be band of this server
22:07 -Cheap-7131(Osiris () Exo cableamos com)- Nice try lamer... Your ip
(24.212.25.120) is being automatically sent to the
admin
and you will be band of this server
22:07 -Cheap-11035(~Soloman74 () adsl-20-68-219 mem bellsouth net)- Nice try
lamer... Your ip (192.168.1.102) is being
automatically sent to the admin and you will be band of this server
22:07 -Cheap-29609(~Murphy@64.175.39.132)- Nice try lamer... Your ip
(172.16.1.36) is being automatically sent to the
admin and
you will be band of this server
22:07 -Cheap-2452(~Mike () millikin-124109 millikin edu)- Nice try lamer...
Your ip (172.16.150.247) is being automatically
sent to the admin and you will be band of this server
22:07 -Cheap-20073(Pier-Luc () adsl-66-110-156-196 globetrotter net)- Nice try
lamer... Your ip (66.110.156.196) is being
automatically sent to the admin and you will be band of this server
22:07 -Cheap-30923(~James () CPE-144-137-120-80 nsw bigpond net au)- Nice try
lamer... Your ip (192.168.1.12) is being
automatically sent to the admin and you will be band of this server
22:07 -Cheap-31116(~mra () adsl-175-218 cybernet ch)- Nice try lamer... Your ip
(192.168.35.33) is being automatically sent
to the
admin and you will be band of this server
22:07 -Cheap-26767(hb () brook150 brook usd edu)- Nice try lamer... Your ip
(192.236.53.150) is being automatically sent to
the admin and you will be band of this server
22:07 -Cheap-429(~Brice@65.71.243.44)- Nice try lamer... Your ip
(10.1.130.37) is being automatically sent to the admin
and you
will be band of this server
22:07 -Cheap-6838(Administra@128.123.125.200)- Nice try lamer... Your ip
(128.123.125.200) is being automatically sent to
the admin and you will be band of this server
22:07 ùíù Cheap-1530 [Whoozer () h24-78-3-198 tb shawcable net] has joined
#hellz-net

I attempted to delete and/or remove the trojan exe called fjear32.exe on the
cheap-# bots and hOt32.exe on the hOt-# ones. It was successful on most, but
3 of them failed for some reason. I issued the public .die command afterwards,
which killed the trojan, and on the machines where the EXE was deleted that
should have removed it.

I haven't seen any of them back on dalnet or any other network in #hellz-net.

I still have a little more information to sort through that I can put into
this document. If anyone has anything they wish
to add please let me know.


John C. Hennessy
Information security analyst


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPI4LWjfHYhhTZOYaEQIgcgCfVsuJyWwyyfjypcMDbB3rVpc4HXkAoISP
GDNXJjhuPq7CQC4mFugUY35Y
=nRRl
-----END PGP SIGNATURE-----



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

