Penetration Testing mailing list archives

Re: Botnets


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Thu, 26 Mar 2009 22:45:35 -0430

On Wednesday, 25 March 2009 01:22:14, M.D.Mufambisi wrote:
Hi Guys.

Can someone please explain to me how botnets use IRC? I want to make a
presentation to my group demonstrating this in my lab, which comprises
4 WinXP boxes, unpatched. How are commands issued via IRC?

Hi, I compiled some info on botnets during my forensics work... botnets are a new name
for an old technique: TROJANS.

More specifically: widely spreadable trojans that can act as zombies or use your
computer for non-legitimate purposes...

A popular method (since Sub7 inclusive) is to make a reverse connection to a
public IRC server, which believes that you are a legitimate user of chatrooms.

Why botnets?

1st motivation: a useful way to bypass firewalls. When a bot/trojan makes a
connection to an IRC server, it connects like a normal user does. In the
past, firewalling only protected you against incoming connections, but
outgoing connections were allowed by default.

2nd motivation: hide the attacker's IP address. An attacker could connect to the IRC
server and make connections directly to the client. Therefore the attacker
does not show any IP address. (The IRC server could log the attacker's IP address,
but... the attacker could also use a proxy.)

3rd motivation: aggregation. An attacker could connect to only one IRC server
to control thousands of computers. There is no need to connect to every hacked
computer to perform a specific action (e.g. attack and shut down a website by flooding,
or send spam across a distributed network).

How (how does it work on IRC)?

A bot, infected computer, or whatever you like to call it, makes an outgoing
connection to a public or private IRC server (it's well known that users always
click yes, permitting the outgoing connection as well...).

Generally it's a public IRC server. This client authenticates and opens a common
channel (or a set of them); then the IRC bot can chat using a random or AI engine to
prevent drops, also respond to the PING/PONG of the IRC protocol, and listen for a
keyword. This keyword/password generally acts as an "ignitor" and allows the
attacker to send commands.

An attacker joins the bot channel, sends the password, and then sends
commands in plaintext (like a bash shell); all these commands are delivered over the IRC
protocol to every bot in the channel. Therefore, every bot checks, interprets
and executes the command.
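As an added example (not code from the original post), here is a small Python reconstruction of the flow just described, run over a constructed log of one host's IRC session: the parser follows the RFC 1459 line shape, and the verdict flags a session that registers, joins a channel, answers PING and then receives keyword-prefixed lines from another nick. The nicks, server name and the "!"/"." command prefixes are assumptions.

```python
import re
# Constructed sample of one host's IRC session as a proxy or IDS might log it:
# ">" lines were sent by the monitored host, "<" lines came from the server.
SAMPLE_SESSION = """\
> NICK xp-4417
> USER xp 0 * :xp
< :irc.example.test 001 xp-4417 :Welcome
> JOIN #c
< PING :irc.example.test
> PONG :irc.example.test
< :herder!op@203.0.113.9 PRIVMSG #c :s3cret !status
< :herder!op@203.0.113.9 PRIVMSG #c :!uptime
< :someone!u@198.51.100.2 PRIVMSG #c :hi everyone
"""
# RFC 1459 line shape: [":" prefix SPACE] command [params] [" :" trailing]
MSG_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")
COMMAND_PREFIXES = ("!", ".")  # assumed "ignitor" prefixes for bot commands

def parse(line):
    """Split one IRC line into (prefix, COMMAND, middle params, trailing)."""
    m = MSG_RE.match(line)
    params = m.group("params") or ""
    if params.startswith(":"):
        middle, trailing = "", params[1:]
    else:
        middle, _, trailing = params.partition(" :")
    return m.group("prefix"), m.group("cmd").upper(), middle.split(), trailing

def reconstruct(log):
    """Nick, joined channels, PONG count, received commands and a C2 verdict:
    registered, joined, answered PING and got command-like lines from another nick."""
    s = {"nick": "", "channels": [], "pongs": 0, "commands": []}
    for raw in log.splitlines():
        direction, _, line = raw.partition(" ")
        if not line.strip():
            continue
        prefix, cmd, middle, trailing = parse(line)
        arg = middle[0] if middle else trailing
        if direction == ">" and cmd == "NICK":
            s["nick"] = arg
        elif direction == ">" and cmd == "JOIN":
            s["channels"].extend(arg.split(","))
        elif direction == ">" and cmd == "PONG":
            s["pongs"] += 1
        elif direction == "<" and cmd == "PRIVMSG" and arg in s["channels"]:
            sender = (prefix or "").split("!")[0]
            words = trailing.split()  # the password may precede the command
            if sender != s["nick"] and any(w.startswith(COMMAND_PREFIXES) for w in words[:2]):
                s["commands"].append((sender, trailing))
    s["looks_like_c2"] = bool(s["nick"] and s["channels"] and s["pongs"] and s["commands"])
    return s
```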

IRCS?

IRC over SSL is a specific technique used by specific sophisticated trojans to
circumvent IDS/IPS that can't look into SSL.


--------------------------------------------------------------------------------------
More on the edge...

We usually think that a botnet acts like a .exe running on my machine, coming
from an infected USB drive, or by phishing.

But botnets are spreading over systems that I never thought of before...

_Botnets over PHP_

This is a relatively new method used by some people to extend a botnet's scope
over webservers, which commonly have more bandwidth than a simple home computer.

How does it work?

In a recent forensic investigation that I did, I discovered a PHP botnet injected by an RFI
attack. This was an excellent cover:

The attacker used a page celebrating a baby's birth. If you take a look at this
page, there was only a baby-birth page... but if you look deeper inside, you
will find obfuscated and self-encrypted PHP code.

That PHP code has an fsockopen PHP call to a set of IRC servers (with
failovers and random functions...).

I remark that this PHP code was injected with the RFI method. It makes a connection to an
IRC server and lets the attacker deface many sites, centralized from an IRC.
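As an added example (not from the original investigation), a Python triage script for the RFI-injected PHP bot described above: it scans PHP sources for fsockopen calls to IRC ports, IRC verbs in string literals, eval of decoded data and long packed blobs, and grades each file. The sample page, the indicator patterns and the port numbers are constructed assumptions.

```python
import os
import re

# Constructed sample: an innocent-looking page with an injected bot loader.
SAMPLE_PHP = (
    '<html><body><h1>Welcome to our new baby!</h1>\n<?php\n'
    '$s = fsockopen("irc.example.test", 6667, $errno, $errstr, 30);\n'
    '$n = "NICK web" . rand(1000, 9999) . "\\r\\n"; fwrite($s, $n);\n'
    'eval(gzinflate(base64_decode("' + "QUFB" * 60 + '")));\n?>\n</body></html>'
)

INDICATORS = {
    # outbound socket to a typical IRC port (assumed port list)
    "irc_socket": re.compile(r"\bp?fsockopen\s*\([^;]*\b(6667|6697|7000)\b", re.I),
    # IRC protocol verbs embedded in string literals
    "irc_verbs": re.compile(r'"(NICK|USER|JOIN|PRIVMSG|PONG)\s', re.I),
    # self-decrypting loader: eval of decoded or decompressed data
    "eval_decode": re.compile(r"\beval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I),
    # long base64-looking blobs are a hallmark of packed payloads
    "long_blob": re.compile(r"[A-Za-z0-9+/=]{200,}"),
}

def scan_php(source):
    """Return {indicator: [snippets]} for every indicator found in the source."""
    hits = {}
    for name, rx in INDICATORS.items():
        found = [m.group(0)[:60] for m in rx.finditer(source)]
        if found:
            hits[name] = found
    return hits

def risk_level(hits):
    """A socket plus IRC verbs, or eval of decoded data, is the bot pattern above."""
    if ("irc_socket" in hits and "irc_verbs" in hits) or "eval_decode" in hits:
        return "high"
    return "medium" if hits else "clean"

def scan_tree(root):
    """Walk a web root and report every PHP file that is not clean."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".inc", ".phtml")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php(fh.read())
                if hits:
                    report.append((path, risk_level(hits), sorted(hits)))
    return report
```

A "high" file still needs the web server's access log checked for the RFI request that planted it, since the page itself carries few traces.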

------------------------
So what did I conclude in my forensic investigation?

This method allowed an attacker to control a server without infecting it
directly, and also without leaving hard traces on the hard drive... It was
luck that the page was still there when I did the forensic work. And it was luck that
I didn't believe that this page was real.


Kind regards,

Munyaradzi

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own
exploits? InfoSec Institute's Advanced Ethical Hacking class teaches you
how to write stack and heap buffer overflow exploits for Windows and Linux.
Gain your Certified Expert Penetration Tester (CEPT) cert as well.

http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------
