Recently in Botnets Category

Saw this on the Arbor Networks blog and thought I would post it as a link: an excellent analysis of the Conficker worm.

http://mtc.sri.com/Conficker/


Below is the abstract....

BotHunter Software Distribution Page

BotHunter is a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter.  Using an advanced infection-dialog-based event correlation engine (patent pending), BotHunter represents the most in-depth network-based malware infection diagnosis system available today.

Link to Bothunter software


storm resources and pdfs

For my documentation, here are some good sites relating to Storm and its analysis:

1.  http://offensivecomputing.net/
2.  http://trustedsource.net/
3.  http://asert.arbornetworks.com/
4.  http://honeyblog.org/
5.  http://www.darkreading.com/document.asp?doc_id=151862&f_src=drdaily
6.  http://www.usenix.org/events/leet08/tech/full_papers/holz/holz_html/
7.  http://noh.ucsd.edu/~bmenrigh/exposing_storm.ppt
8.  http://noh.ucsd.edu/~bmenrigh/storm_data.tar.bz2
9.  http://www.cs.ucsd.edu/~voelker/pubs/stormspam-leet08.pdf
10. http://sudosecure.net/storm.php
11. http://www.eecs.harvard.edu/~mema/courses/cs264/papers/eclipse-infocom06.pdf
12. http://dsd.lbl.gov/Net-Mon/TALKS/SCNM1-17-02.pdf
13. https://opensvn.csie.org/mlnet/trunk/docs/overnet.txt
14. http://www.tml.tkk.fi/Publications/C/25/papers/Nummipuro_final.pdf
15. http://planete.inrialpes.fr/~perito/
16. http://www.offensivecomputing.net/papers/js-StormWorm-3-23-2008.pdf
17. http://mtc.sri.com/
18. http://www.cyber-ta.org/pubs/StormWorm/SRITechnical-Report-10-01-Storm-Analysis.pdf
19. http://www.secureworks.com/research/threats/view.html?threat=storm-worm
20. http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx
21. http://spamtrackers.eu/wiki/index.php?title=Storm
22. http://malwaredomains.com/
23. http://www.honeynet.org/papers/ff/fast-flux.html
24. http://spamtrackers.eu/wiki/index.php?title=Fast-flux


Just to name a few. I am sure there have been many more, but I thought I would list a few I have been to.

Captured about an hour's worth of pcap traffic and decided to pull out those notorious spam templates being sent to and from my infected bot. Will write a quick parser to pick through them based on From, To, Subject, User-Agent and Message-ID, all of which are assembled within the spam template and then spoofed out using your infected bot as the spamming engine. Listed below are those spam templates from my infected VM bot; here is just one to give you an idea of what it looks like:
template1.txt

Here are the rest if you are interested in seeing all the data: 
spamtemplates.tar.gz
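One way to start the parser described above, as an added example that is not the post's own code: it pulls From, To, Subject, Message-ID and the mailer header (X-Mailer, or User-Agent where present) out of tcpflow-style message text, collects the body URLs, and groups messages by template so that the per-message spoofed fields stand out. The mail samples, addresses and URLs are constructed; the subject line and Outlook Express mailer string are the ones shown in the sample data elsewhere on this page.

```python
import re
from collections import defaultdict
from email import message_from_string

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# the header fields the template assembles and the bot then spoofs per message
TEMPLATE_FIELDS = ("From", "To", "Subject", "Message-ID", "X-Mailer", "User-Agent")


def parse_message(text):
    """One tcpflow-extracted mail -> its template-relevant headers plus the body URLs."""
    msg = message_from_string(text)
    fields = {name: msg.get(name) for name in TEMPLATE_FIELDS if msg.get(name)}
    seen = []
    for url in URL_RE.findall(msg.get_payload()):
        if url not in seen:  # dedupe, keep first-seen order
            seen.append(url)
    fields["urls"] = seen
    return fields


def group_templates(messages):
    """Group mails by (Subject, mailer, URLs): one template shows up as one group with
    many distinct From/Message-ID values, which is the spoofing the post describes."""
    groups = defaultdict(lambda: {"count": 0, "senders": set(), "message_ids": set()})
    for m in messages:
        key = (m.get("Subject"), m.get("X-Mailer") or m.get("User-Agent"), tuple(m["urls"]))
        g = groups[key]
        g["count"] += 1
        g["senders"].add(m.get("From"))
        g["message_ids"].add(m.get("Message-ID"))
    return dict(groups)


def _constructed_mail(sender, rcpt, subject, msg_id, url):
    # builds a message in the shape tcpflow writes out from the bot's SMTP streams (constructed)
    return (f"From: <{sender}>\nTo: <{rcpt}>\nSubject: {subject}\nMessage-ID: <{msg_id}>\n"
            "X-Mailer: Microsoft Outlook Express 5.50.4133.2499\n\n"
            f"Make your housewife happy with our original blue colored-tab!is {url}\n")


HANGOVER = "Holidays are near, but u know how not to give hangover a chance"
SAMPLE_FLOWS = [  # constructed: two mails from one template, one unrelated mail
    _constructed_mail("anna7@mail.example", "v1@example.net", HANGOVER, "a1@spoofed.example", "http://shop.example.org"),
    _constructed_mail("bob22@mail.example", "v2@example.net", HANGOVER, "b2@spoofed.example", "http://shop.example.org"),
    _constructed_mail("carl@mail.example", "v3@example.net", "Your statement", "c3@spoofed.example", "http://other.example.org/login"),
]


def analyse_flows(flows):
    return group_templates([parse_message(t) for t in flows])
```

Running `analyse_flows(SAMPLE_FLOWS)` yields two groups; the hangover template appears once with two senders and two Message-IDs, which is the per-message spoofing pattern to look for across a full capture.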

pcaplistener-v0.2.pl

I added some more functionality to my homemade sniffer, which now grabs all the outbound DNS packets from my infected bot. The variant I am running I grabbed from sudosecure.net: 681554faf60a96ad2fcebcee4a8e0b53 StormCodec8.exe. Some quick stats: in thirty minutes of sniffing, I grabbed 6781 unique DNS hostnames and 12383 IP addresses (6748 unique) going across the wire. Here is a file with the latest printout of IPs => GeoIP lookup:
042808_latest_run.txt


Here is a snippet of the hostnames I found coming from my box once infected; the file lists hostname => number of IPs it resolves to and all the IP addresses:
dnsoutputfile.txt

I have some more data but will put it up later...
Wrote a sniffer in Perl to pull out all the unique IP addresses from my infected honeypot based on the stormcodec.exe variant. From there, I stuff them into a MySQL table for later analysis. The script checks for duplicates before adding a row to the table. Will start parsing UDPObj and TCPObj ->{data} for URLs so I can start potentially keeping track of FF domains. I need to add some more functionality to log first and last seen, which should not be that hard. I am using the Net::Pcap package to do all the heavy lifting here, as I don't have to substring through the packets picking through the TCP/UDP/ICMP header structure. For specific cases that might be necessary, but this works for me now. The code is version 0.1, so that should speak for itself. The DB schema is not listed but can be figured out very easily. Alas, here it is:
pcaplistener_pl.txt

The captured unique IP addresses are listed below:
storm_sniffer_geo.txt

More FFSNs?

During a 25 minute network traffic capture of one of my infected Storm bots, I grabbed hundreds of IP addresses, either from spam propagation or found within the payload of the pcap. Listed below is the file of URLs.
domains.txt

Of those 58 URLs that were parsed out, I noticed 7 that came back with 20 unique A records; those were the following:

Hostname => Number of A records
didstill.com => 20
enoughfraction.com => 20
gladgave.com => 20
motherdry.com => 20
thinbring.com => 20
verbcase.com => 20
winghit.com => 20

Listed below are the IP's associated with those hostnames:
042308_ffoutput.txt and the ugly ass script that produced it:
ffcheck_pl.txt


Doing a GeoIP lookup on all of those IP addresses got me the following:
042308_ff_geooutput.txt

Below is a Perl script I used to pull all the URLs and email addresses out of tcpflow results from the network traffic of an infected Storm bot. The script can be run using the following:

perl stormextraction -dir /data/tcpflowresults/

Here is the script:

#!/usr/bin/perl

# simple little hack to pull URL's out of tcpflow results from captured storm data
# JD Durick <jd@labgeek.net>
# runs on a directory after you have run:  tcpflow -r <storm pcap file>, this mainly contains email header information
# email address, subjects, and html links that you are asked to visit.
# version 0.1
#
# usage:  perl stormextraction -dir /data/tcpflowresults/ [-output httpfile.txt]
# writes the unique URLs to -output (default httpfile.txt) and the unique email addresses to email.txt

# format of data: (really can be anything with a URL in the file)
#----------------
#To: <sms5672@daum.net>
#Subject: Holidays are near, but u know how not to give hangover a chance
#Date: Sat, 19 Apr 2008 12:13:18 -0400
#MIME-Version: 1.0
#Content-Type: text/plain;
#        format=flowed;
#        charset="windows-1250";
#        reply-type=original
#Content-Transfer-Encoding: 7bit
#X-Priority: 3
#X-MSMail-Priority: Normal
#X-Mailer: Microsoft Outlook Express 5.50.4133.2499
#X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2499
#
#Make your housewife happy with our original blue colored-tab!is http://starfoxguide.com

#TODO
# parse even more with URI to get just unique hostnames, something like $url->host()
# DNS resolver for each of URLS
# email domain breakdown

use warnings;
use strict;
use Getopt::Long;
use File::Spec;
use URI::Find;                                 # exports find_uris()
#use MIME::Parser;                              # for later
#use Digest::MD5 qw(md5 md5_hex md5_base64);    # for later

my $dir      = "";
my $output   = "httpfile.txt";    # -output overrides where the URL list goes
my $max_size = 90000;             # skip anything this big or bigger (binary flows, attachments)
my ( %url, %emails );
my $counter = 0;

GetOptions(
        "dir:s"    => \$dir,
        "output:s" => \$output
) or die("usage: $0 -dir <tcpflow output directory> [-output <url file>]\n");
die("usage: $0 -dir <tcpflow output directory> [-output <url file>]\n") unless $dir;

# get all the http:// urls that are found in all the emails sent out.
opendir( my $dh, $dir ) || die("Cannot open directory $dir: $!\n");

# Get contents of directory, then close it
my @dir_contents = readdir($dh);
closedir($dh);

foreach my $file ( sort @dir_contents ) {
        next if ( $file eq "." || $file eq ".." );

        # catfile() works whether or not -dir was given with a trailing slash
        my $fullpathname = File::Spec->catfile( $dir, $file );
        next unless -f $fullpathname;    # tcpflow writes plain files; skip anything else

        $counter++;
        my $fsize = ( stat($fullpathname) )[7];
        #print "[$counter]:  Processing  $fullpathname and size = $fsize\n";
        next if ( $fsize >= $max_size );

        my $fh;
        unless ( open( $fh, "<", $fullpathname ) ) {
                warn("Cannot open $fullpathname: $!\n");
                next;
        }
        while ( my $line = <$fh> ) {
                find_uris(
                        $line,
                        sub {
                                my ( $uri, $orig_uri ) = @_;
                                $url{$orig_uri} = 1;
                                return $orig_uri;    # find_uris() splices the return value back into the text, so hand it back unchanged
                        }
                );
        }
        close $fh;

        # lets get a list of all those email addresses we see
        getEmail($fullpathname);
}

open( my $out, ">", $output ) || die("Cannot write $output: $!\n");
foreach my $u ( sort keys %url ) {

        # lets get rid of those http://
        #       $u =~ s/http\:\/\///g;
        #       $u =~ s/https\:\/\///g;
        print $out "$u\n";
}
close $out;

# email.txt is written once, after every file has been read
open( my $emailfh, ">", "email.txt" ) || die("Cannot write email.txt: $!\n");
foreach my $email ( sort keys %emails ) {
        print $emailfh "$email\n";
}
close $emailfh;

print "Processed $counter files: ", scalar( keys %url ), " unique URLs, ", scalar( keys %emails ), " unique email addresses\n";

sub getEmail {
        my $filename = shift;

        my $fh;
        unless ( open( $fh, "<", $filename ) ) {
                warn("Cannot open $filename: $!\n");
                return;
        }
        while ( my $line = <$fh> ) {
                next if ( $line =~ /^\s*$/ );

                # grab every address on the line, not just the first one
                while ( $line =~ /\b([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4})\b/g ) {
                        $emails{$1} = 1;
                }
        }
        close $fh;
}
__END__

motherdry.com

Just like winghit.com, motherdry.com is a Canadian pharmacy that resolves to many different IP addresses:

root@redbox:/data# nslookup motherdry.com

Non-authoritative answer:
Name:   motherdry.com
Address: 61.223.224.199
Name:   motherdry.com
Address: 67.166.150.21
Name:   motherdry.com
Address: 69.14.247.212
Name:   motherdry.com
Address: 70.224.192.172
Name:   motherdry.com
Address: 77.238.231.111
Name:   motherdry.com
Address: 78.94.107.58
Name:   motherdry.com
Address: 78.151.98.51
Name:   motherdry.com
Address: 82.83.192.46
Name:   motherdry.com
Address: 84.51.82.231
Name:   motherdry.com
Address: 84.62.229.251
Name:   motherdry.com
Address: 85.29.230.115
Name:   motherdry.com
Address: 85.30.194.164
Name:   motherdry.com
Address: 85.180.178.189
Name:   motherdry.com
Address: 88.66.199.9
Name:   motherdry.com
Address: 89.169.103.188
Name:   motherdry.com
Address: 89.173.21.202
Name:   motherdry.com
Address: 91.66.83.97
Name:   motherdry.com
Address: 125.232.100.18
Name:   motherdry.com
Address: 220.75.199.72
Name:   motherdry.com
Address: 220.208.7.115

Breaking down the IPs once again gives me the following:
61.10.122.23,HK,Hong Kong,00,Central District,22.2833,114.15,,,HK Cable TV Ltd,hkcable.com.hk
61.223.224.199,TW,Taiwan,04,Kaohsiung,22.6333,120.35,,,Chunghwa Telecom Data communication Business Group,hinet.net
62.24.81.195,CZ,Czech Republic,52,Prague,50.0833,14.4667,,,UPC Internet CATV,upc.cz
67.166.150.21,US,United States,CA,Sacramento,38.5765,-121.4445,916,,Comcast Cable,comcast.net
69.14.247.212,US,United States,MI,Sterling Heights,42.5829,-83.0341,586,,WideOpenWest,wideopenwest.com
70.224.192.172,US,United States,MI,Ralph,46.1085,-87.7844,906,,SBC Internet Services,ameritech.net
77.238.231.111,RU,Russian Federation,48,Moscow,55.7522,37.6156,,,P2P block,teleru.net
78.94.107.58,DE,Germany,07,Nörvenich,50.8,6.65000000000001,,,ISH GMBH & CO. KG,
78.151.98.51,GB,United Kingdom,,,54,-2,,,Opal Telecom,
84.62.229.251,DE,Germany,07,Korschenbroich,51.1833,6.51669999999999,,,Arcor AG,arcor-ip.net
85.29.230.115,EE,Estonia,08,Tudu,59.1772,26.8581,,,VIRUNET,vnet.ee
85.180.178.189,DE,Germany,05,Frankfurt Am Main,50.1167,8.6833,,,Alice DSL,alicedsl.de
89.169.103.188,RU,Russian Federation,48,Moscow,55.7522,37.6156,,,ZAO Infoline,
89.173.21.202,SK,Slovakia,02,Bratislava,48.15,17.1167,,,UPC Slovakia s.r.o,chello.sk
91.66.83.97,DE,Germany,09,Marpingen,49.45,7.05000000000001,,,Kabel Deutschland,
118.167.174.98,TW,Taiwan,03,Taipei,25.0392,121.525,,,CHTD, Chunghwa Telecom Co., Ltd.,hinet.net
212.15.149.153,JSK DCS,9.153,UA,Ukraine,17,Odessa,46.4667,30.7333,,A
220.75.199.72,Korea Telecom,R,Korea, Republic of,11,Seoul,37.5664,126.9997,,A
220.208.7.115,CATV tokushima Co.,Inc.,tcn.ne.jpa,34.0667,134.5666,,A
221.127.232.41,Hutchison Global Communications,ntral District,22.2833,114.15,,A

winghit.com

Seeing this puppy more and more when looking at my Storm-infected network traffic:

root@honeybot:/data/tmp# nslookup winghit.com
Server:         x.x.x.x
Address:        x.x.x.x#53

Non-authoritative answer:
Name:   winghit.com
Address: 70.224.192.172
Name:   winghit.com
Address: 79.165.178.14
Name:   winghit.com
Address: 82.83.191.144
Name:   winghit.com
Address: 84.51.81.163
Name:   winghit.com
Address: 87.122.179.188
Name:   winghit.com
Address: 88.134.64.90
Name:   winghit.com
Address: 89.208.204.25
Name:   winghit.com
Address: 89.235.8.21
Name:   winghit.com
Address: 89.252.10.154
Name:   winghit.com
Address: 91.66.83.97
Name:   winghit.com
Address: 99.165.15.89
Name:   winghit.com
Address: 118.167.174.98
Name:   winghit.com
Address: 123.203.138.59
Name:   winghit.com
Address: 220.75.199.72
Name:   winghit.com
Address: 220.143.59.129
Name:   winghit.com
Address: 221.126.156.226
Name:   winghit.com
Address: 222.93.161.44
Name:   winghit.com
Address: 61.10.122.23
Name:   winghit.com
Address: 61.18.221.154
Name:   winghit.com
Address: 67.166.150.21

Taking each of the IPs and doing a geoip lookup yields the following:

70.224.192.172,US,United States,MI,Ralph,46.1085,-87.7844,906,,SBC Internet Services,ameritech.net
79.165.178.14,RU,Russian Federation,48,Moscow,55.7522,37.6156,,,Russian Central Telegraph, Moscow,
82.83.191.144,DE,Germany,06,Kirchlinteln,52.95,9.3167,,,Arcor AG,arcor-ip.net
84.51.81.163,RU,Russian Federation,47,Marfino,55.7047,37.3644,,,TRC Odintsovo,
87.122.179.188,DE,Germany,10,Neumünster,54.0667,9.98320000000001,,,Versatel Deutschland Dynamic Pool,versanet.de
88.134.64.90,DE,Germany,09,Bexbach,49.3333,7.26669999999999,,,Kabel Deutschland Breitband Services GmbH,superkabel.de
89.208.204.25,RU,Russian Federation,48,Moscow,55.7522,37.6156,,,Hosting and Colocation Services,thatcondensed.net
89.235.8.21,CZ,Czech Republic,88,Rudná,50.0333,14.2167,,,Brunet o.s.,
89.252.10.154,UA,Ukraine,13,Kiev,50.4333,30.5167,,,for Freenet customers and infrastructure,freenet.com.ua
91.66.83.97,DE,Germany,09,Marpingen,49.45,7.05000000000001,,,Kabel Deutschland,
99.165.15.89,US,United States,CA,Los Angeles,34.0416,-118.2988,323,,SBC Internet Services,
118.167.174.98,TW,Taiwan,03,Taipei,25.0392,121.525,,,CHTD, Chunghwa Telecom Co., Ltd.,hinet.net
123.203.138.59,HK,Hong Kong,00,Central District,22.2833,114.15,,,City Telecom (H.K.) Ltd.,ctinets.com
,Korea Telecom,R,Korea, Republic of,11,Seoul,37.5664,126.9997,,A
,Chunghwa Telecom Data communication Business Group,hinet.net
,Hutchison Global Communications,entral District,22.2833,114.15,,A
,CHINANET jiangsu province network,163data.com.cn3,,A
61.10.122.23,HK,Hong Kong,00,Central District,22.2833,114.15,,,HK Cable TV Ltd,hkcable.com.hk
61.18.221.154,HK,Hong Kong,00,Central District,22.2833,114.15,,,HK Cable TV Ltd,hkcable.com.hk
67.166.150.21,US,United States,CA,Sacramento,38.5765,-121.4445,916,,Comcast Cable,comcast.net

Gee, maybe part of the fastflux network???
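The 20-unique-A-records check from the "More FFSNs?" entry and the question just asked, as an added example that is not code from the original posts: it parses nslookup output of the kind quoted here into hostname => A records and flags hostnames that reach the 20-record mark. Assumptions: the /16-prefix count is my stand-in for the GeoIP/ISP dispersion the posts show (the posts did not compute it), and the sample input is constructed from the winghit.com answers above plus a control host in a documentation address range.

```python
import ipaddress
import re
from collections import defaultdict

# nslookup prints each answer as a "Name:" line followed by an "Address:" line.
NSLOOKUP_LINE = re.compile(r"^(Name|Address):\s*(\S+)")

def parse_nslookup(text):
    """Map each hostname in nslookup output to the set of IPv4 A records it returned."""
    records = defaultdict(set)
    current = None  # hostname from the most recent "Name:" line
    for line in text.splitlines():
        m = NSLOOKUP_LINE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "Name":
            current = value.lower().rstrip(".")
            continue
        try:  # drops the resolver's own "Address: x.x.x.x#53" header and non-IP answers
            ip = ipaddress.ip_address(value.split("#")[0])
        except ValueError:
            continue
        if current is not None and ip.version == 4:
            records[current].add(str(ip))
    return records

def flux_indicators(ips, a_threshold=20):
    """Per-hostname fast-flux heuristics. a_threshold=20 is the unique-A-record count the
    posts above singled out; distinct /16 prefixes are an assumed proxy for the GeoIP/ISP
    spread they show, not a metric the original posts computed."""
    slash16 = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    return {"unique_a": len(ips), "distinct_slash16": len(slash16),
            "candidate_ffsn": len(ips) >= a_threshold and len(slash16) > 1}

def analyse(text):
    return {host: flux_indicators(ips) for host, ips in parse_nslookup(text).items()}

# Constructed sample: the 20 winghit.com answers quoted above plus a control host whose
# two addresses sit in one /24 (192.0.2.0/24 is a documentation range).
FLUX_IPS = ["70.224.192.172", "79.165.178.14", "82.83.191.144", "84.51.81.163",
            "87.122.179.188", "88.134.64.90", "89.208.204.25", "89.235.8.21",
            "89.252.10.154", "91.66.83.97", "99.165.15.89", "118.167.174.98",
            "123.203.138.59", "220.75.199.72", "220.143.59.129", "221.126.156.226",
            "222.93.161.44", "61.10.122.23", "61.18.221.154", "67.166.150.21"]
SAMPLE_NSLOOKUP = ("Server:\t\tx.x.x.x\nAddress:\tx.x.x.x#53\n\nNon-authoritative answer:\n"
                   + "".join(f"Name:\twinghit.com\nAddress: {ip}\n" for ip in FLUX_IPS)
                   + "Name:\texample.net\nAddress: 192.0.2.10\nName:\texample.net\nAddress: 192.0.2.11\n")
```

`analyse(SAMPLE_NSLOOKUP)` reports winghit.com with 20 unique A records spread over 20 different /16s and flags it, while the control host with two neighbouring addresses is not flagged.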

About this Archive

This page is an archive of recent entries in the Botnets category.
