Inside a botnet - part 2

Alex, December 16, 2015 08:31
Yesterday my server joined a botnet. Somebody attacked a server and "guessed" the user credentials. After logging on, a script was installed that acts like an IRC bot and connects to a remote IRC server. After analyzing the bot (see, people from 1994, creating IRC bots is NOT a waste of time) I tried connecting to the Command & Control server.

My server has friends

I was not alone. There were 170 other clients logged on to the server at ███.███.███.███. From the code analysis I learned that all clients would have predictable nicknames: [██████]12345, where 12345 is a random number between 1 and 99999. I created a bot of my own that queries the IRC server for all possible usernames to see whether a nickname was in use and, if so, from which IP address the client was connecting. It took a while to scan all 100,000 nicknames.

Great Power

I found a couple of clients, connecting from all over the world. To make sure I did not do anything illegal, I set up my own IRC server and modified the client to connect to my server. I was able to send commands to the client via IRC private messages. I could execute an arbitrary program in a shell, and run an httpflood, udpflood or sqlflood command from the client.
If you are new to botnets and DDoS attacks, the associated clients provide a quick HELP page. How nice of them. Sending an @help message shows you a list of available commands:

More commands:

  Command      Description
  socks5       Installs a SOCKS5 proxy server. If successful, the hacked server can be used as a proxy by anyone on the internet.
  portscan     Scans for open ports on a given host.
  sendmail     Sends an e-mail with a forged From field to anyone on the internet from the hacked machine.
  rootme       Tries several known vulnerabilities to get root access to the server.
  nmap         Scans a remote host for open ports.
  back         Connects to another server and starts a shell. The attacker can then execute commands on the hacked server.
  packetstorm  Reads and prints the headlines from packetstorm.org, an information security news website.
  udpflood     Sends random UDP packets to a given host. The time to repeat this can be set in seconds.
  udp          Sends random UDP packets to a given host. The time to repeat this can be set in seconds.
  tcpflood
  httpflood    Connects to and disconnects from a given host. The time to repeat this can be set in seconds.
  sqlflood     Sends random packets to the local MySQL server. The time to repeat this can be set in seconds.
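Two details above are useful to a defender watching outbound traffic from their own hosts: the predictable nick format (a fixed bracketed prefix plus a number from 1 to 99999) and the fixed vocabulary of commands in the @help table. The following detector is an added example written for this post, not the bot's code or anything from the author; it parses raw IRC protocol lines (such as a captured session or an IRC proxy log) and flags nicks matching the pattern and private messages that start with one of the listed commands. The prefix "bot" is a constructed stand-in for the redacted one, the sample session is constructed, and the assumption that commands are prefixed with "@" (as @help is) is noted in the code.

```python
import re
from dataclasses import dataclass

# The post says every client picks a nick of the form "[prefix]NNNNN" with a
# random number from 1 to 99999. The real prefix is redacted in the post, so
# "bot" below is a constructed placeholder; replace it with the observed one.
BOT_PREFIX = "bot"
NICK_RE = re.compile(r"^\[" + re.escape(BOT_PREFIX) + r"\](\d{1,5})$")

# Command words taken from the client's @help table in the post.
BOT_COMMANDS = {
    "socks5", "portscan", "sendmail", "rootme", "nmap", "back", "packetstorm",
    "udpflood", "udp", "tcpflood", "httpflood", "sqlflood",
}


@dataclass
class Finding:
    line_no: int
    kind: str      # "bot-nick", "help-query" or "bot-command"
    detail: str


def parse_irc_line(line):
    """Split a raw IRC line "[:prefix] COMMAND params [:trailing]" into
    (prefix, COMMAND, [params...]); the trailing part becomes the last param."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def scan_irc_log(lines):
    """Return a Finding for every line that looks like bot behaviour."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        _prefix, command, params = parsed
        if command == "NICK" and params:
            match = NICK_RE.match(params[0])
            if match and 1 <= int(match.group(1)) <= 99999:
                findings.append(Finding(line_no, "bot-nick", params[0]))
        elif command == "PRIVMSG" and len(params) >= 2:
            text = params[-1].strip()
            words = text.split()
            if not words:
                continue
            # Only the first word is matched, so ordinary chat that merely
            # mentions "nmap" is not flagged. The post shows "@help"; stripping
            # a leading "@" from other commands is an assumption about the prefix.
            if words[0].lower() == "@help":
                findings.append(Finding(line_no, "help-query", text))
            elif words[0].lstrip("@").lower() in BOT_COMMANDS:
                findings.append(Finding(line_no, "bot-command", text))
    return findings


# Constructed sample session; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "NICK [bot]48213",
    "USER x 0 * :x",
    ":irc.example.test 001 [bot]48213 :Welcome",
    ":ops!u@h PRIVMSG [bot]48213 :@help",
    ":ops!u@h PRIVMSG [bot]48213 :@udpflood 198.51.100.7",
    "NICK alice",
    ":alice!u@h PRIVMSG #chat :anyone tried the new nmap release?",
    "PING :irc.example.test",
]

if __name__ == "__main__":
    for f in scan_irc_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

Run against the constructed session it reports the bot nick on line 1, the @help query on line 4 and the flood command on line 5, and stays quiet on the human chat line even though it contains the word "nmap". On a real host the same logic sits naturally behind an egress IRC proxy or a packet capture filter on port 6667, where an unexpected NICK in this format from a server that should not be talking IRC at all is the alert that matters.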

All your base belong to us

After reading the documentation, it is time to flood someone! A simple UDP flood to start with.
As far as I could see, the flood code is not that sophisticated and one client alone will never bring down a server, but 170 or more clients in a DDoS attack will cause serious issues.
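Because the per-client flood is unsophisticated, the thing that gives it away on the infected host is volume: a burst of UDP packets from one source to one destination, far above anything the host normally does. The sliding-window check below is an added example (not code from the post or the bot) that takes per-packet records of the kind exported by a packet capture or flow collector, keeps only the timestamps inside the last `window` seconds for each (source, destination) pair, and reports pairs that exceed `threshold` packets in that window. The records, addresses, window and threshold are constructed, illustrative assumptions; the function and flow-record shape are this example's own.

```python
from collections import defaultdict, deque


def detect_udp_floods(flows, window=10.0, threshold=500):
    """Return the (src, dst) pairs that emit more than `threshold` UDP packets
    within any sliding window of `window` seconds.

    `flows` is an iterable of (timestamp_seconds, src_ip, dst_ip, proto) tuples,
    one per packet. The window and threshold are illustrative assumptions that
    you would tune to the host's normal traffic."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerted = set()
    for ts, src, dst, proto in sorted(flows):
        if proto != "udp":
            continue
        q = recent[(src, dst)]
        q.append(ts)
        # Drop timestamps that fell out of the window before counting.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alerted.add((src, dst))
    return sorted(alerted)


def build_sample_flows():
    """Constructed packet records (documentation-range addresses, not real hosts)."""
    flows = []
    # One host sends 600 UDP packets to one target within 5 seconds, the shape
    # of the udpflood command described in the post.
    for i in range(600):
        flows.append((100.0 + i * 5.0 / 600, "203.0.113.5", "198.51.100.7", "udp"))
    # A second host does ordinary-looking DNS: one UDP query every 2 seconds.
    for i in range(30):
        flows.append((100.0 + i * 2.0, "203.0.113.9", "198.51.100.53", "udp"))
    # Some TCP traffic from the flooding host, which the UDP rule ignores.
    flows.append((101.0, "203.0.113.5", "198.51.100.80", "tcp"))
    return flows


if __name__ == "__main__":
    for src, dst in detect_udp_floods(build_sample_flows()):
        print(f"possible UDP flood from {src} to {dst}")
```

On the constructed input only the 203.0.113.5 to 198.51.100.7 pair trips the rule; the DNS host never has more than a handful of packets in any ten-second window. The same structure works for the httpflood and tcpflood variants by keying on TCP connection attempts instead of UDP packets.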

Boooooring

Being part of a botnet is very boring. My server has not yet received a command to attack another server. I have modified the code so that it reports back that it did 'something', but it does not really do anything bad. So far I have not seen a command. I will leave my client connected to the IRC server for as long as I can and as long as it is up. If there is news to report, I will write up a part 3. Check back later or follow my Twitter account @hackpending.

Full Disclosure & Disclaimer

Before publishing this article, I contacted the ISP of the ███.███.███.███ server where the command and control server (IRC server) is running to let them know what they are hosting. It is up to them, the local police, the federal police and whoever else might chip in to decide whether this server is to be taken down. I also contacted the ISPs of all the clients I found that were connected to this IRC server. I have not executed a DDoS attack. I have not executed a command on a remote server. If your server went down, it is pure coincidence. Yes, I'm just a soul whose intentions are good. Oh Lord, please don't let me be misunderstood. I was able to connect to the IRC server without a password. Please do not try this at home.