Case study #siwa Botnet Panel
Feb 22, 2016
The #siwa botnet
• IRC botnet monitored for roughly 5 months
• The name “#siwa” comes from the IRC channel used by the malware involved
Some IRC background
• IRC channels are moderated by channel operators
• Chan OPs (@nick) have the rights to
– give the @ to other users
– change the channel topic
– kick/ban people from the channel
– etc.
• The channel mode +M (moderated) means that only registered nicks (or @operators) may talk in that channel; MODE -M lifts the restriction again.
The Dorothy-Drone Log file
0.2 cents Investigation
• Only operators can change channel settings, which is done with the MODE command.
– let's grep “MODE” to see who the operators are
• OK, now that we have the operators (OPs), let's grep for them to see what they said
• 72.10.169.26:2293 --> :[email protected] MODE #siwa +o abc
• 72.10.169.26:2293 --> :[email protected] MODE #siwa -M
• 72.10.169.26:2293 --> :[email protected] MODE #siwa +o Burimi
• 72.10.169.26:2293 --> :[email protected] PRIVMSG #siwa :u seee us eee
• 72.10.169.26:2293 --> :[email protected] PRIVMSG #siwa :lol !
• 72.10.169.26:2293 --> :[email protected] PRIVMSG #siwa :bots joining
• 72.10.169.26:2293 --> :[email protected] PRIVMSG #siwa :.oper
• 72.10.169.26:2293 --> :[email protected] PRIVMSG #siwa :i cant se bots
• 72.10.169.26:2293 --> :[email protected] PRIVMSG #siwa :oper
• 72.10.169.26:2293 --> :[email protected] PRIVMSG #siwa :d
• 72.10.169.26:2293 --> :[email protected] PRIVMSG #siwa :d
• 72.10.169.26:2293 --> :[email protected] MODE #siwa +o resit
• 72.10.169.26:2293 --> :[email protected] MODE #siwa +o Burimi
• 72.10.169.26:2293 --> :[email protected] PRIVMSG #siwa :4% join #testing
• 72.10.169.26:2293 --> :[email protected] PRIVMSG #siwa :4% join #testing
• 72.10.169.26:2293 --> :[email protected] MODE #siwa +M
:abc: u seee us eee
:Burimi: lol !
:Burimi: bots joining
:Burimi!: .oper
:Burimi!: i cant se bots
:Burimi!: oper
:Burimi!: d
Speculations
• It sounds like a customer service... doesn't it?
Something more?
• Let's see what happened while moderation was removed (MODE -M)
Let's say...
• The string looks like:
– {IRCHOST} PRIVMSG #siwa :-04dcom2.04c- 3. Raw transfer to {IPADDRESS}
• dcom: Buffer Overrun In RPC Interface Could Allow Code Execution (MS03-026)
• So, in human jargon, it could mean that
– {IRCHOST} has infected {IPADDRESS}
– {IRCHOST} = :[email protected], i.e. the prefix {NICK}!~{USER}@{HOSTNAME} (the leading ~ marks an ident the server could not verify)
• By RFC, every nick!user@host prefix is unique on the network at any given moment
– We could enumerate how many UNIQUE hosts are infected
– caveat: dynamic addresses, NAT and reconnects under a new nick make this an estimate, not an exact head count
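As an added example (not part of the original slides or of the Dorothy project's own code), here is a small Python pass over drone log lines in the shape shown above that performs the three greps by hand: it finds who received +o, pulls out those operators' PRIVMSGs, and parses the “Raw transfer to” reports to count unique reporting hosts and victim addresses. The sample log lines are constructed: the nicks mirror the slides, but the hostnames and victim IPs are made up (.invalid names and RFC 5737 documentation ranges) because the real ones are redacted, and wrapping the dcom marker in mIRC colour codes (\x03NN) is an assumption about what the digits in “-04dcom2.04c-” were.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Dorothy-Drone log on the slides:
# "<drone ip:port> --> :<nick>!~<user>@<host> <COMMAND> <params>".
# Hosts and victim IPs are fictitious; the real ones are redacted on the slides.
SAMPLE_LOG = """\
72.10.169.26:2293 --> :resit!~resit@admin.example.invalid MODE #siwa +o abc
72.10.169.26:2293 --> :abc!~abc@h1.example.invalid MODE #siwa -M
72.10.169.26:2293 --> :abc!~abc@h1.example.invalid MODE #siwa +o Burimi
72.10.169.26:2293 --> :abc!~abc@h1.example.invalid PRIVMSG #siwa :u seee us eee
72.10.169.26:2293 --> :Burimi!~burimi@h2.example.invalid PRIVMSG #siwa :bots joining
72.10.169.26:2293 --> :b01!~b01@pc-01.example.invalid PRIVMSG #siwa :-\x0304dcom2\x0304c- 3. Raw transfer to 198.51.100.7
72.10.169.26:2293 --> :b02!~b02@pc-02.example.invalid PRIVMSG #siwa :-\x0304dcom2\x0304c- 3. Raw transfer to 198.51.100.8
72.10.169.26:2293 --> :b01!~b01@pc-01.example.invalid PRIVMSG #siwa :-\x0304dcom2\x0304c- 3. Raw transfer to 198.51.100.9
72.10.169.26:2293 --> :b03!~b03@pc-01.example.invalid PRIVMSG #siwa :-\x0304dcom2\x0304c- 3. Raw transfer to 198.51.100.7
72.10.169.26:2293 --> :abc!~abc@h1.example.invalid MODE #siwa +o resit
72.10.169.26:2293 --> :resit!~resit@admin.example.invalid PRIVMSG #siwa :4% join #testing
72.10.169.26:2293 --> :resit!~resit@admin.example.invalid MODE #siwa +M
"""

LINE_RE = re.compile(
    r"^(?P<drone>\S+) --> :(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)"
    r" (?P<cmd>[A-Z]+)(?: (?P<params>.*))?$"
)
# Bot status report: "... Raw transfer to <victim ip>"; the mIRC colour bytes
# around "dcom" are simply not part of the match.
TRANSFER_RE = re.compile(r"Raw transfer to (\d{1,3}(?:\.\d{1,3}){3})")
ARG_MODES = set("ovhbeIk")  # channel modes that consume an argument (plus +l)


def parse_line(line):
    """Split one drone log line into prefix fields, command and parameters."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    params, trailing = m.group("params") or "", None
    if " :" in params:                      # "<chan> :<message>"
        params, trailing = params.split(" :", 1)
    elif params.startswith(":"):
        params, trailing = "", params[1:]
    return {
        "drone": m.group("drone"),
        "nick": m.group("nick"),
        "user": m.group("user").lstrip("~"),
        "ident_verified": not m.group("user").startswith("~"),  # ~ = unverified ident
        "host": m.group("host"),
        "cmd": m.group("cmd"),
        "params": params.split(),
        "trailing": trailing,
    }


def channel_operators(log):
    """Every nick that was handed @ (what the slides' `grep MODE` finds).

    MODE params look like "<chan> <modes> <args...>"; walk the mode string,
    keep track of the current sign and pair each 'o' with its argument.
    """
    ops = set()
    for rec in map(parse_line, log.splitlines()):
        if not rec or rec["cmd"] != "MODE" or len(rec["params"]) < 2:
            continue
        args, sign = iter(rec["params"][2:]), "+"
        for ch in rec["params"][1]:
            if ch in "+-":
                sign = ch
                continue
            takes_arg = ch in ARG_MODES or (ch == "l" and sign == "+")
            arg = next(args, None) if takes_arg else None
            if ch == "o" and sign == "+" and arg:
                ops.add(arg)
    return ops


def operator_messages(log, ops):
    """Channel chatter by the operators, in log order (the slides' second grep)."""
    return [
        (rec["nick"], rec["trailing"])
        for rec in map(parse_line, log.splitlines())
        if rec and rec["cmd"] == "PRIVMSG" and rec["nick"] in ops
    ]


def infection_reports(log):
    """Map each reporting bot's host to the victim IPs it claimed to have hit.

    Returns (bots_by_host, victims).  A nick!user@host prefix is unique on the
    network at a given moment, but one machine may reconnect under a new nick,
    so the population estimate keys on the host, not the nick.
    """
    bots = defaultdict(set)
    for rec in map(parse_line, log.splitlines()):
        if not rec or rec["cmd"] != "PRIVMSG":
            continue
        m = TRANSFER_RE.search(rec["trailing"] or "")
        if m:
            bots[rec["host"]].add(m.group(1))
    victims = set().union(*bots.values()) if bots else set()
    return dict(bots), victims


if __name__ == "__main__":
    ops = channel_operators(SAMPLE_LOG)
    print("operators:", sorted(ops))
    for nick, text in operator_messages(SAMPLE_LOG, ops):
        print(f"  <{nick}> {text}")
    bots, victims = infection_reports(SAMPLE_LOG)
    print(f"reporting bots: {len(bots)} unique hosts, victims claimed: {len(victims)}")
```

In the constructed sample, nicks b01 and b03 share a host, so the host count (2) differs from the nick count (3); on real data the same ambiguity runs the other way as well, since a bot on a dynamic address can show up under several hosts.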
Bonus (!?)
• Take a look at this line:
• :[email protected] PRIVMSG #siwa :4% join #testing
– resit is the nickname of the operator
– admin.siwatech.com is its host name
– ...SIWAtech.com!
• Yes, the label I used for this botnet! Curious...
– The timestamp of this command is “06/02/2009-20:53:54”
– ...and the website is still reachable! (02/2011)
#siwa C&C on the map
Conclusions
• Botnet masters were conscious that someone was “spying” on their botnet.
– botmasters are not stupid.
• We saw only what they wanted to show us.
– Could this information be reliable?
– Why did they choose to show their botnet population?
• to show us their p0w3r?
• ...or just to deceive us?
• We should be careful with conclusions...
References
• My Bachelor Thesis, pg. 89
– http://www.honeynet.it/wp-content/uploads/Dorothy/The_Dorothy_Project.pdf
• All the data are still available and accessible through the Dorothy WGUI
– send me an email for an account: [email protected]