Illusion - Now you see me, now you don’t
Let’s take a look at yet another bot originating from Mother Russia. It’s called Illusion, and it has a nice and clear GUI configuration tool that even an idiot (you could argue that only idiots use malware anyway) can use.
So, let’s take a look at the interface:
So, we can see that it has at least the following features:
- C&C can be managed over IRC and HTTP
- Proxy functionality (Socks4, Socks5)
- FTP service
- MD5 support for passwords
- Rootkit
- Code injection
- Colored IRC messages
- XP SP2 Firewall bypass
- DDOS capabilities
Here’s the command list for the bot:
- login: Log onto the bot
- logout: Log out
- echo [text]: Echoes the [text] back to the IRC
- Displays a message box to the computer user
- set: Set a variable to a certain value
- sinfo: Show system information
- vinfo: Show variable information
- dinfo: Show disk information
- status: Show current tasks (socks, ftpd, flood, etc.)
- get [noexec]: Download a file to the computer and possibly execute it
- getstop: Stop downloading a file
- irc: Send a raw IRC command
- op [nick]: Give channel operator status to a user
- deop [nick]: Take away channel operator status from a user
- icmpflood [nospoof]: Start an ICMP flood against a target, spoofed if wished so
- icmpfloodstop: Stop the ICMP flood
- shutdown: Turn off the bot
- reconnect: Make the bot reconnect to the IRC
- nick [nick]: Change the bot’s nickname to [nick]
- ver: Show bot version string
- dccsend [port]: Transmit a file to the attacker
- screenshot: Save a screenshot of the current monitor view to the hard disk
- dccsendstop: Abort the DCC send
- dccshell [port]: Start a connect-back DCC shell
- dccshellstop: Stop the DCC shell
- processes [highlight_process]: List processes that are currently running on the host
- socks4 [port]: Start up a Socks4 daemon
- socks5 [port]: Start up a Socks5 daemon
- socks4stop: Stop the Socks4 daemon
- socks5stop: Stop the Socks5 daemon
- stopall: Stop all current tasks
- ftpd [port]: Start up an FTP daemon
- ftpdstop: Stop the FTP daemon
- beep [freq] [time]: Make the host computer emit a beep
- httpflood [port] [url]: Start an HTTP flood against a target
- httpfloodstop: Stop the HTTP flooding
- killall: Kill all processes that match the name
- getpid: Get the process identifier (PID) of the process that matches the name
- kill: Kill the process that matches the PID
- synflood: Start a SYN flood against a target
- synfloodstop: Stop the SYN flood
- udpflood [port]: Start a UDP flood against a target
- udpfloodstop: Stop the UDP flood
- Email a file to the given recipient
- client: Show information about IRC and HTTP administration
- bindport [port]: Start up a bindshell on the given port
- bindportstop: Stop the bindshell
- config: Show the bot configuration
- igmpexploit: IGMP exploit against WinXP SP all & Win2003 all; it hangs the remote system
- ircadmin [password]: Change the configuration of the main IRC C&C
- webadmin: Change the configuration of the main HTTP C&C
- ircradmin [password]: Change the configuration of the secondary IRC C&C
- webradmin: Change the configuration of the secondary HTTP C&C
So, most of what you can do with this is steal data from the infected machine and DDOS someone. Below are the variables that are used in the various DDOS functions:
Variables for set:
i_freq, i_threads, i_datasize, hf_freq, hf_threads, s_freq, s_threads, u_freq, u_threads, u_datasize, spoof_ip, tsrcport, usrcport
Now, let’s focus on the interesting parts.
The Rootkit:
The rootkit component is small, only 4864 bytes long. The malware drops it to C:\WINDOWS\system32\drivers\ntndis.sys and activates it immediately afterwards. The driver hooks the following functions in the SSDT: ZwEnumerateKey, ZwOpenProcess, ZwQueryDirectoryFile, ZwQuerySystemInformation. This effectively hides the bot and its components from directory listings and the registry, and denies access to the bot process. However, since it hooks the SSDT directly, any proper rootkit detector will be able to see the hidden files and processes.
The Bot:
When the bot starts up it checks the operating system version. If it detects Win98, it calls the RegisterServiceProcess API to hide the process from the Task Manager. Afterwards it checks whether it is the only running copy by creating the mutex 21853768232324616. The bot will then proceed to install the rootkit component. If the installation fails, the bot will try to inject its code into the explorer.exe process.
And now some tidbits:
The HTTP flooding component uses the following User-Agent fields when performing the DDOS:
Mozilla/5.0 (Slurp/cat; vaginamook@inktomi.com; http://www.supercocklol.com/slurp.html)
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/2003100
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ODI3 Navigator)
Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5) Gecko/20031021
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5a) Gecko/20030718
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; H010818; AT&T CSM6.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; DigExt)
Mozilla/5.0 (Slurp/si; slurp@inktomi.com; http://www.inktomi.com/slurp.html)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avast Browser [avastye.com]; .NET CLR 1.1.4322)
Googlebot/2.1 (+http://www.googlebawt.com/bot.html)
Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
FAST-WebCrawler/3.8 (atw-crawler at fast dot no; http://i.love.teh.cock/support/crawler.asp)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.3.1.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Microsoft-WebDAV-MiniRedir/5.1.2600
Mozilla/4.75 [en]
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts-MyWay; (R1 1.3); .NET CLR 1.1.4322)
Mozilla/4.0 compatible ZyBorg/1.0 (wn.zyborg@looksmart.net; http://www.lolyousuck.com)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Lynx/2.8.4rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/0.8.6
Also, the flooder has a list of paths it will request from the target:
forum/config.php
cgi-bin/index2.pl
cgi-bin/index.pl
index2.pl
index.pl
game.php
1.php
list.php
old.php
right.php
left.php
footer.php
bottom.php
top.php
header.php
script.php
qwerty.php
index2.php
db.php
config.php
test.php
phpBB2/
chat/
forum/
index.cgi
cgi-bin/index.cgi
index.php3
index.html
index.htm
index.phtml
index.dhtml
index.php
/~/~/~/~/~/
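A detection pass a web server admin could run over Apache combined-format logs, written here as an added example (not code from the original post or from the bot): it scores each request against the bogus User-Agents and the request paths listed above and flags sources that pile up evidence within a short window, so that a single legitimate-looking hit on index.php is not enough on its own. The path subset, window size and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fragments that occur only in the bogus User-Agents of the bot's rotation list
BOGUS_UA_MARKERS = ("googlebawt.com", "supercocklol.com", "lolyousuck.com",
                    "i.love.teh.cock", "avastye.com", "ODI3 Navigator")
# Paths from the flooder's request list (leading slash added); a subset, extend as needed
FLOOD_PATHS = {"/forum/config.php", "/cgi-bin/index.pl", "/index.pl", "/game.php",
               "/config.php", "/db.php", "/test.php", "/phpBB2/", "/chat/",
               "/forum/", "/index.cgi", "/index.php3", "/index.html", "/index.htm",
               "/index.phtml", "/index.dhtml", "/index.php", "/~/~/~/~/~/"}
# Apache combined log format: ip ident user [time] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" '
                    r'\d+ \S+ "[^"]*" "([^"]*)"$')

def score_request(path, ua):
    """Evidence per request: a bogus UA is strong (2), a flood path alone is weak (1)."""
    score = 2 if any(m in ua for m in BOGUS_UA_MARKERS) else 0
    return score + (1 if path in FLOOD_PATHS else 0)

def flag_flooders(lines, window=10, threshold=6):
    """Return {ip: peak score} for sources whose score reaches `threshold` within `window` s."""
    events = defaultdict(list)  # ip -> [(timestamp, score)]
    for m in filter(None, map(LOG_RE.match, lines)):  # lines not in combined format are skipped
        ip, ts, path, ua = m.groups()
        if s := score_request(path, ua):
            events[ip].append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), s))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over the sorted timestamps
            while (evs[end][0] - evs[start][0]).total_seconds() > window:
                start += 1
            total = sum(s for _, s in evs[start:end + 1])
            if total >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), total)
    return flagged

# Constructed sample lines, not from a real server; window/threshold values are assumptions
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Feb/2009:13:51:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Googlebot/2.1 (+http://www.googlebawt.com/bot.html)"',
    '10.0.0.5 - - [14/Feb/2009:13:51:01 +0000] "GET /~/~/~/~/~/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ODI3 Navigator)"',
    '10.0.0.5 - - [14/Feb/2009:13:51:03 +0000] "GET /forum/config.php HTTP/1.1" 403 199 "-" "Mozilla/4.0 compatible ZyBorg/1.0 (wn.zyborg@looksmart.net; http://www.lolyousuck.com)"',
    '192.0.2.9 - - [14/Feb/2009:13:51:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031021"',
]
```

Running `flag_flooders(SAMPLE_LOG)` flags only 10.0.0.5; the second source hits a flood path with a UA that real browsers also send, which is why path matches alone carry little weight.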
The rest of the bot is pretty basic stuff that can be seen in most bots in the wild. It employs XOR and Caesar ciphers to mask some of the strings inside the bot.
February 14th, 2009 at 1:51 pm
[…] Source: MWBlog: “Illusion - Now you see me, now you don’t” […]