Analog5:003 Article 002
From Hak5
Botnet Hunting
By: gameman73
Published: April 20th, 2007
Famicoman says he wants an article so here we go....
I'm going to go over a brief description of how botnets work (at least how the 2 popular bots work), and how to find some. I guess I'll get my warning out now.
***WARNING*** botnet owners typically don't like it when people come snooping around their servers. If you don't want to potentially risk being hacked, or DDoS'ed, I would avoid actually doing this. ***END WARNING***.
Now that that is out of the way, let's continue. According to vnu.co.uk, the two most popular bots are sdbot and gaobot. Typically they spread via unpatched vulnerabilities in Windows. These bots are controlled through an IRC server. When the bots are active, they connect to the server and join whatever room they were programmed to join. Often the room's topic contains a command, and the bot starts executing it. The commands could tell the bot to start spreading, print system information, start a DDoS attack on a server, clone-flood another IRC server/channel, etc.
When a computer is exploited, the zombie that exploited it sends a batch file to the newly infected computer that tells it to connect to a certain port on the zombie and download the bot. This is done over FTP in active mode.
So a simple way to find random botnets is to just put a Windows XP SP0 install out on the internet and let it catch things. From there, you can get the actual exe and figure out where it connects back to (either via Wireshark or netstat). But what if you're attempting to trace a zombie back to its owner? That is also possible, provided you know the zombie's IP address.
To do this, I use nmap, netcat, and telnet. There's no technical reason why a proper FTP client couldn't work; however, there are some oddities about the FTP server hidden away on the bots that will confuse most FTP clients. I use nmap to find the FTP server's port (typically it's a 5-digit port number, randomly generated when the bot is run), then telnet into it. From there, you type in:
USER *something random*
PASS *something random*
Yes, the bots by default don't have actual usernames or passwords. I'm not sure if this is a configurable option on the bots or not, but I guess whatever works. After that, you need to issue a PORT command. Now, this is tricky if you're not familiar with the FTP protocol. If your IP address is w.x.y.z, you're going to type in PORT w,x,y,z,G,H. G and H together encode the port number; however, there are some calculations to be done to know which values to put in. The formula for calculating the port number is ((G*256) + H), where H is under 256. So to find G, you do integer division of the port you want open by 256. The remainder of that division is then H. Let me use an example.
You want port 35366... 35366\256 (note the \, that's integer division, which is different from /, proper division). That gives you 138, which is G. From there, you do 35366%256 (the modulo operator, which returns just the remainder). We get 38, which is H. So the actual port command would be 'PORT w,x,y,z,138,38'. Hopefully that's understandable; if not, this is all in the FTP specification, so Google will be of help.
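To make the arithmetic concrete, here is an added example (mine, not from the article) that builds the PORT argument from an address and port and parses one back, rejecting the common mistake of putting the raw port number in the H slot. The address 192.0.2.10 is a made-up sample value.

```python
# Added example (not from the original article): encode and decode the
# argument of the FTP PORT command used for active-mode data connections.


def encode_port_arg(ip: str, port: int) -> str:
    """Build the PORT argument 'h1,h2,h3,h4,p1,p2' for an IPv4 address and port.

    p1 is the integer quotient port // 256 (the article's G) and p2 is the
    remainder port % 256 (the article's H), so that port == p1 * 256 + p2.
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    p1, p2 = divmod(port, 256)  # integer division and remainder in one step
    return ",".join(octets + [str(p1), str(p2)])


def decode_port_arg(arg: str) -> tuple[str, int]:
    """Parse a PORT argument back into (ip, port), rejecting malformed input."""
    fields = arg.replace(" ", "").split(",")
    if len(fields) != 6:
        raise ValueError(f"PORT needs 6 comma-separated numbers, got {len(fields)}")
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise ValueError(f"non-numeric field in {arg!r}") from None
    # Every field is one byte: writing the raw port as H (e.g. ...,0,35366) is wrong.
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("every field must be 0..255 (p1 and p2 are bytes, not the raw port)")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ip, port


def port_command(ip: str, port: int) -> str:
    """The full command line you would type into the FTP control connection."""
    return f"PORT {encode_port_arg(ip, port)}\r\n"


if __name__ == "__main__":
    # Constructed sample values: a documentation address and the article's port 35366.
    print(port_command("192.0.2.10", 35366).strip())  # PORT 192,0,2,10,138,38
    print(decode_port_arg("192,0,2,10,138,38"))       # ('192.0.2.10', 35366)
```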
Now we need to open up the port of your choosing. Make sure ports are forwarded and such. Netcat is a very handy tool for listening on a connection and just dumping output to a file. Run nc -l -p *port number* > file.bleh. This tells netcat to listen on whatever port you tell it and dump whatever it receives to file.bleh.
Now our problem is that we don't know the file name. So what do we do? Pick something! Turns out that while a proper user/pass isn't needed, the server also isn't picky about the filename and just returns the file anyway. So type in GET blehbleh.bleh and watch netcat print out the exe. (Note: if you have antivirus software on the computer running the netcat listener, it may go off. Use at your own risk.)
Now you have a copy of the bot. What you do from here should be obvious, and in the interests of time, I won't go over it. I would like to make a final important note. Read the warning above, and remember, in order to help control the botnet population, please scan and disinfect your computer. :)
- Sources
http://www.vnu.co.uk/vnunet/news/2187626/evil-trojans-twins-control
http://slacksite.com/other/ftp.html
Mad props to Manuel and Moonlit for proofreading again.