
Case study #siwa




  1. Case study #siwa Botnet Panel

  2. The #siwa botnet
  • IRC botnet monitored for 5 months (+/-)
  • The name “#siwa” comes from the IRC channel used by the involved malware

  3. Some IRC background
  • IRC channels are moderated by channel operators
  • Chan OPs (@nick) have the rights to
    • give the @ to other users
    • change the channel topic
    • kick/ban people from the channel
    • etc.
  • The channel mode +M (moderated) means that only registered nicks (or @operators) may talk in that channel.

  4. The Dorothy-Drone Log file

  5. 0.2 cents investigation
  • Only operators can change channel settings, by using the MODE command.
  • Let's grep “MODE” to see who the operators are
  • OK, now we have the operators (OPs); let's grep them to see what they said

  6. 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa +o abc
  72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa -M
  72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa +o Burimi
  72.10.169.26:2293 --> :abc!~abc@116.71.172.204 PRIVMSG #siwa :u seee us eee
  72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :lol !
  72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :bots joining
  72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :.oper
  72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :i cant se bots
  72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :oper
  72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :d
  72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net PRIVMSG #siwa :d
  72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net MODE #siwa +o resit
  72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net MODE #siwa +o Burimi
  72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net PRIVMSG #siwa :4% join #testing
  72.10.169.26:2293 --> :resit!~tr@admin.siwatech.com PRIVMSG #siwa :4% join #testing
  72.10.169.26:2293 --> :resit!~tr@admin.siwatech.com MODE #siwa +M

  9. :abc: u seee us eee
  :Burimi: lol !
  :Burimi: bots joining
  :Burimi!: .oper
  :Burimi!: i cant se bots
  :Burimi!: oper
  :Burimi!: d

  10. Speculations
  • It sounds like a customer service.....doesn’t it?

  11. Something more?
  • Let's see what happens when the moderation is removed (MODE -M)

  12. Let's say...
  • The string looks like:
    ({IRCHOST} PRIVMSG #siwa :-04dcom2.04c- 3. Raw transfer to {IPADDRESS})
  • Buffer Overrun In RPC Interface Could Allow Code Execution (MS03-026)
  • So in human jargon, it could mean that
    {IRCHOST} has infected {IPADDRESS}

  13. Let's say...
  • So in human jargon, it could mean that {IRCHOST} has infected {IPADDRESS}
  • {IRCHOST} = :IsGGoMJY!~apufsc@e178216081.adsl.alicedsl.de
    i.e. {NICK}!~{USERHOST}@{HOSTNAME}
  • By RFC, every IRC userhost has to be UNIQUE
  • We could enumerate how many UNIQUE hosts are infected
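As an added worked example (not code from the slides or from the Dorothy project), the two grep steps of slide 5 and the unique-host count of slides 12 and 13, done in Python over log lines in the Dorothy-drone layout shown on slide 6. The line layout, the regular expressions, the function names and the mIRC control-byte handling are my assumptions; the first sample lines are copied from slide 6, while the bot report lines (nicks bot1/bot2, hosts in 192.0.2.0/24, targets in 198.51.100.0/24) are constructed.

```python
import re
from collections import defaultdict

# Assumed layout of one Dorothy-drone log line, as the slides show it:
#   <sensor ip:port> --> :<nick>!<user>@<host> <COMMAND> <params>
LINE_RE = re.compile(
    r"^(?P<sensor>\S+) --> :(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) "
    r"(?P<cmd>[A-Z]+) ?(?P<params>.*)$"
)
# mIRC control bytes: colour (\x03<fg>[,<bg>]), bold, reset, reverse, underline.
# "-04dcom2.04c-" on slide 12 is what is left of a colour code once \x03 is lost.
CTRL_RE = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x0f\x16\x1f]")
# The MS03-026 ("dcom2") report string quoted on slide 12 (assumed format).
REPORT_RE = re.compile(r"dcom2.*?Raw transfer to (?P<target>\d{1,3}(?:\.\d{1,3}){3})")
ARG_MODES = "ovbkl"  # channel modes that consume one argument; enough for this log

SAMPLE_LOG = [
    # Lines copied from slide 6
    "72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa +o abc",
    "72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa -M",
    "72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa +o Burimi",
    "72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :bots joining",
    "72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :i cant se bots",
    "72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net MODE #siwa +o resit",
    "72.10.169.26:2293 --> :resit!~tr@admin.siwatech.com PRIVMSG #siwa :4% join #testing",
    "72.10.169.26:2293 --> :resit!~tr@admin.siwatech.com MODE #siwa +M",
    # Constructed bot reports: nicks, hosts and targets are placeholders in
    # documentation address ranges; the message layout follows slide 12.
    "72.10.169.26:2293 --> :bot1!~bot@192.0.2.10 PRIVMSG #siwa "
    ":-\x0304dcom2.\x0304c- \x033. Raw transfer to 198.51.100.7",
    "72.10.169.26:2293 --> :bot1!~bot@192.0.2.10 PRIVMSG #siwa "
    ":-\x0304dcom2.\x0304c- \x033. Raw transfer to 198.51.100.9",
    "72.10.169.26:2293 --> :bot2!~bot@192.0.2.11 PRIVMSG #siwa "
    ":-\x0304dcom2.\x0304c- \x033. Raw transfer to 198.51.100.7",
]


def parse_line(line):
    """Split one log line into its fields; None for lines that do not match the layout."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["userhost"] = f"{rec['user']}@{rec['host']}"
    return rec


def find_operators(lines, channel="#siwa"):
    """Slide 5, step 1: walk every MODE line; {nick_given_op: nick_who_gave_it}."""
    ops = {}
    for rec in map(parse_line, lines):
        if not rec or rec["cmd"] != "MODE":
            continue
        parts = rec["params"].split()
        if len(parts) < 2 or parts[0] != channel:
            continue
        modes, args = parts[1], parts[2:]
        adding, i = True, 0
        for ch in modes:  # mode strings may bundle changes, e.g. "+oo a b" or "-o+v a b"
            if ch in "+-":
                adding = ch == "+"
                continue
            arg = args[i] if ch in ARG_MODES and i < len(args) else None
            if ch in ARG_MODES:
                i += 1
            if ch == "o" and arg is not None:
                if adding:
                    ops[arg] = rec["nick"]
                else:
                    ops.pop(arg, None)
    return ops


def operator_messages(lines, channel="#siwa"):
    """Slide 5, step 2: the channel messages sent by the operators, in log order."""
    ops = find_operators(lines, channel)
    out = []
    for rec in map(parse_line, lines):
        if rec and rec["cmd"] == "PRIVMSG" and rec["nick"] in ops:
            target, _, text = rec["params"].partition(" :")
            if target == channel:
                out.append((rec["nick"], text))
    return out


def infection_reports(lines):
    """Slides 12-13: each reporting user@host mapped to the targets it claims to have hit."""
    hosts = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec and rec["cmd"] == "PRIVMSG":
            m = REPORT_RE.search(CTRL_RE.sub("", rec["params"]))
            if m:
                hosts[rec["userhost"]].add(m.group("target"))
    return dict(hosts)


def unique_infected_hosts(lines):
    """The slide-13 count: one entry per distinct user@host that sent a report."""
    return len(infection_reports(lines))


if __name__ == "__main__":
    print("operators:", find_operators(SAMPLE_LOG))
    for nick, text in operator_messages(SAMPLE_LOG):
        print(f"<{nick}> {text}")
    print("unique reporting hosts:", unique_infected_hosts(SAMPLE_LOG))
```

The count is keyed on user@host rather than on nick, as slide 13 proposes, because the nicks are random per session. It is still only an estimate: several machines behind one NAT share a host string, and one machine whose lease changes shows up twice, so treat the number as a lower/upper bound pair rather than a population figure. Stripping the mIRC colour bytes before matching matters in practice, since bots that paint their reports would otherwise slip past a plain substring match.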

  14. Bonus (!?)
  • Take a look at this line:
    :resit!~tr@admin.siwatech.com PRIVMSG #siwa :4% join #testing
  • resit is the nickname of the operator
  • admin.siwatech.com is its hostname
  • ....SIWAtech.com!
  • Yes, the label that I used for this botnet! Curious
  • The timestamp of this command is “06/02/2009-20:53:54”
  • ...and the website is still reachable! (02/2011)

  15. The #siwa botnet

  16. #siwa C&C on the map

  23. Conclusions
  • Botnet masters were conscious that someone was “spying” on their botnet.
  • Botmasters are not stupid.
  • We saw only what they wanted to show us
    • Could this information be reliable?
  • Why did they choose to show their botnet populations?
    • To show us their p0w3r?
    • ...or just to deceive us?
  • We should be careful with conclusions...

  24. References
  • My Bachelor Thesis, pg. 89
    http://www.honeynet.it/wp-content/uploads/Dorothy/The_Dorothy_Project.pdf
  • All the data are still available and accessible through the Dorothy WGUI
    • Send me an email for an account: marco.riccardi@honeynet.it
