Ramblings & ephemera

What bots do and how they work

From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):

After successful exploitation, a bot uses Trivial File Transfer Protocol (TFTP), File Transfer Protocol (FTP), HyperText Transfer Protocol (HTTP), or CSend (an IRC extension to send files to other users, comparable to DCC) to transfer itself to the compromised host. The binary is started, and tries to connect to the hard-coded master IRC server. Often a dynamic DNS name is provided … rather than a hard coded IP address, so the bot can be easily relocated. … Using a special crafted nickname like USA|743634 or [UrX]-98439854 the bot tries to join the master’s channel, sometimes using a password to keep strangers out of the channel. …

Afterwards, the server accepts the bot as a client and sends him RPL_ISUPPORT, RPL_MOTDSTART, RPL_MOTD, RPL_ENDOFMOTD or ERR_NOMOTD. Replies starting with RPL_ contain information for the client, for example RPL_ISUPPORT tells the client which features the server understands and RPL_MOTD indicates the Message Of The Day (MOTD). …

On RPL_ENDOFMOTD or ERR_NOMOTD, the bot will try to join his master’s channel with the provided password …

The bot receives the topic of the channel and interprets it as a command: …

The first topic tells the bot to spread further with the help of the LSASS vulnerability. … the second example of a possible topic instructs the bot to download a binary from the web and execute it … And if the topic does not contain any instructions for the bot, then it does nothing but idling in the channel, awaiting commands. That is fundamental for most current bots: They do not spread if they are not told to spread in their master’s channel.
Upon successful exploitation the bot will message the owner about it, if it has been advised to do so. …

Then the IRC server (also called IRC daemon, abbreviated IRCd) will provide the channels userlist. But most botnet owners have modified the IRCd to just send the channel operators to save traffic and disguise the number of bots in the channel. …

The controller of a botnet has to authenticate himself to take control over the bots. …

… the “-s” switch in the last example tells the bots to be silent when authenticating their master. …

… Once an attacker is authenticated, they can do whatever they want with the bots … The IRC server that is used to connect all bots is in most cases a compromised box. … Only beginners start a botnet on a normal IRCd. It is just too obvious you are doing something nasty if you got 1.200 clients named as rbot-<6-digits> reporting scanning results in a channel. Two different IRC servers software implementation are commonly used to run a botnet: Unreal IRCd and ConferenceRoom:

  • Unreal IRCd (http://www.unrealircd.com/) is cross-platform and can thus be used to easily link machines running Windows and Linux. The IRC server software is stripped down and modified to fit the botnet owners needs. Common modifications we have noticed are stripping “JOIN”, “PART” and “QUIT” messages on channels to avoid unnecessary traffic. … able to serve 80.000 bots …
  • ConferenceRoom (http://www.webmaster.com/) is a commercial IRCd solution, but people who run botnets typically use a cracked version. …

Comments are closed.