Here is an interesting article sent to me to be approved for the exploit section.
This article was written by ara2, at present a trial member, giving his detailed account of a honeypot attack on his system. Please leave your comments below...
---------------------------------
Honeypot report - ddos botnet+fxp pubstro
In the last day I set up a honeypot on my computer. It has now been running for 5 hours.
Here are some notes on how I set it up, what I came across, and my conclusions. The IPs have been masked with 'xxx'.
I would appreciate any tips regarding the VMware/Windows config, and suggestions on tools I could use.
Setup
Host: Windows 2000 Pro
- turned off ports 135, 139, 445
- installed VMware
VMware Workstation 4, 30-day trial
- 1 GB virtual drive
- 128 MB RAM
- NAT port forwarding on TCP 135/139/445/1025/1027
- NAT port forwarding on UDP 135/137/138/445/500/1026
Windows 2000 Professional, SP3
- turned off DCOM so I wouldn't get Blaster
- default configuration... administrator/blank password, shares, the total
- installed some tools to see what's going on
NetBIOS scans
A lot of NetBIOS scans, as expected. Hard to say how many, because I have not been packet sniffing all the time. A tool to count how many, anyone?
services.exe
services.exe crashed about 10 times... hehehe
sdbot / French pubstro
Sdbot install
Within the first 5 minutes of it being connected via NAT, what I assume to be a drone spreader takes the bait.
The bot drops a file called ec.exe, which once run, expands into 2 files:
- bagc.exe - suspected backdoor
- bagd.exe - sdbot
and then runs the two files. The bagd.exe bot copies itself to fqeccq.exe.
fqeccq.exe connects to IRC ( webhost2.xxx.com:32684 ) with a random nick/ident, and joins #afk, key 'findnow'. A little under 3000 other sdbots in the channel.
the bot owner decides to play with some of his bots:
I manually download and run winnts.exe, to see what it's all about. It installed a Serv-U pubstro and an nc-type backdoor. It also tried to secure the comp:
- deleting shares ( net use /delete )
- disabling null NetBIOS session with regedit
- disabling telnet with regedit
files:
c:\winnt\enter.txt - servu login file
c:\winnt\root.bat - secure / run servu on startup
c:\winnt\servudaemon.exe - ... how subtle
c:\winnt\servudaemon.ini - no comment
c:\winnt\system32\os2\dll\enter - creates subfolder hierarchy to display who scanned the pubstro, etc
c:\winnt\system32\os2\dll\hd.exe - to display free space, i assume
c:\winnt\system32\os2\dll\porte-arriere\tlist.exe - to see processes (note: porte-arriere means backdoor)
c:\winnt\system32\os2\dll\porte-arriere\sbd.exe - the actual backdoor
Observing the attacker
Not knowing the bot's command responses, I don't reply anything to the botmaster's commands. He wants his edu FTP and starts wondering what's wrong.
Notice the sympatico.ca... Montreal, land of French Canadians. I try to connect to that IP, on the port of the backdoor installed earlier. No connection. This leads me to believe he's using his real IP... tsk tsk
I then realise he doesn't talk English, and ask him the same thing in French. He says he's not that stupid, yet SYNPACKET quits a few minutes after. I ask why he's on my computer, he replies that he likes warez, and edu connections are well loved.
Conclusions
The attacker: I would classify this as an evolved script kiddie. Merits:
managed to set up an IRC on webhost2.xxx.com (assuming it's not a shell he bought...)
enough knowledge to edit the sdbot.c and spread it around.
uses fport and kill to detect concurrent rootkits
flaws:
doesn't know how to conceal his apps very well:
- servudaemon.exe
- servudaemon.ini
- obvious virus/worm filenames like fqeccq.exe
- bad registry key names
uses standard startup techniques
no clean up of the install files
didn't catch the recursive filename append bug in the sdbot source.
I by no means pretend to be more or less knowledgeable than this person, as I wasn't even able to set back the shares correctly on my honeypot, and needed to reinstall that Windows afterwards. Note to self: make backups.
The attack: ntpass is not dead... 3000 DDoS drones! I assume he first spread manually to easy targets, DSL/cable ranges. Once he has enough bots, he can then scan for more appealing ranges, edus and coms. In approx. 2 hours on his network, I saw over 5 edus being announced as scan results, and then join the channel.
Scary: his 2nd nick was SYNPACKET, and he had 3000 DSL/cable DDoS bots at his disposal. At 15k upload each, that's a lot of DDoS.
Man, 3000 bots really is not very much. There are guys with 300,000+ ! I've seen a botnet like that in person, it was on a dedicated 9 GB machine colocated directly on an ISP's backbone. Now that would be DDoS ;) Though, this being an evolved script kiddie is quite probably correct, anyone a bit more advanced would have incorporated a rootkit into the package, and probably also had a lot more security on the IRCd.
andydis
Jan 7 2004, 03:06 PM
excellent read.
mrBob
Jan 7 2004, 03:35 PM
hmm, thanx for the info excellent read indeed
ssj4conejo
Jan 7 2004, 04:18 PM
great stuff, goes to show that not every admin is stupid. There are many many intelligent admins out there who know your every move
Kuhl
Jan 7 2004, 05:31 PM
nice nice
Nightdemon
Jan 7 2004, 07:11 PM
wow nice tutorial, and funny to see that you're already getting scanned within 5 hours
GhostCow
Jan 7 2004, 07:35 PM
cool, nice read... very very interesting...
Yorn
Jan 7 2004, 07:59 PM
QUOTE
There are guys with 300,000+ !
I used to be extremely active and the most I ever personally saw was still under 30K. I find this 300,000 number very hard to believe, cause rm's will buy bots and cards at a buck per. And if so, this guy would have cashed in long, long, before. But you have to know how to find them, so maybe this guy is only using them for filesharing bots on IRC.
iLLuSioN
Jan 7 2004, 08:10 PM
lol smart guy (the admin) ... pretty dumb of that guy to use his real ip if he is going to have a botnet imo ..
Train25
Jan 7 2004, 08:17 PM
Nice details on his attack of your honeypot. Very informative. Definitely didn't take him long to tag it, that's 4 sure.
My question is how long did it take him to complete the whole process from start to finish? I would venture to guess a couple mins?
vnet576
Jan 7 2004, 09:09 PM
Well this was a very interesting read
I think that we should have a honeypot/IDS section where we can post our experiences and techniques with honeypots. I'm sure that many people at one point have set up a honeypot and have come up with interesting or surprising results.
Yorn
Jan 7 2004, 09:18 PM
QUOTE
I think that we should have a honeypot/IDS section where we can post our experiences and techniques with honeypots. I'm sure that many people at one point have set up a honeypot and have come up with interesting or surprising results.
Sometimes though, talking about your honeypot kind of defeats the purpose of having it. I mean, we're basically sitting amongst the exact kind of people we would want to be infecting it. And besides, once you've seen one, you've seen them all.
The trick is to build an application that will steal their bots. Think it can't be done? Wrong, it soooooo can. You'd be amazed at how easy it is using the knowledge we use and express on these boards every day, but I'm not going to reveal my tactic for getting a guy to lose all of his bots in a channel at once.
vnet576
Jan 7 2004, 09:23 PM
Don't think that technique is pretty hard. Generally people have the same login password on all of their bots... especially if they are spread via autospreading techniques. If he infects you, get the password that he sends to you to login and then you can easily take over the botnet... Maybe you're talking about a different technique though... but that one is easiest of all.
Yorn
Jan 7 2004, 09:37 PM
QUOTE (vnet576 @ Jan 7 2004, 03:23 PM)
Don't think that technique is pretty hard. Generally people have the same login password on all of their bots... especially if they are spread via autospreading techniques. If he infects you, get the password that he sends to you to login and then you can easily take over the botnet... Maybe you're talking about a different technique though... but that one is easiest of all.
Well, yeah. You used to be able to do that. Now though, the owner will +m the channel and use his op status to talk. Since you cannot talk, then you cannot directly control the bots.
Or, they will set the bots so that they will not activate/respond unless the person talking is an op. So what are your options?
Simple, just wait till he pulls your set of bots into a new room or send him a message saying, "http://sec.gravito.com/hta/?exploit.exe" where exploit.exe is an application that opens up a backdoor on *HIS* computer, and downloads a file and runs a vbs script that runs the commands *FROM* his mIRC or directly from his IP address and botherds his botfarm into your control.
Boy do they get pissed off when you do that to all of their 5,000+ bots. Wiping them all to oblivion in just one fell swoop.
ara2
Jan 7 2004, 09:39 PM
I went and checked the host for his IRC server... shell :\ no merit to paying 30 bucks a month to store his DDoS bots!
QUOTE
There are guys with 300,000+ !
Well, I find that hard to believe, but it's possible. This one was the biggest I had seen live, and I rounded the number up to 3000 ( it was at 2700+ when I joined ).
This paper talks about 25k size botnets, but I don't see where he got that number.
What you will see though, is for flooding attacks on IRC, they will use 2 or 3 clones of the same bot, which can make you think it's quite larger than it actually is.
I just hope the 300k were not all in the same chan.
QUOTE
My question is how long did it take him to complete the whole process from start to finish? I would venture to guess a couple mins?
Scan for NetBIOS shares and password + install I would estimate to about a minute, depending on the upload speed for the files (130k or so).
Then when I logged on his net with an edu bnc, it took him about 30 secs to send me an update command, so the whole process would be like 2 minutes, from scan to pubstro installed.
Then he has to manually log onto the pubstro to check with fport if there's any competitors. 2 mins top to kill them.
QUOTE
cause rm's will buy bots and cards at a buck per
what are rm's and cards?
//For all the botnet stealing talk: if you do steal a botnet, just make sure the owner doesn't see the command you use to update their files, or he can download your pack, and then do just what you did.
I know there's some botnets where the password will depend on your nick and hostmask, i.e. make an MD5 of your current nick!ident@host, and this is your password. Have fun decompiling the source to steal his net.
Hexboy
Jan 8 2004, 12:53 AM
Very nice read. Love the chat with the bastard.
vnet576
Jan 8 2004, 01:06 AM
Not a good idea to make your botnet hostname dependent... if you decide to change ISPs you will lose all of your bots since your hostname changes. Also some people have dynamic IPs.
Yorn
Jan 8 2004, 01:48 AM
QUOTE
what are rm's and cards?
Russian Mafia. I don't know why they want them as much as they want "cards" which are CC#s. They go for bank accounts, but that stuff usually only works for a while. CC's are good source of low income to fake porn or russian brides sites.
^ Old links though. They are doing African banks last I heard. More money I guess.
Note: I was not involved with, nor did I ever work with anyone that represented them. They did, however, need arbitrators or "middle men" to do negotiations with 3rd parties and for some reason thought a post I made on some perl forum a gazillion years ago qualified me.
Instead I forwarded the info I had to fbi.gov.
QUOTE
//For all the botnet stealing talk: if you do steal a botnet, just make sure the owner doesn't see the command you use to update their files, or he can download your pack, and then do just what you did.
Well, yeah.. unless you use a P2P botnetwork and use SHA-1 hashes with a master pass on different network "farms". There are botfarmers that will know if something is up and actually DDOS on alert. There are levels beyond file-sharing in IRC and just running xdcc bots on college networks. Esp when some of these guys are scanning from bots inside networks on the LAN.
CODE
I know there's some botnets where the password will depend on your nick and hostmask, i.e. make an MD5 of your current nick!ident@host, and this is your password.
Yeah. There are. But all you have to do is spam a text that says, "http://link-to-your-IE-exploit" and then steal his info. Or, if passworded, run a key-gen on his machine to route out and obliterate the botnet using his password. It's these kinds of i-vigilantes that are a bane to botnet runners.
Of course, sometimes I think that the folks dispersing the networks are actually FBI agents that get paid to do it. Wouldn't that be a hell of a job? Getting paid to infiltrate a botnet and disassemble it. Awesome.
xzibit
Jan 8 2004, 02:06 AM
heh, I've never seen botnets the size of 300,000. But being honest, I have seen one up to 250,000.
The server was on a 100 Mbit FreeBSD dedicated box. And yes they were all in one channel. The IRCd was specially modded to save bandwidth. Only opers could see nicklists. No join/part messages, and other ways to save bandwidth. So it is possible....
In the past, I have racked up 30k. These were hosted on an IRCd similar to the one I just mentioned but not modified as much as that one.
U guys have interesting theories on ways to steal ;x
Progressor
Jan 8 2004, 08:17 AM
Interesting read. I heard about some honeypot programs, so you don't need to install a virtual machine, but I can't remember the name of them ...
Yorn
Jan 8 2004, 03:53 PM
QUOTE (xzibit @ Jan 7 2004, 08:06 PM)
The server was on a 100 Mbit FreeBSD dedicated box. And yes they were all in one channel. The IRCd was specially modded to save bandwidth. Only opers could see nicklists. No join/part messages, and other ways to save bandwidth. So it is possible....
The problem I have with this is that while it can be done, it'd be far better to write your own P2P code and have the bots communicate over that than connect to a shell account running IRCd.
ara2
Jan 8 2004, 10:29 PM
Updates made to honeypot:
- installed IIS
- hid VMware service and analysis tools with Hacker Defender
- restricted outgoing traffic so I don't scan/spread for anyone
--
Just got two other DDoS bots installed.
Note: if you use mstask/at to run the file you uploaded, this is logged in %sysdir%\SchedLgU.txt
example:
QUOTE
"At1.job" (fasz.exe) Started 2004-01-08 17:42:00
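As an added defender-side example (not part of ara2's post or any tool from the thread), a small parser for the SchedLgU.txt entries mentioned above: it reads constructed log lines in the single-line form quoted above and in an assumed two-line Started/Finished/Result layout, and flags jobs named At<n>.job, the name pattern the `at` command produces. The ISO timestamp format and the `known_good` allow list are assumptions for the example; a real SchedLgU.txt uses locale-formatted dates.

```python
import re
from datetime import datetime

# Job header: "At1.job" (fasz.exe), optionally followed by the event on the same
# line (the form quoted in the thread) or on the next line (assumed layout).
_HEADER = re.compile(r'^"(?P<job>[^"]+)"\s+\((?P<exe>[^)]+)\)\s*(?P<rest>.*)$')
_EVENT = re.compile(r'^\s*(?P<event>Started|Finished)\s+'
                    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$')
_RESULT = re.compile(r'^\s*Result:\s*(?P<result>.*)$')
# Jobs created by the `at` command are named At1.job, At2.job, ...
_AT_JOB = re.compile(r"^At\d+\.job$", re.IGNORECASE)


def parse_schedlgu(text):
    """Return one dict {job, exe, event, ts, result} per Started/Finished entry."""
    entries = []
    job = exe = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            job, exe = m.group("job"), m.group("exe")
            line = m.group("rest")          # event may sit on the header line
            if not line:
                continue
        if job is None:
            continue                        # text before the first job header
        ev = _EVENT.match(line)
        if ev:
            entries.append({"job": job, "exe": exe, "event": ev.group("event"),
                            "ts": datetime.strptime(ev.group("ts"), "%Y-%m-%d %H:%M:%S"),
                            "result": None})
            continue
        rs = _RESULT.match(line)
        if rs and entries:
            entries[-1]["result"] = rs.group("result").strip()
    return entries


def suspicious_at_jobs(entries, known_good=()):
    """Started entries for At*.job whose executable is not on the allow list."""
    allow = {k.lower() for k in known_good}
    return [e for e in entries
            if e["event"] == "Started"
            and _AT_JOB.match(e["job"])
            and e["exe"].lower() not in allow]


# Constructed sample, modelled on the entry quoted in the thread.
SAMPLE_LOG = '''"At1.job" (fasz.exe) Started 2004-01-08 17:42:00
"At1.job" (fasz.exe)
\tFinished 2004-01-08 17:42:05
\tResult: The task completed with an exit code of (0).
"Backup.job" (ntbackup.exe) Started 2004-01-08 18:00:00
"At2.job" (cmd.exe) Started 2004-01-08 18:05:00
'''


def report(text=SAMPLE_LOG):
    """(job, exe, timestamp) for every flagged at-job start in the log text."""
    hits = suspicious_at_jobs(parse_schedlgu(text), known_good=("ntbackup.exe",))
    return [(h["job"], h["exe"], h["ts"].isoformat()) for h in hits]


if __name__ == "__main__":
    for job, exe, ts in report():
        print(f"{ts} {job} ran {exe} - scheduled via at, check who created it")
```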
GhostCow
Jan 9 2004, 11:57 AM
where are the key log files on nt based systems? sorry to ask this but im a noob
daguilar01
Jan 9 2004, 03:50 PM
very interesting read, i love to learn off others' mistakes, thank you for this great article and very well written
edit: would love to see more articles like this from you,
Donken
Jan 9 2004, 04:31 PM
very interesting reading. Thx for the post. Hope that he learned his lesson
GhostCow
Jan 10 2004, 02:15 PM
great post... question: how can i, a simple XP user view my logs, and how can i see which applications log, and to where? how can i clean them successfully on other nt-based systems? (i know of a program called clearlogs, and i use it but i dont know to what extent it works)
UnDeRTaKeR
Jan 10 2004, 05:08 PM
Very great post man!!! 10x a lot!!!
Yorn
Jan 10 2004, 08:39 PM
Is this honeypot running on an EDU network?
LiquidIce
Jan 12 2004, 01:15 AM
v/nice read thnx for writing up
LiquidIce
Jan 12 2004, 01:16 AM
QUOTE (Yorn @ Jan 10 2004, 08:39 PM)
Is this honeypot running on an EDU network?
no it says his .edu host was a bnc
xzibit
Jan 12 2004, 11:03 PM
QUOTE (GhostCow @ Jan 10 2004, 02:15 PM)
great post... question: how can i, a simple XP user view my logs, and how can i see which applications log, and to where? how can i clean them successfully on other nt-based systems? (i know of a program called clearlogs, and i use it but i dont know to what extent it works)
Nice reading. Greetings ara2 for the forensics job
=k3Rn=
Jan 13 2004, 02:29 AM
hehe yea really nice! when i get a Linux system running - i'll set up a honeypot too - just for the fun
could someone please tell me where ara2 posted that article originally?
greetz =k3Rn=
w00dy
Jan 13 2004, 02:42 AM
He originally posted it to ComSec. He was unable to post to this forum because of the trial member status. But since we don't want to completely disallow trial members from creating new threads, they are welcome to send any topic they wish to start to a moderator and if it passes, the mod will post it giving the original person credit for the article, just as ComSec has done here.
=k3Rn=
Jan 13 2004, 03:21 AM
alright thx for the info. i think it's a mate of mine - i'll ask him. the world is getting smaller and smaller, like time is slipping and slipping more into the future
Cow|
Jan 13 2004, 08:18 AM
Thankx for this nice topic dude i enjoyed reading it really nice
Max_Payne
Jan 14 2004, 03:04 PM
nice stuff dude..enjoyed the reading
Dulok
Jan 15 2004, 06:03 AM
WOW...an Admin myself and very active on the scene - I have never set up a honeypot...this makes me want to bad...
looks like I will be getting no sleep tonight
sybexs
Jan 15 2004, 09:26 AM
i would like to get a few more details on how the VMware was set up. in the past i have tried to do something similar, using WinXP for the host and Win2k Pro for the virtual OS, but i had a problem with the port forwarding. so i just took an old box i had laying around and set it up as a dummy machine.
ara2
Jan 15 2004, 04:55 PM
sybexs, at the very beginning of the article, I link to how to close the crucial ports on the host machine. Once you've gone through all those, reboot, and check with netstat or fport that the ports really are closed.
After the ports are closed, you want to set up VMware to use NAT. To set up the NAT options:
- go in Edit - Virtual Network Settings
- click on NAT
- the VMnet8 should be selected by default, click on 'edit..'
- click on 'port forwarding...'
- click 'add...' to add ports.
For example on port 135, I filled in the following values: Host port: 135; Forwarding IP address: 192.168.136.127 135; then click OK.
Once all my ports were set up, in the Win2k run by VMware, I set it up to get the IP 192.168.136.127:
- right click My Network Places - Properties
- right click Local Area Connection - Properties
- select TCP/IP - Properties
- click Use the following IP address
- fill in IP info (192.168.136.127, 255.255.255.0, 192.168.136.2)
- fill in the two DNS servers below (use the DNS servers your main comp uses)
* 192.168.136.2 is the IP of your host on the internal VMware network, I got it with ipconfig
* the DNS server info you can also get with ipconfig
**All of this assumes you're not running on a home network. If you are running on a home network, then you probably will want to set up your router to forward those ports to your host machine, or set up the VMware comp as part of your home network, but that might be dangerous if your network boxes are not 100% secure. Be sure to set up some outgoing port restrictions on the honeypot.
ktr
Jan 16 2004, 12:29 PM
a very interesting reading great job
Mouse
Jan 27 2004, 06:12 PM
interesting article here
but people with honeypots need to be aware of legal problems... I do not think you can legally charge or report any hackers that you 'allow' to hack your box.
also honeypots violate wiretapping laws.
StreetZone_
Jan 27 2004, 06:45 PM
This Is An Amazing Thread, Very Nice Replays
One Thing, 300,000 bots.... Nah, Dont think so......
Ara2 : Very Nice Job On The Article, Very Nice !
The First Thread/Article/Post I Ever Had Fun With ..
Eltharion
Jan 27 2004, 07:14 PM
Indeed a great article, well written.
Keep up the good work, would love to see more from you
nolimit
Jan 27 2004, 08:29 PM
great read, brings back memories of when i ran a botnet of 3000 or so, we used modded irc servers as well with most non essential cmds gutted. We also used a MD5 encryption scheme for all bot commands, so stealing the botnet would have been quite a hassle.
=k3Rn=
Jan 27 2004, 08:36 PM
really really interesting - i need to get into that!
MpR
Jan 27 2004, 08:40 PM
shit, anymore 3k bots can be gathered in a matter of hours, not that hard.. a few hundred k bots is a lot more common than you think.. just takes the people with a bit of patience to "house" them all and a bit of spare time
Dinos
Jan 28 2004, 03:17 PM
It's a nice work. More tools though should have been used for better results.
Uli
Jan 28 2004, 03:26 PM
lol nice report, very enjoyable