Assbot
ro_0t
I was browsing around Rizon (IRC) and got a PM from a bot sending me to a link with a .exe file, claiming it to be "hacking tools".

Naturally I was skeptical about the exe, so I downloaded it to have a look. It turned out the exe was packed with UPX, which is easy to unpack, so I downloaded upx.exe and unpacked it.

I installed it on a virtual machine (VMware) and checked it out.

It copied 2 files: "Soundmax.exe" (a modified mirc.exe) and "mirc.ini" (not exactly discreet, is it?)

Well, I closed soundmax.exe and set up my packet sniffer, then restarted the soundmax.exe file.

I noticed it was connecting to an IP address (216.***.***.***) which was forwarding me on to irc.webchat.org on port 6667.

I then noticed it set the modes +ixMn and changed the nick to "kashmin||523457".
Once the nick had changed it sent a notice to a user called abart telling him the commands, which were:

!joinchan
!partchan
!close (rehash)
!morebot (create clones)
!helpflood
and !bosscontrol

Upon looking at some of the files I noticed that the bot only listens to commands from users with the nick "abart" or "asscrewz".
I connected to the IRC network and joined the channel. There were about 50 bots in there at the time (including myself).

I did a whois on abart and noticed he was online and was an @/+ in a few channels (including a help channel, funnily enough).
I then whois'd asscrewz and noticed he was offline, so I changed my nick to asscrewz and tried out some of the commands, which worked successfully.

I soon got bored investigating this bot as it was pretty lame and basic with very few commands. Since it didn't have a !remove command I reported the bots/channel and owner to an oper, who klined all of the bots.

The files are stored in "C:\Windows\Drivers\Firewall" and the main executable is "soundmax.exe".

Just a little information for anyone who comes across this bot (although it's unlikely because it seems to be unpopular and just manual infections etc.).
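Added example (not from the original post, and not the bot's own mIRC script, which was not posted in the thread): a small Python scanner that matches the indicators ro_0t describes (the kashmin||<digits> nick, user modes +ixMn, the command list NOTICEd to abart, and !commands issued by abart or asscrewz) against captured IRC lines, plus a model of the nick-only authorisation the post describes, which shows why simply changing nick to asscrewz was enough to drive the bots. The sample capture, the "#channel" name and the spoofed hostmask are constructed for the example; the IP and channel in the real traffic are not reproduced here.

```python
"""Match the Assbot indicators from the post against captured IRC lines.

Added example; sample lines below are constructed, not a real capture.
"""
import re

# Indicators taken from the post.
NICK_RE = re.compile(r"^kashmin\|\|\d+$")          # nick "kashmin||523457"
BOT_MODES = "+ixMn"                                 # user modes the bot sets
CONTROLLER_NICKS = {"abart", "asscrewz"}            # nicks the bot obeys
BOT_COMMANDS = {"!joinchan", "!partchan", "!close",
                "!morebot", "!helpflood", "!bosscontrol"}


def parse_irc_line(line):
    """Split a raw IRC line into (prefix, COMMAND, params).

    A trailing parameter introduced by ' :' is kept as one string, so
    'NOTICE abart :cmds ...' yields params ['abart', 'cmds ...'].
    """
    prefix = None
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def nick_of(prefix):
    """'nick!user@host' -> 'nick'."""
    return prefix.split("!", 1)[0] if prefix else ""


def is_trusted_controller(prefix):
    """Model of the authorisation the post describes: the bot checks only the
    nick, never the user@host, so any client holding the nick is trusted."""
    return nick_of(prefix) in CONTROLLER_NICKS


def scan_irc_lines(lines):
    """Return [(line_no, indicator), ...] for lines matching the bot's behaviour."""
    hits = []
    for n, raw in enumerate(lines, 1):
        prefix, cmd, params = parse_irc_line(raw)
        if cmd == "NICK" and params and NICK_RE.match(params[0]):
            hits.append((n, "bot nick pattern"))
        elif cmd == "MODE" and len(params) >= 2 and params[1] == BOT_MODES:
            hits.append((n, "bot user modes"))
        elif cmd == "NOTICE" and len(params) >= 2 and params[0] in CONTROLLER_NICKS:
            if set(params[1].split()) & BOT_COMMANDS:
                hits.append((n, "command list to controller"))
        elif cmd == "PRIVMSG" and len(params) >= 2:
            words = params[1].split()
            first = words[0] if words else ""
            if first in BOT_COMMANDS and is_trusted_controller(prefix):
                hits.append((n, "controller command: " + first))
    return hits


# Constructed sample capture (not real traffic); "#channel" and the
# spoofed hostmask are placeholders.
SAMPLE_CAPTURE = [
    "NICK kashmin||523457",
    ":kashmin||523457 MODE kashmin||523457 :+ixMn",
    "NOTICE abart :commands: !joinchan !partchan !close !morebot !helpflood !bosscontrol",
    ":kashmin||523457 JOIN :#channel",
    ":asscrewz!spoof@example.net PRIVMSG #channel :!joinchan #other",  # nick spoofed, still obeyed
    ":someone!u@h PRIVMSG #channel :!joinchan #other",                 # wrong nick, ignored
    "PING :irc.webchat.org",
]

if __name__ == "__main__":
    for line_no, what in scan_irc_lines(SAMPLE_CAPTURE):
        print(f"line {line_no}: {what}")
```

The PRIVMSG rule only fires when the sender's nick is abart or asscrewz, which is exactly the check the post says the bot performs; because the hostmask is never consulted, the spoofed "asscrewz!spoof@example.net" line is accepted while the same command from any other nick is not.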
AdmiralB
This bot is not very sophisticated; it probably spreads through IRC using spam.
Easily caught, easily exposed.
skiddieleet
He should have set a ban on the channel they join and on the nicks they respond to. They will just keep connecting from new IP addresses.
tomas\
Did you use any AV to test both the UPX-ed and unpacked file to see if it got picked up?
ro_0t
Nope, didn't check. Well, it didn't get picked up by Norton (which I have installed). It's basically just a modded mIRC and some .ini files; he hasn't even bothered to conceal the script names.