Presentation transcript: Case study #siwa Botnet Panel

1 Case study #siwa Botnet Panel

2 The #siwa botnet
IRC botnet monitored for 5 months (+/-)
The name #siwa comes from the IRC channel used by the involved malware.

3 Some IRC background
IRC channels are moderated by channel operators. Chan OPs have the rights to:
– give operator status to other users
– change the channel topic
– kick/ban people from the channel
– etc.
The channel mode +M (moderated) means that only registered nicks may talk in that channel.

4 The Dorothy-Drone Log file

5 0.2 cents investigation
Only operators can change channel settings, by using the MODE command.
– let's grep MODE to see who the operators are
OK, now we have the operators (OPs); let's grep them to see what they said.

6
: > MODE #siwa +o abc
: > MODE #siwa -M
: > MODE #siwa +o Burimi
: > PRIVMSG #siwa :u seee us eee
: > PRIVMSG #siwa :lol !
: > PRIVMSG #siwa :bots joining
: > PRIVMSG #siwa :.oper
: > PRIVMSG #siwa :i cant se bots
: > PRIVMSG #siwa :oper
: > PRIVMSG #siwa :d
: > PRIVMSG #siwa :d
: > MODE #siwa +o resit
: > MODE #siwa +o Burimi
: > PRIVMSG #siwa :4% join #testing
: > PRIVMSG #siwa :4% join #testing
: > MODE #siwa +M

9
:abc: u seee us eee
:Burimi: lol !
:Burimi: bots joining
:Burimi!: .oper
:Burimi!: i cant se bots
:Burimi!: oper
:Burimi!: d

10 Speculations
It sounds like a customer service..... doesn't it?

11 Something more?
Let's see what happens when the moderation was removed (MODE -M).

12 Let's say...
The string looks like:
– {IRCHOST} PRIVMSG #siwa :-04dcom2.04c- 3. Raw transfer to {IPADDRESS}
(dcom2: Buffer Overrun In RPC Interface Could Allow Code Execution, MS03-026)
So in human jargon, it could mean that:
– {IRCHOST} has infected {IPADDRESS}

13 Let's say...
So in human jargon, it could mean that:
– {IRCHOST} has infected {IPADDRESS}
– {IRCHOST} = {NICK} ! ~
By RFC, every IRC userhost has to be UNIQUE.
– We could enumerate how many UNIQUE hosts are infected.
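As an added example (not code from the presentation or the Dorothy project), the grep-style triage of slides 5 and 12–13 written as a small parser: it pulls operators out of MODE +o lines, keeps what those nicks said, and groups the dcom2 "Raw transfer" reports by the unique reporting userhost. The log lines, nicks and addresses are constructed, and the IRC colour codes around dcom2 are assumed to be already stripped.

```python
import re

# Constructed drone-log sample in the shape the slides quote
# (":nick!user@host COMMAND args"). Not real #siwa data.
SAMPLE_LOG = """\
:abc!~abc@host-a.example PRIVMSG #siwa :u seee us eee
:svc!~svc@irc.example MODE #siwa +o abc
:svc!~svc@irc.example MODE #siwa -M
:abc!~abc@host-a.example MODE #siwa +o Burimi
:Burimi!~b@host-b.example PRIVMSG #siwa :bots joining
:bot1!~x@10.0.0.1 PRIVMSG #siwa :-dcom2- 3. Raw transfer to 192.0.2.10
:bot2!~x@10.0.0.2 PRIVMSG #siwa :-dcom2- 3. Raw transfer to 192.0.2.11
:bot1!~x@10.0.0.1 PRIVMSG #siwa :-dcom2- 3. Raw transfer to 192.0.2.12
:Burimi!~b@host-b.example MODE #siwa +M
"""

# Prefix "nick!user@host", then the command and the rest of the line.
LINE_RE = re.compile(r'^:(?P<userhost>(?P<nick>[^!\s]+)!\S+)\s+(?P<cmd>\S+)\s+(?P<rest>.*)$')
OP_RE = re.compile(r'^#\S+\s+\+o\s+(?P<nick>\S+)')          # "MODE #chan +o nick"
DCOM_RE = re.compile(r'-dcom2-.*Raw transfer to (?P<ip>\d{1,3}(?:\.\d{1,3}){3})')

def parse(log):
    """Yield one dict per well-formed log line (malformed lines are skipped)."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def operators(log):
    """Slide 5: grep MODE +o to learn who the channel operators are."""
    return {OP_RE.match(ev['rest']).group('nick')
            for ev in parse(log)
            if ev['cmd'] == 'MODE' and OP_RE.match(ev['rest'])}

def operator_messages(log):
    """Slide 5: keep only what the operators said in the channel."""
    ops = operators(log)
    return [(ev['nick'], ev['rest'].split(' :', 1)[1])
            for ev in parse(log)
            if ev['cmd'] == 'PRIVMSG' and ev['nick'] in ops]

def infections(log):
    """Slides 12-13: map each unique reporting userhost to the IPs it claims to have hit.
    len(result) is the count of unique (claimed) infected drones."""
    by_host = {}
    for ev in parse(log):
        m = DCOM_RE.search(ev['rest']) if ev['cmd'] == 'PRIVMSG' else None
        if m:
            by_host.setdefault(ev['userhost'], set()).add(m.group('ip'))
    return by_host
```

The counts only reflect what the bots chose to report, which is exactly the caveat the closing slides raise.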

14 Bonus (!?)
Take a look at this line: PRIVMSG #siwa :4% join #testing
– resit is the nickname of the operator
– admin.siwatech.com is its host name
– ....SIWAtech.com! Yes, the label that I used for this botnet! Curious.
– The timestamp of this command is 06/02/ :53:54
– ...and the website is still reachable! (02/2011)

15 The #siwa botnet

16 #siwa C&C on the map

17-23 Conclusions
Botnet masters were conscious that someone was spying on their botnet.
– botmasters are not stupid.
We saw only what they wanted to show us.
– could this information be reliable?
– Why did they choose to show their botnet population? To show us their p0w3r? ...or just to deceive us?
We should be careful with conclusions...

24 References
My Bachelor Thesis
– Pg. 89
– content/uploads/Dorothy/The_Dorothy_Project.pdf
All the data are still available and are accessible through the Dorothy WGUI.
– send me an e-mail for an account
