Case study #siwa Botnet Panel. The #siwa botnet IRC Botnet monitored for 5 months (+/-) The name #siwa comes from the irc channel used by the involved.


1 Case study #siwa Botnet Panel

2 The #siwa botnet
IRC botnet monitored for 5 months (+/-)
The name #siwa comes from the IRC channel used by the involved malware.

3 Some IRC background
IRC channels are moderated by channel operators. Chan OPs (@nick) have the rights to
  – give the @ to other users
  – change the channel topic
  – kick/ban people from the channel
  – etc.
The channel mode +M (moderated) means that only registered nicks (or @operators) may talk in that channel.

4 The Dorothy-Drone Log file

5 0.2 cents investigation
Only operators can change channel settings, by using the MODE command.
  – let's grep MODE to see who the operators are
OK, now we have the operators (OPs); let's grep them to see what they said.

6
72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa +o abc
72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa -M
72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa +o Burimi
72.10.169.26:2293 --> :abc!~abc@116.71.172.204 PRIVMSG #siwa :u seee us eee
72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :lol !
72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :bots joining
72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :.oper
72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :i cant se bots
72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :oper
72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :d
72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net PRIVMSG #siwa :d
72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net MODE #siwa +o resit
72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net MODE #siwa +o Burimi
72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net PRIVMSG #siwa :4% join #testing
72.10.169.26:2293 --> :resit!~tr@admin.siwatech.com PRIVMSG #siwa :4% join #testing
72.10.169.26:2293 --> :resit!~tr@admin.siwatech.com MODE #siwa +M


9
abc: u seee us eee
Burimi: lol !
Burimi: bots joining
Burimi: .oper
Burimi: i cant se bots
Burimi: oper
Burimi: d

10 Speculations
It sounds like a customer service.....doesn't it?

11 Something more?
Let's see what happens when the moderation was removed (MODE -M)

12 Let's say...
The string looks like:
  – ({IRCHOST} PRIVMSG #siwa :-04dcom2.04c- 3. Raw transfer to {IPADDRESS})
Buffer Overrun In RPC Interface Could Allow Code Execution (MS03-026)
So in human jargon, it could mean that
  – {IRCHOST} has infected {IPADDRESS}

13 Let's say...
So in human jargon, it could mean that
  – {IRCHOST} has infected {IPADDRESS}
  – {IRCHOST} = :IsGGoMJY!~apufsc@e178216081.adsl.alicedsl.de
    i.e. {NICK}!~{USERHOST}@{HOSTNAME}
By RFC, every IRC userhost has to be UNIQUE
  – We could enumerate how many UNIQUE hosts are infected
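The grep-based triage of slide 5 (who got +o, what the operators said) and the infection-string parsing of slides 12-13 (one unique reporting userhost per bot, one victim address per "Raw transfer to" line), as an added Python example that is not part of the original presentation or of the Dorothy project. The sample log, nicks, hosts and addresses are constructed placeholders laid out like the drone log on slide 6; only the "Raw transfer to" pattern is taken from slide 12.

```python
import re

# Constructed sample in the Dorothy drone-log layout shown on the slides
# ("<sensor>:<port> --> :<nick>!<user>@<host> <COMMAND> ..."); placeholders, not real #siwa data.
SAMPLE_LOG = """\
192.0.2.10:2293 --> :op1!~op1@203.0.113.5 MODE #siwa +o op1
192.0.2.10:2293 --> :op1!~op1@203.0.113.5 MODE #siwa +o op2
192.0.2.10:2293 --> :op1!~op1@203.0.113.5 PRIVMSG #siwa :u seee us eee
192.0.2.10:2293 --> :op2!~op2@203.0.113.6 PRIVMSG #siwa :bots joining
192.0.2.10:2293 --> :botA!~apufsc@host1.example.net PRIVMSG #siwa :-04dcom2.04c- 3. Raw transfer to 198.51.100.20
192.0.2.10:2293 --> :botB!~qwerty@host2.example.net PRIVMSG #siwa :-04dcom2.04c- 3. Raw transfer to 198.51.100.21
192.0.2.10:2293 --> :botA!~apufsc@host1.example.net PRIVMSG #siwa :-04dcom2.04c- 3. Raw transfer to 198.51.100.22
192.0.2.10:2293 --> :op1!~op1@203.0.113.5 MODE #siwa +M
"""
# One drone-log line: sensor, then the IRC prefix nick!user@host, the command, the rest.
LINE_RE = re.compile(r'^\S+ --> :(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) '
                     r'(?P<cmd>\S+) (?P<rest>.*)$')
# The infection-report string from slide 12; the victim address follows it.
TRANSFER_RE = re.compile(r'Raw transfer to (?P<victim>\d{1,3}(?:\.\d{1,3}){3})')

def parse(log):
    """Yield a dict per line that matches the drone-log layout; skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def operators(log):
    """Nicks granted +o, i.e. what 'grep MODE' on slide 5 reveals."""
    ops = set()
    for ev in parse(log):
        parts = ev['rest'].split()
        if ev['cmd'] == 'MODE' and len(parts) >= 3 and parts[1] == '+o':
            ops.add(parts[2])
    return ops

def operator_chatter(log):
    """(nick, text) for every channel message sent by an operator, in log order."""
    ops = operators(log)
    return [(ev['nick'], ev['rest'].split(' :', 1)[1]) for ev in parse(log)
            if ev['cmd'] == 'PRIVMSG' and ev['nick'] in ops and ' :' in ev['rest']]

def infection_reports(log):
    """Unique reporting bot (user@host, unique per slide 13) -> victims it claimed to infect."""
    reports = {}
    for ev in parse(log):
        m = TRANSFER_RE.search(ev['rest']) if ev['cmd'] == 'PRIVMSG' else None
        if m:
            reports.setdefault(f"{ev['user']}@{ev['host']}", set()).add(m['victim'])
    return reports
```

The host count this yields is the number of bots that claimed an infection, not a verified number of compromised machines, which is exactly the reliability caveat the Conclusions slides raise.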

14 Bonus (!?)
Take a look at this line:
  :resit!~tr@admin.siwatech.com PRIVMSG #siwa :4% join #testing
  – resit is the nickname of the operator
  – admin.siwatech.com is its host name
  – ....SIWAtech.com! Yes, the label that I used for this botnet! Curious.
  – The timestamp of this command is 06/02/2009 20:53:54
  – ...and the website is still reachable! (02/2011)

15 The #siwa botnet

16 #siwa C&C on the map

17-23 Conclusions
Botnet masters were conscious that someone was spying on their botnet.
  – botmasters are not stupid.
We saw only what they wanted to show us
  – could this information be reliable?
  – Why did they choose to show their botnet population? To show us their p0w3r?...or just to deceive us?
We should be careful with conclusions...

24 References
My Bachelor Thesis – pg. 89 – http://www.honeynet.it/wp-content/uploads/Dorothy/The_Dorothy_Project.pdf
All the data are still available and accessible through the Dorothy WGUI – send me an email for an account – marco.riccardi@honeynet.it

