Message-ID: <5.2.1.1.0.20031123052913.00b7eeb0@pop.gmx.net>
From: atrazine at gmx.net (atrazine)
Subject: more ddos bots on undernet
Sarah2003 Trojan Analysis.
-----------------------------
atrazine - atrazine@....net
flurdoing - flur@...rnet.org
----------------------------
Contents:
---------
Abstract
Synopsis
Chat Text
Potential Nicks
Target Chans
Potential Commands
Suggested Solutions
Captured Control Chan Packets
Conclusion
Abstract:
---------
A new breed of annoying worm-type bot has been popping up on undernet. They have been causing many headaches on #dubai. This paper will attempt to illustrate how this trojan operates, how to rid your channel of it, and how to identify it across the entire undernet network.
Synopsis:
---------
Infected machines connect to eu.undernet.org, joining a control channel and randomly(?) selecting channels from a list (included below). Infected machines (which we will refer to as bots) adopt a female nick from a list (included below). A character is appended to the nicks (also included below).

Bots idle on channels until they are sent a message, or sent a CTCP TIME or PONG. Female nicks are supposed to lure asl-ing lamers (obviously a successful tactic *sigh*). They then respond with one of a list of options, waiting for a response of any sort before continuing with the next list of options. The options are listed below. After four lines have been sent, the bot will attempt to send its 'picture', which is a zip archive containing a .scr trojan.

The bots accept commands, but are subject to some form of authentication (we have not been able to send commands successfully). The bots idle on a single channel in common, protected with a password:
#xcnicxxcncx jnfttnlr

The trojan will not join the control channel if it doesn't discover the presence of X (i.e. it tries to ensure that it's on undernet).

Executing the trojan file will cause an entry to be written into the machine's registry, causing the trojan to start up and wait for an internet connection. ChkWin & chkmsh.exe are names the trojan refers to itself as in the registry. Remove any conspicuous entries from 'Software\Microsoft\Windows\CurrentVersion\Run' should you need to run the trojan. Running the trojan will also pop up an image, as promised (\janey.jpg). She looks cute. The trojan is packed with PEcompact.
Chat Text:
----------
Text options for 1st round:
"hi hello greetings salut sal hi_there ctc howdy ello:o) allo:) hey:)"
Text options for 2nd round:
"how_are_you? how_you_doin? how's_things? how's_life? doing_okay?"
Text options for 3rd round:
"17/f/texas 23/f/Walkersville 24-f-uk 26-f-Scotland 19/f/Ireland 18/f/Boston 26/f/Florida"
Text options for 4th round:
"have_a_pic?_this_is_me.. swap_pix? do_you_have_a_pic? send_me_a_pic?_I'll_send_mine I'll_send_my_pic._send_yours?"
Potential Nicks:
----------------
mary linda barbara maria susan dorothy lisa nancy karen betty helen sandra
donna carol ruth
sharon laura sarah deborah jessica shirley cynthia angela melissa brenda
ammy anna rebecca
pamela martha debra amanda carolyn marie janet frances anna joyce diane
alice julie heather
teresa doris gloria evelyn jean cheryl mildred joan ashley judith rose
janice kelly nicole
judy kathy theresa beverly denise tammy irene jane lori rachel marilyn
andrea kathryn
louise sara anne wanda bonnie julia ruby lois tina phyllis norma paula
diana annie lillian
emily robin peggy crystal gladys rita dawn connie tracy edna tiffany carmen
rosa cindy grace
wendy edith kimmy sherry sylvia thelma shannon sheila ethel ellen elaine
carrie monica esther
pauline emma juanita anita rhonda hazel amber evaa debbie april leslie
clara lucille jamie joanne
eleanor valerie megan alicia suzanne michele gail bertha darlene jill erin
lauren cathy joann
lynn sally regina erica dolores bernice audrey yvonne annette june marion
dana stacy annna renee
aidia vivian roberta holly melanie loretta yolanda laurie katie kristen
vanessa alma suey elsie
beth jeanne vicki carla tara eileen terri lucy tonya ella stacey wilma gina
kristin jessie natalie
agnes vera bessie delores melinda pearl arlene maureen colleen allison
tamara joye georgia
lillie claudia jackie marcia tanya nellie minnie marlene heidi glenda lydia
viola marian stella
dora vickie mattie terry maxine irma mabel marsha myrtle lena christy
deanna patsy hilda jennie
nora margie nina leah penny kaye naomi carole brandy olga dianne tracey
leona jenny felicia sonia
miriam velma becky violet toni misty shelly daisy ramona sherri erika
katrina claire lindsey
lindsay geneva belinda sheryl cora faye adai natasha sabrina isabel hattie
harriet molly cecilia
kristi brandi blanche sandy rosie joanna iris eunice angie inez lynda
amelia alberta monique
jodi janie maggie kayla sonya jani jeinine candace fannie maryann opal
alison yvette melody
luzi susie flora shelley kristy mamie lula lola verna beulah candice juana
pamm kelli hannah
whitney bridget karla celia latoya patty shelia drayle della vicky lynne
sheri kara erma blanca myra
leticia pattra krista roxanne johnnie robyn francis rosalie brooke bethany
sadie traci jody kendra
jasmine nichole rachael chelsea mable muriel elena krystal nadine kari
estelle dianna lora mona
doreen angel desiree antonia hope ginger janis betsy freda lynette teri
eula leigh meghan sophia
eloise cecelia raquel alyssa jana kelley gwen kerry jenna tricia laverne
alexis tasha silvia
elvira casey delia sophie kate patti lorena kellie sonja lila lana darla
mayei mindy essie
mandy lorene elsa jeannie miranda dixie lucia marta faith lela johanna
shari camille tami
shawna elisa ebony melba orae nettie tabitha jaime kristie marina alisha
aimee rena myrna
marla tammie latasha bonita patrice ronda sherrie addie deloris stacie
adriana cheri shelby
abigail celeste jewel cara adele rebekah lucinda dorthy effie trina reba
shawn sallie aurora
lenora etta lottie kerri trisha nikki estella josie tracie marissa karin
janelle lourdes laurel
helene fern elva corinne kelsey bettie aida caitlin ingrid ivai eugenia
christa cassie maude
jenifer therese dena lorna janette latonya candy morgan tamika rosetta
debora cherie polly dina
jewell faye jillian nell trudy patrica shanna helena cleo rosario olay
janine mollie lupe alisa
lousi maribel susanne bette susana elise cecile lesley jocelyn paige joni
leola daphne alta ester
petra imogene jolene keisha lacey glenna keri ursula lizzie kirsten shana
adeline mayra jayne jaclyn
gracie sondra carmela marisa charity tonia beatriz marisol clarice jeanine
sheena frieda lily
shauna millie angelia autumn summer jodie staci leah christi jimmie justine
elma luella margret
socorro rene martina margo mavis callie bobbi maritza lucile leanne deana
aileen lorie ladonna manuela
gale selma dolly sybil abby lara dale ivye deee winnie marcy luisa jeri
ofelia meagan audra matilda
leila bianca simone bettye randi virgie latisha barbra eliza leann rhoda
haley adela nola flossie ilaa
greta ruthie nelda minerva lilly terrie letha hilary estela valarie brianna
rosalyn earline avai
miai lidia corrine tiar sharron raye dona ericka jami elnora chandra lenore
neva marylou melisa
tabatha serena avis allie sofia jeanie odessa nannie loraine emilia benita
allyson ashlee tania
tommie karina evee pearlie zelma malinda noreen tameka saundra hillary amie
althea jordan lilia
alana dray clare elinor lorrie jerri darcy taylor noemi marcie liza louisa
earlene mallory carlene
nita selena tanisha katy
* Nick followed by one character from this list: 123456789^-_[]`\|
Target Channels:
----------------
worldchat constanta bucuresti cluj braila zurna oradea craiova cyprus
macedonia ploiesti 0mega
italia istanbul severin montreal sibiu sexe leb buzau romuzica iasul
karachi worldchat hellas
bookz cebu colentina moldova mures valcea france g-unit deva quebec mexico
focsani chat-world
canada targoviste xboxworld maroc usa ateneo merida cadde alunis kopervik
x-drag0n-x porsgrunn alba
zetnet italy zalau lebanon london pakistan hunedoara trois-rivieres
limassol montral onesti
audiobookz rock chicoutimi kiruna petrosani chatparty tealeslakt vaslui
rimouski mardelplata libanon
outaouais abitibi cybersex teens paris relevant qubec moon doyoulookgood
broadbitch casa racla azs
huedin delusion trabzon trujillo izmir tulcea filipino spania brunete
eminem- gay lebzone germany lock
blindheim caransebes detention allnitecafe familysex medias ankara brasil
navodari zerocool
xbox-prime larnaca roscatu athina gaspesie slatina ust bosnia lasalle
ulsteinvikoggursken
baiamare iloilo paphos digitalcity dordetara nbi pascani barlad sula
telecharger aiud alexandria
grecia makati nibbe vitro baia roman arab klavye ostroveni radauti victo
egypt c calarasi forde
spiru tikky uae clubred nemo irc-chatterz porno iligan lanitio shawi beirut
loveplanet st-jerome
stavanger turda fuckerii galaxy koka-kola lesbi.ro metal-malta timishoara
hideaway rock-in-hell
cash islamabad medgidia beauce atb germania killazz radiomixfm angola
kylling tecuci tacna aglantzia
arvika baia-mare card ircfun salaj spjelkavik alma ayna campina
cracks&serials pasaj apoel dinamo
gov mikmaq multan slobozia teen.no mangalia romanialibera hotkiss
pinoymusik salsalan sauda denysa
geokanta house idle st-hyacinthe tops axisppl konflikt mazepa mochis msg
nasa vagabonzi buzoieni
cqr dominicanos fagaras joliette mapua-makati morelianos russia tunisie
dhivehi intersport portugal
faisalabad koiciu labaie lamania lebano meydan ploiestiu tufte kristinehamn
lums pessamit sexe-ados
br0nx bursa elgi granby la^ingeri moldovanoua saguenay steaua terrebonne
tg.mures amistad ibiza
liban manila satu-mare sinaia adjud adultchat beyrouth
caut-proasta-ofer-asl chatleb cusco dualnet
enaerios gorda-punk hotice ovidius up xuc algerie bacolod grass holland
karlstad kjlnes la_mare
radio-medias vibes antilameri chatcy dlsu greece hattrick hattrick-ro
kickflip laval muresul
radio-toxic sempati sexforyou adultes bratts carachi cybermalta dragasani
matane planetrox
skudenes slice trafic valleyfield bash bitola friendster loc.de.veci
loftstory no-problem pe-spate
rockmania banden beach gaypakistani gujranwala java pitbull aksdal bebelusu
bitanem bizarre
cagayandeoro cebusex darckdevil dolbeau ekte fetele-rele gentoo gladiatoren
laspinas midnight-club
orstad political xlanders adoratii atenista barramansa bluebyte caterinca
cyberdream fes gaysexefr
oldtimesirc oton simleu spain yeditepe bergmo campeche castellon
colleges.ph cyberchat exclusive
halflife libnen longueuil meridas n omonoia sjit angelic dubai heye
incomplete klepp liis lillesand
merichat satumare tg.jiu wild bi-married-men bifemsex deathtrap ednet
fuerte gaynetmeeting gaysexe
infernais ircmasters juliaca lesedeu lic-decebal lissa love-channel
lovesexfun machedonii maduritos
metal mondongo oldtimes agadir bekkevoll boys centrocoop chat_cy com
housenation karadeniz morelia
repentigny sonora st-hubert ste-foy albaiulia ayuda craiova_maxima
house-planet injuraturi londra lugoj
regie rosetti sighet siyah alger bizzar cbas civil-war digitalmafia ocnita
phantom punct.shi.de.la.capat
roma satene terceira thug trance-force agigea australia ayva davao dorna
dumaguete erosion gamers-cy
girne halla laredos les life`style lucianblaga my reykjavik sadeyes st-jean
celebs-n-models csb
cynetworks debian extazyops fc-oradea iubaretzii japan lagerfeuer neptun
puba rabat sexi street-fighter
bamble bergen blue-private colegium Data ford happy_hour lipeala michoacan
nicosia pque safi setup skopje
tatar anna barcelona black&white c.d.m camera-ascunsa color_wave
creative_minds cugir diboa lb macosx
mishu modifiye peshawar puno resort rom-ger schoolwarz sluts ssl taifas
tambayan alabang brennevin
catastrophy devenii flor gorj hotzone lacul-tei original pagadian piatra
tangub toofast trancemania
x-c ymme alcools balcescu better-dayz bundy c.i.a distrikt-hiphop
fishmongers fun iloveyou mafioti
pashamas radioro remotes sanitar sava star valdery varhaug white-roses
abyse americaonline asterix
dk-zone domain fanatik fani halfar kral on toronto usctc x_team yupi
zambilica cmnorge crackers
dobrogea gaylebanon huaraz humor katafygio la.famille.rikardi.mafioso
miamibeach orsova pinkdevils
shangrila skogmo smallville-high ssc sgne targu-mures tropical-funconstanta
bucuresti cluj craiova
braila ploiesti zurna buzau italia sibiu cyprus iasul severin bios oradea
ateneo maroc leb macedonia
montreal istanbul valcea karachi cebu france hellas mures worldchat
colentina casa usa focsani filipino
roman alba onesti chatzone romania macedonia quebec chat-world chatparty
irc-chatterz
Potential Bot Commands:
-----------------------
!final
!j
!p
!msg
!down
Suggested solutions:
--------------------
Server level: GLine all clients that join the control channel.
Channel level: Kban all clients that join if nick is in the list mentioned above.
User level: Do not chat with bots that respond with those strings and never accept 'scr' pictures.
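As an added example that is not part of the original analysis, the following Python applies the channel-level and user-level checks above to raw server lines like those captured below: it flags joins to the control channel, nicks built as a listed name plus one trailing marker character, and messages matching the lure strings. It assumes the underscores in the Chat Text strings stand for spaces, uses only a small subset of the nick list, and runs on constructed sample lines with placeholder hosts.

```python
import re

# Constructed subset of the nick list above; extend with the full list in practice.
BOT_NAMES = {"mary", "linda", "heather", "alicia", "tanya", "lorene", "eloise", "leah"}
# One of these characters is appended to the base nick, per the analysis.
SUFFIX_CHARS = set("123456789^-_[]`\\|")
CONTROL_CHAN = "#xcnicxxcncx"
# Lure strings from the Chat Text section; underscores are assumed to stand for spaces.
LURE_LINES = {s.replace("_", " ").lower() for s in (
    "hi_there", "how_are_you?", "how_you_doin?", "17/f/texas",
    "have_a_pic?_this_is_me..", "swap_pix?", "send_me_a_pic?_I'll_send_mine")}

# Server line: ":nick!user@host COMMAND params" (lines without a prefix are skipped).
IRC_LINE = re.compile(r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) (?P<cmd>\S+)(?: (?P<params>.*))?$")

def is_bot_nick(nick):
    """True when nick is a listed name plus exactly one trailing marker character."""
    return len(nick) > 1 and nick[-1] in SUFFIX_CHARS and nick[:-1].lower() in BOT_NAMES

def classify(line):
    """Return the reasons (possibly none) a single IRC line looks like bot traffic."""
    m = IRC_LINE.match(line)
    if not m:
        return []
    nick, cmd, params = m["nick"], m["cmd"], m["params"] or ""
    reasons = []
    if cmd == "JOIN" and params.lstrip(":") == CONTROL_CHAN:
        reasons.append("joins control channel")
    if cmd in ("JOIN", "PRIVMSG") and is_bot_nick(nick):
        reasons.append("nick matches bot pattern")
    if cmd == "PRIVMSG" and " :" in params:
        text = params.split(" :", 1)[1].strip().lower()
        if text in LURE_LINES:
            reasons.append("sends lure text")
    return reasons

def scan(lines):
    """Return (nick, reasons) for every line that triggered at least one rule."""
    return [(IRC_LINE.match(ln)["nick"], r) for ln in lines if (r := classify(ln))]

# Constructed sample log; hostmasks are placeholders, not real hosts.
SAMPLE_LOG = """\
:heather7!~vicky@host-a.example JOIN :#xcnicxxcncx
:lorene6!~liza@host-b.example JOIN :#x_team
:ssjones!~eee@host-c.example PRIVMSG #chicoutimi :comme tjs
:alicia^!~alicia@host-d.example PRIVMSG #chicoutimi :have a pic? this is me..
PONG :eu.undernet.org""".splitlines()
```

A channel bot would feed its server stream into scan() and kban on any hit; a human user can run it over a saved log to see which nicks to ignore.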
Sample of captured packets from within control channel:
-------------------------------------------------------
PONG :eu.undernet.org
:ssjones!~eee@...emcable120.133-202-24.mc.videotron.ca PRIVMSG #chicoutimi :comme tjs
:StevenX!Usa@...MaTRiX.Is.The.Beginning.oF.The.End.Is.Beg.i-n-g.info NICK :N-e-o
:X!cservice@...ernet.org MODE #agadir +b *a]!*@*
:X!cservice@...ernet.org KICK #agadir tanya] :(DoGGyStyL) Infected Irc ! Out
:BOYYGARD!aaaa@...onto-HSE-ppp3755125.sympatico.ca PRIVMSG #chicoutimi : je vien 1 fois par mois
:LISE36!pas@...onto-HSE-ppp3759768.sympatico.ca JOIN :#chicoutimi
:poulette1!lololololo@...-177.cybernaute.com PRIVMSG #chicoutimi :salut ye tu des mecs qui veulent parler a 2 fille de 15 ans
:flurdoing!flur@....org JOIN :#xcnicxxcncx
:allo19!Jolyane@...emcable091.133-202-24.mc.videotron.ca JOIN :#chicoutimi
:BOYYGARD!aaaa@...onto-HSE-ppp3755125.sympatico.ca PRIVMSG #chicoutimi :et c est tojours platte
:maffo!~maffolini@...emcable138.164-203-24.mc.videotron.ca PRIVMSG #chicoutimi :ouais
:nicole2!~nicole@...162.127.77 QUIT :Ping timeout
:maffo!~maffolini@...emcable138.164-203-24.mc.videotron.ca PRIVMSG #chicoutimi :moi
:lorene6!~liza@...4-6-165-55.client.comcast.net JOIN :#x_team
:Tw0_L4Dy!~Jolie-17@...emcable245.156-201-24.mc.videotron.ca PRIVMSG #chicoutimi :y a tu des bo mec interesser a faire de quoi avec deux filles a soir
:Miss15!~DeathMeta@...emcable098.119-130-66.mc.videotron.ca PRIVMSG #chicoutimi : ACTION 5[ 4 5] 4D 5eath 4M 5usik: 4 4 Remember The Titans- War - Spill The Wine 4 5[ 4 5] 4D 5uration: 4 4 4m3s 4 5[ 4 5] 4 D 5eath 4M 5etal 4 666 5[ 4 5]
:ssjones!~eee@...emcable120.133-202-24.mc.videotron.ca PRIVMSG #chicoutimi :ben sa change po pi sa changeras po
:AACleanN!~buggoff@...babe763.users.undernet.org MODE #cyberchat +l 51
:hussam!~rayanb007@...192.145.126 QUIT :Quit
:_destiny_!mar43H@...onto-HSE-ppp3756522.sympatico.ca QUIT :Quit
:leah7!~letha@...89-7-220.dtcom.ro QUIT :Read error: Connection reset by peer
:DarKSiDe`!~Foo@...192.36.105 QUIT :Quit
:eloise_!~katrina@....131.120.242 PART :#x_team
:eloise_!~katrina@....131.120.242 PART :#x_team
:ssjones!~eee@...emcable120.133-202-24.mc.videotron.ca PRIVMSG #chicoutimi :ben p.e
:heather7!~vicky@...162.127.77 JOIN :#xcnicxxcncx
:X!cservice@...ernet.org MODE #agadir +b *!~alicia@...op*
:X!cservice@...ernet.org KICK #agadir alicia^ :(DoGGyStyL) Infected Irc ! Out
Conclusion
----------
The identity of the asshats responsible is unknown, but it has been hypothesised that said asshats might be from Quebec, as a number of the affected channels are filled with french speakers with .ca hostmasks. This is however unconfirmed at this point, and the channels seem to have been chosen for their high number of users (possibly also a high number of STUPID users). The control channel averages about 300 bots at any given time; as of this time (4AM GMT Nov 23) none of the bot controllers have entered the control channel.

The sophistication is low as usual; frankly, if this is the best they can come up with, their time might be better spent getting girlfriends than coding. Some key strings that may help reveal the identity of those responsible include: Choke and Goldmember.
---
atrazine // atrazine@....net
flurdoing // flur@...rnet.org