the remote server and our victim computer. Packet 9 appears to show a password being sent to the remote server, the password being "\google_cache2.tmp". Then, packet 17 shows a goldmine of information: it appears to be the welcome message of an IRC channel. Bingo! The malware is an IRC botnet recruiter. To get more information, I looked at the TCP stream:
:FBI.GoV NOTICE AUTH:*** Looking up your hostname...
:FBI.GoV NOTICE AUTH:*** Couldn't resolve your hostname; using your IP
address instead
PASS \google_cache2.tmp
NICK NEW{EpicBot-AUT|XP}085587
USER 1854 "" "TsGh":1854
:FBI.GoV 001 NEW{EpicBot-AUT|XP}085587
:FBI.GoV 002 NEW{EpicBot-AUT|XP}085587: M0dded by uNkn0wn Crew
:FBI.GoV 003 NEW{EpicBot-AUT|XP}085587
:FBI.GoV 004 NEW{EpicBot-AUT|XP}085587: uNkn0wn - iD@ uNkn0wn
:FBI.GoV 005 NEW{EpicBot-AUT|XP}085587
:FBI.GoV 005 NEW{EpicBot-AUT|XP}085587
:FBI.GoV 005 NEW{EpicBot-AUT|XP}085587
:FBI.GoV 422 NEW{EpicBot-AUT|XP}085587:MOTD File is missing
JOIN #Cheese#
:NEW{EpicBot-AUT|XP}085587!1854@192.35.222.192 JOIN:#Cheese#
PING:FBI.GoV
PONG:FBI.GoV
So, from this we can see that the IRC channel password is "\google_cache2.tmp", our victim's nickname is NEW{EpicBot-AUT|XP}085587, and the channel joined is #Cheese#. All this from the Wireshark traffic analysis!
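As an added example (not code from the original write-up), here is a small Python parser that takes the reconstructed TCP stream above and pulls out the same indicators programmatically. The sample input is the stream quoted above; because this capture lost the space before each trailing ":" parameter, the parser accepts both the RFC form and the form seen here.

```python
# Added example: parse the IRC login handshake reconstructed from the TCP
# stream and pull out the C2 indicators a defender would record. SAMPLE is the
# stream quoted in the write-up (trailing ':' params lack the usual space).
SAMPLE = r""":FBI.GoV NOTICE AUTH:*** Looking up your hostname...
PASS \google_cache2.tmp
NICK NEW{EpicBot-AUT|XP}085587
USER 1854 "" "TsGh":1854
:FBI.GoV 001 NEW{EpicBot-AUT|XP}085587
:FBI.GoV 002 NEW{EpicBot-AUT|XP}085587: M0dded by uNkn0wn Crew
JOIN #Cheese#
:NEW{EpicBot-AUT|XP}085587!1854@192.35.222.192 JOIN:#Cheese#
PING:FBI.GoV
PONG:FBI.GoV"""


def parse_line(line):
    """Split one raw IRC line into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):                 # ":server" or ":nick!user@host"
        prefix, _, line = line[1:].partition(" ")
    head, colon, trailing = line.partition(":")  # trailing param, if any
    parts = head.split()
    return prefix, parts[0].upper(), parts[1:], trailing.strip() if colon else None


def extract_c2_indicators(stream):
    """Walk the handshake and collect server, credentials, channels and bot host."""
    ind = {"server": None, "password": None, "nick": None, "ident": None,
           "banner": [], "channels": [], "bot_host": None}
    for raw in (l.strip() for l in stream.splitlines() if l.strip()):
        prefix, cmd, params, trailing = parse_line(raw)
        if cmd == "PASS":                    # password sent in the clear
            ind["password"] = params[0] if params else trailing
        elif cmd == "NICK":
            ind["nick"] = params[0]
        elif cmd == "USER":
            ind["ident"] = params[0]
        elif cmd == "001":                   # RPL_WELCOME: prefix names the C2 server
            ind["server"] = prefix
        elif cmd in ("002", "003", "004") and trailing:
            ind["banner"].append(trailing)   # modified-daemon banner is a useful fingerprint
        elif cmd == "JOIN":
            chan = params[0] if params else trailing
            if chan and chan not in ind["channels"]:
                ind["channels"].append(chan)
            if prefix and "@" in prefix:     # server echo reveals the bot's own address
                ind["bot_host"] = prefix.rsplit("@", 1)[1]
    return ind
```

Calling `extract_c2_indicators(SAMPLE)` returns the server name, the cleartext password, the bot's nick and ident, the channel it joined and the infected host's address, ready to be written up as indicators.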
Now, being the adventurous person I am, I was curious about this botnet. So, I took it upon myself to attempt to connect to the IRC and have a look for myself, hopefully talking to the author of the malware himself. So, I used a web IRC client so that the botnet master wouldn't be able to see my own IP address and possibly launch a DDoS attack against me. I logged in using the password and other information found in the packet capture file, and waited. Every now and then, I would see a user issue commands taking the form of "UDP ". I assumed that he was directing his bots to DDoS the victim with UDP packets. Eventually, I actually started typing, and caught the botmaster's attention. The conversation went something like this:
Me: Hello? Anyone there?
Botmaster: lulz you arnt too smart
Botmaster: u shoulda used a vpn
Me: Don't worry, I'm using a web IRC, so I'm good. So what exactly is going on here?
At this point, I was booted from the chat. I figured my work was done, so I didn't bother reconnecting. A few days later, I checked back in, and the IRC channel and the host itself had gone down. I figure he thought he had been caught, and just shut everything down.
4. Malware Analysis: Conclusions