...is hard work

So, for no apparent reason whatsoever, I decided that I'd run a virtual honeypot on my laptop. Host system is Win XP Pro SP2, and virtual system is Win XP Home SP2. No updates, no firewall on the virtual system--just a snapshot to go back to should someone get too frisky. Closed ports 445 and 137-139 on the host system, and forwarded those ports to my VMware. Enabled file and printer sharing on the virtual machine, shared my entire C drive, got ethereal sniffing on the host machine on the vmware adapter, and all was set. (I couldn't close port 135 on the host machine because WinXP Pro suuuuuucks)

Anyways, it only took just under 10 seconds for the first worm (different IP address, same subnet as my IP) to find my open shares. It simply queried for preset shares (C$, D$, E$, IPC$, etc), and disconnected. The next worm, from a different IP subnet, did the same thing, and disconnected. Multiple worms came and went, querying my shares, and some actually tried to write to my open shares, but for one reason or another, disconnected whilst writing the files.

Then, around 45 seconds after connecting my honeypot to the internet, a worm connected, queried all my shares, and then started writing. And writing. And writing. All the files it wrote started with "eraseme_" and then a random number. I noticed that it was actually trying to start the files themselves, then, after a while, it simply disconnected. I searched for the files that it wrote, but didn't find any until the next day, when I enabled the viewing of system files. In my c:\windows directory, there was a system file named "taskmgr.exe". That's rather odd, because the real taskmgr is in the system32 folder. I executed it.

Ethereal immediately went to hell, as taskmgr.exe connected to an IRC server, got the commands, and started wantonly scanning my "network" for open netbios ports, VNC, and epmap ports at an alarming rate. I almost didn't find where it connected to the IRC server, but once I did, I told it to follow the TCP stream. God, I love ethereal.

First, taskmgr.exe did some DNS queries on a nonexistent domain name. Then, it tried another domain name, and got a good reply--4 IP addresses under 1 domain name. One in the UK, one in Australia, and the other 2 in the US. (I won't mention the IP addresses nor the domain names, since this botnet is still active and growing, I assume.) So, either these IPs are just relays that forward packets to one central server, thereby keeping the IP address and location of the server secret, or the IPs are each their own server, networked together over the internet. Probably hacked without the owners' knowledge, too.

So, the bot connected to an IRC server, or relay, in Australia. This server had most of the IRC code stripped out to save bandwidth. This means that I'm not able to see anything in the channel, except myself, the topic, and the modes of the channel. Finding the key to the room it joined was fun. The key wasn't in ascii, so I had to convert the hexadecimal that ethereal was displaying to decimal, and then convert the decimal to ascii. The fun part immediately became obvious, as the decimal I got from the hexadecimal was a 2, and ascii codes don't go down that far. A friend of mine helped me do the final conversion, and decimal 2 happens to be a bold character. Pressing ctrl+b in mirc will give you the correct character. The channel key was 4 of these bold chars.

Anyways, here's a log of the initial connection and fun stuff (the lines starting with > are from me to him, and < are from him to me):

>NICK [P00|USA|79099813]

>USER XP-2501 * 0 :SSERVER1

<:log.us.sys 001 [P00|USA|79099813] :Cisco

<:log.us.sys 005 [P00|USA|79099813]



<:log.us.sys 422 [P00|USA|79099813] :

<:[P00|USA|79099813] MODE [P00|USA|79099813] :+i

>MODE [P00|USA|79099813]

>JOIN #pp ....

>MODE [P00|USA|79099813]

>JOIN #pp ....

<:log.us.sys 221 [P00|USA|79099813] +i

<:[P00|USA|79099813]!XP-2501@myhostname JOIN :#pp

<:log.us.sys 332 [P00|USA|79099813] #pp :.asc -S -s |.asc rpc135 75 5 0 -b |.asc netbios 75 5 0 -b |.asc vnc 50 5 0 -a -r

<:log.us.sys 333 [P00|USA|79099813] #pp asff 1163525766

<:log.us.sys 353 [P00|USA|79099813] @ #pp :[P00|USA|79099813]

<:log.us.sys 366 [P00|USA|79099813] #pp :End of /NAMES list.

<:log.us.sys 221 [P00|USA|79099813] +i

>PRIVMSG #pp :SC: Sequential Port Scan started on 192.168.0.0:135 with a delay of 5 seconds for 0 minutes using 75 threads.

<:log.us.sys 404 [P00|USA|79099813] <#pp : (#pp)

>PRIVMSG #pp :SC: Sequential Port Scan started on 192.168.0.0:139 with a delay of 5 seconds for 0 minutes using 75 threads.

<:log.us.sys 404 [P00|USA|79099813] <#pp : (#pp)

>PRIVMSG #pp :SC: Random Port Scan started on 192.x.x.x:5900 with a delay of 5 seconds for 0 minutes using 50 threads.

<:log.us.sys 404 [P00|USA|79099813] #pp :


So you have my nick being set to P00, the country, and a random number. My userhost info is my OS-build# * 0 (no idea what the 0 is for) : my NetBIOS name

It "logs" me onto the server, with the password Cisco, sets my usermode to +i (invisible?), and I tell it to let me join a channel, with the key. It joins the channel, gives me the topic (which the zombie prog interprets as a series of commands):

<:log.us.sys 332 [P00|USA|79099813] #pp :.asc -S -s |.asc rpc135 75 5 0 -b |.asc netbios 75 5 0 -b |.asc vnc 50 5 0 -a -r

The first command I don't quite know, the second command tells the zombie to scan my local network for open epmaps (135) (with a delay of 5 seconds, using 75 threads), the third command is to scan my local network for open ports 139 (same as second command), and the last one is for scanning for open VNC ports (this time, using only 50 threads).

Then, the zombie messages the room that it's scanning for those open ports on my local network. The fun part is that I have no local network on my laptop, just a lone honeypot. The firewall on my host machine is configured to block most outbound connection attempts, except for those needed by the zombie to access the servers, so all the traffic generated by the scanning is kept within vmware.




That's it for tonight, I have much more to divulge to your eager eyeballs. It's getting late here, and I want to be alive for work tomorrow
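As an added example (not code from the original post), here is a small detector that walks a captured IRC session like the one above and pulls out the three things the post describes: the [P00|USA|NNNN]-style bot nick, a JOIN whose channel key is made of non-printable 0x02 "bold" bytes, and a 332 topic that is really a pipe-separated list of .asc scan commands. The sample lines are constructed from the post's log, and the ".asc <module> <threads> <delay> <minutes> [flags]" argument order follows the post's own reading of the topic.

```python
import re
from dataclasses import dataclass

# Constructed sample session modelled on the post's log; the JOIN key
# is four 0x02 (ctrl+b, "bold") bytes exactly as the post describes.
SAMPLE = [
    "NICK [P00|USA|79099813]",
    "USER XP-2501 * 0 :SSERVER1",
    "JOIN #pp \x02\x02\x02\x02",
    ":log.us.sys 332 [P00|USA|79099813] #pp :.asc -S -s |.asc rpc135 75 5 0 -b "
    "|.asc netbios 75 5 0 -b |.asc vnc 50 5 0 -a -r",
]

# Nick shape seen in the post: [<prefix>|<country>|<random number>]
BOT_NICK = re.compile(r"^\[[A-Za-z0-9]+\|[A-Z]{2,3}\|\d+\]$")


@dataclass
class ScanCommand:
    module: str        # rpc135, netbios, vnc, ...
    threads: int
    delay: int         # seconds between probes
    minutes: int       # 0 in the post's topic
    flags: list


def parse_asc(cmd):
    """Parse '.asc <module> <threads> <delay> <minutes> [flags]'.
    Returns None for forms without numeric args (e.g. '.asc -S -s')."""
    parts = cmd.strip().split()
    if not parts or parts[0] != ".asc":
        return None
    args = parts[1:]
    if len(args) < 4 or not all(a.isdigit() for a in args[1:4]):
        return None
    return ScanCommand(args[0], int(args[1]), int(args[2]), int(args[3]), args[4:])


def analyse(lines):
    """Return findings: bot-style nick, opaque JOIN key (hex), scan commands."""
    findings = {"bot_nick": None, "opaque_key": None, "scans": []}
    for line in lines:
        if line.startswith("NICK ") and BOT_NICK.match(line[5:]):
            findings["bot_nick"] = line[5:]
        elif line.startswith("JOIN "):
            parts = line.split(" ", 2)          # JOIN <channel> <key>
            if len(parts) == 3 and not parts[2].isprintable():
                findings["opaque_key"] = parts[2].encode().hex()
        elif " 332 " in line and " :" in line:  # RPL_TOPIC carrying commands
            topic = line.split(" :", 1)[1]
            findings["scans"] = [c for c in map(parse_asc, topic.split("|")) if c]
    return findings
```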