Case study #siwa

Botnet Panel

The #siwa botnet

• IRC Botnet monitored for 5 months (+/-)

• The name “#siwa” comes from the irc channel used by the involved malwares

Some IRC backround

• IRC channels are moderated by channel operators• Chan OPs (@nick) have the rights to – give the @ to other users– change the channel topic– kick/ban people from the channel– etc

• The command +M (moderated) stands for only registered nicks (or @operatos) may talk in that channel.

The Dorothy-Drone Log file

0.2 cents Investigation

• Only operators can chage channel settings by use the MODE command. – lets grep “MODE” to see who are the operators

• Ok now we have the Operators (OPs), lets grep them to see what they said

• 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa +o abc• 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa –M• 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa +o Burimi• 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 PRIVMSG #siwa :u seee us eee• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :lol !• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :bots joining• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :.oper• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :i cant se bots• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :oper• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :d• 72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net PRIVMSG #siwa :d• 72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net MODE #siwa +o resit• 72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net MODE #siwa +o Burimi• 72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net PRIVMSG #siwa :4% join

#testing• 72.10.169.26:2293 --> :resit!~tr@admin.siwatech.com PRIVMSG #siwa :4% join

#testing• 72.10.169.26:2293 --> :resit!~tr@admin.siwatech.com MODE #siwa +M

• 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa +o abc• 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa –M

• 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa +o Burimi• 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 PRIVMSG #siwa :u seee us eee

• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :lol !

• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :bots joining• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :.oper• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :i cant se bots• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :oper• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :d

• 72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net PRIVMSG #siwa :d

• 72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net MODE #siwa +o resit• 72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net MODE #siwa +o Burimi• 72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net PRIVMSG #siwa :4% join #testing• 72.10.169.26:2293 --> :resit!~tr@admin.siwatech.com PRIVMSG #siwa :4% join #testing• 72.10.169.26:2293 --> :resit!~tr@admin.siwatech.com MODE #siwa +M

• 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa +o abc• 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa –M• 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 MODE #siwa +o Burimi

• 72.10.169.26:2293 --> :abc!~abc@116.71.172.204 PRIVMSG #siwa :u seee us eee• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :lol !• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :bots

joining• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :.oper• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :i cant

se bots• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :oper• 72.10.169.26:2293 --> :Burimi!~Burimi@79.126.177.232 PRIVMSG #siwa :d• 72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net PRIVMSG #siwa :d• 72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net MODE #siwa +o resit• 72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net MODE #siwa +o Burimi• 72.10.169.26:2293 --> :resit!~tr@58-27-163-244.wateen.net PRIVMSG #siwa :4% join #testing• 72.10.169.26:2293 --> :resit!~tr@admin.siwatech.com PRIVMSG #siwa :4% join #testing• 72.10.169.26:2293 --> :resit!~tr@admin.siwatech.com MODE #siwa +M

:abc: u seee us eee:Burimi: lol !:Burimi: bots joining:Burimi!: .oper:Burimi!: i cant se bots:Burimi!: oper:Burimi!: d

speculations

• It sounds like a customer service.....doesn’t it?

something more?

• Lets see what happens when the moderation was removed ( MODE –M)

Lets say...

• The string look likes :– ({IRCHOST} PRIVMSG #siwa :-04dcom2.04c- 3.

Raw transfer to {IPADDRESS} )• Buffer Overrun In RPC Interface Could Allow

Code Execution (MS03-026)• So in human gergon, it could mean that – {IRCHOST} has infected {IPADDRESS}

Lets say...

• So in human gergon, it could mean that – {IRCHOST} has infected {IPADDRESS}– {IRCHOST} = :IsGGoMJY!~apufsc@e178216081.adsl.alicedsl.de

{NICK} ! ~ {USERHOST} @{HOSTNAME}

• By RFC, every irc userhost has to be UNIQUE– We could enumerate how many UNIQUE host are

infected

Bonus (!?)

• Take a look at this line:• :resit!~tr@admin.siwatech.com PRIVMSG #siwa :4%

join #testing– resit is the nickname of the Operator– admin.siwatech.com is its host name– ....SIWAtech.com !

• yes, the label that I used for this botnet! curious

– The timestamp of this command is “06/02/2009-20:53:54”– ...and the website is still reachable! (02/2011)

The #siwa botnet

#siwa C&C on the map

Conclusions

• Botnet masters were conscious that someone was “spying” into their botnet.

Conclusions

• Botnet masters were conscious that someone was “spying” into their botnet.– botmasters are not stupid.

Conclusions

• Botnet masters were conscious that someone was “spying” into their botnet.– botmasters are not stupid.

• We saw only what they wanted to show us

Conclusions

• Botnet masters were conscious that someone was “spying” into their botnet.– botmasters are not stupid.

• We saw only what they wanted to show us– could this information be reliable?

Conclusions

• Botnet masters were conscious that someone was “spying” into their botnet.– botmasters are not stupid.

• We saw only what they wanted to show us– could this information be reliable? – Why they chose to show their botnet populations?• to show us their p0w3r?

Conclusions

• Botnet masters were conscious that someone was “spying” into their botnet.– botmasters are not stupid.

• We saw only what they wanted to show us– could this information be reliable? – Why they chose to show their botnet populations?• to show us their p0w4h?• ...or just to deceive us?

Conclusions

• Botnet masters were conscious that someone was “spying” into their botnet.– botmasters are not stupid.

• We saw only what they wanted to show us– could this information be reliable? – Why they chose to show their botnet populations?

• to show us their p0w3r?• ...or just to deceive us?

• We should be careful with conclusions...

References

• My Bachelor Thesis –Pg. 89– http://www.honeynet.it/wp-content/uploads/

Dorothy/The_Dorothy_Project.pdf

• All the data are still available and are accessible to the Dorothy WGUI– send me an email for an account– marco.riccardi@honeynet.it