* endellion.me.uk

 

The Hebrews' Botnet

This fine trojan virus was included in a zipped peer-to-peer "warez" download. (One of the perks of sorting other people's computers out for them...)

The original file was called "hacked2.exe" and it installed a stripped-down mIRC under the nomen of "explorer.exe" into C:\temp\system. It beggars belief that anyone would willingly allow programs to run from a temp directory, but soon after Server checks in with the masters it transpires that there are about a thousand of them.

The masters live at ns355195.ovh.net (the DNS query goes out for "microsoft.devilunix.net") and unfortunately they are not using any Latin codepage: Wireshark just gives dots instead of letters. After messing about verifying that it is Hebrew we're dealing with, and installing some Hebrew fonts, I realise that this might make it look prettier, but that I have never actually mastered Hebrew, so it's a pointless task. Dots it is.
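As an added example (not code from the original post), here are the two detection checks a defender would lift from the paragraphs above: a system-binary name running outside %SystemRoot% or from a temp directory, and a DNS lookup that borrows a brand label under an unrelated domain. The event feed, the system root and the brand lists are constructed assumptions; the paths and names come from the write-up.

```python
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: %SystemRoot% of the infected machine
# Names malware likes to borrow; the bot in the write-up posed as explorer.exe.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
BRAND_LABELS = {"microsoft", "windows", "msn", "hotmail"}   # assumption
BRAND_DOMAINS = {"microsoft.com", "windows.com", "msn.com", "hotmail.com"}

# Constructed telemetry: a minimal process-create / DNS-query feed. The first
# two images and the first query are the indicators from the write-up.
EVENTS = [
    {"type": "process", "image": r"C:\WINDOWS\explorer.exe"},
    {"type": "process", "image": r"C:\temp\system\explorer.exe"},
    {"type": "process", "image": r"C:\WINDOWS\system32\svchost.exe"},
    {"type": "dns", "query": "microsoft.devilunix.net"},
    {"type": "dns", "query": "update.microsoft.com"},
    {"type": "dns", "query": "ns355195.ovh.net"},
]

def under_system_root(path: str) -> bool:
    """True if the normalised, case-folded path lives beneath %SystemRoot%."""
    return ntpath.normpath(path).lower().startswith(SYSTEM_ROOT.lower() + "\\")

def check_process(image: str) -> list:
    """Host indicators: a system-binary name outside %SystemRoot%, and any
    executable launched from a temp directory (the bot ran from C:\\temp\\system)."""
    findings = []
    low = ntpath.normpath(image).lower()
    if ntpath.basename(low) in SYSTEM_BINARIES and not under_system_root(image):
        findings.append(f"masquerade: {ntpath.basename(low)} outside SystemRoot ({image})")
    if any(marker in low for marker in TEMP_MARKERS):
        findings.append(f"temp-dir execution: {image}")
    return findings

def check_dns(query: str) -> list:
    """Network indicator: a brand word used as a subdomain label of a domain that
    is not the brand's own, as with microsoft.devilunix.net pointing at the masters."""
    labels = query.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])   # assumption: two-label registrable domain
    borrowed = [lab for lab in labels[:-2] if lab in BRAND_LABELS]
    if borrowed and registrable not in BRAND_DOMAINS:
        return [f"lookalike C2 name: {query} (brand label under {registrable})"]
    return []

def scan(events) -> list:
    """Run both checks over a feed and return every finding in order."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            findings += check_process(ev["image"])
        elif ev["type"] == "dns":
            findings += check_dns(ev["query"])
    return findings
```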

:tomson.lol.net 001 TURQ :Welcome to the lol IRC Network TURQ!casey@87-194-136-23.bethere.co.uk
:tomson.lol.net 002 TURQ :Your host is tomson.lol.net, running version Unreal3.2.7
:tomson.lol.net 003 TURQ :This server was created Fri Jul 13 19:22:25 2007
:tomson.lol.net 004 TURQ tomson.lol.net Unreal3.2.7 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
:tomson.lol.net 005 TURQ CMDS=KNOCK,MAP,DCCALLOW,USERIP NAMESX SAFELIST HCN MAXCHANNELS=15 CHANLIMIT=#:15 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 :are supported by this server
:tomson.lol.net 005 TURQ WALLCHOPS WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=lol CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ EXCEPTS :are supported by this server
:tomson.lol.net 005 TURQ INVEX :are supported by this server
:tomson.lol.net 251 TURQ :There are 1 users and 956 invisible on 3 servers
:tomson.lol.net 252 TURQ 3 :operator(s) online
:tomson.lol.net 253 TURQ 4 :unknown connection(s)
:tomson.lol.net 254 TURQ 6 :channels formed
:tomson.lol.net 255 TURQ :I have 418 clients and 2 servers
:tomson.lol.net 265 TURQ :Current Local Users: 418 Max: 4089
:tomson.lol.net 266 TURQ :Current Global Users: 957 Max: 1160
:tomson.lol.net 422 TURQ :MOTD File is missing

 

One of the first orders is to download some extra files. These are located at http://mesukan.com and called GetSt.exe, kill.exe and run32.exe. Something must have gone wrong, because the ones I get are mere kilobytes and contain only HTML.

The Hebrews are entertaining themselves for the most part by getting the bots to join IRC networks and flooding channels. But they are also using the bots to vote for something I can't read. Every now and again an Internet Explorer page pops up:

[screenshot: web page]

(The website is http://linkim.yo-yoo.co.il/ followed by vote.php?id=792 for the overly curious)

And yet more entertainment for the infected is provided through "!-- run mms://212.150.123.50:4002" (strangely enough, though, it now wants a username and password?!?)

Next up is a download of "su.exe" which is a self-extracting archive to be had from http://02aad38.netsolhost.com/mesukan/

Running it extracts two executables into the C:\temp\system directory: gpvs.exe and pspv.exe. The former gets commanded to run, and the results are written to pspvv.dll. This doesn't happen on server. The purpose of this program is to obtain all stored passwords from Internet Explorer, and all the previous hackers have a) used Firefox and b) not saved any passwords. The results are astonishing. When the bots are commanded to spew the passwords, there are very nearly a thousand of them. They give access to a wide variety of user accounts, from e-mail to porno, from VoIP to warez servers, with a smattering of university logins and online shop accounts. The Hebrews must be having a field day.

As an intriguing sidenote, examining the in-memory image of the running gpvs.exe reveals some details about the original author of this program. Here are the printable strings:

oooooooo
@isual Studio\VB98\C2.E
@*\AC:\Documents and Settings\SpiderMan1.007-77B64580257\Desktop\Dk\MYproject\AutoPSPV\Project1.vbp
\pspv.exe
pspv.exe
prstpv
PSPV
SysListView32
\pspvv.dll
SeDebugPrivilege
URL:
Outlook Account Manager Passwords
@*\AC:\Documents and Settings\SpiderMan1.007-77B64580257\Desktop\Dk\MYproject\AutoPSPV\Project1.vbp
VS_VERSION_INFO

 

Update: two months on

Now it is June 2008, and I have managed to "repair" the Virtual Machine that was running this. We had a power cut a while back, and something seems to have gone wrong. Never mind, we're all good now, and the bot was able to connect right away again.

The masters have moved though. The new address is 202.174.80.170, which appears to be in Australia. The domain "devilunix.net" is now registered by the infamous melbourneit.com, the happy haven of phishermen world-wide.

"For the 5th year in a row we have achieved strong double-digit growth in revenue and profit. The 2007 result reflects continuing organic growth from our five key divisions as well as the impact from a full year contribution from WebCentral. It illustrates our ability to innovate and successfully evolve our business into a global IT services company. In recognition of this performance, the Board has declared a fully-franked final dividend of 7.0 cents, which will be payable on 4 April 2008," said Mr Theo Hnarakis, Melbourne IT CEO and Managing Director.

This is not entirely surprising, as one thing they are not is picky about their customers. I have seen plenty of PayPal-related domain names registered through them. Hell, the Moroccan Hacker himself had a few...

The number of participants in the botnet has shrunk, though. From nearly 1000 it is now down to about 500. It remains to be seen whether this is because all bots have shed a clone.

 

So far, no commands have been issued. We shall see.