Agobot, SDbot, URXbot Sample Commands

Excerpt from http://www.honeynet.org/book/export/html/50

A good look into the basic configurations and commands for three common bots. Given the time frame and the desire to produce admirable results (having to complete a background check, I cannot yet deploy a Honeynet on University property; this should be accomplished by the middle of next week), and having looked at the current research and its various advances and deficits, I am greatly considering looking into the updating behavior and cycles of various botnets. Research in this realm should be very conducive towards better arming IT personnel, in that more effective IDS and IPS systems can be implemented if network admins are more knowledgeable about the evolution and progressive algorithm enhancement of various bots, categorized by attack type, cloning strategy, host IP ranges, lifespan, and update cycle. If a trend emerges in the data gathered that can accurately predict what type of bot is most likely to connect to which one of your ports, and with what command, a much tighter filter can be placed, allowing administrators to better capture the botnet types they desire to study. Research in this realm could also make for more predictable server stability in the long run by providing data for optimized server updating schedules. Of course the desires and objectives of each given party are different, and thus configurations based on acquired data would be user specific. A second realm in which I intend to gather data is on the various bots' ability to remain connected while various port configurations are enacted. I have not yet seen enough satisfying data on this topic; although scanning mechanisms and “most frequent port lists” are known, I want to determine if any of the bots are intelligent enough to connect to more stable ports, either by randomly selecting ports to attempt connection or by algorithmic sequencing. This activity would have to be monitored during a live session with an intrusive bot facing massive disconnections and reopening of ports. Hopefully comprehensible and applicable port sequences do emerge that can help distinguish extremely well-programmed bots and allow for further study into the most elite botnets.

In the following, we cover the more popular commands implemented in the common bots we have captured in the wild. Presenting all the commands is beyond the scope of this paper, as Agobot comes along with over 90 commands in the default configuration.

1. DDoS something
* Agobot
o ddos.stop
stops all floods
o ddos.phatwonk [host] [time] [delay]
starts leet flood
Starts a SYN-flood on ports 21, 22, 23, 25, 53, 80, 81, 88, 110, 113, 119, 135, 137, 139, 143, 443, 445, 1024, 1025, 1433, 1500, 1720, 3306, 3389, 5000, 6667, 8000, 8080

o ddos.phatsyn [host] [time] [delay] [port]
starts syn flood
o ddos.phaticmp [host] [time] [delay]
starts icmp flood
o ddos.synflood [host] [time] [delay] [port]
starts an SYN flood
o ddos.updflood [host] [port] [time] [delay]
start a UDP flood
o ddos.targa3 [host] [time]
start a targa3 flood
Implements the well-known DDoS attack Mixter authored in 1999.

/*
* targa3 – 1999 (c) Mixter
*
* IP stack penetration tool / ‘exploit generator’
* Sends combinations of uncommon IP packets to hosts
* to generate attacks using invalid fragmentation, protocol,
* packet size, header values, options, offsets, tcp segments,
* routing flags, and other unknown/unexpected packet values.
* Useful for testing IP stacks, routers, firewalls, NIDS,
* etc. for stability and reactions to unexpected packets.
* Some of these packets might not pass through routers with
* filtering enabled – tests with source and destination host
* on the same ethernet segment gives best effects.
*/
taken from
http://packetstormsecurity.org/DoS/targa3.c

o ddos.httpflood [url] [number] [referrer] [recursive = true||false]
starts an HTTP flood
This is real nasty since it fetches websites from a webserver.
If “recursive” is set, the bot parses the replies and follows links recursively.
* SDBot
o syn [ip] [port] [seconds|amount] [sip] [sport] [rand] (sdbot 05b pure version)
o udp [host] [num] [size] [delay] [[port]] (sdbot 05b ago version)
o ping [host] [num] [size] [delay]
* UrXbot
o ddos.(syn|ack|random) [ip] [port] [length]
o (syn|synflood) [ip] [port] [length]
o (udp|udpflood|u) [host] [num] [size] [delay] [[port]]
o (tcp|tcpflood) (syn|ack|random) [ip] [port] [time]
o (ping|pingflood|p) [host] [num] [size] [delay]
o (icmpflood|icmp) [ip] [time]
o ddos.stop
o synstop
o pingstop
o udpstop
2. Spreading
* Agobot
o scan.addnetrange [255.255.255.255/32] [priority]
o scan.delnetrange [255.255.255.255/32]
o scan.listnetranges
lists scanned netranges
o scan.clearnetranges
clears netranges
o scan.resetnetranges
removes all netranges from scanner and adds local LAN as scanning range
o scan.enable [scanner]
[scanner] can be one of
Anubis Bagle CPanel DCOM DCOM2 Doom DW Ethereal HTTP Locator LSASS NetBios Optix SQL UPNP WKS
o scan.disable [scanner]
[scanner] can be the same as above
o scan.startall
starts all scanners
o scan.stopall
stops all scanners
o scan.start
starts all enabled scanners
o scan.stop
stops all scanners
o scan.stats
replies stats about exploits per scanner
o scan.host [255.255.255.255[:port]]
If given with port, just tries to exploit the host with the scanners fitting the ports, else all scanners are used.
* SDBot & UrXBot
o (scanall|sa)
o (scanstats|stats)
o scandel [port|method]
[method] can be one of webdav ntpass netbios dcom135 dcom445 dcom1025 dcom2 iis5ssl mssql beagle1 beagle2 mydoom lsass_445 lsass_139 optix upnp netdevil DameWare kuang2 sub7
o scanstop
o (advscan|asc) [port|method] [threads] [delay] [minutes]
3. Downloading files from the internet
* Agobot
o http.download
download a file via HTTP
o http.execute
updates the bot via the given HTTP URL
o http.update
executes a file from a given HTTP URL
o The same commands are also available via FTP
* SDBot & UrXBot
o (update|up) [url] [botid]
o (download|dl) [url] [[runfile?]] [[crccheck]] [[length]]
4. Local file IO
* SDBot & UrXBot
o (execute|e) [path]
o (findfile|ff) filename
o (rename|mv) [from] [to]
o findfilestopp
5. Sending Spam
* Agobot
o cvar.set spam_aol_channel [channel]
AOL Spam – Channel name
o cvar.set spam_aol_enabled [1/0]
AOL Spam – Enabled?
o cvar.set spam_maxthreads [8]
Spam Logic – Number of threads
o cvar.set spam_htmlemail [1/0]
Spam Logic – Send HTML emails
o cvar.set aolspam_maxthreads [8]
AOL Spam Logic – Number of threads
o spam.setlist
downloads list with email-addresses to spam them
o spam.settemplate
downloads an email template
o spam.start
starts the spamming
o spam.stop
stops the spamming
o aolspam.setlist
AOL Spam – downloads an email list
o aolspam.settemplate
AOL – downloads an email template
o aolspam.setuser
AOL – sets an username
o aolspam.setpass
AOL – sets a password
o aolspam.start
AOL – starts the spamming
o aolspam.stop
AOL – stops the spamming
* SDBot
So far, SDBot does not implement dedicated spamming methods, but other options to send spam are possible: the spammer uses the “download” command to download and execute a SOCKSv4/v5 server. The server publishes its IP address and SOCKS port in a file on a webserver. Via this backdoor, spam can be sent.

* UrXBot
o email [server] [port] [srcmail] [dstmail] [mailsubj]
6. Sniffing
* Agobot
Agobot's sniffing is really “advanced”: if you compile the bot with sniffing enabled, it drops a stripped-down libpcap DLL on startup and registers it as a system driver. The sniffing thread then uses libpcre to look out for bot commands.

o HTTP
Commented: Like paypals? ;-D How about cookies? YUMMEH! -rain

Checks for “PAYPAL” “SET-COOKIE”
o SSH
Commented: I don't get the idea, but the famous lsass author Nils contributed this and comments it:
// SSH – works – after the RSA key is sent, the login and pass is sent raw. Believe me. -Nils
Checks for “login as:” “password:” “putty” “SECURECRT”
o CPANEL
Commented: Like configuring Domains ? Here you go ! -Nils
Checks for “cPanel” “Set-Cookie:”
o IRC
Checks for:
“^:(.*)!(.*)@(.*) ((?i)PRIVMSG|NOTICE) (.*) :(.)((?i)login|auth|id|ident|hashin|secure|l) (.*)$”
“^((?i)oper )(.*)”
“^:(.*) 381 (.*) :(.*)”
“^((?i)nickserv identify) (.*)$”
“^:.* ((?i)notice|privmsg) (.*) :Password accepted.*”
Botnet DDoS:
“^:(.*)!(.*)@(.*) ((?i)PRIVMSG|NOTICE) (.*) :(.)((?i)ddos|packet|flood|udp|syn|pfast|coldrage|syn3|syn2|targa|icmp|fuck|random) (.*)$”

o FTP
Checks for:
“^((?i)USER )(.*)”
“^((?i)PASS )(.*)”
“^(230 )(.*)”

o cvar.set sniffer_enabled 1/0
o cvar.set sniffer_channel [destinationchannel]
sets the destinations channel to which the results should be logged
o sniffer.addstring [pcre]
adds a user-defined string to the sniffer
o sniffer.delstring [pcre]
deletes a user-defined string from the sniffer
* SDBot
SDBot's sniffing is based on Windows raw socket listening. Compared to the way Agobot's sniffing is implemented, this way is ineffective and poor: the bot even sniffs its own traffic and recognizes it as sniffed traffic. In addition, SDBot lacks PCRE support and uses strstr() for comparison.

o HTTP Checks for: paypal PAYPAL paypal.com PAYPAL.COM Set-Cookie:
o IRC
Checks for the following strings: :.login :,login :!login :@login :$login :%login :^login :&login :*login :-login :+login :/login :\\login :=login :?login :’login :`login :~login : login :.auth :,auth :!auth :@auth :$auth :%auth :^auth :&auth :*auth :-auth :+auth :/auth :\\auth :=auth :?auth :’auth :`auth :~auth : auth :.id :,id :!id :@id :$id :%id :^id :&id :*id :-id :+id :/id :\\id :=id :?id :’id :`id :~id : id :.hashin :!hashin :$hashin :%hashin :.secure :!secure :.l :!l :$l :%l :.x :!x :$x :%x :.syn :!syn :$syn :%syn CDKey JOIN # NICK OPER oper now an IRC Operator
o carnivore [on/off]
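The sniffer patterns quoted above are a usable starting point for the defender's side of the same problem: spotting herder commands in IRC traffic captured on a honeynet. The following is an added example written for this page, not Agobot's or SDBot's code. It takes the Agobot IRC signatures as printed in this section, rewrites them for Python's re module (PCRE accepts a bare “(?i)” mid-pattern, Python 3.11+ does not), and runs them over a few constructed IRC lines whose flood commands follow the SDBot/UrXbot syntax from section 1. The names IRC_SIGNATURES, classify_irc_line, extract_ddos_target, scan_irc_log and every sample line are assumptions made for this example.

```python
import re

# Sniffer patterns taken from the Agobot IRC signature list quoted above, adapted
# for Python's "re" module: PCRE accepts a bare "(?i)" in the middle of a pattern,
# Python 3.11+ rejects it, so each case-insensitive alternation is written as a
# scoped group "(?i:...)". Capturing-group numbering matches the originals.
IRC_SIGNATURES = {
    "irc-login": re.compile(
        r"^:(.*)!(.*)@(.*) ((?i:PRIVMSG|NOTICE)) (.*) :(.)"
        r"((?i:login|auth|id|ident|hashin|secure|l)) (.*)$"
    ),
    "irc-oper": re.compile(r"^((?i:oper ))(.*)"),
    "irc-nickserv": re.compile(r"^((?i:nickserv identify)) (.*)$"),
    "irc-ddos-command": re.compile(
        r"^:(.*)!(.*)@(.*) ((?i:PRIVMSG|NOTICE)) (.*) :(.)"
        r"((?i:ddos|packet|flood|udp|syn|pfast|coldrage|syn3|syn2|targa|icmp|random)) (.*)$"
    ),
}

# Constructed sample IRC traffic (not captured data). Addresses come from the
# documentation ranges; the flood commands use the SDBot/UrXbot syntax listed in
# section 1, e.g. "syn [ip] [port] [length]" and "udp [host] [num] [size] [delay]".
SAMPLE_IRC_LINES = [
    ":alice!alice@example.net PRIVMSG #study :has anyone read the honeynet paper?",
    ":herder!h@203.0.113.9 PRIVMSG #b0tz :.login s3cretpass",
    ":herder!h@203.0.113.9 PRIVMSG #b0tz :.syn 198.51.100.20 80 120",
    ":herder!h@203.0.113.9 PRIVMSG #b0tz :.udp 198.51.100.20 1000 512 0",
    "OPER herder opassword",
    ":alice!alice@example.net PRIVMSG #study :-l is the long-listing flag for ls",
]


def classify_irc_line(line):
    """Return the names of every signature that matches one IRC line."""
    return [name for name, pattern in IRC_SIGNATURES.items() if pattern.search(line)]


def extract_ddos_target(line):
    """For a line matching the Botnet DDoS signature, pull out the source, the
    channel, the flood keyword and its arguments so an analyst sees who is hit.
    Returns None for lines that do not match."""
    match = IRC_SIGNATURES["irc-ddos-command"].match(line)
    if match is None:
        return None
    # Groups: nick, user, host, PRIVMSG/NOTICE, target, prefix char, keyword, args
    nick, _user, host, _verb, channel, prefix, keyword, args = match.groups()
    return {
        "nick": nick,
        "host": host,
        "channel": channel,
        "prefix": prefix,
        "command": keyword.lower(),
        "args": args.split(),
    }


def scan_irc_log(lines):
    """Run every line through the signature set and return (label, line) hits."""
    return [(label, line) for line in lines for label in classify_irc_line(line)]


if __name__ == "__main__":
    for label, line in scan_irc_log(SAMPLE_IRC_LINES):
        print(f"{label:18} {line}")
    print(extract_ddos_target(SAMPLE_IRC_LINES[2]))
```

Two things the run shows that the pattern list alone does not. First, the last sample line is benign chat, yet it trips the login signature: the pattern only requires one arbitrary character, the letter l, and a space, so any alert built on these signatures needs correlation with channel and sender rather than a bare keyword hit (SDBot's strstr() search for strings like ":.l" is cruder still). Second, the DDoS signature requires a space immediately after the keyword, so it catches the one-word SDBot/UrXbot commands (.syn, .udp) but not the dotted Agobot and UrXbot forms such as ddos.synflood or ddos.syn from section 1; a detector covering those has to add its own patterns.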
7. Cloning
* Agobot
o For some reason our Agobot lacks cloning capabilities
* SDBot & UrXBot
o (clone|c) [host] [port] [channel] [[chanpass]]
o clonestop [clonenumber]
o (c_raw|c_r) [clonenumber] [raw irc command]
o (c_mode|c_m) [clonenumber][some irc mode]
o (c_nick|c_n) [clonenumber] [newnick|$randnick]
o (c_join|c_j) [clonenumber] [channel]
o (c_part|c_p) [clonenumber] [channel]
o (c_privmsg|c_pm) [clonenumber] [dest nick or channel] [msg]
o (c_action|c_a) [clonenumber] [dest nick or channel] [msg]

“Botnet Attack and Analysis” Tynan Wilk

A short paper which discusses the repeated theme of invading IRC chat rooms as a way of attacking and detecting potential and existing botnets. The author provides a sample HTTP GET request and details on how to utilize Google as a detection mechanism for discovering vulnerable targets that are likely to become zombies in the future. The paper reaches its climax with the author discussing a brief synopsis of what exactly happened upon entry into an IRC chat room in which he had the rare chance to actually speak with one of the “Herders” in person. The herder was actually not threatened at all by the presence of the author (in the sense that he was annoyed rather than alarmed), and banned him, leaving him with the statement that the author was a rare and lucky case not to have been infected, but that new attacks were being developed so that one day this luck would eventually fade if the author did not keep up with the technology gap between intruder and victim. Quite a few themes seem to be recurring in these papers, and none of them seem to be indicative of a positive outlook for the future of network security.

New Insights Into the Elimination of Botnets

Lecture: “Botnets: Anticipating Failure” Rick Wesson.

Great lecture about how botnets are run, the internal workings of botnet harvesters, and defense mechanisms against having your personal servers turned into “Zombie” computers and used to extract data as well as perform a myriad of other functions. The rather apocalyptic view probably gives the lecture its name, “Anticipating Failure”; it is a view I personally hold as true about the current status of the lack of security found globally. The lecture goes over a spectrum of key points, very helpful in terms of conducting research in this realm. Topics of interest include: detection systems, proper handling of found botnets inside of a server that you own, legality, and overall devastating systemic failures. The lecture has a great collection of ideas and anecdotes that are rather off center, such as “buy a Mac, it will buy you two extra years”, and does a good job pointing out specific institutions that have been contacted but who repeatedly refuse to come together and create a centralized defense and detection system for dealing with this ever-expanding problem. Regardless of the gaps in strategy that become obvious throughout the lecture in terms of forming such a system, the conclusion is evident: botnets are here, they are real, and they are much more dangerous than most people realize.

“Researching Botnets” Nicolas Albright.

A relatively good paper on the subject of how to defend your network against possible enslavement, and on detection mechanisms. The paper is of a more technically oriented nature and provides a foundational framework for actually going out and being proactive in the realm of botnet research and detection. Included in the paper is a collection of such useful tools as who to contact if a virus is detected and not already registered with the major anti-virus software companies and data collection agencies, and protocol on how to approach IRC chat rooms while raising minimal amounts of suspicion and gathering highly important data. The paper also discusses the mechanics of sniffers, auditing, and other aspects of network security in relation to botnets and the marginalization of the damage done by them.

An Update On The Books I Am Reading With Analysis

“The Art of Intrusion: The real stories behind the exploits of Hackers, Intruders, and Deceivers” Kevin Mitnick, et al.

– This book had many interesting stories about the various exploits of (mostly anonymous) hackers, con artists, and intelligent deceptive people in general. What I found much more interesting, however, is Mitnick's personal take on the various exploits. The book hardly ever actually mentions his own experience in the realm of hacking (an area in which I do very much admire his notorious works), and instead speaks with the tone of a hacker, but a much more grown-up, reformed hacker. Throughout various chapters in the book, it becomes apparent the publishers chose Mitnick (or at least agreed to finance his project) without a definitive clause stipulating whether he had to be an advocate or adversary of the people mentioned. Many times he calls them intelligent. At others, he insults them for using elementary tactics and lacking real skill. He includes segments on proper security protocols to mitigate a range of attacks, with insights ranging from how to prevent social engineering to proper network configuration and architecture.

“Information Security: Principles and Practice” Mark Stamp, et al.

– A very good read, especially for a topic that is usually both very hard to comprehend and boring for the average reader. The book covers a broad range of topics related to the field of computer security and delves into a rather deep segment on cryptography, including biometric security systems and the current statistics in regards to their effectiveness. Probably the most useful of the books I have read, Information Security not only provides coverage of a wide range of fields, but does so in an efficient enough manner that the reader gets a relatively in-depth grasp of the math behind many of the applications in progress, current practices and protocols in information security, and questions that have yet to be answered.

“Computer Security Management” Donn B. Parker.

– Computer Security Management is a text aimed more directly at people who work as business executives and need help determining how to manage their various IT departments. It could also be thought of as a supplementary text or brief introduction into what IT personnel should and should not do in order to optimize security. The segment on what companies should consider “secret information” and what should be declassified made for an interesting and informative read. The section on computer forensics and asset recovery also provided insight into an area of computer security I am not all that acquainted with (more so the asset recovery). The book takes a very firm stance that a rigid “militaristic type approach” be implemented in regards to job titles and their associated privileges. It also goes in-depth into what personnel type is most likely to commit what type of attack, along with preemptive detection techniques and security practices that would stop these potential attacks. This section was most useful in that it was about thwarting an attack rather than covering areas in which I have a larger library of knowledge, such as common attacks and programs.

“Reconfiguring the Firewall” Carol J. Burger et al.

– The title of the book, if taken alone, would be a bad indication of what the actual information within the book is about. Although not directly related to any of my associated topics of research, the book presents a fundamental flaw in today's world of computer security, a relatively large one at that. It does this by depicting (in detail) a grouping of theories and statistical information on why women do not enter the IT fields. Multiple minds are usually better than one, and most well-developed think tanks utilize differing mindsets and personality types; without the perspective of women, a large piece of the defensive puzzle goes missing.

Understanding the Intent of This Blog

This blog is part of a mandatory requirement to keep benchmark updates as to the progress of our research. Being that the field I am conducting research in is very sensitive in nature, I am not sure how well this blog will function. I can, however, state definitively that we will be constructing a Bastion Host or “Box”, and will be letting some of the public try their best at gaining root access. Coming from the opposing standpoint (you decipher what that means exactly), it will be an interesting endeavor for me and the other CS students affiliated with the project. I ask that those who read this blog and decide to attempt to gain access do so with the “Hacker's Mindset” and with the appropriate etiquette (which would include submission of a handle for credit to be given and documentation of how the entire attack was performed). It is rather nice for the IT people to allow for this type of project, and it would be appreciated if things went well.

Research Day 1

Did some reading on the older intrusions, and found contradictory elements in much of the literature, which made me laugh. What's more believable? The account of a 16-year-old defacing the Jurassic Park homepage three days before opening night, then revealing the exploit only to go on to receive a job offer and reject it (this is an account from a book by Mitnick himself and thus gains some credibility in my mind). The second story, by an equally credible author, Schneier, who wrote the widely read “Applied Cryptography” but lacks knowledge of what the real underground culture of hacking is largely constituted of (read Secrets and Lies, a relatively interesting book), says the website was defaced as a marketing ploy to sell tickets. Hard call in my opinion.