Tuesday, September 11, 2012

Disclosure of an interesting Botnet - The Server (Part 2)

So let's try to shed light onto the C&C server.

At first I want again to thank Chae Jong Bin! With his brief network analysis of this botnet, he gave me a solid background.

The first thing you notice when visiting http://xlamzju-lrychj.info is that directory listing was enabled. This gives us the chance to explore its files and folders.
There are a lot of PHP scripts, 3 .dat files and 3 subfolders.

Figure 1: Directory Listing of ".com/.info" unit

Monday, September 10, 2012

Disclosure of an interesting Botnet - The Executable (Part 1)

While searching for another interesting malware sample, I came across a brief description from Chae Jong Bin of a yet unknown botnet. So thanks to him!
I took a quick look into the executable and decided to do further analysis, because the bot is implemented as a Windows service and I haven't analyzed such an executable before.

The first part of this analysis is about the static and dynamic analysis of the executable. Tools used are HxD Hexeditor, MiTeC EXE Explorer, OllyDbg, IDA Pro, Process Explorer and Wireshark. The second part deals with the C&C server(s) and their contents.
What's remarkable is the bot's very small size of just 12 KByte. A few months ago the CSIS Security Group A/S discovered the "World's smallest trojan-banker" and it had a size of 20 KByte, so... :-)

Sample: telnet.exe
Size: 12.288 Bytes
MD5: 44AD16455EFC3051FD00FE73E3BB7E40