Capturing Botnet Malware Using a Honeypot

by L0j1k  (l0j1k@l0j1k.net)

I'm going to show you how to set up a honeypot to capture malware, but first a few ground rules.

This article is not to be interpreted as a how-to about creating or hijacking botnets.  This article is also not to be interpreted as anything but a bit of information.  As such, I can't be held liable for how you use the information.  If you don't know about botnets, do a simple search on Wikipedia.  That should get you started.  I have changed the names of IRC channels, nicks, and forums, as well as the IP addresses for IRC servers, as they aren't needed to show the methodology.  Please keep in mind that people make mistakes; I am not perfect.  Also, there are five hundred million ways or more to do the things described in this article; this is just one of them.  DDoS'ing my site won't make your bots better.  If you see me online, say hi.  On to the article.

In a perfect world, you would have a connection to the Internet that isn't through a carefully supervised network, and most lenient commercial ISPs offer this kind of connection.  You are pretty much out of luck on military bases and in most hotels, but you never know!

There are a number of arguments for using either a physical machine or a virtual host for your honeypot.  For example, it's possible for software to detect the use of virtualization environments like VMware.  Some botnets may be programmed not to infect a host on a virtual machine.

Also, cross-contamination to your physical machine could occur.  However, using a virtual machine allows you to restore your honeypot to a pristine install with a click of the mouse.  This article is written to be independent of the choice you make in this regard.  Whichever route you go, be prepared for the possibility that all the data on the machine hosting the honeypot, and on any other machine on the same network, will get wrecked by some sloppy exploit.  Put the honeypot on its own network segment, with nothing else you care about on it.

You will need a few things before you begin.

You can find all of these with a search on Yandex or Google, or substitute similar utilities with which you are more familiar.

First, Windows 2000 or Windows XP with nothing newer than Service Pack 1.  We're talking virgin, unpatched Microsoft software here.  Your goal is maximum vulnerabilities.

Second, a packet sniffer you are familiar with.  Most sane people use Wireshark, but there are many others out there.  A good project would be to write your own!

Third, the evaluation version of DiamondCS Port Explorer.  This shows you which processes are tied to which ports and which ports are sending and receiving data.

Fourth, Process Explorer by Sysinternals/Microsoft.  This is like Task Manager on steroids.

Fifth, UltraVNC server or another VNC server that you are familiar with.  This isn't necessary but will speed up the infection of your honeypot by botware.

And, finally, a blank Notepad window on another machine, or go old-school and use a pen and paper.

It should be noted that while your machine will be infected regardless, it would be wise to make your honeypot look "lived-in."

Most script kiddies will infect any machine they can, but the more savvy bot herders will avoid a machine that looks like an obvious honeypot.

Your default Windows 2000 Advanced Server installation with the sickly blue desktop won't get nearly the attention that Grandma's home computer would.  Set a different desktop image, and add a few spreadsheets on the desktop listing "account information" or recipes.

Perhaps you also want to have a text file or two with notes from fake company meetings or pictures of the grandkids.  The ideal target for bot herders is a lonely, always-on, corporate workstation that is in use by multiple people.  Think of a print server or the guest machine at the end of the hallway.  Accountability on these types of machines is almost always at a minimum and their tubes to the intarweb are usually huge, which is exactly what the bot herder wants.  If you don't have a fat pipe, make your honeypot look like something your grandparents use to send pictures and email to friends and family.  Dust off those social engineering skills!

Next, unplug the network cable to your honeypot.

This is the only way to be completely certain that you are not on the network.  Install your Windows OS with default settings, and write these settings down in your notepad.

This makes it easier to manage things: trust me.

Change your Administrator password to password.

Install any drivers that you need to operate your hardware.  Install Wireshark, Process Explorer, Port Explorer, and UltraVNC Server.

Change the password for UltraVNC Server to password.

If you are running a server version of the OS, change your passwords for FTP and IIS to password as well.

Disable the Messenger Service (the one behind "net send" popups, not Windows Messenger).  This is not required, but it reduces annoying popup boxes begging you to install malware.

Reboot.

Log in to your honeypot and start Wireshark.

It's always nice to have it refresh the packet list as traffic arrives, so check the "Update list of packets in real time" capture option.  Also start Process Explorer and Port Explorer.

Now, plug your network cable in.  If you have a hardware firewall or router such as that blue Linksys box by your cable modem, you need to log in to it and set its DMZ host to the IP address of your honeypot.  This tells the router to forward every unsolicited inbound connection to the honeypot, with no firewall protection from the router at all.

Perhaps thirty seconds to thirty hours later, your host will be infected.

Some infections are more obfuscated than others, but you can tell that your honeypot has definitely been infected when it starts a lot of outgoing connections on ports 135, 139, or 445 (RPC and SMB), or NetBIOS traffic on port 137.  A lot of infection vectors use these ports, for obvious reasons: a freshly infected host immediately starts hunting for its next victim, so a burst of outbound connection attempts to many different addresses on one of these ports is the signature to watch for.
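Eyeballing the Wireshark window works, but the scanning burst described above is easy to pick out of a capture automatically.  The following is an added example, not code from the original article: it reads a tshark field export (the command in the docstring is the assumed export format), keeps only fresh outbound SYNs from the honeypot to the RPC/SMB ports, and flags any window in which those SYNs fan out to many distinct hosts.  The honeypot address and the sample capture are constructed.

```python
"""Spot the moment the honeypot turns into a scanner.

Added example, not part of the original article.  It expects the capture
exported as tab-separated fields, e.g.
    tshark -r honeypot.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst \
        -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack > conns.tsv
The honeypot address and the sample capture below are constructed, not real.
"""
from collections import defaultdict

INFECTION_PORTS = {135, 139, 445}      # RPC/DCOM and SMB, the classic worm targets
HONEYPOT_IP = "192.168.1.50"           # assumed address of the DMZ'd honeypot


def _build_sample():
    """Constructed capture: a VNC login, a download, then a burst of SMB probes."""
    lines = [
        "1000.0\t10.0.0.9\t192.168.1.50\t5900\t1\t0",    # someone connects to our VNC
        "1000.2\t192.168.1.50\t10.0.0.9\t5900\t1\t1",    # our SYN-ACK, not a new connection
        "1000.5\t192.168.1.50\t198.51.100.7\t80\t1\t0",  # the dropper fetched over HTTP
    ]
    for i in range(20):   # twenty SYNs to twenty different hosts on 445 in ten seconds
        lines.append(f"{1001 + i * 0.5}\t192.168.1.50\t203.0.113.{i + 1}\t445\t1\t0")
    for i in range(3):    # a few probes on 139, too few to call a scan
        lines.append(f"{1012 + i}\t192.168.1.50\t203.0.113.{i + 21}\t139\t1\t0")
    return "\n".join(lines) + "\n"


SAMPLE_CAPTURE = _build_sample()


def _flag(field):
    # tshark prints booleans as 1/0 in older builds and True/False in newer ones
    return field in ("1", "True")


def parse_capture(text):
    """Turn tshark field lines into (time, src, dst, dport, syn, ack) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport, syn, ack = line.split("\t")
        if not dport:
            continue                      # non-TCP frame, irrelevant to connection scanning
        records.append((float(t), src, dst, int(dport), _flag(syn), _flag(ack)))
    return records


def find_scan_bursts(records, honeypot_ip, window=60.0, threshold=10):
    """Windows in which the honeypot SYN'd to >= threshold distinct hosts on one port."""
    targets = defaultdict(set)            # (window start, port) -> distinct destinations
    for t, src, dst, dport, syn, ack in records:
        if src != honeypot_ip or not syn or ack:
            continue                      # only fresh outbound connection attempts
        if dport not in INFECTION_PORTS:
            continue
        targets[(int(t // window) * window, dport)].add(dst)
    alerts = []
    for (start, port), dsts in sorted(targets.items()):
        if len(dsts) >= threshold:
            alerts.append({"window_start": start, "port": port, "hosts": len(dsts)})
    return alerts


if __name__ == "__main__":
    for alert in find_scan_bursts(parse_capture(SAMPLE_CAPTURE), HONEYPOT_IP):
        print(f"t={alert['window_start']:.0f}: {alert['hosts']} hosts probed on tcp/{alert['port']}")
```

Run against the constructed sample it reports one burst: twenty hosts on tcp/445, while the three probes on 139 stay below the threshold.  Against a real export the honeypot's own SYN-ACK replies to inbound scans are excluded by the ack check, so inbound noise from other infected hosts does not trigger it.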

Although your host is compromised, it will probably be infected with a simple mailer Trojan or a worm instead of a bot.

Either way, you have malware to examine.  At this point, you have a couple of options.

You can immediately disconnect your honeypot from the network as you have what you need.  You could also leave your host running and capture the traffic using Wireshark.  This is recommended if you want to ensure that you will be infected by a bot and to observe someone sending commands to bots.

Beware, however, that if you leave your honeypot connected to the network for an extended period, you will likely get flagged by your ISP for all that excessive traffic.  If you are having trouble getting your honeypot infected, it certainly helps to install programs like Microsoft SQL Server 2000, Exchange Server 2000, or Outlook Express.

Use default settings and passwords.  The goal here is to increase the number of vulnerabilities on your machine.

Note that by using VNC, your honeypot will be infected pretty quickly.  However, it will likely be attacked by a real human being instead of a bot.

VNC allows a person to remotely operate your computer as if they were sitting in front of it.  Therefore, you want to obfuscate the fact that you are running Wireshark, Port Explorer, and programs like that.

If the hacker spots any of these programs, it will send up huge red flags.  He or she will likely leave your honeypot alone and possibly report your IP to his or her friends as a honeypot.  Keep your programs minimized, or, at the very least, keep them in the System Tray.

Leave your honeypot alone; you don't want to keep screwing with the mouse every five minutes, because this will scare the attacker away if he sees it.

Whatever decision you make about how much malware to collect, you need to preserve as much of the infection as possible.  This means that you need to identify which files were uploaded to your honeypot, what those files did to your honeypot, and how to store those files so you can look at them later in a sterile environment.

Viewing which processes are connecting to strange ports by using Port Explorer and identifying those files are good places to start, but you might miss a few DLL or INI files that go with the main executable.

On a default installation of Windows with a relatively tiny number of files, the simplest way to find everything involved is to search your machine for every file on the hard disk.

Go to "Start -> Search -> All files and folders -> *.* ", and then sort by modification date by clicking "Date Modified" twice to summon a list of likely suspects.

These instructions will probably generate a few letters giving far more efficient and clever ways to do this and listing everything that's wrong with this way and why.  I suggest that the newbie reader find and read a few of those letters to improve upon this method.  It probably wouldn't hurt the old pro to take a look, as well.

Ensure that you have a clean medium to store these little nasties!

I can't impress upon readers enough that you shouldn't be using your roommate's backup drive, your personal USB thumb drive, or a network share to store all this malware!  You are flirting with disaster by mixing the two worlds of honeypot and personal network.  The best way to do this would be to find a virgin USB thumb drive or to start writing them to CD. Store each instance of malware in its own directory.
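The "search for *.*, sort by Date Modified" pass and the "one directory per sample on a clean medium" rule above can be done in one go.  The following is an added example, not code from the original article: it walks the system drive for files modified since the moment you plugged the cable in, hashes each one, copies it under an evidence directory with the hash in the name, and writes a manifest.  It assumes a Python interpreter is available on the honeypot (or on a live CD you boot it from); the drive letters, timestamp and label in the usage line are assumptions.

```python
"""Find what an infection dropped and copy it, hashed, to a clean medium.

Added example, not part of the original article.  Run it on the honeypot
right after you pull the cable, pointing `root` at the system drive, `since`
at the time you plugged the cable in, and `evidence_dir` at the fresh USB
stick or CD staging directory (never a path under `root`).  The label and
the paths in the usage line are assumptions.
"""
import hashlib
import os
import shutil
import sys
import time


def recently_modified(root, since):
    """Every file under root whose modification time is at or after `since`."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue               # locked by the bot or already gone; move on
            if st.st_mtime >= since:
                hits.append((path, st.st_mtime, st.st_size))
    return sorted(hits, key=lambda h: h[1])


def sha256_of(path):
    """Streamed SHA-256 so a multi-megabyte archive does not get read in one gulp."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_samples(root, since, evidence_dir, label):
    """Copy each recent file into evidence_dir/label and write a manifest there.

    Returns the manifest as a list of dicts so the caller can check the result.
    """
    dest = os.path.join(evidence_dir, label)
    os.makedirs(dest, exist_ok=True)
    manifest = []
    for path, mtime, size in recently_modified(root, since):
        digest = sha256_of(path)
        # Prefix the copy with its hash so two droppers with the same name cannot
        # collide, and append .bin so nobody double-clicks it on the analysis box.
        copy_name = digest[:16] + "_" + os.path.basename(path) + ".bin"
        shutil.copy2(path, os.path.join(dest, copy_name))   # copy2 keeps the timestamps
        manifest.append({"sha256": digest, "size": size, "mtime": mtime, "original": path})
    with open(os.path.join(dest, "manifest.txt"), "w") as f:
        for m in manifest:
            stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(m["mtime"]))
            f.write(f"{m['sha256']}  {m['size']:>10}  {stamp}  {m['original']}\n")
    return manifest


if __name__ == "__main__":
    # Assumed usage:  python collect.py C:\ 2004-03-02T10:00 E:\evidence tardbot-001
    root, stamp, evidence, label = sys.argv[1:5]
    since = time.mktime(time.strptime(stamp, "%Y-%m-%dT%H:%M"))
    for entry in collect_samples(root, since, evidence, label):
        print(entry["sha256"], entry["original"])
```

Treat the result as a first pass, not proof: modification times are trivial for malware to forge, and a bot that deleted its own installer (as TardBot does) leaves nothing for a file walk to find, which is why the packet capture and Port Explorer's process-to-port view still matter.  The hashes in the manifest are what you compare against later when a second honeypot turns up the "same" sample.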

I'm going to show you how I observed and dissected an example bot that I took from my infected honeypot.  This analysis concerns just one variety of bot, which I will call TardBot.

The instance of TardBot that I grabbed for this analysis was installed on a machine that was running VNC with very default login credentials.  The hacker who infected my honeypot used other bots to scan various IP address ranges looking for computers running a VNC server with weak login credentials or an older, exploitable version of the server.

According to my sniffer logs, his bots first scanned the honeypot on VNC's TCP port 5900 about fourteen hours before he arrived personally.  There was repeated scanning of the honeypot on the VNC port, spaced about an hour and a half apart, perhaps to check uptime.

Though there is generally a trend for hackers to do their work during the night at the host location, this hack was done at 10:15 am on a Tuesday morning local time.  This is perhaps not the smartest move the attacker could've made, considering that the honeypot was disguised as a corporate workstation.

He logged in to the honeypot and opened Internet Explorer, and then navigated to a rooted webserver with a .ro domain, where the hacker stored one of his botware executables.

After the executable was downloaded, he ran it via "Start -> Run".  That's it.  The hacker then logged off, not even bothering to remove his work from the browser's history list.  The executable was a dropper, a small and simple application that downloaded the rest of his botware to C:\Windows\Temp.  According to the sniffer logs, the main botware was downloaded from a different rooted webserver than the dropper.

TardBot is actually a set of bare-bones utilities working together instead of just one executable.  You will find that this is a very common practice, since a lot of people running botnets lack any real computer skills; they are thus incapable of writing, or too lazy to write, their own programs.  Because of this, they use prepackaged bot kits readily available in a variety of places.  You would not be mistaken in calling them script kiddies, though, like any community, this field has a number of very intelligent and experienced hands doing business in it.

TardBot is packaged in an executable archive approximately 2.5 megabytes in size.  I ran this archive several times on a disconnected, vanilla Windows installation to analyze how it embedded itself in the honeypot.

Once downloaded, TardBot is executed by the dropper.  If the honeypot was infected automatically by a Windows exploit instead of through VNC, there would be no visible evidence that the machine was compromised.  The installation itself is almost completely transparent.

To the average office worker or grandmother, the whole process would go by so quickly that they probably wouldn't think twice about it.  Depending on the purpose of the bot, the user may notice a slowdown of the computer or the network.  Think how many times you've heard someone mention that their computer is "running slow."  Malware can be a significant cause of this problem.

The executable archive dropped several executables, their associated INI and DLL files, and a batch file into the same directory that it was downloaded to.

Next, the archive ran the batch file, which I will call PWNED.BAT.

It is the heart of the installation procedure.  It first ran a small application that added values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for an FTP server and for the main bot, so that both would start with Windows.

It then conducted a silent installation of Serv-U, an FTP server commonly used by bot herders.  The INI files associated with it were custom-written with accounts and passwords which the hacker would know.  After the installation completed, PWNED.BAT started the main bot application, which itself ran another application on startup, a "guardian" program that made sure the main bot program was running and would start it otherwise.

The last thing PWNED.BAT did was to clean up after itself by deleting the dropper, the TardBot executable archive, the Serv-U installation files, and itself.  TardBot was now fully functional.
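Once the batch file has cleaned up, the Run values it planted are the most durable trace of the install, and they are exactly what the "Date Modified" search will not show you.  The following is an added example, not code from the original article: it parses a regedit export (File -> Export; REGEDIT4 format on Windows 2000, "Version 5.00" on XP) and flags any autostart entry whose executable lives in a temp directory, which is where TardBot's pieces ended up.  The sample export, the value names and the list of suspect directories are constructed assumptions.

```python
"""Audit the registry Run keys from a regedit export for bot-style persistence.

Added example, not part of the original article.  Feed it an export of
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion made with
regedit (File -> Export).  The sample export below is constructed and the
value names are made up.
"""
import re
import sys

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Directories a legitimate autostart has no business living in (assumption; tune for your image).
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\temp\\", "\\recycler\\")

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"svchosts"="C:\\WINDOWS\\Temp\\svchosts.exe"
"ServUDaemon"="C:\\WINDOWS\\Temp\\ServUDaemon.exe -silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"""

# "name"=value  or  @=value (the key's default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Map each [key path] to a dict of its values (strings unescaped, others raw)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue                  # hex continuation lines etc.; not what we are after
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        value = m.group(2)
        if value.startswith('"') and value.endswith('"'):
            value = _unescape(value[1:-1])
        keys[current][name] = value   # dword:/hex: values are kept as written
    return keys


def executable_path(command):
    """Pull the program path out of a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]   # unquoted paths containing spaces are a known gap


def audit_run_keys(keys):
    """Autostart entries whose executable sits in one of the suspect directories."""
    wanted = {k.lower() for k in RUN_KEYS}
    flagged = []
    for key, values in keys.items():
        if key.lower() not in wanted:
            continue
        for name, command in values.items():
            path = executable_path(command)
            if any(d in path.lower() for d in SUSPECT_DIRS):
                flagged.append({"key": key, "name": name, "command": command, "path": path})
    return flagged


def load_reg_export(path):
    data = open(path, "rb").read()
    if data.startswith(b"\xff\xfe"):      # XP's regedit writes UTF-16LE with a BOM
        return data.decode("utf-16")
    return data.decode("latin-1")         # REGEDIT4 exports from Windows 2000 are ANSI


if __name__ == "__main__":
    text = load_reg_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for hit in audit_run_keys(parse_reg_export(text)):
        print(f"{hit['key']}\n    {hit['name']} = {hit['command']}")
```

On the constructed sample the two temp-directory entries are flagged and the VMware Tools tray (a legitimate autostart on a virtual honeypot, and a VM giveaway to a herder, as noted earlier) is not.  A tighter version diffs the export against one taken from the pristine install before the cable went in, which catches entries in any directory; the directory heuristic is the fallback when you skipped that baseline.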

The main bot application connected to several different IRC servers and joined at least one password-protected channel on each server, as determined by the custom-written INI files.

It is important to note that a plaintext file with server, username, and password information can have any extension, even EXE, so don't judge a dropped file by its extension; open it in a hex editor or text viewer.

IRC is by far the most common protocol used to link individual bots to their masters and to other bots.  The great benefit (or drawback) of using IRC is that anything sent to a channel is delivered by the server to everyone in it.  Much like Ethernet on a shared segment, the individual computer or bot determines which messages are intended for it and ignores all others.  Your honeypot is in the channel, so every command the herder sends, and every message other bots send back, shows up in the clear in its TCP stream.  Note that the same PRIVMSG command carries both channel messages and one-to-one messages; only the latter, addressed to a specific nick, will not reach you.

In this way, it becomes possible to catch the many different commands used to control the bots, as well as any chat text which the hacker might conduct among friends in the bot channels.  This is an extremely interesting glimpse into the bot herder culture.
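Because the bot's IRC session is plaintext, the server password, the channel key and the herder's commands can all be lifted straight out of Wireshark's "Follow TCP Stream" output.  The following is an added example, not code from the original article: a parser for the IRC line format (optional :prefix, command, parameters, optional :trailing text) applied to a constructed client/server exchange.  The server name, nicks, channel, passwords and the bot command words are all made up, and the assumption that bot commands start with a punctuation prefix is just that, an assumption to tune against your own capture.

```python
"""Pull C&C details out of a bot's IRC session as seen on the honeypot's wire.

Added example, not part of the original article.  Input is a constructed
client ("C") / server ("S") exchange of the kind you would paste out of
Wireshark's Follow TCP Stream; every name, password and command in it is
made up.
"""

# Assumption: this bot's commands start with one of these characters.
COMMAND_PREFIXES = (".", "!", "$")

SAMPLE_STREAM = [
    ("C", "PASS s3rv3rp4ss"),                            # server password from the INI file
    ("C", "NICK [USA|XP|184322]"),
    ("C", "USER xp 0 * :xp"),
    ("S", ":irc.example.net 001 [USA|XP|184322] :Welcome to the network"),
    ("C", "JOIN #ch4n ch4nk3y"),                          # channel plus its key
    ("S", ":[USA|XP|184322]!xp@198.51.100.23 JOIN :#ch4n"),
    ("S", ":herder!h@bnc.example.net PRIVMSG #ch4n :.login h3rd3rp4ss"),
    ("S", ":herder!h@bnc.example.net PRIVMSG #ch4n :.scan 445 100 3"),
    ("C", "PRIVMSG #ch4n :[SCAN]: Scanning 203.0.113.0/24 on port 445"),
    ("S", ":herder!h@bnc.example.net PRIVMSG #ch4n :lol look at them go"),
    ("S", "PING :irc.example.net"),
    ("C", "PONG :irc.example.net"),
]


def parse_irc_line(raw):
    """Split one IRC line into prefix, command and parameter list.

    Format: [':' prefix ' '] command {' ' param} [' :' trailing]
    The trailing parameter may contain spaces and colons, so split on the
    first ' :' only.
    """
    line = raw.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    command, params = parts[0], parts[1:]
    if trailing is not None:
        params.append(trailing)
    return {"prefix": prefix, "command": command, "params": params}


def extract_c2(stream):
    """Walk a (direction, line) stream and collect what the bot herder would not
    want you to have: credentials, channels, commands and channel chatter."""
    info = {"server": None, "server_pass": None, "nick": None,
            "channels": {}, "commands": [], "chat": [], "replies": []}
    for direction, raw in stream:
        msg = parse_irc_line(raw)
        cmd, p = msg["command"], msg["params"]
        if direction == "C" and cmd == "PASS":
            info["server_pass"] = p[0]
        elif direction == "C" and cmd == "NICK":
            info["nick"] = p[0]
        elif direction == "C" and cmd == "JOIN":
            chans = p[0].split(",")
            keys = p[1].split(",") if len(p) > 1 else []
            for i, chan in enumerate(chans):
                info["channels"][chan] = keys[i] if i < len(keys) else None
        elif cmd == "001":
            info["server"] = msg["prefix"]            # the server names itself in the welcome
        elif cmd == "PRIVMSG":
            sender = msg["prefix"].split("!")[0] if msg["prefix"] else info["nick"]
            target, text = p[0], p[-1]
            if direction == "C":
                bucket = "replies"                    # what our bot reports back
            elif text.startswith(COMMAND_PREFIXES):
                bucket = "commands"                   # what the herder tells the bots
            else:
                bucket = "chat"                       # the herder and friends talking
            info[bucket].append((sender, target, text))
    return info


if __name__ == "__main__":
    found = extract_c2(SAMPLE_STREAM)
    print("server:", found["server"], "pass:", found["server_pass"], "nick:", found["nick"])
    print("channels:", found["channels"])
    for sender, target, text in found["commands"]:
        print(f"command  {sender} -> {target}: {text}")
    for sender, target, text in found["chat"]:
        print(f"chat     {sender} -> {target}: {text}")
```

Everything the script recovers here (server, server password, channel and key, the login and scan commands, the herder's chatter) is exactly the information the INI files on disk hold, which is why the capture and the dropped files should agree with each other; a mismatch means the bot pulled updated settings from somewhere you have not found yet.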

The instance of botware infecting the honeypot in this case was not for sending email spam, and it did not noticeably diminish performance.  From the logs, it was apparent that TardBot was scanning, but that it was doing so at a throttled pace so as to prevent detection.  During the approximately four days that TardBot was left running, the instance on the honeypot was used variously for FTP storage, scanning and DDoS'ing IRC and web servers.

Be aware that the infection you capture may be entirely different in form, function, and level of sophistication.  Some cutting-edge bots use encryption to hide the traffic used to control them and are entirely custom-built by experienced programmers.  Most of these advanced hackers are making money through their botnets rather than flooding websites or other IRC servers.  Dissecting these bots is an altogether more complex and entertaining experience.

That's all.  I hope you've managed to learn at least something.  If not, I hope you were at least entertained for a few minutes.

Shouts to bee, shea and his crew, arik, the culprit, everybody from ER and MUME, and the wet blanket from flavor co.  Also, I'm adding the following resource for Americans, which is a compilation of different states' computer laws: www.ncsl.org/programs/lis/CIP/hacklaw.htm
