Analysis of litmus backdoor trojan
by John C. Hennessy <johnhat_private>

A few weeks ago I noticed a large number of clients showing up on an IRC server I run. The connections were almost all from different IPs and had nicknames such as 0wn3d[#], hOt-# and cheap-#, in the channel #hellz-net. Upon closer inspection I found that all these "clients" were in fact computers infected with the litmus backdoor trojan. A CTCP VERSION request to the clients returned this:

    Litmus 2.03 (C)2001 The Litmus Group :(random quote)

I kept an eye on the bots until the "owner" of them came online, issued a few commands and moved them.

    chazza!elite@210-55-38-7.dialup.xtra.co.nz
    <Chazza> .ident pure-l33t
    <Chazza> .reload

All the bots then signed off and went to another IRC network. Two bots remained connected to my server however, in #hellz-net1 and #hellz-net2. After some server config changes I masked a client onto my server as the same nick!user@host as the "owner" of the botnet.

    20:57 | Chazza (elite@210-55-38-7.dialup.xtra.co.nz) (New Zealand)
    20:57 20: server : TrendPimp.US.AfterNET.Org (Baltimore, MD [You must listen])
    20:59 Chazza [elite@210-55-38-7.dialup.xtra.co.nz] has joined #hellz-net2
    20:59 Topic (#hellz-net2): Eddie lives somwhere in time!
    20:59 Topic (#hellz-net2): set by hOt-4736 at Mon Feb 25 17:57:11 2002
    20:59 [Users(#hellz-net2:2)]
    20:59 [ Chazza ] [ VitaPup ] [@hOt-4736 ]
    20:59 ωνω Channel #hellz-net2 was created at Mon Feb 25 17:59:54 2002
    20:59 <Chazza> .ident pure-l33t

The clients return the following if authentication is successful:

    20:59 -hOt-4736(Dots@lsanca2-ar29-4-62-162-006.lsanca2.vz.dsl.gtei.net)- Nice try lamer... Your ip (4.62.162.6) is being automatically sent to the admin and you will be band of this server

Here is a list of the commands I was able to discover from the 2 bots left on my server. I also obtained a binary infected with the trojan and did a strings on it.
Public (in-channel) commands:

    .ident <password>
    .raw <raw output to irc server>
    .reload
    .pwd (gives cached passwords)
    .download (unsure)
    .ping (unsure, pings something I guess)
    .die
    .del <file> (delete a file)
    .regdelval <value> (delete registry value, I think)
    .exec
    .killchat
    .sockclose
    .link <ip> (link to a hub or something. It seems these trojans can all be linked together somehow)
    .hub (Not sure)
    .invite (Not sure)

Additionally, commands can be accessed via DCC chat to the trojaned client:

    21:09 [dcc(CHAT)] Cheap-30243
    21:09 ωνω DCC CHAT with Cheap-30243[66.130.77.50:1311] established
    21:09 [Cheap-30243(dcc)] DrGreen was here...
    [dcc(Cheap-30243)] dir
    [Cheap-30243(dcc)] 0b .
    [Cheap-30243(dcc)] 0b ..
    [Cheap-30243(dcc)] FJEAR32.EXE 36384b fjear32.exe   <----- this is the trojan's exe

Files can be sent to the trojan via DCC send and then executed with the exec command in DCC or channel.

DCC commands:

    pwd (working directory, usually the dir of the trojan, which is c:\windows\litmus in this case)
    dir (dir list)
    path (trojan's working path)

There are more commands but I didn't get a chance to play around with them as much as I'd have liked to.

Here is the strings output from the trojan exe:

PONG %s PING USER %s 127.0.0.1 127.0.0.1 %s NICK %s 120 %s %u %s Accept: */* (Download Thread): File %s downloaded in %u seconds (Download Thread): InternetReadFile() failed file creation failed (Download Thread): InternetOpenUrl() failed (Download Thread): InternetOpen() failed Microsoft Virii Downloader (Download Thread): Local File :%s (Download Thread): Remote Url :%s http:// (Download Thread): Thread Has Started... S Litmus 2.03 . NICK PING JOIN DrGreen was here...
S %s %s%d %s VERSION TIME PING FINGER debug.txt quit : 0,1LITMUS File not found Error Changing Directory %s : USERID : UNIX :%s QUIT :Litmus II - Dead Server PING :bleh path %s %s%s %s Unable to delete %s %s Deleted %s %sb %s [%.2d:%.2d:%.2d]: %s (SERVEROUT): Caught SOCKET_ERROR, reconnecting (SERVEROUT): %s TOPIC %s :^errOr^ should be JAILED LOL! MODE %s +smk %s USER %s localhost localhost :%s %s %s%d PART %s part JOIN %s .clones PRIVMSG %s :take out the http:// http// .download QUIT :Boom ya got me! .die PRIVMSG %s :Error Deleting %s PRIVMSG %s :%s removed .del .ping NOTICE %s :unable to delete vaule NOTICE %s :value deleted .regdelval PRIVMSG %s :negative houston QUIT :Brb .reload PRIVMSG %s :(HUB): ERROR PORT IN USE! PRIVMSG %s :(HUB): Listing on %u ; Sockid: %u .hub LINK TO: %s:%u .link NOTICE %s :RegDeleteKey() failed NOTICE %s :key deleted .regdelkey %s %s %s %s .raw PRIVMSG %s :Error Running %s PRIVMSG %s :File Not Found PRIVMSG %s :%s ran ok open .exec .killchat .sockclose INVITE %s %s .invite NOTICE %s :Non Resovable host NOTICE %s :quit the other oj first load nick %s nick quit join %s join NOTICE %s :Stopped sending file file clear NOTICE %s :On Connect: %s NOTICE %s : (OJ Msg): %s NOTICE %s :Files sent: %u PRIVMSG %s :Files sent: %u sent stain .pwd (PARSE): %s!%s@%s is now a master NOTICE %s :Nice try lamer... Your ip (%s) is being automatically sent to the admin and you will be band of this server .ident PRIVMSG PRIVMSG %s :%s %u LITMUS MODE %s -o+b %s *!*@%s KICK %s %s NOTICE %s :Asshole MODE %s -b *!LITMUS@%u MODE %s +k %s MODE JOIN NICK JOIN %s %s PRIVMSG %s :HELP! I AM possesed! PART PRIVMSG %s :Thanks alot asshole... JOIN %s %s KICK QUIT NOTICE %s: error: INVALID_HANDLE_VALUE SEND NOTICE %s :resume requests are not supported! 
RESUME NOTICE %s :Try .killchat CHAT NOTICE %s : FINGER WINDOWS %s %u.%u %s BUILD#: %u Uptime: %u seconds MODE %s +o %s NOTICE %s : VERSION %s (C)2001 The Litmus Group :%s NOTICE %s :%s %s NOTICE %s : TIME %s MODE %s +i MODE %s -kw %s %s %s PONG PONG%s PONG :SERVER (CONNECTBOT): Computer is in offline mode (CONNECTBOT): Non resolvable host (CONNECTBOT): Resolved %s to %s (CONNECTBOT): Were online, Connecting... Server socket closed... success (BOT): Undefined Connect Error: %s (BOT): Connection Attempt Timed out (BOT): Connection Refused %s %s%d%s USER %s 127.0.0.1 127.0.0.1 :%s PASS %s (BOT): Connection Established unknown wishing LTM-II Error! Window Registration Failed! PRIVMSG %s :%s (INSTALL): finished installing... (INSTALL): Regkey Failed (INSTALL): [Key Set Failed] %s Size+1: %u (INSTALL): [Key Set Ok] %s Size+1: %u LTM2 (INSTALL): RegKey Generated Ok Software\Microsoft\Windows\CurrentVersion\Run (INSTALL): File Copy Failed (INSTALL): File Copy Success (INSTALL) Source File: %s (INSTALL) Target Exe: %s Installing... (COMMAND LINE): %s (WndProc): [WM_CREATE] Bot Started.... %s%s RegisterServiceProcess kernel32.dll \litmus mypic.exe Barbara NOTICE DrGreen :Help me liam (WndProc): WM_CLOSE *Poof* QUIT :(WndProc): WM_ENDSESSION (WndProc): WM_ENDSESSION *slam*! I think I heard a shot The only thing worse than not knowing the truth is ruining the bliss of ignorance. Server owners, admins, and IRCops are not responsible for anything found on this network Fuck a cadilliac, Survive All my life I wanted a computer, now all I want is my life back. -async Where ignorance rains, life is lost Fight the war, FUCK the norm! names MacGuyver Empty your pockets son One mind, Brute Force, and full of money come and play, come and play - forget about the movement Anger is a gift For great justice... I don't wanna hassle with making linux partitions. 
I want it done automagically -ColdFyre Even a broken watch is right twice a day Fuck the G-Ride i want the machines that are making them You need to drop this "Dont give a shit" attitude What a peice of shit The world is yours... We dont need the key we will break it Damn Straight nah fuck it, turn it off my isp takes it rather seriously actually im talking about the massive amount of emails you guys sent me this should be fun i love lamers who play stupid dont you barb means someones did a bit of exploiting so what are we gonna do about this? i plan on taking a bit of action speak of the devil All eyes never on a floppy disk They rally round your family with a pocket full of shells Get the fuck out the commode with the sure shot, sure to make your body drop YOU GOT A BULLET IN YOUR FUCKING HEAD Your brain dead... you got a fucking bullet in your head Buying all the products that there selling you Play it again and again and rewind the tape No Escape from the Mass Crime Rate Just Victims of the in house drive-by, they say "jump", you say "how high?" They dont gotta burn the books, they just remove them **NOTICE** If you cannot get your IRCD to work, please ask us in the channel... while waiting for a reply please sit down and read the book we included: it is a spanish story about a guy named "Manual" -devdev I give a shot out to the living dead A yellow Ribbon instead of a swastika Eddie lives somewhere in time InternetGetConnectedState(); TerminateThread(); it was like "do not use this product because it will probably kill you" -Butter "i have a fast computer, my computer can complete an infinate loop in 5 minutes" -Cyrix employee from M$ Sorry this ones taken! (HUB): Dead Socket (link): Error! (link): Connected (LINK): Connected! 
(LINK): lost link (link): FD_CLOSE (LINK): %s PRIVMSG %s :%s n %s i %s %s %s %s NOTICE %s :%s (OJ): JOINS: %s!%s JOIN :~@ PONG :bleh PING USER %s localhost localhost %s NICK %s notice %s :No Passes Found =( notice %s :Function doesnt exist! WNetEnumCachedPasswords NOTICE %s :Couldnt load mpr.dll!

------------------------------------------------------------------

After tracking the botnet to Undernet, and then DALnet, I found that the hostmask for the botnet "master" was set to *!*elite@*, meaning anyone with the ident elite and the proper password could authenticate. I joined the channel with the bots in it on DALnet and authenticated with them:

    22:07 ωνω chazza [eliteat_private] has joined #hellz-net
    22:07 ωνω Topic (#hellz-net): Eddie lives somwhere in time!
    22:07 ωνω Topic (#hellz-net): set by Cheap-23689 at Tue Feb 26 03:11:02 2002
    22:07 ωνω [Users(#hellz-net:25)]
    22:07 [ chazza ] [@Cheap-6548] [@hOt-7405 ] [@Cheap-3092] [@Cheap-2550]
    22:07 [@Cheap-1103] [@Cheap-2452] [@Cheap-2960] [@Cheap-3226] [@Cheap-2256]
    22:07 [@Cheap-429 ] [@Cheap-3111] [@Cheap-1079] [@Cheap-2990] [@Cheap-2114]
    22:07 [@Cheap-8177] [@Cheap-8888] [@Cheap-2007] [@Cheap-2676] [@Cheap-7131]
    22:07 [@Cheap-6838] [@Cheap-1151] [@Cheap-2055] [@Cheap-2810] [@Cheap-1317]
    22:07 ωνω Channel #hellz-net was created at Tue Feb 26 03:10:57 2002
    22:07 ωνω BitchX: Join to #hellz-net was synched in 1.122 secs!!
    22:07 <chazza> .ident pure-l33t
    22:07 -Cheap-25508(~1911@calnet4-116.gtecablemodem.com)- Nice try lamer... Your ip (207.175.227.116) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-8888(Tyke@24-127-123-40.we.client2.attbi.com)- Nice try lamer... Your ip (24.127.123.40) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-21142(~IANat_private)- Nice try lamer... Your ip (138.234.186.46) is being automatically sent to the admin and you will be band of this server
    22:07 -hOt-7405(~sesh@net206-162-107.xu.edu)- Nice try lamer... Your ip (206.21.162.107) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-8177(~jakeat_private)- Nice try lamer... Your ip (216.207.95.31) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-6548(~oOPonyOBoat_private)- Nice try lamer... Your ip (24.64.42.137) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-28105(Alexat_private)- Nice try lamer... Your ip (68.80.92.72) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-10791(~Shaneat_private)- Nice try lamer... Your ip (192.168.0.2) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-1151(jsweetpharat_private)- Nice try lamer... Your ip (24.218.156.167) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-32260(~Defaultat_private)- Nice try lamer... Your ip (192.168.1.100) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-13175(Christophe@ool-18bc5f-184.dyn.optonline.net)- Nice try lamer... Your ip (24.188.95.184) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-20556(Default@gso163-4-129.triad.rr.com)- Nice try lamer... Your ip (24.163.4.129) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-22562(jsweetpharat_private)- Nice try lamer... Your ip (24.218.156.167) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-29903(~Bryanat_private)- Nice try lamer... Your ip (192.168.1.101) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-7131(Osirisat_private)- Nice try lamer... Your ip (24.212.25.120) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-11035(~Soloman74@adsl-20-68-219.mem.bellsouth.net)- Nice try lamer... Your ip (192.168.1.102) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-29609(~Murphyat_private)- Nice try lamer... Your ip (172.16.1.36) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-2452(~Mike@millikin-124109.millikin.edu)- Nice try lamer... Your ip (172.16.150.247) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-20073(Pier-Luc@adsl-66-110-156-196.globetrotter.net)- Nice try lamer... Your ip (66.110.156.196) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-30923(~James@CPE-144-137-120-80.nsw.bigpond.net.au)- Nice try lamer... Your ip (192.168.1.12) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-31116(~mra@adsl-175-218.cybernet.ch)- Nice try lamer... Your ip (192.168.35.33) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-26767(hbat_private)- Nice try lamer... Your ip (192.236.53.150) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-429(~Briceat_private)- Nice try lamer... Your ip (10.1.130.37) is being automatically sent to the admin and you will be band of this server
    22:07 -Cheap-6838(Administraat_private)- Nice try lamer... Your ip (128.123.125.200) is being automatically sent to the admin and you will be band of this server
    22:07 ωνω Cheap-1530 [Whoozer@h24-78-3-198.tb.shawcable.net] has joined #hellz-net

I attempted to delete and/or remove the trojan exe, called fjear32.exe on the Cheap-# bots and hOt32.exe on the hOt-# ones. It was successful on most, but 3 of them failed for some reason.
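The session excerpts above carry several indicators a server admin can scan for. As an added example (not code from the original post), here is a small Python scanner that flags them in IRC client logs of the shape shown: the bot nick patterns, the "(C)2001 The Litmus Group" VERSION banner, in-channel bot commands, the "Nice try lamer" notice a bot sends after a successful .ident, and a join with the elite ident that the *!*elite@* master mask accepts. The log-line regexes, the VERSION-reply line format and the sample lines are assumptions modelled on this post's excerpts.

```python
import re

# Indicators from the post: bot nick patterns, the CTCP VERSION banner, the in-channel
# commands, the reply a bot sends after a successful .ident, and the "elite" ident that
# the master hostmask *!*elite@* accepts. Log lines follow the BitchX shape in the post.
BOT_NICK = re.compile(r"^(?:0wn3d\[\d+\]|hOt-\d+|Cheap-\d+)$", re.I)
VERSION_BANNER = "(C)2001 The Litmus Group"
AUTH_REPLY = "Nice try lamer... Your ip ("
BOT_COMMANDS = {".ident", ".raw", ".reload", ".pwd", ".download", ".ping", ".die", ".del", ".regdelval",
                ".regdelkey", ".exec", ".killchat", ".sockclose", ".link", ".hub", ".invite", ".clones"}
TS = r"^(?:\d\d:\d\d )?"  # optional leading timestamp (assumed log layout)
MSG_RE = re.compile(TS + r"<[@+%]?(?P<nick>[^>]+)> (?P<text>.*)$")
NOTICE_RE = re.compile(TS + r"-(?P<nick>[^(]+)\((?P<userhost>[^)]+)\)- (?P<text>.*)$")
JOIN_RE = re.compile(TS + r"(?:\S+ )?(?P<nick>\S+) \[(?P<user>[^@\]]+)@(?P<host>[^\]]+)\]"
                     r" has joined #\S+")

def scan_line(line):
    """Return (kind, nick, detail) tuples for every Litmus indicator on one log line."""
    found = []
    if VERSION_BANNER in line:
        found.append(("litmus-version-banner", "", line.strip()))
    if m := NOTICE_RE.match(line):
        if m["text"].startswith(AUTH_REPLY):  # bot acknowledged an .ident login
            found.append(("litmus-auth-reply", m["nick"], m["userhost"]))
        if BOT_NICK.match(m["nick"]):
            found.append(("litmus-bot-nick", m["nick"], m["userhost"]))
    elif m := MSG_RE.match(line):
        cmd = m["text"].split(" ", 1)[0]
        if cmd.lower() in BOT_COMMANDS:  # someone driving the bots from the channel
            found.append(("litmus-controller-command", m["nick"], cmd))
    elif m := JOIN_RE.match(line):
        if BOT_NICK.match(m["nick"]):
            found.append(("litmus-bot-nick", m["nick"], m["host"]))
        if m["user"].lstrip("~") == "elite":  # would pass the master mask *!*elite@*
            found.append(("litmus-master-ident", m["nick"], m["user"] + "@" + m["host"]))
    return found

def scan_log(lines):
    return [f for line in lines for f in scan_line(line)]

def suspected_bots(findings):
    """Nicks that answered .ident or use the bot naming scheme, sorted."""
    return sorted({n for k, n, _ in findings if k in ("litmus-auth-reply", "litmus-bot-nick")})

SAMPLE_LOG = [  # constructed sample, modelled on the session excerpts in the post
    "20:59 Chazza [elite@210-55-38-7.dialup.xtra.co.nz] has joined #hellz-net2",
    "20:59 <Chazza> .ident <password>",
    "20:59 -hOt-4736(Dots@lsanca2-ar29-4-62-162-006.lsanca2.vz.dsl.gtei.net)- Nice try lamer... Your ip (4.62.162.6) is being automatically sent to the admin and you will be band of this server",
    "21:00 [Cheap-30243 VERSION reply]: Litmus 2.03 (C)2001 The Litmus Group :Eddie lives somewhere in time",
    "21:02 ωνω Cheap-1530 [Whoozer@h24-78-3-198.tb.shawcable.net] has joined #hellz-net2",
]
```

Run `scan_log` over a channel log and cross-check `suspected_bots` against the user@host of each notice; the "Nice try lamer" reply is the strongest signal since, as noted above, it is sent on a successful authentication.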
I issued the public .die command afterwards, which killed the trojan and, on the machines where the EXE was deleted, should have removed it. I haven't seen any of them back on DALnet or any other network in #hellz-net.

I still have a little more information to sort through that I can put into this document. If anyone has anything they wish to add please let me know.

John C. Hennessy
Information security analyst

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 09:36:02 PST