
Botnet

A botnet or robot network is a group of computers running a computer application controlled and manipulated only by the owner or the software source. The botnet may refer to a legitimate network of several computers that share program processing amongst them.
Usually though, when people talk about botnets, they are talking about a group of computers infected with the malicious kind of robot software, the bots, which present a security threat to the computer owner. Once the robot software (also known as malicious software or malware) has been successfully installed in a computer, this computer becomes a zombie or a drone, unable to resist the commands of the bot commander.
A botnet may be small or large depending on the complexity and sophistication of the bots used. A large botnet may be composed of ten thousand individual zombies. A small botnet, on the other hand, may be composed of only a thousand drones. Usually, the owners of the zombie computers do not know that their computers and their computers’ resources are being remotely controlled and exploited by an individual or a group of malware runners through Internet Relay Chat (IRC).
There are various types of malicious bots that have already infected and are continuing to infect the internet. Some bots have their own spreaders – the script that lets them infect other computers (this is the reason why some people dub botnets as computer viruses) – while some smaller types of bots do not have such capabilities.
Different Types of Bots
Here is a list of the most used bots in the internet today, their features and command set.
XtremBot, Agobot, Forbot, Phatbot
These are currently the best known bots, with more than 500 versions on the internet today. They are written in C++, are cross-platform, and their source code is released under the GPL. These bots can range from the fairly simple to highly abstract module-based designs. Because of this modular approach, adding commands or scanners to make the bot more efficient at taking advantage of vulnerabilities is fairly easy. They can use the libpcap packet-sniffing library, NTFS alternate data streams (ADS) and PCRE. Agobot is quite distinct in that it is the only bot that makes use of control protocols other than IRC.
UrXBot, SDBot, UrBot and RBot
Like the previous type of bot, these bots are published under the GPL, but unlike the above-mentioned bots they are less abstract in design and written in plain C. Although their implementation is less varied and their design less sophisticated, these types of bots are well known and widely used on the internet.
GT-Bots and mIRC based bots
These bots have many versions on the internet, mainly because mIRC is one of the most used IRC clients for Windows. GT stands for Global Threat and is the common name for bots scripted using mIRC. GT-bots make use of the mIRC chat client to launch a set of binaries (mainly DLLs) and scripts; their scripts often have the file extension .mrc.
Malicious Uses of Botnets
Types Of Botnet Attacks
Denial of Service Attacks
A botnet can be used as a distributed denial of service weapon. A botnet attacks a network or a computer system for the purpose of disrupting service through the loss of connectivity or consumption of the victim network’s bandwidth and overloading of the resources of the victim’s computer system. Botnet attacks are also used to damage or take down a competitor’s website.
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
Any Internet service can be targeted by botnets. This can be done by flooding the website with recursive HTTP or bulletin-board search queries. This mode of attack, in which higher-level protocols are utilised to increase the effects of an attack, is also termed spidering.
Spyware
Spyware is software which sends information to its creators about a user’s activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information; one such example is the Aurora botnet.
Adware
Adware exists to advertise some commercial entity actively and without the user’s permission or awareness, for example by replacing banner ads on web pages with those of another content provider.
Spamming and Traffic Monitoring
A botnet can also be used to take advantage of the SOCKS proxy protocol (over TCP/IP) on an infected computer for networking applications. After compromising a computer, the botnet commander can use the infected unit (a zombie) in conjunction with other zombies in his botnet (robot network) to harvest email addresses or to send massive amounts of spam or phishing emails.
Moreover, a bot can also function as a packet sniffer to find and intercept sensitive data passing through an infected machine. Typical data that these bots look out for are usernames and passwords which the botnet commander can use for his personal gain. Data about a competitor botnet installed in the same unit is also mined so the botnet commander can hijack this other botnet.
Access number replacement is where the botnet operator replaces the access numbers of a group of dial-up bots with a victim’s phone number. If enough bots take part in this attack, the victim is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack, most victims are forced into changing their phone numbers (land line, cell phone, etc.).
Keylogging and Mass Identity Theft
Encryption software on the victims’ machines can deter most bots from harvesting any real information. Unfortunately, some bots have adapted to this by installing a keylogger program on the infected machines. With a keylogger program, the bot owner can use a filtering program to gather only the key sequences typed before or after interesting keywords like PayPal or Yahoo Mail. This is one of the reasons behind the massive theft of PayPal accounts over the past several years.
Bots can also be used as agents for mass identity theft. They do this through phishing, i.e. pretending to be a legitimate company in order to convince the user to submit personal information and passwords. A link in these phishing emails can also lead to fake PayPal, eBay or other websites to trick the user into typing in their username and password.
Botnet Spread
Botnets can also be used to spread other botnets in the network. They do this by convincing the user to download a program, which is then executed, via FTP, HTTP or email.
Pay-Per-Click Systems Abuse
Botnets can be used for financial gain by automating clicks on a pay-per-click system. Compromised units can be used to click automatically on a site upon activation of a browser. For this reason, botnets are also used to earn money from Google AdSense and other affiliate programs by using zombies to artificially increase the click counter of an advertisement.
Analysis of TeleBots’ cunning backdoor

On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 in bitcoins for recovery. In fact, the malware authors’ intention was to cause damage, so they did all that they could to make data decryption very unlikely.
We attributed this attack to the TeleBots group and uncovered details about other similar supply chain attacks against Ukraine. This article reveals details about the initial distribution vector that was used during the DiskCoder.C outbreak.

Tale of a malicious update

The Cyberpolice Department of Ukraine’s National Police stated, on its Facebook account, as did ESET and other information security companies, that the legitimate Ukrainian accounting software M.E.Doc was used by the attackers to push DiskCoder.C malware in the initial phase of the attack. However, until now, no details were provided as to exactly how it was accomplished.
During our research, we identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc’s legitimate modules. It seems very unlikely that attackers could do this without access to M.E.Doc’s source code.
The backdoored module has the filename ZvitPublishedObjects.dll. This was written using the .NET Framework. It is a 5MB file and contains a lot of legitimate code that can be called by other components, including the main M.E.Doc executable ezvit.exe.
We examined all M.E.Doc updates that were released during 2017, and found that there are at least three updates that contained the backdoored module:
  • 10.01.175-10.01.176, released on 14th of April 2017
  • 10.01.180-10.01.181, released on 15th of May 2017
  • 10.01.188-10.01.189, released on 22nd of June 2017
The incident with Win32/Filecoder.AESNI.C happened three days after the 10.01.180-10.01.181 update and the DiskCoder.C outbreak happened five days after the 10.01.188-10.01.189 update. Interestingly, four updates from April 24th 2017, through to May 10th 2017, and seven software updates from May 17th 2017, through to June 21st 2017, didn’t contain the backdoored module.
Since the May 15th update did contain the backdoored module and the May 17th update didn’t, here is a hypothesis that could explain the low Win32/Filecoder.AESNI.C infection ratio: the release of the May 17th update was an unexpected event for the attackers. They pushed the ransomware on May 18th, but the majority of M.E.Doc users no longer had the backdoored module as they had updated already.
The PE compilation stamps of analyzed files suggest that these files were compiled on the same date as the update or the day before.
Figure 1 – Compilation timestamp of the backdoored module pushed in the May 15th update.
Figure 2 shows the difference between the lists of classes in the backdoored and non-backdoored versions of the module, using the ILSpy .NET Decompiler:
Figure 2 – List of classes in the backdoored module (at left) and the non-backdoored one (at right).
The main backdoor class is named MeCom and it is located in the ZvitPublishedObjects.Server namespace as shown in Figure 3.
Figure 3 – The MeCom class with malicious code, as shown in ILSpy .NET Decompiler.
The methods of the MeCom class are invoked by the IsNewUpdate method of UpdaterUtils in the ZvitPublishedObjects.Server namespace. The IsNewUpdate method is called periodically in order to check whether a new update is available. The backdoored module from May 15th is implemented in a slightly different way and has fewer features than the one from June 22nd.
Each organization that does business in Ukraine has a unique legal entity identifier called the EDRPOU number (Код ЄДРПОУ). This is extremely important for the attackers: having the EDRPOU number, they could identify the exact organization that is now using the backdoored M.E.Doc. Once such an organization is identified, attackers could then use various tactics against the computer network of the organization, depending on the attackers’ goal(s).
Since M.E.Doc is accounting software commonly used in Ukraine, the EDRPOU values could be expected to be found in application data on machines using this software. Hence, the code that was injected in the IsNewUpdate method collects all EDRPOU values from application data: one M.E.Doc instance could be used to perform accounting operations for multiple organizations, so the backdoored code collects all possible EDRPOU numbers.
Figure 4 – Code that collects EDRPOU numbers.
Along with the EDRPOU numbers, the backdoor collects proxy and email settings, including usernames and passwords, from the M.E.Doc application.
Warning! We recommend changing passwords for proxies, and for email accounts for all users of M.E.Doc software.
The malicious code writes the information collected into the Windows registry under the HKEY_CURRENT_USER\SOFTWARE\WC key using the Cred and Prx value names. So if these values exist on a computer, it is highly likely that the backdoored module did, in fact, run on that computer.
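An added example (Python using the standard winreg module; not code from the ESET article) that turns the registry artifact above into a host check: it looks under HKEY_CURRENT_USER and under every loaded hive in HKEY_USERS, because HKEY_CURRENT_USER only covers the account running the check, while the module wrote into the hive of whichever user ran M.E.Doc. The key and value names come from the article; the verdict labels and the hive walk are this example's own assumptions.

```python
"""Host triage for the M.E.Doc backdoor registry artifact (added example, not ESET code)."""
try:
    import winreg  # Windows only; on other platforms the live scan returns nothing
except ImportError:
    winreg = None

# Key and value names the article attributes to the backdoored module.
WC_SUBKEY = r"SOFTWARE\WC"
WC_VALUES = ("Cred", "Prx")


def assess_wc_values(names):
    """Classify the value names found under SOFTWARE\\WC in one user hive.

    'likely_ran' when both Cred and Prx exist, 'partial' when only one does
    (still worth a look), 'clean' when neither does. Labels are assumptions.
    """
    found = sorted(n for n in names if n in WC_VALUES)
    if not found:
        return "clean"
    return "likely_ran" if len(found) == len(WC_VALUES) else "partial"


def wc_value_names(root, hive_prefix=""):
    """Return the value names under <root>\\<hive_prefix>\\SOFTWARE\\WC, or [] if absent."""
    path = hive_prefix + "\\" + WC_SUBKEY if hive_prefix else WC_SUBKEY
    try:
        key = winreg.OpenKey(root, path)
    except OSError:  # key does not exist or access denied: treat as no artifact
        return []
    names = []
    with key:
        index = 0
        while True:
            try:
                name, _data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values under this key
                break
            names.append(name)
            index += 1
    return names


def scan_all_users():
    """Check HKCU plus every loaded user hive under HKEY_USERS.

    HKCU alone is not enough: the module ran as the user who operated M.E.Doc,
    who is usually not the account doing the triage.
    """
    if winreg is None:
        return {}
    results = {"HKCU": assess_wc_values(wc_value_names(winreg.HKEY_CURRENT_USER))}
    with winreg.OpenKey(winreg.HKEY_USERS, "") as hku:
        index = 0
        while True:
            try:
                sid = winreg.EnumKey(hku, index)
            except OSError:  # no more hives
                break
            index += 1
            if sid.endswith("_Classes"):  # per-user Classes hive, not a profile
                continue
            results[sid] = assess_wc_values(wc_value_names(winreg.HKEY_USERS, sid))
    return results


if __name__ == "__main__":
    for hive, verdict in scan_all_users().items():
        print(f"{hive}: {verdict}")
```

Profiles of users who are not logged on are not loaded under HKEY_USERS, so their NTUSER.DAT hives have to be loaded or parsed offline to get full coverage.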
And here is the most cunning part! The backdoored module does not use any external servers as C&Cs: it uses the M.E.Doc software’s regular update check requests to the official M.E.Doc server upd.me-doc.com[.]ua. The only difference from a legitimate request is that the backdoored code sends the collected information in cookies.
Figure 5 – HTTP request of backdoored module that contains EDRPOU number in cookies.
We have not performed forensic analysis on the M.E.Doc server. However, as we noted in our previous blogpost, there are signs that the server was compromised. So we can speculate that the attackers deployed server software that allows them to differentiate between requests from compromised and non-compromised machines.
Figure 6 – Code of backdoor that adds cookies to the request.
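The cookie channel described above is something a proxy or web log can be searched for. Added example (Python; not code from the article): it walks constructed proxy log lines, keeps only requests to the M.E.Doc update host that carry a Cookie header, and pulls any 8-digit numbers (the length of an EDRPOU code) out of the cookie. The log layout, the request path and the cookie names are assumptions of this example; the host and the signal that only backdoored requests carry cookies come from the article.

```python
"""Detect backdoor beacons hidden in M.E.Doc update checks (added example, not ESET code)."""
import re
from urllib.parse import urlparse

# Update server the article names as abused by the backdoor (written undefanged here).
ABUSED_UPDATE_HOST = "upd.me-doc.com.ua"
# EDRPOU codes are 8-digit numbers; any such token inside a cookie is worth a look.
EDRPOU_RE = re.compile(r"(?<!\d)\d{8}(?!\d)")

# Constructed proxy log lines for the demo (not captured traffic). Assumed layout:
# "<client_ip> <method> <url> cookie=<Cookie header, or - when absent>"
SAMPLE_LOG = [
    "10.0.0.11 GET http://upd.me-doc.com.ua/update/check cookie=-",
    "10.0.0.12 GET http://upd.me-doc.com.ua/update/check cookie=a=12345678; b=QWxh",
    "10.0.0.13 GET http://www.example.com/news cookie=SESSION=12345678",
    "garbage line that does not parse",
]

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) cookie=(?P<cookie>.*)$"
)


def parse_cookie(header):
    """Split a Cookie header into a {name: value} dict; malformed pairs are ignored."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def detect_cookie_beacons(lines):
    """Flag update-check requests to the M.E.Doc server that carry a Cookie header.

    Per the article a legitimate update check sends no cookies, so a cookie on
    such a request is the exfiltration channel. Returns one finding per hit.
    """
    findings = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than abort the sweep
        host = urlparse(match.group("url")).hostname or ""
        cookie = match.group("cookie")
        if host.lower() != ABUSED_UPDATE_HOST or cookie in ("", "-"):
            continue
        findings.append({
            "client": match.group("client"),
            "cookie_names": sorted(parse_cookie(cookie)),
            "possible_edrpou": sorted(set(EDRPOU_RE.findall(cookie))),
        })
    return findings


if __name__ == "__main__":
    for hit in detect_cookie_beacons(SAMPLE_LOG):
        print(f"{hit['client']}: cookies {hit['cookie_names']} "
              f"possible EDRPOU {hit['possible_edrpou']}")
```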
And, of course, the attackers added the ability to control the infected machine. The code receives a binary blob from the official M.E.Doc server, decrypts it using the Triple DES algorithm, and, afterwards, decompresses it using GZip. The result is an XML file that could contain several commands at once. This remote control feature makes the backdoor a fully-featured cyberespionage and cybersabotage platform at the same time.
Figure 7 – Code of backdoor that decrypts incoming malware operators’ commands.
The following table shows the possible commands:

Command           Purpose
0 – RunCmd        Executes the supplied shell command
1 – DumpData      Decodes the supplied Base64 data and saves it to a file
2 – MinInfo       Collects information about the OS version, bitness (32 or 64), current privileges, UAC settings, proxy settings, and email settings including login and password
3 – GetFile       Collects a file from the infected computer
4 – Payload       Decodes the supplied Base64 data, saves it as an executable file and runs it
5 – AutoPayload   Same as the previous command, but the supplied file should be a DLL; it is dropped into the Windows folder and executed using rundll32.exe. In addition, it attempts to overwrite the dropped DLL and then delete it.
It should be noted that command number 5, named AutoPayload by the malware authors, perfectly matches the way in which DiskCoder.C was initially executed on “patient zero” machines.
Figure 8 – AutoPayload method that was used to execute DiskCoder.C malware.

Conclusions

As our analysis shows, this is a thoroughly well-planned and well-executed operation. We assume that the attackers had access to the M.E.Doc application source code. They had time to learn the code and incorporate a very stealthy and cunning backdoor. The size of the full M.E.Doc installation is about 1.5GB, and we have no way at this time to verify that there are no other injected backdoors.
There are still questions to answer. How long has this backdoor been in use? What commands and malware other than DiskCoder.C or Win32/Filecoder.AESNI.C have been pushed via this channel? What other software update supply chains might the gang behind this attack have already compromised but are yet to weaponize?
Special thanks to my colleagues Frédéric Vachon and Thomas Dupuy for their help in this research.

Indicators of Compromise (IoC)

ESET detection names:
MSIL/TeleDoor.A
Legitimate servers abused by malware authors:
upd.me-doc.com[.]ua
SHA-1 hashes:
7B051E7E7A82F07873FA360958ACC6492E4385DD
7F3B1C56C180369AE7891483675BEC61F3182F27
3567434E2E49358E8210674641A20B147E0BD23C

E-banking fraud: What’s your liability?

The bank will reimburse the customer if there is a fraud/negligence on the part of the bank, whether or not you report the fraud/loss.

According to the Reserve Bank of India (RBI) draft guidelines issued on August 11, 2016, the burden of proving customer liability in an unauthorised e-banking transaction lies with the bank. Find out when you incur nil or limited liability. 

When is it zero liability?
The bank will reimburse the customer if there is:
a. Fraud/negligence on the part of the bank, whether or not you report the fraud/loss.

b. Third party breach, where the fault lies neither with the bank nor with the customer, but elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorised transaction.

When is it limited liability?
The customer is partially liable if:
a. It involves negligence on his part, like sharing payment credentials. In such a case, he will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss after reporting will be borne by the bank.

b. The fault lies neither with the bank nor with the customer but in the system and there is a delay of four to seven working days by the customer in notifying the bank. The customer liability shall be limited to the transaction value or Rs 5,000, whichever is lower.



Mobile Hacking Apps


In a world where everything which your computer can do, can be done on your smartphone, hacking cannot be left behind.
The world is full of smartphones these days. Most people rely on their smartphones and other portable devices to carry out their day to day activities. It won’t be an exaggeration to say that smartphones have taken over laptops in terms of productivity. Thus, it becomes extremely important to know about the (ethical) hacking tools available on your android phone. Who knows, you might need them one day!


Hacking, nowadays, is not something which is the exclusive domain of the “experts”. With the help of a few applications and basic knowledge of the true capabilities of your android phone, you, too, could delve into the world of hacking. So, let’s discuss some of the apps for your android phones which will turn you into a hacker!

1. ANDRORAT

AndroRat stands for Android Remote Administration Tool. As the name suggests, it is a remote administration tool which is used to control another device even if you have no physical access to that device! Manipulating other devices can be easily done using the app, which is quite useful in case you’re away from your device and need it to perform some task. It is also useful in inducing some giggles and amazement amongst your friends and family members!

2. DROIDSHEEP

The word “hacking” for many is hacking into your friend’s social media account for giggles. Or it may be used for even something useful like extracting some important information from someone’s social media accounts. DroidSheep does the job for you. It hijacks the sessions of social media activities carried out on your network. You need the knowledge of the basics of hijacking and by installing the app on your android device you’re all set to ‘hack’ your friend’s online social life!

3. KILL WIFI

This open source ethical hacking app is one of the most popular ones in this field. Similar to the net cut app in Windows, this app is capable of cutting off anyone’s WiFi over your network. Kill Wifi is extremely useful when you have an open WiFi not protected by a strong password. You can cut off the WiFi of the intruder by just a few clicks on your device. This app is easy to use owing to its lucid and interactive interface and easy-to-use tools.

4. SPOOFAPP

Won’t it be wonderful if you could place a call to your friend’s phone, but instead of showing your phone number a different number flashes on your friend’s phone? That is exactly what SpoofApp does. Apart from changing your phone number, this app can also change your voice and record your entire conversation! However, you will need SpoofCards to use this app. Overall a nice app for bringing smiles to your and your friend’s face.

5. WIFI MAC CHANGER

One of the most useful ones, the Wifi Mac Changer app changes the MAC address of your device so that your activities are almost untraceable. With your rooted android phone, you can change the MAC address of your device temporarily so that your online activities cannot be traced back to you. The app provides you two methods of changing your MAC address. One is the easier way, which reflects no change in your WiFi settings. The other method is a bit tougher; it allows you to enter apps which are password protected and will reflect the changed address in your WiFi settings.

CONCLUSION

These apps may not seem very productive at a first glance but with prolonged use, you will certainly realize the potential that these apps possess. Who knows someday you may need to spy upon your friend’s/significant other’s social media account? Or you may need to kick off an intruder from your network. Thus, gear up for the path untraveled and watch your world in an entirely different light using these apps!
