
Tracking Down a Botnet


Intro:

This will not be very long, nor will I go into excessive detail on the tools and steps required. The purpose of this paper is simply to help you grasp how to track down the Command and Control center of a botnet. What you do after that is completely up to you.


Requirements:

a) Zombie IP list
b) Snmpscanner (or a port scanner)
c) Net-snmp (snmpwalk)
d) Previous knowledge of the SNMP protocol is helpful.
e) Your brain.


Theory:


So what you're basically doing is scanning your list of zombie IP addresses to see which have SNMP open. You can do this with nmap (e.g. nmap -sV -iL zombieIPlist -p161; note that SNMP listens on UDP port 161, so add -sU, otherwise nmap only probes TCP 161). This takes the IPs from a file called zombieIPlist and scans to see which hosts have port 161 open. Even though the port is open, that doesn't mean you'll be able to get any info from it without the community string. You can also do this a little more easily and in an automated way with a variety of programs such as:

Onesixtyone - http://www.phreedom.org/solar/onesixtyone/ (linux)
SNScan - http://www.foundstone.com/resources/proddesc/snscan.htm (w32)

These programs check a list of IPs to see whether SNMP is open and then try to brute-force the community string (e.g. "public" and "private" are common default community strings). Once you have your results of IPs + community strings, you can begin to snmpwalk the MIB (Management Information Base). I only snmpwalk the TCP-MIB, which has the info we need.

Concentrate on snmpwalking only the Windows boxes from your results, since they seem to be the ones that provide the most useful information.

Here is an example of what running onesixtyone on a list of zombie IPs looks like, looking for hosts that have SNMP enabled with a community string of either public or private:


dni@logan:~/onesixtyone-0.3.2$ ./onesixtyone -i ../leamington_4-8-07
Scanning 59997 hosts, 2 communities

125.254.130.65 [public] WebCAM Server
218.14.26.91 [public] Unable to decode SNMP packet: unrecognized integer length
218.16.190.44 [public]
218.56.145.194 [public] HOS-GW (version 2.2 Release 02.18.00) Compile time : Aug 24 2004 21:09:22 . BootRom Version: 1.8 Release time at 08:00, 2004/03/18 NetHammer G908: BackBoard Hardware Version 1.30
218.69.216.104 [public] Router
218.75.93.150 [public]
218.202.158.134 [public] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-I-M), Version 12.0(3)T3, RELEASE SOFTWARE (fc1) Copyright (c) 1986-1999 by cisco Systems, Inc. Compiled Thu 15-Apr-99 15:41 by kpma
86.106.166.97 [public] Hardware: x86 Family 15 Model 4 Stepping 1 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Multiprocessor Free)

As we can see, 86.106.166.97 is a win2k machine with a community string of public. So let's run snmpwalk on it.


dni@logan:~$ snmpwalk 86.106.166.97 -c public tcp

TCP-MIB::tcpRtoAlgorithm.0 = INTEGER: vanj(4)
TCP-MIB::tcpRtoMin.0 = INTEGER: 300 milliseconds
TCP-MIB::tcpRtoMax.0 = INTEGER: 120000 milliseconds
TCP-MIB::tcpMaxConn.0 = INTEGER: -1
TCP-MIB::tcpActiveOpens.0 = Counter32: 12125
TCP-MIB::tcpPassiveOpens.0 = Counter32: 2212
TCP-MIB::tcpAttemptFails.0 = Counter32: 5377
TCP-MIB::tcpEstabResets.0 = Counter32: 3305
TCP-MIB::tcpCurrEstab.0 = Gauge32: 29
TCP-MIB::tcpInSegs.0 = Counter32: 3486328
TCP-MIB::tcpOutSegs.0 = Counter32: 3832754
TCP-MIB::tcpRetransSegs.0 = Counter32: 147401
TCP-MIB::tcpConnState.0.0.0.0.135.0.0.0.0.2092 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.445.0.0.0.0.6258 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.3898.0.0.0.0.32788 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.5051.0.0.0.0.2208 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.5101.0.0.0.0.2064 = INTEGER: listen(2)
TCP-MIB::tcpConnState.86.106.166.97.135.86.106.166.147.2190 = INTEGER: finWait2(7)
TCP-MIB::tcpConnState.86.106.166.97.135.86.106.166.147.3446 = INTEGER: finWait2(7)
TCP-MIB::tcpConnState.86.106.166.97.139.0.0.0.0.2176 = INTEGER: listen(2)
TCP-MIB::tcpConnState.86.106.166.97.1151.216.155.193.157.5050 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1311.195.160.162.21.6969 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1332.195.160.163.146.411 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1343.68.142.233.170.5061 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1556.208.65.153.253.80 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1562.193.108.95.105.80 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1568.72.14.221.99.80 = INTEGER: established(5)
TCP-MIB::tcpConnState.86.106.166.97.1572.217.12.18.73.6667 = INTEGER: established(5)


See this last entry? ^^^ Bingo! We see the client 86.106.166.97 connected to server 217.12.18.73 on port 6667 (the default IRC port). That's our bot connecting to the Command and Control center, which in this case is an ircd. The index of each tcpConnState row is local IP, local port, remote IP, remote port, so the remote side of every established(5) row is what you look at.


Once you have your results from onesixtyone or SNScan and have a list of Windows boxes running SNMP with a community string of "public", you can put all of them in a file and automate your snmpwalking with something like:

#####BEGIN CODE
#!/bin/sh
# usage: ./script.sh listofIPs
# Reads one IP per line from the file given as $1 and walks the TCP
# connection table of each host over SNMP v1 with the "public" community.
# -Os prints only the last symbolic part of each OID (tcpConnState.x.x.x.x...).

while read -r ip ; do
    echo "$ip"
    snmpwalk -Os -v1 -c public "$ip" tcp.tcpConnTable.tcpConnEntry.tcpConnState
done < "$1"
####END CODE

This reads a file full of IPs and snmpwalks each one, printing the host's IP before its connection table.

You run it with:

./script.sh listofIPs

To keep the output for later review, redirect it into a file by adding > fileOut to the command.
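As an added example (not part of the original paper and not the author's code), here is a Python script that does two things the text describes doing by eye: it parses the tcpConnState rows that snmpwalk prints, picking out established connections to common IRC ports like the 217.12.18.73:6667 entry above, and it goes one step further by taking the combined output of the loop script (IP line followed by that host's rows) and counting how many zombies share the same remote endpoint, since the C&C is the endpoint many infected hosts have in common regardless of the port it uses. It assumes net-snmp's output format as shown on the page; the IRC port list and the two extra zombies 192.0.2.10 and 192.0.2.11 (TEST-NET addresses) in the sample are constructed.

```python
import re
from collections import defaultdict

# One tcpConnState row as net-snmp's snmpwalk prints it. The index is
# <localIP>.<localPort>.<remoteIP>.<remotePort>; with "-Os" (as in the loop
# script) the "TCP-MIB::" prefix is dropped, so it is optional here.
ROW_RE = re.compile(
    r"^(?:TCP-MIB::)?tcpConnState\."
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\.(\d+)"
    r"\s*=\s*INTEGER:\s*(\w+)\((\d+)\)$"
)
IP_LINE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

# Assumed list of common IRC server ports (6667 is the default, the rest are
# the usual 666x/7000 range). Bots are not bound to these; see rank_remote_endpoints.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}


def parse_conn_table(text):
    """Turn snmpwalk tcpConnState rows into dicts with local/remote endpoints.
    Stray spaces inside the OID (line-wrap damage, as in a pasted walk) are
    removed before matching, so wrapped rows still parse."""
    conns = []
    for line in text.splitlines():
        oid, sep, rest = line.strip().partition("=")
        if not sep or "tcpConnState" not in oid:
            continue
        m = ROW_RE.match(oid.replace(" ", "") + " = " + rest.strip())
        if not m:
            continue
        lip, lport, rip, rport, state, code = m.groups()
        conns.append({
            "local": (lip, int(lport)),
            "remote": (rip, int(rport)),
            "state": state,       # e.g. "established", "listen", "finWait2"
            "code": int(code),    # TCP-MIB numeric state, 5 == established
        })
    return conns


def suspected_c2(conns):
    """Single-host check from the text: established connections whose remote
    port is a common IRC port."""
    return [c for c in conns
            if c["state"] == "established" and c["remote"][1] in IRC_PORTS]


def split_loop_output(text):
    """Split the combined output of the loop script (an 'echo $i' line followed
    by that host's rows) into {host: rows_text}."""
    walks, host = {}, None
    for line in text.splitlines():
        s = line.strip()
        if IP_LINE.match(s):
            host = s
            walks[host] = []
        elif host is not None and s:
            walks[host].append(s)
    return {h: "\n".join(rows) for h, rows in walks.items()}


def rank_remote_endpoints(walks):
    """Count how many distinct zombies hold an established connection to each
    remote ip:port. A C&C is the endpoint many infected hosts share, whatever
    port it runs on, so this also catches non-IRC C&Cs. Returns
    [((ip, port), n_hosts)] sorted by n_hosts descending."""
    hosts_by_endpoint = defaultdict(set)
    for host, text in walks.items():
        for c in parse_conn_table(text):
            if c["state"] == "established":
                hosts_by_endpoint[c["remote"]].add(host)
    return sorted(((ep, len(h)) for ep, h in hosts_by_endpoint.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample: an abridged copy of the page's walk of 86.106.166.97 plus
# two made-up zombies (192.0.2.10 and 192.0.2.11, TEST-NET addresses) that
# talk to the same server. Format is what the loop script prints with -Os.
SAMPLE = """\
86.106.166.97
tcpConnState.0.0.0.0.135.0.0.0.0.2092 = INTEGER: listen(2)
tcpConnState.86.106.166.97.135.86.106.166.147.2190 = INTEGER: finWait2(7)
tcpConnState.86.106.166.97.1556.208.65.153.253.80 = INTEGER: established(5)
tcpConnState.86.106.166.97.1572.217.12.18.73.6667 = INTEGER: established(5)
192.0.2.10
tcpConnState.192.0.2.10.1044.217.12.18.73.6667 = INTEGER: established(5)
tcpConnState.192.0.2.10.1045.72.14.221.99.80 = INTEGER: established(5)
192.0.2.11
tcpConnState.192.0.2.11.2033.217.12.18.73.6667 = INTEGER: established(5)
"""

if __name__ == "__main__":
    walks = split_loop_output(SAMPLE)
    for host, text in walks.items():
        for c in suspected_c2(parse_conn_table(text)):
            print(f"{host} -> {c['remote'][0]}:{c['remote'][1]} (IRC port)")
    for (ip, port), n in rank_remote_endpoints(walks):
        print(f"{ip}:{port} shared by {n} host(s)")
```

Feed it the fileOut you saved from the loop script (python3 thisscript.py < fileOut after swapping SAMPLE for sys.stdin.read()) and the endpoint at the top of the ranking, shared by the most zombies, is your C&C candidate even when it is not on an IRC port.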


Outro:


This is not the only way to track down botnets. You can also use a honeypot, or simply tcpdump or packet-sniff on a machine that is infected. Make sure you have the ASCII flag (-A) set when tcpdumping in order to capture the communication back and forth between the server and the infected box. I'm going to end this paper now, because I'm tired of writing.

For further questions pass by IRC or the forums.

by dni. - destr0y