IRC-Botnet Channels

On a typical day, we analyze between 40 and 50 IRC-based bots that successfully connect to their C&C server. When analyzing these bots, we also keep track of the channel topic in order to observe trends and spot new bot variants. The following listing shows the botnet channel topics for yesterday:
12 : =DvFdgNVh+JvueFDRdUbN7jfpRH&+t9I1B7V5xHfjCH9jmqzHLiLH6Zl[...]
9 : xvvv msass 150 0 0 -b -r -s
4 : xvvv asn139 150 0 0 -b -r -s
3 : .asc asn1smb 200 0 0 -r -b
2 : .scanall -b -r -a -s
2 : .k1ng.root asn445 200 4 0 -b -r
2 : .advscan asn1smb 50 5 0 -r
1 : zasc lsass_445 200 5 0 -b -r
1 : =320zAyMVhEGmtqT74wK9HD8DhqA0Ccno6ZHIygtIqjOx85Ygi1gNpHdEpX[...]
1 : =0LzmBRdf3nOwPmxZDQa1phEvUEA+cUlicB044hPPH4JAHyZD1tsSQ9xLLcSw
1 : .root.mass -a -r -b
1 : .raw join #scan1,#fatalimpact
1 : .asc asn445 200 5 0 -b -r -s
1 : .asc asn1smb 101 5 0 -r -s
1 : .advscan kt1 200 5 0 -r -a -s
1 : .advscan dcom135 150 5 0 -b -s
1 : .advscan asn1smb 50 3 0 -b -s
1 : .advscan asn1smbnt 120 4 0 -r -s
1 : .advscan asn1smbnt 100 3 800 -b -r
1 : #advscan dcom135 100 0 0 -r -b

The first column displays the number of binaries with distinct MD5 sums that have joined a channel with the same topic.
We have three unique encrypted botnets which can be easily spotted due to the channel topic starting with an = sign. Furthermore, we see that the typical command is propagation: the bots are instructed to search for other victims and scan their neighborhood for vulnerable machines.
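
A tally like the one above can be produced from per-binary observations as follows. This is an added example, not code from the original post: the MD5 strings are constructed placeholders, and the `classify` heuristic (a leading `=` means encrypted, a scan-style command word or flag means propagation) is an assumption based only on the topics shown in the listing.

```python
from collections import defaultdict

# Constructed sample observations: (MD5 of analyzed binary, channel topic seen on join).
# The MD5 values are placeholders, not real hashes; topics are taken from the listing above.
OBSERVATIONS = [
    ("md5-placeholder-01", "xvvv msass 150 0 0 -b -r -s"),
    ("md5-placeholder-02", "xvvv msass 150 0 0 -b -r -s"),
    ("md5-placeholder-02", "xvvv msass 150 0 0 -b -r -s"),  # same binary seen twice
    ("md5-placeholder-03", ".advscan dcom135 150 5 0 -b -s"),
    ("md5-placeholder-04", ".raw join #scan1,#fatalimpact"),
    ("md5-placeholder-05", "=0LzmBRdf3nOwPmxZDQa1phEvUEA+cUlicB044hPPH4JAHyZD1tsSQ9xLLcSw"),
]

SCAN_FLAGS = {"-a", "-b", "-r", "-s"}  # flags seen on the scan commands in the listing


def classify(topic):
    """Heuristic label for a topic (an assumption of this example)."""
    topic = topic.strip()
    if topic.startswith("="):
        return "encrypted"
    tokens = topic.split()
    if not tokens:
        return "empty"
    # Scan-style command word, or any of the scan flags among the arguments.
    if "scan" in tokens[0].lower() or SCAN_FLAGS & set(tokens[1:]):
        return "propagation"
    return "other"


def topic_report(observations):
    """Return [(distinct_md5_count, label, topic)], most common topic first."""
    md5s_by_topic = defaultdict(set)
    for md5, topic in observations:
        # A set per topic counts each binary once, however often it was run.
        md5s_by_topic[topic.strip()].add(md5.lower())
    rows = [(len(m), classify(t), t) for t, m in md5s_by_topic.items()]
    return sorted(rows, key=lambda r: (-r[0], r[2]))


if __name__ == "__main__":
    for count, label, topic in topic_report(OBSERVATIONS):
        print(f"{count} : [{label}] {topic}")
```

Topics labelled `other`, such as the `.raw join` line, are the ones worth reading by hand, since they match neither pattern.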
