This report analyzes the unique communications to/from a bot-infected host, reassembles an IRC communication over a non-standard port, identifies which bot is on the infected host and spots unusual DNS replies.
The analysis is carried out using Wireshark, a network analysis tool formerly known as Ethereal, which captures packets in real time and displays them in human-readable format. Wireshark includes filters, color-coding and other features that let you dig deep into network traffic and inspect individual packets.
TCP three–way handshake is used for initiating a connection.
The TCP three-way handshake in Transmission Control Protocol (also called the TCP handshake, three-message handshake or SYN-SYN-ACK) is the method TCP uses to set up a TCP/IP connection over an Internet Protocol based network. TCP's three-way handshaking technique is often referred to as "SYN-SYN-ACK" (or more accurately SYN, SYN-ACK, ACK) because three messages are transmitted by TCP to negotiate and start a TCP session between two computers. The handshaking mechanism is designed so that two computers attempting to communicate can negotiate the parameters of the TCP socket connection before transmitting data.
The unusual thing here is that these handshakes are not being completed. After investigating the traffic I noticed there is no SYN-ACK packet and no reset packet; instead, unexpectedly, an ICMP Destination unreachable (Port unreachable) packet comes back.
Display filters used while looking at the handshakes:
- tcp.flags == 0x02 (SYN only, the client's first packet)
- tcp.flags == 0x12 (SYN-ACK, the server's reply)
- tcp.port == 80
- tcp.stream eq 0
- tcp.seq==1 && tcp.ack==1 && tcp.len==0 && (tcp.window_size_scalefactor ge 0 or tcp.window_size_scalefactor eq -2) (the client's final ACK of the handshake, with relative sequence numbers enabled)
From analyzing the trace file it is possible to identify a number of devices being scanned by 10.129.211.13, and also the port these connections are going out to: netbios-ssn, port 139.
The Domain Name System (DNS) is the system used to resolve domain names and store information about them, including IP addresses, mail servers and other records.
TCP/UDP: DNS typically uses TCP or UDP as its transport protocol. The well-known TCP/UDP port for DNS traffic is 53.
- Display filter to show only DNS traffic: dns
- You cannot directly filter DNS while capturing if it is going to or from arbitrary ports. However, DNS traffic normally goes to or from port 53, and traffic to and from that port is normally DNS, so you can filter on that port number. Capture filter: port 53
Request 1 shows a standard DNS request to bbjj.househot.com.
- 10.129.211.13 is the bot-infected host.
Using the simple DNS filter noted above separates its traffic and makes it more manageable.
- The standard DNS request shows it is connecting to bbjj.househot.com.
Ethernet destination: Watchgua_04:f8:35 (00:90:7f:04:f8:35); source: DellEsgP_58:93:fa (00:0b:db:58:93:fa).
After investigation I found that this is the malicious Mocbot IRC bot (MS06-040), which exploits a vulnerability allowing remote code execution and local elevation of privilege on a Microsoft Windows system.
- The C&C servers, bbjj.househot.com and ypgw.wallloan.com, have been published in most write-ups of Mocbot. But even if we know the correct port number for the IRC server (18067), it is inadvisable to simply connect to the server using a standard IRC client.
- Through AOL Instant Messenger, the bot sends a link to a malicious web site to everyone in the address book list.
- Through social engineering, it tricks others into downloading and executing a malicious file over HTTP.
- It connects to a specific IRC server and waits there for instructions from the attacker.
- The DNS reply for bbjj.househot.com: notice the CNAME (canonical name, or alias) entry in the DNS response field, and look at how many IP addresses are associated with that name. This is not the typical DNS response you would expect, and a sign that the host being located may be a malicious one.
It is saying that the alias is ypgw.wallloan.com.
- Filter: dns.resp.type == CNAME
- Within the response it shows 12 answer RRs, which is strange; after expanding the Answers tab it lists a large number of IP addresses assigned to ypgw.wallloan.com, which looks like a lot of IRC servers.
Illegal Ping Packets
Many network discovery and OS fingerprinting tools (such as Nmap, NetScanTools and Xprobe) send out illegally formed ping packets (ICMP Echo Requests) that can be used to identify the application in use.
A high volume of ICMP traffic is being received. This could be a primitive attempt at DDoS.
The Internet Control Message Protocol (ICMP) is used to transfer control messages between IP hosts. ICMP is part of IP and uses IP datagrams for transport. The assigned protocol number for ICMP on IP is 1.
Show only ICMP traffic with the filter: icmp
Inspect the payload of ICMP Echo Request (ping) packets to see whether there is a signature for the application that sent them.
Follow TCP Stream & Manually Investigate the Stream
- One possibility for getting the information you need to spy on the C&C without being spotted is to run the bot in a sandnet and let it connect to a fake IRC server first, then use the credentials to log in to the real server.
- It is then possible to use telnet to connect to the C&C server on port 18067 and spy on the control channel.
Follow TCP Stream
- Helpful to see the data from a TCP stream the way the application layer sees it.
- Simply select a TCP packet in the packet list of the stream/connection you are interested in and then select the Follow TCP Stream menu item from the Wireshark Tools menu (or use the context menu in the packet list). Wireshark will set an appropriate display filter and pop up a dialog box with all the data from the TCP stream laid out in order.
- Port: 18067. Right-click on the packet and select the option to follow its stream, or use the more complex approach of manually verifying each stream.
- Client data is shown in red and server data in blue.
- For Mocbot, we use the sandnet to obtain the following IRC login sequence generated by the bot:
Follow TCP Stream
- Previously outlined 220.127.116.11 as the first IP associated with the bot. This is therefore the first infected host that the bot tried to carry out a TCP handshake with.
The TCP request goes out and an ICMP Destination unreachable (Port unreachable) packet comes back instead of a TCP SYN-ACK or a reset.
- It then gives up and goes after the canonical name.
The response to this DNS request shows a high number of answers containing IRC command-and-control servers, and this time a SYN-ACK comes back, completing the three-way handshake.
After this the client sends data up to that server using the PSH flag, requesting immediate delivery of the data.
It is possible to examine this to find out what sort of data is being pushed.
This tells you that the client is connecting to an IRC server in the background.
The client tried unsuccessfully to connect to hometown.aol.com. After this it started scanning.
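The handshake outcomes described in the TCP section and again here (a SYN answered by nothing, by a reset, by a SYN-ACK, or by an ICMP Port unreachable, plus the port-139 scanning from 10.129.211.13) as detection logic over packet summaries. This is an added example, not part of the assignment: the summaries are constructed, and every address other than 10.129.211.13 and 220.127.116.11 is invented.

```python
from collections import Counter

SYN, RST, ACK = 0x002, 0x004, 0x010      # tcp.flags bits as Wireshark shows them

# Constructed packet summaries, not the assignment's capture. Tuples are:
#   ("tcp", src, sport, dst, dport, flags)
#   ("icmp", src, dst, type, code, quoted_dst, quoted_dport)  for a Destination unreachable,
#   the last two fields taken from the original TCP header quoted in the ICMP payload.
PACKETS = [
    ("tcp", "10.129.211.13", 1087, "220.127.116.11", 18067, SYN),
    ("icmp", "220.127.116.11", "10.129.211.13", 3, 3, "220.127.116.11", 18067),
    ("tcp", "10.129.211.13", 1088, "198.51.100.7", 18067, SYN),
    ("tcp", "198.51.100.7", 18067, "10.129.211.13", 1088, SYN | ACK),
    ("tcp", "10.129.211.13", 1088, "198.51.100.7", 18067, ACK),
    ("tcp", "10.129.211.13", 1090, "10.129.211.20", 139, SYN),
    ("tcp", "10.129.211.13", 1091, "10.129.211.21", 139, SYN),
    ("tcp", "10.129.211.21", 139, "10.129.211.13", 1091, RST | ACK),
    ("tcp", "10.129.211.13", 1092, "10.129.211.22", 139, SYN),
]

def classify_handshakes(packets):
    """Map each (client, cport, server, sport) seen in a SYN to how the handshake ended:
    no-reply, syn-ack, open (third ACK seen), reset or icmp-port-unreachable."""
    state = {}
    for p in packets:
        if p[0] == "tcp":
            _, src, sport, dst, dport, flags = p
            fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
            if flags & SYN and not flags & ACK:                 # client SYN (tcp.flags == 0x02)
                state.setdefault(fwd, "no-reply")
            elif rev in state:                                  # server's reply to that client
                if flags & RST:
                    state[rev] = "reset"
                elif flags & SYN:                               # SYN-ACK (tcp.flags == 0x12)
                    state[rev] = "syn-ack"
            elif state.get(fwd) == "syn-ack" and flags & ACK:   # client's final ACK
                state[fwd] = "open"
        else:
            _, src, dst, typ, code, qdst, qdport = p
            if (typ, code) == (3, 3):                           # Destination/Port unreachable
                for key in state:
                    if key[0] == dst and key[2:] == (qdst, qdport):
                        state[key] = "icmp-port-unreachable"
    return state

def scan_targets(state, source, port):
    """Distinct hosts that `source` sent a SYN to on `port`, whatever the outcome."""
    return sorted({k[2] for k in state if k[0] == source and k[3] == port})

def outcome_counts(packets):
    """How many flows ended each way; a pile of no-reply/reset entries is the scan signature."""
    return dict(Counter(classify_handshakes(packets).values()))
```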
- Outcome of the investigation:
- A: bbjj.househot.com
- CNAME: ypgw.wallloan.com
- Port: 1087
- Target IPs from DNS requests
- USER l l l l
- NICK P8-00 196671
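The Follow TCP Stream section and the login lines above show what an IRC client on a non-standard port looks like at the application layer. As an added example, not code from the assignment, the following parses a reassembled client stream, pulls out the NICK/USER/JOIN login and flags IRC on a port other than the usual ones. The stream, nick, password and channel password are constructed; only port 18067, the USER line and the #p4 channel name are from the page.

```python
import re

# RFC-style IRC line: optional ":prefix", a command word or 3-digit numeric, then params.
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Z]+|\d{3})(?: (?P<params>.*))?$")
STANDARD_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}

# Constructed client->server stream of the kind Follow TCP Stream shows in red.
# The nick "bot-0001" and the password "examplepass" are invented placeholders.
CLIENT_STREAM = (
    "NICK bot-0001\r\n"
    "USER l l l l\r\n"
    "JOIN #p4 examplepass\r\n"
    "PONG :irc.example.test\r\n"
)

def parse_irc(stream):
    """Split a reassembled stream into (prefix, command, args) tuples; non-IRC lines are skipped."""
    out = []
    for line in stream.split("\r\n"):
        m = IRC_LINE.match(line)
        if not m:
            continue
        params, trailing = m.group("params") or "", None
        if " :" in params:                       # trailing parameter may contain spaces
            params, trailing = params.split(" :", 1)
        elif params.startswith(":"):
            params, trailing = "", params[1:]
        args = params.split() + ([trailing] if trailing is not None else [])
        out.append((m.group("prefix"), m.group("cmd"), args))
    return out

def profile_stream(stream, dst_port):
    """Summarise the login the stream carries and flag IRC heading to a non-standard port."""
    msgs = parse_irc(stream)
    info = {"nick": None, "user": None, "channels": [], "is_irc": False, "nonstandard_port": False}
    for _, cmd, args in msgs:
        if cmd == "NICK" and args:
            info["nick"] = args[0]
        elif cmd == "USER" and args:
            info["user"] = args[0]
        elif cmd == "JOIN" and args:
            info["channels"] += args[0].split(",")
    info["is_irc"] = {"NICK", "USER"} <= {c for _, c, _ in msgs}   # a client login needs both
    info["nonstandard_port"] = info["is_irc"] and dst_port not in STANDARD_IRC_PORTS
    return info
```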
Prepare a filter: create a filter based on specific packet data.
Prepare a filter using the second request, which contains Answer RRs: 12.
- Simply right-click on Answer RRs: 12 and select Prepare a Filter.
- Change the == 12 to greater than 5 to pick out responses with an above-average number of answers.
- dns.count.answers gt 5
- This finds another DNS request containing Answer RRs: 11.
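The two checks the investigation relies on, the CNAME alias in the reply and the dns.count.answers gt 5 threshold, carried out on raw DNS wire format. This is an added example, not part of the assignment: build_response constructs a reply shaped like the bbjj.househot.com one (one CNAME plus eleven A records, twelve answers), using invented TEST-NET addresses, and analyse decodes it the way Wireshark's DNS dissector would.

```python
import struct
def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels plus a zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_response(qname, cname, addrs, txid=0x1234):
    """Constructed reply (not the capture): one CNAME answer, then one A record per address."""
    hdr = struct.pack(">HHHHHH", txid, 0x8180, 1, 1 + len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)           # qtype A, class IN
    target = encode_name(cname)
    answers = b"\xc0\x0c" + struct.pack(">HHIH", 5, 1, 300, len(target)) + target
    tptr = struct.pack(">H", 0xC000 | (len(hdr) + len(question) + 12))  # pointer to CNAME target
    for a in addrs:
        answers += tptr + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(int(o) for o in a.split("."))
    return hdr + question + answers

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the record)."""
    labels, end, jumped = [], None, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                                   # compression pointer
            end = end if jumped else off + 2
            off, jumped = ((n & 0x3F) << 8) | msg[off + 1], True
        elif n == 0:
            return ".".join(labels), end if jumped else off + 1
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n

def analyse(msg, threshold=5):
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, qname, cname, ips = 12, None, None, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                                # skip qtype and qclass
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:
            cname, _ = read_name(msg, off)
        elif rtype == 1:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"qname": qname, "answers": an, "cname": cname, "ips": ips,
            "suspicious": cname is not None and an > threshold}   # dns.count.answers gt 5

# Constructed sample shaped like the bbjj.househot.com reply: CNAME + 11 A records = 12 answers.
SAMPLE = build_response("bbjj.househot.com", "ypgw.wallloan.com", ["192.0.2.%d" % i for i in range(1, 12)])
```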
A very useful mechanism available in Wireshark is packet colorization. You can set up Wireshark so that it colorizes packets according to a filter. This lets you emphasize the packets you are (usually) interested in.
- Highlight the filter and select Edit Colors.
Choose a bright foreground and background.
The filter will now make it extremely hard to miss these kinds of malicious communications if a host on the network becomes infected again.
The image below shows the configurable IO graph of the captured network packets.
The user can configure the following things:
- Graph 1-5: enable the specific graph 1-5 (only graph 1 is enabled by default)
- Color: the color of the graph (cannot be changed)
- Filter: a display filter for this graph (only the packets that pass this filter will be taken into account for this graph)
- Style: the style of the graph (Line/Impulse/FBar/Dot)
- X Axis
- Tick interval: how long one interval in the x direction lasts (10/1 minutes or 10/1/0.1/0.01/0.001 seconds)
- Pixels per tick: use 10/5/2/1 pixels per tick interval
- View as time of day: option to view x direction labels as time of day instead of seconds or minutes since beginning of capture
- Y Axis
- Unit: the unit for the y direction (Packets/Tick, Bytes/Tick, Bits/Tick, Advanced…)
- Scale: the scale for the y unit (Logarithmic, Auto, 10, 20, 50, 100, 200, 500, …)
The save button will save the currently displayed portion of the graph as one of various file formats.
The copy button will copy values from selected graphs to the clipboard in CSV (Comma Separated Values) format.
Each type of traffic was added as the filter of one of three graphs. The color was altered, the tick interval set to 1 second, pixels per tick to 10 and the scale to 200.
Wireshark provides a wide range of network statistics.
These statistics range from general information about the loaded capture file (like the number of captured packets), to statistics about specific protocols (e.g. statistics about the number of HTTP requests and responses captured).
- File: general information about the capture file.
- Time: the timestamps when the first and the last packet were captured (and the time between them).
- Capture: information from the time when the capture was done (only available if the packet data was captured from the network and not loaded from a file).
- Display: some display related information.
- Traffic: some statistics of the network traffic seen. If a display filter is set, you will see values in the Displayed column, and if any packets are marked, you will see values in the Marked column. The values in the Captured column remain the same as before, while the values in the Displayed column reflect the packets shown in the display. The values in the Marked column reflect the marked packets.
W32/IRCBot.EX provides unauthorized access to an infected computer and also has the capability to spread to remote computers using the PnP exploit on port 445.
The backdoor's file is a PE executable about 8 kilobytes long, packed with the MEW file compressor and patched with PE_Patch. The backdoor's code is encrypted with a simple crypto algorithm.
IRCBot.EX was found on August 17th, 2005 and is very similar to the IRCBot.ES variant found 2 days earlier.
The server name is known: Mocbot connects on TCP port 18067 to bbjj.househot.com, or to ypgw.wallloan.com if the first server is unavailable. This is the same IRC server that the original Mocbot variants used.
The backdoor then joins an IRC channel called '#p4' using a hardcoded password and creates a bot there. A remote hacker can control the backdoor via the bot it creates in the '#p4' channel. The hacker can do any of the following:
- Scan for vulnerable computers and spread to them using the PnP exploit
- Download and run files on an infected computer
- Find files on local hard disks
- Perform DDoS (Distributed Denial of Service) attack
- Perform SYN and UDP flood
Measures to prevent this from reoccurring:
- Deploy an IPS.
- Carry out regular vulnerability scanning.
- Analyze application-layer packet contents to identify and block suspicious IRC login and connection behavior, and manage IM/P2P use.
- Reduce the spread of malicious software by isolating infected computers.
- Install patches.
- Install antivirus software on hosts.
- Strengthen host-side protection.
- Strengthen user information security awareness education.
- Don't open any email attachments.
Wireshark provides a rich set of features which can be used by network analysts, administrators, security analysts and anyone curious to learn about networking. Utilizing these features allows us to effectively understand, troubleshoot and secure our network(s).
Within this assignment Wireshark was used to analyze network traffic to/from a bot-infected host, reassemble an IRC communication over a non-standard port, identify which bot is on the infected host and spot unusual DNS replies.
Research was also carried out into how this botnet could have infected the host, and multiple ways of preventing it from reoccurring were identified.