You’d think that people writing botnets would be well versed in systems security, but from a quick look around I see that most botnets have some serious problems. The biggest issue with any botnet is command and control. How can the owner communicate with their bot nodes without having people steal their botnet by sniffing the traffic? Very few botnets out there seem to do anything to solve this issue, which baffles me. I recently found a botnet’s command and control channel on IRC and sat in there with a nickname similar to one of the bots and waited. The owner came online, authenticated with a password:
* jaxcx (none@C7A8F60F.70A4D926.D9A031DB.IP) has joined #jaxcnc
<jaxcx> .login gemma_2008
<j1F87E5A5> b 0 1 1 16701
<j81E0690F> b 0 1 0 25811
...
<jA18A5DF3> b 0 1 0 30246
<jaxcx> .av add avast.exe
<jaxcx> .c
* jaxcx (none@C7A8F60F.70A4D926.D9A031DB.IP) Quit (Quit)
I then logged in as him (.login gemma_2008) and tried some commands. After some playing about, I discovered his botnet ran as a process called ‘scvhost.exe’, which I then added to the bot’s AV list just as he added Avast. They all quit due to ping timeout a few minutes later.
The fatal flaw there was authentication: the password is a static secret sent in plaintext over a channel anybody can join, so whoever reads it once can use it forever. At an absolute minimum you'd expect a challenge-response (CHAP) style login, where the secret itself never crosses the wire and each answer is only good for one challenge:
<owner> .auth
<bot1234> challenge 4356462135
<bot4567> challenge 3023843571
<bot4321> challenge 5430587478
<owner> .login bot1234 e737b251fb9581502c91e56d95cbe43e
<bot1234> .ok bot4567 owner 325e117a80e658027dd60ea2101823ae
<bot1234> .ok bot4321 owner 51d8e811dc92e387e037f91944218491
Confusing? Let’s break it down line by line.
<owner> .auth
The owner asks to authenticate to the botnet.
<bot1234> challenge 4356462135
<bot4567> challenge 3023843571
<bot4321> challenge 5430587478
Each bot replies with a challenge value. The owner appends the challenge to his password and hashes the result with MD5; since the challenge changes every time, the resulting hash is useless to anyone who sniffs it. The owner only has to authenticate to one bot.
<owner> .login bot1234 e737b251fb9581502c91e56d95cbe43e
The owner decides to authenticate to bot1234, so he calculates the MD5 hash of "password4356462135" and uses it to log in. The bot computes the same hash from its own copy of the password and the challenge it issued, and checks that the two match.
<bot1234> .ok bot4567 owner 325e117a80e658027dd60ea2101823ae
<bot1234> .ok bot4321 owner 51d8e811dc92e387e037f91944218491
bot1234, now authenticated, answers the other bots' challenges on the owner's behalf. It can do this because every bot carries the same password in order to verify logins, which is worth keeping in mind: the secret is only as safe as the bot binary is hard to reverse.
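The exchange above, played out by both sides in code, as an added example that is not part of the original post. It uses Python's standard library, a made-up shared password and a made-up attacker word list (all labelled as constructed in the code), and ten-digit challenges as in the post's transcript. Besides the login and the ".ok" relay, it shows two things the transcript alone does not: a captured hash is rejected when replayed against a fresh challenge, and a sniffer who saw one challenge and its answer can still guess the password offline, because MD5(password + challenge) is a cheap, unsalted guess oracle.

```python
import hashlib
import hmac
import secrets

# Constructed values for this demonstration (not taken from any real botnet):
# the shared password and the attacker's small guess list are made up.
SHARED_PASSWORD = "gemma_2008"
ATTACKER_WORDLIST = ["password", "gemma", "gemma2008", "gemma_2008", "letmein"]


def md5_response(password, challenge):
    """Owner-side computation from the post: MD5(password || challenge), hex encoded."""
    return hashlib.md5((password + challenge).encode()).hexdigest()


class Bot:
    """A bot in the post's scheme. Note that it has to hold the password itself."""

    def __init__(self, name, password):
        self.name = name
        self.password = password
        self.pending = None  # outstanding challenge, None when none is live

    def auth(self):
        """Answer '.auth' with a fresh, unpredictable 10-digit challenge.
        A counter or timestamp here would let an attacker precompute answers."""
        self.pending = str(secrets.randbelow(10 ** 10)).zfill(10)
        return self.pending

    def login(self, response_hex):
        """Answer '.login <bot> <hash>'. Each challenge is usable exactly once."""
        if self.pending is None:
            return False
        expected = md5_response(self.password, self.pending)
        self.pending = None
        return hmac.compare_digest(expected, response_hex)

    def login_to(self, other, challenge):
        """The '.ok' step: an authenticated bot logs in to another bot on the
        owner's behalf. It can only do so because it knows the password too."""
        return other.login(md5_response(self.password, challenge))


def sniffer_offline_guess(challenge, response_hex, wordlist):
    """What someone reading the channel can do with one captured exchange:
    test password guesses offline, without ever talking to a bot."""
    for guess in wordlist:
        if md5_response(guess, challenge) == response_hex:
            return guess
    return None


def run_exchange():
    """Play the post's exchange and report what each party ends up with."""
    bots = {n: Bot(n, SHARED_PASSWORD) for n in ("bot1234", "bot4567", "bot4321")}
    # <owner> .auth  -> every bot replies with a challenge; the sniffer sees all of it
    challenges = {name: bot.auth() for name, bot in bots.items()}
    # <owner> .login bot1234 <md5>
    response = md5_response(SHARED_PASSWORD, challenges["bot1234"])
    first_login = bots["bot1234"].login(response)
    # <bot1234> .ok bot4567 ...  /  <bot1234> .ok bot4321 ...
    relayed = all(
        bots["bot1234"].login_to(bots[n], challenges[n]) for n in ("bot4567", "bot4321")
    )
    # The sniffer replays the captured hash after the bot issues a new challenge
    bots["bot1234"].auth()
    replay_accepted = bots["bot1234"].login(response)
    # ...but can recover the password offline from the single exchange it watched
    recovered = sniffer_offline_guess(challenges["bot1234"], response, ATTACKER_WORDLIST)
    return {
        "first_login": first_login,
        "relayed_to_other_bots": relayed,
        "replay_accepted": replay_accepted,
        "recovered_password": recovered,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The offline guess is the part to notice: the challenge stops replay, but it does nothing to protect a weak password, and every bot carries that password so a single reversed sample gives it away as well.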
Of course this is just an example. It could be improved by doing the whole exchange over private messages rather than in the channel, and by using a stronger response format than MD5(password + challenge): anyone who captures one challenge and its answer can test password guesses offline until one matches, and the password also sits inside every bot binary because each bot has to compute the same hash. The holy grail is, of course, asymmetric cryptography. Since the .NET framework makes it trivial to use RSA, one could simply authenticate by having a bot issue a random challenge and the owner return a digital signature over it. Only the public key is embedded in the bots, so reversing a bot gives away nothing that can sign, the bots verify the signature to prove the authenticity of the user, and a fresh challenge each time means a captured signature cannot be replayed.
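The signature-based login described above, as an added example rather than anything from the original post or a real botnet. To stay runnable offline in plain Python it uses textbook RSA over two fixed Mersenne primes (a constructed, reproducible key of about 216 bits, no padding), SHA-256 to map the challenge to a number below the modulus, and 16-byte hex challenges; a real implementation would use the .NET RSA classes or another library with proper signature padding. The bot object holds only the public exponent, which is the property the post is after.

```python
import hashlib
import secrets

# Constructed key material for this demonstration: two Mersenne primes make the
# key reproducible so the block runs offline. This is textbook RSA with no
# padding and a ~216-bit modulus: enough to show the protocol, not real crypto.
P = 2 ** 127 - 1
Q = 2 ** 89 - 1
N = P * Q
E = 65537                            # public exponent, embedded in every bot
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the owner only


def hash_to_int(message):
    """Map a message to an integer below the modulus via SHA-256."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(private_d, message):
    """Owner side: s = H(m)^d mod n."""
    return pow(hash_to_int(message), private_d, N)


def verify(public_e, message, signature):
    """Bot side: accept iff s^e mod n == H(m)."""
    return 0 < signature < N and pow(signature, public_e, N) == hash_to_int(message)


class Bot:
    """A bot that carries only the public key; nothing in it can produce a signature."""

    def __init__(self, name, public_e):
        self.name = name
        self.public_e = public_e
        self.pending = None

    def auth(self):
        """Issue a fresh, unpredictable challenge, valid for one login attempt."""
        self.pending = secrets.token_hex(16)
        return self.pending

    def signed_message(self, challenge):
        # The bot's own name is bound into what gets signed, so a signature
        # produced for another bot's challenge is not accepted here.
        return f"{self.name}:{challenge}".encode()

    def login(self, signature):
        if self.pending is None:
            return False
        msg = self.signed_message(self.pending)
        self.pending = None
        return verify(self.public_e, msg, signature)


def owner_login(bot, private_d):
    """The whole exchange: <owner> .auth, <bot> challenge, <owner> .login <signature>.
    Returns the bot's verdict and the signature a sniffer would have captured."""
    challenge = bot.auth()
    signature = sign(private_d, bot.signed_message(challenge))
    return bot.login(signature), signature


def run_demo():
    bot = Bot("bot1234", E)
    ok, captured_sig = owner_login(bot, D)
    # A sniffer replays the captured signature against the bot's next challenge
    bot.auth()
    replayed = bot.login(captured_sig)
    # Someone who reversed the bot has (N, E) only; the best they can do is guess
    bot.auth()
    forged = bot.login(secrets.randbelow(N))
    return {"owner_login": ok, "replay_accepted": replayed, "forgery_accepted": forged}


if __name__ == "__main__":
    print(run_demo())
```

The difference from the hashed-password scheme is what an attacker gets from a captured exchange or a reversed bot: a signature that is worthless once the challenge changes, and a public key that cannot sign anything. There is no password left to guess.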
What I really don’t understand is why these methods aren’t being used. Are bot writers really that lazy, or am I missing something?