To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Resending, as it doesn't appear this message made it out the first
time.


-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
--- Begin Message ---
This was discussed on another list about two weeks ago.

There are at least two versions of secrets.exe out.  Both are zipsfx
(iow, can be unpacked with unzip).

Archive:  secrets.exe
;The comment below contains SFX script commands

Path=C:\WINDOWS\system32\data
Setup=C:\WINDOWS\system32\data\start.exe
Silent=1
Overwrite=2

Filelist for the bot:

  Length     Date   Time    Name
 --------    ----   ----    ----
       12  11-10-06 18:01   date.txt
    27780  11-05-06 16:19   ie.exe
    13104  11-05-06 20:26   irc.exe
     5612  11-11-06 00:27   listener.exe
     8704  11-11-06 00:09   main.exe
     9392  11-10-06 18:09   mozilla.exe
   124688  03-09-04 15:45   mswinsck.ocx
        0  11-05-06 20:22   names.txt
        0  11-05-06 22:25   new.txt
        0  11-05-06 22:25   old.txt
     9543  11-05-06 20:12   servers.txt
     4816  11-10-06 22:55   start.exe
      326  11-10-06 18:42   start.reg
       18  11-10-06 18:10   address.txt
     7352  11-05-06 20:32   aim.exe
    13384  11-11-06 02:11   av.exe
 --------                   -------
   224731                   16 files


The differences between the two secrets packages are:

diff -ur secrets/date.txt update1/secrets/date.txt
--- secrets/date.txt    2006-11-10 18:01:28.000000000 -0500
+++ update1/secrets/date.txt    2006-11-11 21:02:06.000000000 -0500
@@ -1 +1 @@
- 27108088 
+0
\ No newline at end of file
Binary files secrets/main.exe and update1/secrets/main.exe differ

All of the executables are packed, so it's somewhat difficult to get an
idea of what they are.

Someone posted a partial dump of strings from a memory image of
irc.exe, though:

***** UNICODE SECTION *****

000023EC: 2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
00002494: ircSpreader\Final Stripped Version\
00002DA8: JOIN
00002FD4: Timer
00002FE0: Event
000033DC: PRIVMSG
000033FA: DCC SEND
00003444: LIST
0000346C: tem32\
0000354E: windows\system32\data\secrets.
000035C6: windows\system32\data\servers.
00003618: PART
00003630: , 133:USERID:WIN32:
0000365C: NICK
0000366C: USER BiTCH 1 1 :BiTCH PLeaSe
000036AC: PING
000036BC: PONG
000036CC:  321                                                
000036DC:  323
000036EC:  322                                               
00003708:  353
00003734:  366
00003744:  PRIVMSG
00003762: DCC RESUME
00003788:  RESUME
000037A0:  ACCEPT
0000419E: jjUj
0000E07C: ircSpreader\Final Stripped Version\

Update site for this bot is http://www.oinkoinkme.com /files/update1.exe
This url appears to still be active as of this writing.

md5sums:
791e69bf4b0492b98a2ba1a859e7d549  update1.exe
9787d16652592c0683fc1803ab36624b  secrets.exe
3bae90a04668c231fdc5584d3ddb3e89  update1/secrets.exe

Sunbelt Software has a sandbox report of the original secrets.exe at
http://research.sunbelt-software.com/ViewMalware.aspx?id=6160

Hope that helps.


On Sun, Nov 26, 2006 at 11:11:02PM +0100, Geir Åge Mortensen babbled thus:
> Hi,
> 
> We got hit by something in a channel.
> 
> Can someone tell me what it was?
> Time of incident 22:42 26/11/2006 [CET]
> 
> [22:42] * fuuoiu ([EMAIL PROTECTED]) has joined #chains
> [22:42] * fuuoiu ([EMAIL PROTECTED]) has left #chains
> 
> [22:43] DCC Send from fuuoiu rejected (secrets.exe, file type ignored)
> -
> fuuoiu is [EMAIL PROTECTED] * BiTCH PLeaSe
> fuuoiu on #business +#PuiuXXX #People=Shit #mp3zone #agadir-quebec
> #Aurora_Aureae #skootterit #U.P.C. #paint_it_black 
> fuuoiu using *.undernet.org The Undernet Underworld
> fuuoiu End of /WHOIS list.
> -
> 
> 
> How can I set up a trap to catch anything like this?
> 
> 
> Geir Mortensen

-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
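A static triage helper for the zipsfx layout PinkFreud describes, added here as an example and not code from the thread or from the Sunbelt report. It builds a small in-memory archive shaped like the one in the post (the SFX commands live in the zip comment, the payload files are ordinary members), then hashes it, parses the script and lists the members without extracting or running anything. The member contents, the deny-list placeholder and the flag wording are constructed for the example; only the script text and the file names come from the post.

```python
"""Static triage of a zip-based self-extracting (zipsfx) dropper.

Added example: builds a small in-memory archive shaped like the one in
the post (SFX commands in the zip comment, payload files as members),
then parses and summarises it without running anything. Member
contents and the deny-list hash are constructed, not the real sample.
"""
import hashlib
import io
import zipfile

# The SFX script from the post, as stored in the archive comment.
SFX_COMMENT = (
    b";The comment below contains SFX script commands\r\n"
    b"\r\n"
    b"Path=C:\\WINDOWS\\system32\\data\r\n"
    b"Setup=C:\\WINDOWS\\system32\\data\\start.exe\r\n"
    b"Silent=1\r\n"
    b"Overwrite=2\r\n"
)

# Constructed stand-ins: names follow the post's file list, bytes are dummies.
SAMPLE_MEMBERS = {
    "date.txt": b" 27108088 ",
    "start.exe": b"MZ" + b"\x00" * 30,
    "irc.exe": b"MZ" + b"\x00" * 40,
    "servers.txt": b"irc.example.invalid 6667\r\n",
    "start.reg": b"Windows Registry Editor Version 5.00\r\n",
}


def build_sample_sfx() -> bytes:
    """Return a zip blob whose comment field carries the SFX script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in SAMPLE_MEMBERS.items():
            zf.writestr(name, data)
        zf.comment = SFX_COMMENT
    return buf.getvalue()


def parse_sfx_script(comment: bytes) -> dict:
    """Parse Key=Value lines from the comment; lines starting with ';' are comments."""
    script = {}
    for raw in comment.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        script[key.strip()] = value.strip()
    return script


def triage(blob: bytes, known_bad_md5: set) -> dict:
    """Hash, list and parse an SFX archive; never extract or execute it."""
    md5 = hashlib.md5(blob).hexdigest()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        script = parse_sfx_script(zf.comment)
        members = [(info.filename, info.file_size) for info in zf.infolist()]
    flags = []
    if script.get("Silent") == "1":
        flags.append("silent mode")
    if "Overwrite" in script:
        flags.append("overwrite policy preset: " + script["Overwrite"])
    setup = script.get("Setup", "")
    if setup:
        flags.append("auto-runs " + setup)  # Setup= is launched after extraction
        if "system32" in setup.lower():
            flags.append("drops into the system directory")
    executables = [n for n, _ in members if n.lower().endswith((".exe", ".ocx", ".dll"))]
    return {
        "md5": md5,
        "known_bad": md5 in known_bad_md5,
        "script": script,
        "member_count": len(members),
        "executables": executables,
        "flags": flags,
    }


if __name__ == "__main__":
    sample = build_sample_sfx()
    # Deny-list placeholder; a real one would hold the md5sums given in the post.
    report = triage(sample, {"<md5 from the post>"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Against a real sample, `triage(open(path, "rb").read(), {hashes from the post})` gives the same summary; the point is that the SFX script alone already tells you where the dropper unpacks and what it auto-runs, before any executable is touched.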

--- End Message ---
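Geir's quoted post asks how to trap this kind of hit-and-run. As an added example, not code from the thread: a scanner over client-log lines in the format he quoted (join/part notices and "DCC Send from ... rejected (file, ...)" lines) that flags a nick which joins, leaves within a couple of minutes and then offers a file with a risky extension over DCC. The log lines, nicks, hostmasks and thresholds below are constructed for the example.

```python
"""Hit-and-run DCC spreader detector for IRC client logs.

Added example, not from the thread. Scans log lines in the format Geir
quoted (mIRC-style join/part notices and DCC Send notices) and flags a
nick that joins, leaves within MAX_STAY minutes and then offers a file
with a risky extension over DCC. Log lines, nicks and hostmasks below
are constructed; the thresholds are assumptions.
"""
import re

JOIN_RE = re.compile(r"^\[(\d\d):(\d\d)\] \* (\S+) \((\S+)\) has joined (#\S+)")
PART_RE = re.compile(r"^\[(\d\d):(\d\d)\] \* (\S+) \((\S+)\) has left (#\S+)")
DCC_RE = re.compile(r"^\[(\d\d):(\d\d)\] DCC Send from (\S+) .*?\(([^,)]+)")

# Extensions a DCC offer from a stranger should not be accepted with.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".ocx")
MAX_STAY = 2  # minutes in channel before leaving (assumption)
MAX_GAP = 5   # minutes between leaving and the DCC offer (assumption)

# Constructed log; hostmasks use documentation address ranges.
SAMPLE_LOG = """\
[22:40] * alice (alice@203.0.113.10) has joined #chains
[22:42] * fuuoiu (xyz@198.51.100.7) has joined #chains
[22:42] * fuuoiu (xyz@198.51.100.7) has left #chains
[22:43] DCC Send from fuuoiu rejected (secrets.exe, file type ignored)
[22:50] * bob (bob@203.0.113.11) has joined #chains
[22:55] DCC Send from alice rejected (notes.txt, file type ignored)
[22:58] DCC Send from bob rejected (tool.exe, file type ignored)
[23:10] * bob (bob@203.0.113.11) has left #chains
"""


def _minutes(hh: str, mm: str) -> int:
    return int(hh) * 60 + int(mm)


def scan(log_text: str, max_stay: int = MAX_STAY, max_gap: int = MAX_GAP) -> list:
    """Return one alert dict per suspicious DCC offer, in log order."""
    joined = {}  # nick -> (join minute, hostmask, channel)
    parted = {}  # nick -> (stay length in minutes, part minute)
    alerts = []
    for line in log_text.splitlines():
        m = JOIN_RE.match(line)
        if m:
            hh, mm, nick, host, chan = m.groups()
            joined[nick] = (_minutes(hh, mm), host, chan)
            continue
        m = PART_RE.match(line)
        if m:
            hh, mm, nick, host, chan = m.groups()
            if nick in joined:
                now = _minutes(hh, mm)
                parted[nick] = (now - joined[nick][0], now)
            continue
        m = DCC_RE.match(line)
        if not m:
            continue
        hh, mm, nick, fname = m.groups()
        now = _minutes(hh, mm)
        risky = fname.lower().endswith(RISKY_EXT)
        # The 0 <= guards drop negative deltas from a log that wraps past midnight.
        hit_and_run = (
            nick in parted
            and 0 <= parted[nick][0] <= max_stay
            and 0 <= now - parted[nick][1] <= max_gap
        )
        if not (risky or hit_and_run):
            continue
        reasons = [r for r, on in (("risky extension", risky),
                                   ("join-leave-send within minutes", hit_and_run)) if on]
        alerts.append({
            "time": f"{hh}:{mm}",
            "nick": nick,
            "host": joined.get(nick, (None, "unknown", None))[1],
            "file": fname,
            "severity": "high" if risky and hit_and_run else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run it over a client's channel logs (or feed it live lines from a script) and the join-and-leave nick offering an .exe comes out as a high-severity alert with its hostmask, which is what you need to add a ban or to report the host; an .exe offer from a nick that stayed in the channel is still flagged, just lower.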
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
