[nsp-sec] mariposa botnet drones
ath
ath at cert.org
Fri Sep 25 16:29:47 EDT 2009
Here is some analysis we did earlier this year on version 1.26 of this
malware. Some of it might still be relevant to the current version...
---
Aaron T. Hackworth
CERT
PGP Fingerprint:
F135 889E 1438 604F 6BC4
3232 87FC 17FC 1964 5373
----------
The following info is based off butterfly bot version 1.26:
The malware has three main components to its operation:
- The bot that runs on the infected hosts
- The command and control server
- The controller application that allows the botmaster to control the bots
The malware includes VMWare detection capabilities. This is a weak form
of anti-analysis technology.
There are modules for HTTP download and update, spreading via common P2P
applications, spreading via USB devices, and spreading via MSN messenger.
The transport protocol for BFB is UDP/IP and is encoded.
Some of the C2 numeric protocol messages are listed below, each followed
by its description.
0x61 bot-id
BOTJOIN – this is the first message sent to the server.
0x40 five-unknown-bytes
JOINRESPONSE. This is the first message sent back to the client from
the server.
0x80
KEEPALIVE. There is no data associated with this message. This message
is sent by either the server or the bot. The other party responds with
its own KEEPALIVE message.
0x01 0x12 osinfo(5 bytes) locale user
SYSINFO - This message is sent by the bot to the server after the
initial join message and contains information about the locale,
operating system version and logged on user of the victim system. The
format of osinfo is not known, but we are reasonably confident that it
contains information about the operating system and patch level.
0x01 0x10
KILL - Sent by the server to cause the bot to exit
0x01 0x11
RECONNECT
0x01 0x13 one-byte-flag six-unknown-bytes
MUTE - Appears to suppress responses being sent to the control server
0x01 0x14 command
COMMAND - Sends an ASCII command from the server to the bot. The
Command is one of the ones listed in the table below:
0x01 0x51
BOT QUITTING - Sent by the bot in response to the KILL or RECONNECT messages
0x0d <seven-unknown-bytes> message
TALK FROM BOT - A text message sent from the bot to the server, in
response to commands such as v (version).
Note: It appears that many of the unknown bytes in the protocol are
simply ignored by the client, and generated randomly or
semi-randomly by the server.
Commands (issued using 0x01 0x14 command):

  Command        Description
  v              Get bot version
  download url   This function was non-functional in the analyzed sample.
                 This should download a file.
  update url     This function was non-functional in the analyzed sample.
                 This should remove the bot, replacing it with the
                 downloaded file.
  m1 url         Spread via MSN
  m0             Stop spreading via MSN
  p filename     Spread via P2P
  s0 0           Disable USB spreader
  s0 1           Enable USB spreader
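As an added example (not part of the original post or of CERT's analysis), the following Python decodes messages that follow the opcode layout listed above into structured records, the kind of helper an analyst would use to label a decoded exchange in sensor logs. It assumes the UDP payload has already had the undocumented transport encoding removed, and it assumes a space separates the locale and user fields of SYSINFO; the sample payloads are constructed, not captured traffic.

```python
# Opcodes carried behind a leading 0x01 byte, as listed in the post.
_SUB = {0x10: "KILL", 0x11: "RECONNECT", 0x12: "SYSINFO", 0x13: "MUTE",
        0x14: "COMMAND", 0x51: "BOT_QUITTING"}

# Command verbs the post lists for 0x01 0x14, and the argument each takes.
KNOWN_COMMANDS = {"v": None, "download": "url", "update": "url",
                  "m1": "url", "m0": None, "p": "filename", "s0": "0|1"}

def parse_c2(payload):
    """Describe one decoded C2 message: type, expected direction, fields."""
    if not payload:
        raise ValueError("empty payload")
    op = payload[0]
    if op == 0x61:                    # BOTJOIN: first message, carries the bot-id
        return {"type": "BOTJOIN", "dir": "bot->c2", "bot_id": payload[1:]}
    if op == 0x40:                    # JOINRESPONSE: five bytes of unknown meaning
        return {"type": "JOINRESPONSE", "dir": "c2->bot", "unknown": payload[1:6]}
    if op == 0x80:                    # KEEPALIVE: no data, sent by either side
        return {"type": "KEEPALIVE", "dir": "either"}
    if op == 0x0D:                    # TALK FROM BOT: seven unknown bytes, then text
        return {"type": "TALK_FROM_BOT", "dir": "bot->c2",
                "message": payload[8:].decode("ascii", "replace")}
    if op == 0x01 and len(payload) >= 2 and payload[1] in _SUB:
        name, body = _SUB[payload[1]], payload[2:]
        rec = {"type": name, "dir": "c2->bot"}
        if name == "SYSINFO":         # osinfo(5 bytes) locale user
            # The separator between locale and user is an assumption (space).
            rec["dir"], rec["osinfo"] = "bot->c2", body[:5]
            parts = body[5:].decode("ascii", "replace").split()
            rec["locale"] = parts[0] if parts else ""
            rec["user"] = " ".join(parts[1:])
        elif name == "MUTE":          # one-byte flag, then six unknown bytes
            rec["flag"] = body[0] if body else None
            rec["unknown"] = body[1:7]
        elif name == "COMMAND":       # ASCII verb plus optional argument
            verb, _, arg = body.decode("ascii", "replace").partition(" ")
            rec.update(command=verb, arg=arg, known=verb in KNOWN_COMMANDS)
        elif name == "BOT_QUITTING":
            rec["dir"] = "bot->c2"
        return rec
    return {"type": "UNKNOWN", "dir": "?", "raw": payload}

# Constructed sample exchange (not captured traffic) in the order the post describes.
SAMPLE = [b"\x61" + b"ID-0001", b"\x40" + b"\x00" * 5, b"\x80",
          b"\x01\x12" + b"\x05\x01\x00\x00\x01" + b"en-US victim",
          b"\x01\x14" + b"v", b"\x0d" + b"\x00" * 7 + b"1.26",
          b"\x01\x14" + b"s0 1", b"\x01\x10", b"\x01\x51"]

def transcript(msgs=SAMPLE):
    return [parse_c2(m)["type"] for m in msgs]
```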
Based on the way the C2 domains are hard-coded into the malware, it
appears that the malware is being sold pre-configured for specific
domains. It is also believed that each version sold includes a unique ID
that is sent as the bot-id in the initial 0x61 bot-id message.
---END
Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------