Botnets - The killer web applications

www.syngress.com
Using Sandbox Tools for Botnets • Chapter 10
365


has detected (by inspecting the traffic) that the protocol used in this connection is IRC. Because of that it was able to retrieve all the protocol-dependent IRC data from the traffic stream:

The parameter of the user command is XP-DEU 0 0 :[XP|DEU|P|00|gcoDZaUz], which means that the username is XP-DEU, the IRC usermode is 0 and the realname is :[XP|DEU|P|00|gcoDZaUz].

The nickname is [XP|DEU|P|00|gcoDZaUz].

The channel ##tibia2## is joined using the password tibiablows.

The channel topic is :.scan.stop -s;.scan.start NETAPI 40 -a -s;.scan.start NETAPI 40 -b -s.

From the name of the attribute topic_deleted you can see that the channel topic is received but in fact not passed on to the malware; the CWSandbox can be configured in multiple ways to prevent further processing of received bot commands.
The last entries of the analysis report reveal that the malware opens a backdoor on TCP port 1910, but no connection to it is made during the analysis run:

connectionestablished="0" socket="1392"/>

That is it for the second process of this malware analysis. We have seen the most essential operations of such simple bot applications: after it has copied itself to the Windows directory and started, this new instance deletes the original malware file, sets up an autostart registry entry, opens a backdoor, resolves the domain name of its C&C server, connects to this server, and joins the correct channel. Because we did not let the channel topic pass to the malware's receiving function, its functionality stops there. An extract of the transformed HTML report of this analysis appears in Table 10.1, showing the analysis only for the second process. Again, some unimportant parts have been removed to reduce its length.
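As an added example (not the book's or CWSandbox's own code) of the protocol-dependent extraction this section describes: a small parser that rebuilds the bot's IRC login (USER, NICK, JOIN with key, channel topic) from a captured stream and, like the topic_deleted attribute, keeps the topic for the analyst without handing it on. The stream layout and the server name irc.example.net are constructed; the IRC values are the ones from the report above.

```python
from dataclasses import dataclass, field

# Constructed sample of the IRC traffic the sandbox would see for this bot; the
# values are the ones discussed in the report above, the server name is made up.
SAMPLE_STREAM = (
    "NICK [XP|DEU|P|00|gcoDZaUz]\r\n"
    "USER XP-DEU 0 0 :[XP|DEU|P|00|gcoDZaUz]\r\n"
    "JOIN ##tibia2## tibiablows\r\n"
    ":irc.example.net 332 [XP|DEU|P|00|gcoDZaUz] ##tibia2## "
    ":.scan.stop -s;.scan.start NETAPI 40 -a -s;.scan.start NETAPI 40 -b -s\r\n"
)
@dataclass
class IrcSession:
    nick: str = ""
    username: str = ""
    usermode: str = ""
    realname: str = ""
    channels: dict = field(default_factory=dict)  # channel -> key (password) or None
    topics: dict = field(default_factory=dict)    # channel -> topic text seen on the wire
    topic_deleted: bool = False                   # True: topic logged but withheld from the bot

def parse_irc_line(line):
    """Split one IRC line into (COMMAND, params); the trailing ':' param loses its colon."""
    if line.startswith(":"):              # drop the optional server/user prefix
        line = line.partition(" ")[2]
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    return (params[0].upper(), params[1:]) if params else ("", [])

def extract_irc_session(stream, suppress_topic=True):
    """Rebuild the bot's IRC login; suppress_topic mirrors the sandbox's topic_deleted flag."""
    s = IrcSession()
    for raw in filter(None, stream.split("\r\n")):
        cmd, params = parse_irc_line(raw)
        if cmd == "NICK" and params:
            s.nick = params[0]
        elif cmd == "USER" and len(params) >= 4:
            s.username, s.usermode, _, s.realname = params[:4]
        elif cmd == "JOIN" and params:
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(params[0].split(",")):
                s.channels[chan] = keys[i] if i < len(keys) else None
        elif cmd in ("332", "TOPIC") and len(params) >= 2:  # 332 = RPL_TOPIC sent on join
            s.topics[params[-2]] = params[-1]   # kept for the report ...
            s.topic_deleted = suppress_topic    # ... but flagged as not delivered
    return s
```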
