After doing a few google searches it appears that the links that existed to the source previously have been taken down. Lab 9: Is it possible to find the malware’s source code? If so, how did you do it? Since it has file transfer and process controls, it can also be used to further escalate the intrusion to include additional functionality as needed by the attacker. Natively, it can be used to steal data such as authentication credentials and financial information. The bot seems to be a multipurpose bot that allows an attacker to gain control over the host. Lab 8: What do you think the purpose of this malware is? You can lookup an extensive analysis of the Rbot family at Running it through VirusTotal and ThreatExpert along with the runtime behavior and strings analysis all show that this is a variant of Rbot. Lab 7: How would you classify this malware? Why? whois bothunter bothunter is * bothunter bothunter is connecting from 127.0.0.1 /msg USA4221645. You will want to mask your hostname to “” Now if you try and connect this is what everything will look like. What’s nice about InspIRCD is that the server allows operators to mask their hostnames. In order to login you need to use the gemp123 password, but it will throw an error. login somepass -USA4221645- Are you a Fucker?. Here is the output if you try and join with the incorrect password. Next execute the malware and wait for it to join. After everything is configured, connect to the server and join channel #chalenge. ThreatExpert reports this file as a Backdoor.IRCBot.īack on 6667, that’s what we want to listen on. Let’s also check the executable against to see what it reports. There is a directory of common usernames and passwords included, in addition to refer-ences to several default Windows administrative shares.Ī list of keywords such as “Welcome to Gmail” and “PayPal” may mean that it watches for user activity and can capture credentials and/or account numbers. “Microsoft Svchost local services” which may be how the malware survives between re-boots There is a reference to an executable “Winsec32.exe” as well as a Windows service Mands, which means it uses IRC for command and control There are numerous different network and security related registry keys that this mal. The malware is identified as Crxbot Alias Realmbot –by Lindem- The malware contains an IRC server hostname, channel name and associated com. Upon analyzing the strings information, what can you tell about the malware now? The tools I will be using are:PE Explorer – – – – – – – Pro Freeware – - Ghex - Fedora respositoriesFile Analyzer - InstallRite - mIRCd – inspIRCd. You can download the virtual machine from here: This is to show you that there is more than one way to skin a cat. We will be performing some of these labs several times in several different ways. The virtual machine that we will be using to analyze the malware will be a Windows XP SP3 machine. You can download the virtual machine from here: Malware_ The tools I will be using are: PE Explorer – Wireshark – VirusTotal – ThreatExpert – PEiD – Netcat – Regshot – IDA Pro Freeware – Stud_PE - Ghex - Fedora respositories File Analyzer - Files/File-Analyzer.shtml InstallRite - mIRCd – 1 © Malware Analysis Lab Manual Lab 1: Describe your malware lab The virtual machine that we will be using to analyze the malware will be a Windows XP SP3 machine.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |