Author Topic: "Botnet for anon"  (Read 8884 times)

November 17, 2007, 06:17:12 pm

Drusepth
I've seen this posted in a few /i/nsurgency boards advertising a server.exe for making a botnet. Just thought I'd throw it in here in case anyone wanted to look at it.

Building up a new botnet for anon's use
spread this file around, rename it, bind it, do whatever the fuck you want with it, just get it out on people's computers
hxxp://75.136.139.188/ddos/panel/infect/server.exe
pic not related

75.136.139.188 hosts one site, H4xbox.com, which looks like just a torrent site.
Navigating to 75.136.139.188/ddos/ lets you browse the directories, where there are other scripts, including a PHP DDoS script and a botscan.pl
The panel to control the botnet is in 75.136.139.188/ddos/panel/

About server.exe:
MD5: 1c0162b5e4a87cc9be936678a024f8da
I ran it through http://virusscan.jotti.org/, but I don't know how reliable that is.

Quote
File:      server.exe
Status:    INFECTED/MALWARE
MD5:    1c0162b5e4a87cc9be936678a024f8da
Packers detected:    ASPACK
Bit9 reports:    File not found

A-Squared     Found Trojan-Downloader.Win32.Agent.euy
AntiVir    Found TR/Dldr.Agent.euy
ArcaVir    Found Trojan.Downloader.Agent.Euy
Avast    Found Win32:Trojan-gen {Other}
AVG Antivirus    Found SHeur.MHN
BitDefender    Found Trojan.Generic.76913
ClamAV    Found nothing
CPsecure    Found nothing
Dr.Web    Found nothing
F-Prot Antivirus    Found unknown virus (probable variant)
F-Secure Anti-Virus    Found Trojan-Downloader.Win32.Agent.euy
Fortinet    Found nothing
Kaspersky Anti-Virus    Found Trojan-Downloader.Win32.Agent.euy
NOD32    Found probably a variant of Win32/TrojanDownloader.Agent (probable variant)
Norman Virus Control    Found W32/Agent.DESB
Panda Antivirus    Found nothing
Rising Antivirus    Found nothing
Sophos Antivirus    Found Mal/Heuri-D
VirusBuster    Found nothing
VBA32    Found Trojan-Downloader.Win32.Agent.euy

November 17, 2007, 08:38:42 pm
Reply #1

sowhat-x
hxxp://75.136.139.188/ddos/panel/
-> ...he-he, they're running their server under Windows:
Notice: Undefined variable: add_sub in C:\BigApache\Apache\htdocs\ddos\panel\online.php on line 36
Notice: Undefined index: a in C:\BigApache\Apache\htdocs\ddos\panel\index.php on line 133
And all of the installed Apache modules are listed in plain view also...
hxxp://75.136.139.188/ddos/panel/infect/

...quickly unpacked it and checked it in PEiD's disasm,
all done really quickly, didn't actually run it to see what files it creates,
or bother checking it extensively under Olly or so... that's what I got/assume is happening...
(the original crap is written in Delphi):
it's listening on all interfaces (0.0.0.0) and also uses icmp.dll, I don't think it's for DoSing though,
most probably for notifying the "mothership" in some IRC channel or so...
A few strings to get the idea of what it does, quite self-explanatory...
it almost certainly copies itself to the "Common files\System" dir along with a start.bat...
silently installs itself in the registry in order to autostart/"survive" after reboots.
temp.exe
exe.exe
update.bat
autostart.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
smss"="
REGEDIT /S "
Program Files\Common Files\
System\smss.exe
System\start.bat
TsunamiOverHost
hXXp://owned.name/exceptions
/update.php
hXXp://owned.name/upgrade

The last link mentioned above spawns a file with the string "0" in it...
I suppose it means no update available?
Couldn't find either temp.exe or exe.exe hosted in the links above,
didn't want to run it directly to see if it is the same one that gets renamed,
or if they're downloaded from somewhere else...
also played with the names of the dirs in the address above without luck...
I also saw a bit of xoring going on though, so I thought,
taking into consideration that these executables aren't available in the links above,
maybe they're hosted somewhere else...
and what about this update.php, it's nowhere to be found...
either it's for storing infected IP address data,
or more probably it redirects to the executables in question...

...So I fired up Google, and came up with this thread in Polish,
a bit more info and a couple of malware links listed there also...
http://www.webhostingtalk.pl/index.php?showtopic=9542&pid=73313
And if you search for "TsunamiOverHost",
the first link you'll land on is the... h4cky0u forum, lol...

P.S: ...just remembered Anubis' service... http://analysis.seclab.tuwien.ac.at
It pretty much says the same, adding that the "autostart.exe" mentioned above
gets created under the usual "Startup" location of Windows...
The analysis though still doesn't mention anything about "temp.exe" and "exe.exe":
maybe it also searches for executables named as such, in order to delete them...

November 18, 2007, 03:20:04 pm
Reply #2

JohnC
When you run server.exe it drops smss.exe, which is a copy of itself; it also drops Autostart.exe, which is a copy of itself as well.

c:\Documents and Settings\Administrator\Start Menu\Programs\Startup\autostart.exe
c:\Program Files\Common Files\System\smss.exe
c:\Program Files\Common Files\System\start.bat

start.bat contains:
Code:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss"="C:\\Program Files\\Common Files\\System\\smss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss"="C:\\Program Files\\Common Files\\System\\smss.exe"

The update.php is located on the same host as server.exe

75.136.139.188/ddos/panel/update.php

Server reply:
Code:
<br />
<b>Notice</b>:  Undefined variable:  add_sub in <b>C:\BigApache\Apache\htdocs\ddos\panel\online.php</b> on line <b>36</b><br />
1 http://75.136.139.188 80

Looks like a script error above which would stop the file doing what it naturally would if it received the right data back from the server. Not much else I can state which hasn't been mentioned by sowhat-x. /exceptions is also giving a 404, so it looks like the servers are having problems of some kind.
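One defensive check that follows from the findings in this thread (the strings sowhat-x pulled and the start.bat JohnC quoted) is to parse the .reg text such a dropper feeds to REGEDIT /S and flag Run/RunOnce values whose name mimics a core Windows process but whose target lives outside System32. This is an added example, not code from anyone in the thread; the sample input is the quoted start.bat, and the list of system binary names is my own assumption.

```python
import re

# Constructed sample: the start.bat content quoted above, i.e. what the
# dropper feeds to REGEDIT /S (the .reg format doubles backslashes).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss"="C:\\Program Files\\Common Files\\System\\smss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"smss"="C:\\Program Files\\Common Files\\System\\smss.exe"
'''

AUTORUN_KEYS = (r"\Microsoft\Windows\CurrentVersion\Run",
                r"\Microsoft\Windows\CurrentVersion\RunOnce")
# Assumed list of process names that legitimately live only in System32.
SYSTEM_BINARIES = {"smss", "csrss", "lsass", "winlogon", "services", "svchost"}
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg(text):
    """Return (key, value_name, data) for each value in a .reg dump."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a new [HKEY_...] section
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ: strip quotes and undo the .reg escaping of \\ and \"
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            entries.append((key, m.group("name"), data))
    return entries


def find_masquerading_autoruns(text):
    """Run/RunOnce values named like a system process but pointing elsewhere."""
    hits = []
    for key, name, data in parse_reg(text):
        if not any(key.lower().endswith(k.lower()) for k in AUTORUN_KEYS):
            continue
        stem = name.lower()[:-4] if name.lower().endswith(".exe") else name.lower()
        if stem in SYSTEM_BINARIES and "\\system32\\" not in data.lower():
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_masquerading_autoruns(SAMPLE_REG):
        print(f"suspicious autorun {name!r} under {key}: {data}")
```

The same parser can be pointed at a live export (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`) to audit a host rather than a dropped file.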