Recently one of my clients became infected with the RxBot, I was able to detect it using SNORT 2.6.1.4 on a FreeBSD 6.2 system running the latest rules from
bleedingthreats.net. That being said, the issue did not originally manifest as a Bot or c&c destination but as a TCP:3306 or MySQL worm scan / propagation attempt.
Specifically it was sid 1:2001689 and sid 1:2404003 that first alerted us to the issue using the aforementioned system with
BASE and
Sguil. Further research down the line revealed IRC commands on non-standard ports...as found in the bleeding-attack_response.rules.
Without getting into the nitty gritty of the whole thing, disassembly of the bot revealed it to be an RxBot with the following characteristics.
Some of the bot commands and other findings:
auth, logout, wget, port, stop, stats, threads, procs, open, godie, reboot, nick, join, part, http, tftp, rndnick, secure, unsecre, httpstop, logstop, ftfpstop, procsstop, securestop, reconnect, disconnect, quit, status, botid, aliases, clearlog, testdlls, getclip, flusharp, flushdns, crash, killthreads, prefix, server, killproc, killid, delete, list, mirc, read, gethost, addalias, action, cycle, mode, repeat, delay, execute, rename, httpcon, upload, pstore.
Once the bot has found a vulnerable MySQL server it creates a database called 'clown' and dumps a file encoded with base64. The file is then extracted to clown.dll in c:\windows\system32.
This means its a self contained spreader and doesn't need to create additional network connections to spread.
If that fails, it will also use sql xp_cmdshell commands to tftp or ftp the binary from another host.
Over 200 passwords are hardcoded into the binary, which it uses when connecting to both sql and smb shares. Some of those passwords:
staff, teacher, student, intranet, main, winpass, blank, office, control, nokia, siemens, compaq, dell, cisco, oracle, orainstall, sqlpassoainstall, db1234, databasepassword, data, databasepass, dbpassword, dbpass, access, database, domainpassword, domain, domainpass, hello, hell, backup, technical, loginpass, login, mary, kate, george, eric......etc.
channels it sends traffic to:
#nBot-udf pass
#infected
#patch
##sniff##
##keylog##
#cracked
#vnc
#lan
##full##
#dbot
#1
#2
#3
#4
#5
#rose
##dns
#edoo
#dns
#miBot
#MYSQL#
#moh
#sql
#db0t
#nbot-3306
#dbot
##asn
#psyBNC
##final
#final#
#stable
#gecko
#mbot
##mBot
#own#
#vBot
#vCal
##yb
#nBot
#yahoo
#miBot
#rx#
#x1
#x2
#sqltest
some file drops:
c:\cmd.exe
cdmd.exe
dbot.exe
fileWin.exe
nig.exe
windowsVNC.exe
C:\ffd.exe
nrose.exe
c:\pp.exe
C:\pk.exe
C:\OG.exe
C:\ud2.exe
C:\120.exe
C:\lol.exe
C:\ne.exe
C:\fg.exe
c:\dump.exe
C:\ucla.exe
C:\eggdrop.exe
c:\210.exe
C:\faa.exe
C:\full.exe
C:\sql.exe
C:\setps.exe
sgffg.exe
C:\S.exe
C:\vsyncadi.exe
C:\g.exe
C:\npk.exe
C:\Print.exe
C:\MSDEVS.exe
MSD.exe
mswin.exe
C:\bbv.exe
C:\sql.exe
C:\bbnc.exe
C:\pBNC.exe
C:\bot.exe
C:\UD_PI.exe
C:\vbot.exe
yang.exe
qb.exe
ucla.exe
C:\secret.exe
C:\seddcret.exe
C:\S.exe
c:\l0l.exe
c:\MSDEVs3.exe
bbv.exe
C:\h1ggd3n.exe
C:\H9de.exe
C:\xx1.exe
hhiden.exe
C:\setups.exe
C:\n.bat
nwsz.exe
C:\ne.exe
The bot then joins https.easypwn.net with the password s3cr3t.
The bot administrator must have the user host "symtec.us" to issue commands.
The bot has anti-debugger and anti-vmware code, and is packed with AsPack.
The bot registers as version 2, however we've seen evidence a version 3 exists as well.
I would like to thank Nicholas, Jason and Jamaal for their invaluable assistance in the disassembly and work on this fun.
Aside from detecting IRC commands on non-standard ports and portscans, here are a few rules (more to follow) that should help detect this specific bot:
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"RxBot Trojan Client Lookup of easypwn.net"; content:"easypwn.net"; nocase; classtype:trojan-activity; reference:url,global-security.blogspot.com/2007/07/rxbot.html; sid:3000005; rev:2;)
JJC