There's a lot of bits of info to do google searches on. In the binary are these strings:
.rdata:0040C2F8 0000001F C rolotech-electronics.comuf.comGoogle searches on those domains and that IP turn up lots of malware results, all of which show almost the exact same symptoms (or "IOCs" as infosec likes to call them). Normally, when malware is sold or traded heavily in the underground, the symptoms when that malware gets used will differ across multiple infections. The fact that the samples are pretty homogenous seem to hint that this malware is used by one group exclusively.
.rdata:0040C317 0000001A C speedtest1.hivelocity.net
.rdata:0040C331 0000000D C 68.11.12.242
Googling the deciphered hostname fkn.ddos.cat brings up this post from the excellent guys at exposedbotnets detailing what they saw on the IRC server when they ran the bot. That's neat too because two of the names (Sabu and tflow) are old handles from some of the infamous lulzsec guys. But it's not actually them; all of lulzsec has been busted up and in jail for a while now.
This is the part that I really liked though. This string is found in the binary:
.rdata:0040B6C4 00000044 C PRIVMSG %s :(Version): Zodiac v0.10 (HIGHLY PRIV10) Windows versionGoogling that string brings up this reddit post linking to Joe's Security Blog, where he did some very good analysis on an almost exact same sample.
But it also brought up this very interesting pastebin showing a log of some hackers hanging out in an IRC. Now, there's a lot there, but the most interesting bits are this:
09[16:22] * Topic is ' 4,1H 9T 8P 0\ 8 No power since 2011 (damn it, Acidstorm) 0\ 9Mumble up: core.hack-the-planet.tv 64738 : niggers5 0\ 4 /htp/HTP-5.txt underway (ASCII, content) 0\ 8straylig.ht now mirroring releases 0\ 13 http://i.imgur.com/9z0MGOV.png 'this:
[18:03] <&XiX> hey nachash dont forget to make HTP-5.txt editable by htp broand this:
So I'm pretty sure these are the guys that created this botnet code, because of that version string.[02:17] <&Goku> 23:16 >>>> zwin-LUMPVJ|60 (zwin-@hack-BB3B7A6D.mullvad.net) has joined #shiro[02:17] <&Goku> 23:16 <Shiro> .zwin* version[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Version): Zodiac v0.10 (HIGHLY PRIV10) Windows version[02:17] <&Goku> 23:16 <Shiro> .zwin* help[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): Build type: Windows (Feb 19 2013, 22:59:38)[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): COMMAND DESCRIPTION[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): quit Make the bot quit[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): help Print this menu[02:17] <&Goku> 23:16 <zwin-LUMPVJ|60> (Help): version Print the version of the bot[02:17] <&Goku> wont get much larger then that as well[02:17] <&Goku> 33kb base[02:17] <&Goku> i am[02:17] <&Goku> god sent coder
And, I'm pretty sure these are the guys that released the HTP zines (Hack the Planet). Now that's kind of a big deal. Here's the HTP-5 issue. Have a read, it's pretty good (also note that they mention "one of our botnets, Zodiac" right in the zine). They breached MIT, Securi, and the freakin' NIST-NVD. But the craziest part is that they were behind the Linode breach. That one is intense because Linode is a pretty big service provider, and in HTP's words:
Meanwhile, we enjoyed our (root) access to Nmap, Nagios, SQLite, OSTicket, Phusion Passenger (modrails), Mono Project, Prey Project, Pastie, Sucuri, Hak5, Pwnie Express, Puppet, and oauth.They were in a position to backdoor nmap. And yes, hacklogs can be faked, but all of these hacks have been verified. That's a sobering thought.
Anyway, I thought it was cool that the malware I decided to really cut my teeth on was from the HTP guys. I'm still nowhere near done with it and will post updates as I make my way through the code.
Fun times.
