Know your Enemy:
Tracking Botnets - Bot-Commands

In the following, we cover the more popular commands implemented in the common bots we have captured in the wild. Presenting all the commands is beyond the scope of this paper, as Agobot comes along with over 90 commands in the default configuration.

1. DDoS something
   • Agobot
     • ddos.stop
       stops all floods
     • ddos.phatwonk [host] [time] [delay]
       starts leet flood

             Starts a SYN-flood on ports 21,22,23,25,53,80,81,88,
             110,113,119,135,137,139,143,443,445,1024,1025,1433,
             1500,1720,3306,3389,5000,6667,8000,8080
       			

     • ddos.phatsyn [host] [time] [delay] [port]
       starts syn flood
     • ddos.phaticmp [host] [time] [delay]
       starts icmp flood
     • ddos.synflood [host] [time] [delay] [port]
       starts an SYN flood
     • ddos.updflood [host] [port] [time] [delay]
       start a UDP flood
     • ddos.targa3 [host] [time]
       start a targa3 flood

             Implements the well known DDoS attack Mixter authored in 1999.
       
             /*
             * targa3 - 1999 (c) Mixter 
             *
             * IP stack penetration tool / 'exploit generator'
             * Sends combinations of uncommon IP packets to hosts
             * to generate attacks using invalid fragmentation, protocol,
             * packet size, header values, options, offsets, tcp segments,
             * routing flags, and other unknown/unexpected packet values.
             * Useful for testing IP stacks, routers, firewalls, NIDS,
             * etc. for stability and reactions to unexpected packets.
             * Some of these packets might not pass through routers with
             * filtering enabled - tests with source and destination host
             * on the same ethernet segment gives best effects.
             */
             taken from 
                 http://packetstormsecurity.org/DoS/targa3.c
       
       

     • ddos.httpflood [url] [number] [referrer] [recursive = true||false]
       starts a HTTP flood

             This is real nasty since it fetches websites from a webserver. 
             If "recursive" is set, the bot parses the replies and follows 
             links recursively.
       

   • SDBot
     • syn [ip] [port] [seconds|amount] [sip] [sport] [rand] (sdbot 05b pure version)
       
     • udp [host] [num] [size] [delay] [[port]]size (sdbot 05b ago version)
       
     • ping [host] [num] [size] [delay]num
   • UrXbot
     • ddos.(syn|ack|random) [ip] [port] [length]
     • (syn|synflood) [ip] [port] [length]
     • (udp|udpflood|u) [host] [num][ [size] [delay] [[port]]
     • (tcp|tcpflood) (syn|ack|random) [ip] [port] [time]
     • (ping|pingflood|p) [host] [num][ [size] [delay]
     • (icmpflood|icmp) [ip] [time]
     • ddos.stop
     • synstop
     • pingstop
     • udpstop
2. Spreading
   • Agobot
     • scan.addnetrange [255.255.255.255/32] [priority]
     • scan.delnetrange [255.255.255.255/32]
     • scan.listnetranges
       list scanned netranges
     • scan.clearnetranges
       clears netrange
     • scan.resetnetranges
       removes all netranges from scanner and adds local LAN as scanning range
     • scan.enable [scanner]
       [scanner] can be one of

             Anubis Bagle CPanel DCOM DCOM2 Doom DW Ethereal
             HTTP Locator LSASS NetBios Optix SQL UPNP WKS
       		

     • scan.disable [scanner]
       [scanner] can be the same as above
     • scan.startall
       starts all scanners
     • scan.stopall
       stops all scanners
     • scan.start
       starts all enabled scanners
     • scan.stop
       stops all scanners
     • scan.stats
       replys stats about exploitings per scanner
     • scan.host [255.255.255.255[:port]] If given with port, just tries to exploit the host with the scanners fitting the ports, else all scanners are used.
   • SDBot & UrXBot
     • (scanall|sa)
     • (scanstats|stats)
     • scandel [port|method]
       [method] can be one of

       	webdav 
       	ntpass netbios 
       	dcom135 dcom445 dcom1025
       	dcom2
       	iis5ssl
       	mssql
       	beagle1
       	beagle2
       	mydoom
       	lsass_445
       	lsass_139
       	optix
       	upnp
       	netdevil
       	DameWare
       	kuang2
       	sub7
       	

     • scanstop
     • (advscan|asc) [port|method] [threads] [delay] [minutes]
3. Downloading files from the internet
   • Agobot
     • http.download
       download a file via HTTP
     • http.execute
       updates the bot via the given HTTP URL
     • http.update
       executes a file from a given HTTP URL
     • The same commands are also available via FTP
   • SDBot & UrXBot
     • (update|up) [url] [botid]
     • (download|dl) [url] [[runfile?]] [[crccheck]] [[length]]
4. Local file IO
   • SDBot & UrXBot
     • (execute|e) [path]
     • (findfile|ff) filename
     • (rename|mv) [from] [to]
     • findfilestopp
5. Sending Spam
   • Agobot
     • cvar.set spam_aol_channel [channel]
       AOL Spam - Channel name
     • cvar.set spam_aol_enabled [1/0]
       AOL Spam - Enabled?
     • cvar.set spam_maxthreads [8]cvar
       Spam Logic - Number of threads
     • cvar.set spam_htmlemail [1/0]"true",
       Spam Logic - Send HTML emails
     • cvar.set aolspam_maxthreads [8]
       AOL Spam Logic - Number of threads
     • spam.setlist
       downloads list with email-addresses to spam them
     • spam.settemplate
       downloads an email template
     • spam.start
       starts the spamming
     • spam.stop
       stops the spamming
     • aolspam.setlist
       AOL Spam - downloads an email list
     • aolspam.settemplate
       AOL - downloads an email template
     • aolspam.setuser
       AOL - sets an username
     • aolspam.setpass
       AOL - sets a password
     • aolspam.start
       AOL - starts the spamming
     • aolspam.stop
       AOL - stops the spamming
   • SDBot

     	So far, SDBot does not implement dedicated spamming
     	methods. But other options to send spam are possible:
     	The spammer uses the "download" command to download
     	and execute a SOCKSv4/v5 server. The server publishes
     	his IP-address and SOCKS-port at a file on a
     	webserver. Via this backdoor, spam can be sent.
     	

   • UrXBot
     • email [server] [port] [srcmail] [dstmail] [mailsubj]
6. Sniffing
   • Agobot

     	Agobots sniffing is really "advanced": If you compile
     	the bot with sniffing enabled, it drops a stripped
     	down lipcpap dll on startup and registers it as system
     	driver. The sniffing thread then uses libpcre to
     	lookout for bot commands
     	

     • HTTP
       Commented: Like paypals? ;-D How about cookies? YUMMEH! -rain
       Checks for "PAYPAL" "SET-COOKIE"
     • SSH
       Commented: I dont get the idea, but the famous lsass author Nils contributed this and comments it
       // SSH - works - after the RSA key is sent, the login and pass is sent raw. Believe me. -Nils
       Checks for "login as:" "password:" "putty" "SECURECRT"
     • CPANEL
       Commented: Like configuring Domains ? Here you go ! -Nils
       Checks for "cPanel" "Set-Cookie:"
     • IRC
       Checks for:

       	"^:(.*)!(.*)@(.*) ((?i)PRIVMSG|NOTICE) (.*) :(.)((?i)login|auth|id|ident|hashin|secure|l) (.*)$"
       	"^((?i)oper )(.*)"
       	"^:(.*) 381 (.*) :(.*)"
       	"^((?i)nickserv identify) (.*)$"
       	"^:.* ((?i)notice|privmsg) (.*) :Password accepted.*"
       		Botnet DDoS:
       	"^:(.*)!(.*)@(.*) ((?i)PRIVMSG|NOTICE) (.*) :(.)((?i)ddos|packet|flood|udp|syn|pfast|coldrage|syn3|syn2|targa|icmp|fuck|random) (.*)$"
       		

     • FTP
       Checks for:

       	"^((?i)USER )(.*)"
       	"^((?i)PASS )(.*)"
       	"^(230 )(.*)"
       		

     • cvar.set sniffer_enabled 1/0
     • cvar.set sniffer_channel [destinationchannel] sets the destinations channel to which the results should be logged
     • sniffer.addstring [pcre] adds a user-defined string to the sniffer
     • sniffer.delstring [pcre] deletes a user-defined string from the sniffer
   • SDBot

     	SDBots sniffing is based on Windows raw socket
     	listening.  Compared to the way Agobots sniffing is
     	implemented, this way is ineffective and poorly: The
     	bot even sniffs his own traffic and recognizes it as
     	sniffed traffic. In addition, SDBot lacks PCRE support
     	and uses strstr() for comparison.
     	

     • HTTP
       Checks for: paypal PAYPAL paypal.com PAYPAL.COM Set-Cookie:
     • IRC
       Checks for the following strings:
       :.login :,login :!login :@login :$login :%login :^login :&login :*login :-login :+login :/login :\\login :=login :?login :'login :`login :~login : login :.auth :,auth :!auth :@auth :$auth :%auth :^auth :&auth :*auth :-auth :+auth :/auth :\\auth :=auth :?auth :'auth :`auth :~auth : auth :.id :,id :!id :@id :$id :%id :^id :&id :*id :-id :+id :/id :\\id :=id :?id :'id :`id :~id : id :.hashin :!hashin :$hashin :%hashin :.secure :!secure :.l :!l :$l :%l :.x :!x :$x :%x :.syn :!syn :$syn :%syn CDKey JOIN # NICK OPER oper now an IRC Operator
     • carnivore [on/off]
7. Cloning
   • Agobot
     • For some reasons our agobot lacks cloning capabilities
   • SDBot & UrXBot
     • (clone|c) [host] [port] [channel] [[chanpass]]
     • clonestop [clonenumber]
     • (c_raw|c_r) [clonenumber] [raw irc command]
     • (c_mode|c_m) [clonenumber][some irc mode]
     • (c_nick|c_n) [clonenumber] [newnick|$randnick]
     • (c_join|c_j) [clonenumber] [channel]
     • (c_part|c_p) [clonenumber] [channel]
     • (c_privmsg|c_pm) [clonenumber] [dest nick or channel] [msg]
     • (c_action|c_a) [clonenumber] [dest nick or channel] [msg]