General Musing

blaze your trail

How to not take down a botnet by a Law Abiding Citizen #security


Hi all,

I’ve spent some time over the last few days getting to know the Sality botnet, which is estimated to have at least one million peers. It was ranked by Symantec as the number one malicious code family in 2010 by number of endpoint detections, and has been used to push spam, steal passwords, crack SIP accounts, and various other nasty things.

It has come to my attention that it is not only possible but easy to seize control of version three of the botnet, and, more importantly, take it down. Sadly, doing so would require breaking the law. For this reason, I have to request that nobody perform the steps I am about to describe. You can find all the files mentioned below in this archive (password: sality):

http://www7.zippyshare.com/d/65744138/9360/byesality.zip

Firstly, you should not use SQL injection to exploit this site: http://www.capesolution.com/login/login.aspx . Furthermore, you should not upload an encrypted version of the AVG Sality removal utility to /images/logo/logof.jpeg . Finally, you should under no circumstance laugh maniacally as you watch a sizable botnet disintegrate before your eyes.

Although it shouldn’t matter to anyone, this URL won’t stay active for long. When the authors of Sality remove this particular URL, or if that SQL injection turns out to be difficult to leverage, you should definitely not try to replace one of these files:

  • h ttp://yaylaozu.com/images/logo.gif
  • h ttp://destekegitim.com/images/logo.gif
  • h ttp://dav14gurgaon.org/images/logo.gif
  • h ttp://dersrehberi.com/images/logo.gif
  • h ttp://cisse.com.tr/images/logo.gif
  • h ttp://cbe.com.vn/images/logo.gif

You should also *never* use the provided Python script to get an updated list of targets from the P2P network.

Obviously this could be misused by unscrupulous individuals. For this reason, I am not providing details on how to create a properly encrypted executable, although I imagine some either already know or will quickly figure it out. The payload is not malicious, but you don’t have to take my word for it. One can check it out in a VM via the provided Sality sample by simply using fakedns and thttpd to serve up the file to the virus, or by running/unpacking the provided original.

Thanks for taking the time to read this. I might release more notes on various other pieces of Sality fun if and when the botnet is shut down, but alas, this day may never come. It is unfortunate that I am unable to do so now due to these legal issues, but, as I’m sure you all know, it is more important to respect the law than to fix anything.

Sincerely,
A Law Abiding Citizen

Written by Daniël W. Crompton (webhat)

March 27, 2012 at 2:22 pm

Posted in Uncategorized

