Backdoor.IRC.Cirebot

Printer Friendly Page

Discovered: August 02, 2003
Updated: August 05, 2003 8:53:45 PM
Systems Affected: Windows

Backdoor.IRC.Cirebot is an IRC bot with auto-rooting capabilities that exploits a number of vulnerabilities.

Discovered: August 02, 2003
Updated: August 05, 2003 8:53:45 PM
Systems Affected: Windows

Backdoor.IRC.Cirebot is an IRC bot/backdoor with auto-rooting capabilities.

The backdoor includes a dropper called "worm.exe" that creates the following files:

c:\rpc.exe
c:\tftpd.exe
c:\rpctest.exe

It then executes "rpc.exe". This causes "tftpd.exe", an FTP server that listens on TCP port 69, to be launched. This program also opens a window and attempts to connect to port 445 on each IP address in a randomly generated class-B space. This suggests an attempt at propagation, however, Symantec has not been able to observe successful replication or even reproduce this function in a lab environment. The program then obtains "lolx.exe" via FTP and executes it.

lolx.exe:

This is a comprehensive IRC bot and autorooter. It contains several exploits and methods of propagation including: IIS Unicode Overflow, Netbios share propagation, SQL blank SA password, Sub7 and Netdevil propagation, and peer-to-peer file share propagation. The bot also includes standard IRC bot functionality including DDoS and portscanning capabilities

The file "rpctest.exe" is an exploit for the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. Successful exploitation provides a shell on port 57005.

Also included is "Tasklist.exe", a command-line program to show the process list on a system.

The bot has a routine to terminate certain processes, however, it appears to be incomplete. It is intended to terminate the following processes:
sdbot.exe
taskmgr.exe
winamp.exe
antivirus.exe

There is also a routine that generates a file deletion batch file. This is intended to create a ile named r.bat which is intended to delete various files. It is unclear how this batch file was intended to be implemented.

The bot also hooks the keyboard in order to intercept keystrokes. The remote attacker can then retrieve the logfile of captured keystrokes through the back door functionality.

Once the bot is installed on the system, it sends an ICQ pager notification to the remote attacker. The page will have the following properties:
From: AUser
To: k@ericbot.com
Subject: WWPage

The bot allows the remote attacker to perform portscans and vulnerability scans of other systems. There are errors in this implementation that may cause only the SQL blank SA account password scan to function.

There is also functionality to allow the bot to communicate with other networks, including other bot networks and file sharing networks. This routine is not fully implemented and does not currently function.

The bot attempts to connect to the following IRC servers:
irc.observers.net
irc.seicher.net
irc.cobra.net
us.undernet.org
atlanta.ga.us.undernet.org
irc.icq.net
us.quakenet.org
uk.undernet.org
washington.dc.us.undernet.org
fairfax.va.us.undernet.org
irc.ingrak1.org
irc.wilson.org
irc.ef.net

Once connected to the server, the bot attempts to join one of the following channels:
#botchan1
abc123
#botnet!
@log|n