Botnets in the MU world

Good day! Quite often one server attacks another just to remove a competitor, usually with a DDoS attack. The problem is that a strong DDoS is expensive, and gathering your own botnet is not so simple. Last night a customer wrote to me on Skype that he had found one of the people who are actively collecting a small botnet.

mu-inside is in cahoots with a person who has his own botnet; they packed it into the client program, which starts when the client is unpacked, and with it they collect a DDoS botnet base; there is correspondence and the virus itself


The thing smelled of trouble, and I liked it! Without hesitation, I started working. First of all, I downloaded the game client. As soon as I started unpacking it, Kaspersky began yelling wildly and told me that the files contained Backdoor.Bifrose.eyon, and it also found Sality.q. An interesting tandem.


Backdoor
Executing such a black box on the main PC makes no sense, so I created a new virtual machine and ran everything there. The game client was unpacked, updated and launched. First of all, I wanted to see the traffic and find out which server the backdoor connects to. Unfortunately, Wireshark showed no network activity at all. This meant that the trojan/backdoor simply was not running. But in the archive with the game I found another folder.

self-made backdoor

The description of a single file said it was supposed to help get rid of disconnects. The file itself weighed 69 kilobytes. Opening the file properties, I immediately saw that the original file name (the OriginalFilename field in the version info) was encrypted.exe. Viruses and trojans are very often named like this when they are built.

Let’s take the debugger and go!

After I opened the file in IDA Pro, I immediately saw two things. Firstly, it was a .NET 2.0 application, and secondly, it was packed with MPRESS. A few minutes later the simple packer was defeated and the original program was in front of me. There was no sense in running such a suspicious application, even unpacked. After several hours of tinkering, I was able to fully recover the source code.

The source code makes no claims to quality, and I am not even a C# programmer; besides, the line that launches the Trojan is commented out (the Trojan itself is in fact packed into the code).

Let me describe everything in a simpler way. When you run the program, it takes an internal buffer containing the encrypted data, decrypts it with the Rijndael cipher, base64-decodes the result twice, and then writes it out to a file. The output is the Arcdoor Trojan.
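The decode chain described above can be reproduced offline, so the payload is recovered without ever running the dropper. The following Go program is an added example written for this page; it is not the dropper's own C# code and not anything from the authors of the client. It assumes the .NET RijndaelManaged defaults (128-bit block, CBC mode, PKCS#7 padding, which makes the cipher plain AES), uses a key, IV and payload that are made up here, builds its own sample blob the way the dropper's author would have, then reverses the chain and checks the result for the MZ header of a Windows executable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// pkcs7Unpad strips PKCS#7 padding, which is what .NET RijndaelManaged
// applies by default (PaddingMode.PKCS7). Malformed padding is rejected
// instead of silently returning garbage, which is what a wrong key yields.
func pkcs7Unpad(buf []byte, blockSize int) ([]byte, error) {
	if len(buf) == 0 || len(buf)%blockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	n := int(buf[len(buf)-1])
	if n == 0 || n > blockSize || n > len(buf) {
		return nil, errors.New("bad PKCS#7 padding byte")
	}
	for _, b := range buf[len(buf)-n:] {
		if int(b) != n {
			return nil, errors.New("inconsistent PKCS#7 padding")
		}
	}
	return buf[:len(buf)-n], nil
}

// pkcs7Pad is only needed to build the constructed sample blob below.
func pkcs7Pad(buf []byte, blockSize int) []byte {
	n := blockSize - len(buf)%blockSize
	return append(append([]byte{}, buf...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// ExtractPayload reverses the dropper's pipeline statically: AES-CBC
// decrypt (Rijndael with a 128-bit block, the RijndaelManaged default),
// remove padding, then base64-decode twice. Nothing is executed.
func ExtractPayload(blob, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("blob is not block-aligned")
	}
	plain := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, blob)
	plain, err = pkcs7Unpad(plain, aes.BlockSize)
	if err != nil {
		return nil, err
	}
	// Two base64 layers: the outer layer decodes to another base64 string.
	inner, err := base64.StdEncoding.DecodeString(string(plain))
	if err != nil {
		return nil, fmt.Errorf("outer base64: %w", err)
	}
	payload, err := base64.StdEncoding.DecodeString(string(inner))
	if err != nil {
		return nil, fmt.Errorf("inner base64: %w", err)
	}
	return payload, nil
}

// LooksLikePE is the sanity check an analyst applies to the result: a
// dropped Windows executable starts with the "MZ" DOS header.
func LooksLikePE(payload []byte) bool {
	return len(payload) >= 2 && payload[0] == 'M' && payload[1] == 'Z'
}

// BuildSample constructs a blob the way the dropper's author would have:
// base64 twice, then AES-CBC with PKCS#7 padding. Payload, key and IV are
// made up for this example; they are not the real Arcdoor bytes.
func BuildSample(payload, key, iv []byte) []byte {
	once := base64.StdEncoding.EncodeToString(payload)
	twice := base64.StdEncoding.EncodeToString([]byte(once))
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padded := pkcs7Pad([]byte(twice), aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}

// Constructed sample inputs (hypothetical, not taken from the real dropper).
var (
	SampleKey     = []byte("0123456789abcdef0123456789abcdef") // 32-byte AES-256 key
	SampleIV      = []byte("fedcba9876543210")                 // 16-byte IV
	SamplePayload = []byte("MZ\x90\x00fake-arcdoor-body")
)

func main() {
	blob := BuildSample(SamplePayload, SampleKey, SampleIV)
	got, err := ExtractPayload(blob, SampleKey, SampleIV)
	if err != nil {
		fmt.Println("extraction failed:", err)
		return
	}
	fmt.Printf("recovered %d bytes, PE header present: %v\n", len(got), LooksLikePE(got))
}
```

In practice the key and IV come straight out of the decompiled C# (they have to be in the binary for the dropper to work), and the blob is the internal buffer itself. If the dropper had set a 256-bit Rijndael block size, Go's crypto/aes would not apply and a full Rijndael implementation would be needed; checking the BlockSize property in the recovered source is the first thing to do.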

Algorithm of backdoor


More information about Arcdoor can be found here or here. The main tasks of this bot are ICMP, HTTP, SYN and UDP floods. This copy was most likely produced by a so-called "builder", because I doubt very much that the craftsmen from "Inside Mu" wrote it themselves. This is one of the fragments that was packed into the Trojan.

So now everyone can understand its destructive purpose. With the help of innocent and unsuspecting players (who will add the file to their antivirus exclusions), they were able to attack other servers.

If anyone wants to know the botnet server's IP address, read on:

You can also run the Trojan, but do not use Wireshark to sniff the traffic, since Arcdoor will not start if it detects a running Wireshark. Capture outside the guest instead (on the hypervisor host or on a separate gateway VM with tcpdump), where the bot cannot see the sniffer.

Who is behind this?

I think everyone would be interested in what kind of villain is behind this. Here you can see some logs from Skype:

[07.11.2014 12:43:31] ZEON Support: http://prntscr.com/53vhge
[07.11.2014 12:44:58] Killbrum: is this an old zeon mu one or a new one? :)
[07.11.2014 12:45:22] ZEON Support: ne=)
[07.11.2014 12:45:24] ZEON Support: w*
[07.11.2014 12:46:42] Killbrum: so, I think you know the rules :)

+ do not check anti-ddos without any reason. There is no reason to load the machine, other people also work on it
[07.11.2014 12:47:05] Killbrum: also do not generate extra traffic, e.g. ddos, spam etc
[07.11.2014 12:47:24] Killbrum: if a ddos attack is started from your machine – I will close it
[07.11.2014 12:47:24] ZEON Support: didn't know about the rules:)
[07.11.2014 12:47:39] ZEON Support: I just need a host to create a server and test it:)

[07.11.2014 12:47:41] ZEON Support: not a host:)
[07.11.2014 12:48:52] Killbrum: 178.32.184.213
Administrator
Qwerty12345
[07.11.2014 12:49:03] Killbrum: we are giving you a free host machine for 1-2 months

[11.12.2014 14:06:24] Killbrum: Good day. Is there any reason to load the CPU to 100% for a whole week?
[11.12.2014 16:38:34] Администратор: What do you mean?
[11.12.2014 16:40:57] Killbrum: I gave you a VPS. That VPS is loading the CPU to 100% and no lower. Is there any reason?
[11.12.2014 16:41:09] Администратор: no
[11.12.2014 16:41:13] Администратор: everything is good
[11.12.2014 16:41:33] Администратор: just because we have OBT now I ran one program, that's why the CPU is fully used
[11.12.2014 16:41:39] Администратор: are you affected?
[11.12.2014 16:41:43] Администратор: I can turn it off
[11.12.2014 16:41:48] Killbrum: bitcoin?
[11.12.2014 16:42:01] Администратор: ye, something like that
[11.12.2014 16:42:17] Killbrum: I don't think that this is a good idea ;)
[11.12.2014 16:42:27] Администратор: anyway it is trash, I will disable it today
[11.12.2014 16:42:34] Killbrum: thanks

Skype logins:

  • ZEON Support = zeon-mu.ru
  • Администратор = mu.beafriend
  • ZEON Support = Администратор

Moreover, http://zeon-mu.ru/ also belongs to this person.

As you can see, this person took our free hosting. The site could be opened via the domain name http://mu-inside.net/ or directly by the IP address 178.32.184.213. Because of this, it became clear who owns both the botnet and the website. At the moment the site/server is disabled: we simply turned off the machine. We do not tolerate backstabbing.

Let everyone judge the morality of this act for themselves.

Links to the Trojan (download at your own risk):
Packed Trojan
UnPacked Trojan

Good luck,
Armored Software
