
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation


3 posts from August 2010

Infiltrating Pushdo -- Part 2

I am sure that if historians ever write about botnet takedowns, they won't forget to mention the Pushdo botnet. This is the third attempt in roughly two years to take this botnet down. The first was back in November 2008, when the McColo ISP shutdown crippled Pushdo along with other spam botnets such as Srizbi and Rustock. The second was earlier this year, when FireEye got hold of some of the Pushdo CnC servers. This was so unexpected for the botmasters that they abandoned all of their other servers and went completely silent for a few weeks. Now, approximately six months after FireEye's shutdown attempt, researchers from LastLine have put together another effort to shut down the Pushdo CnCs. LastLine identified around 30 active CnC servers and sent abuse notifications to the hosting providers. According to their earlier disclosure, most of the CnCs are dead at the moment, resulting in a sudden drop in the spam associated with this botnet.


Chasing CnC Servers - Part 1

There are two general ways to solve a complex problem: a good approach or a bad one. The only good thing about the bad approach is that it is usually simpler to understand and implement, but in the long run shortcuts don't always hold up. The good thing about most humans is that they learn from their mistakes and move forward, and that is what we are seeing in the anti-malware industry at the moment. Host-based anti-virus products are shifting their focus from signature-based detection to behavioral analysis and memory forensics. Network-based sensors, which used to rely heavily on DNS and IP blacklists to detect phishing attacks, spam emails and botnet command-and-control traffic, are moving towards protocol analysis and emulation.

The purpose of this series is to discuss the limitations and challenges of using blacklists (DNS and IP) for network-based anomaly detection. I will focus on the problems of tracking botnets using their control-server identities alone, and discuss whether better techniques are available to detect compromised (botted) machines and terminate CnC channels before further damage is done.


Musings on download_exec.rb

Exposition

This is not anything new and exciting¹, and should hopefully be familiar to some of you reading this. Some time ago I reversed the shellcode from Metasploit's download_exec module. It is a bit different from the rest of the stuff in MSF, because it ships with no source code, and it lacks certain features that the other shellcodes have (such as being able to set the exit function).

When I started writing this blog post, the day before yesterday, I looked into the history of this particular scrap of code...

It is very similar to lion's downloadurl_v31.c (previously available at http://www.milw0rm.com/shellcode/597 [archive], and now also at http://www.exploit-db.com/exploits/13529/, http://inj3ct0r.com/exploits/9712 and a zillion other places).

... except that that code appears to be a more recent version than the code in MSF. For example, it uses the LSD-PL function-name hash trick (the payload carries a small hash of each API name and walks the module's export table hashing every exported name until one matches) rather than lugging around the full function names for lookup, as the version in MSF does.

So, lion was a major figure in the Chinese 红客 (Honker) scene, literally translated as Red Guest (or Red Visitor, or Red Passenger): basically hackers who are also Chinese nationalists. His group was the Honker Union of China [HUC], http://www.cnhonker.com, a site that seems to have been dead for a while. He wrote a lot of code back in 2003 and 2004. (I now understand a little of this from having written these Chinese characters!)

I managed to dig up an older version of this 'downloadurl' code, dated 2003-09-01, which is closer to the code in MSF: http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=41 [archive]. That code credits ey4s (from XFocus, I think) for the actual shellcode.

Anyway, big chunks of this code, like the whole PEB method (walking the Process Environment Block's loader module lists to find the base address of kernel32.dll without any import table), also look as though they were copied directly from Skape's old work (Dec 2003), which was copied from Dino Dai Zovi (Apr 2003), which was copied from Ratter/29A (Mar 2002), and so on. Like I said, this is all very old stuff. None of it has really changed since 2002, and it is still in very common use.
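To make the hash-based lookup concrete, here is an added example (not code from lion, Skape or the MSF module) of the function-name hash trick contrasted with carrying full names, as discussed above. It uses the ror-13 additive hash from Skape's paper and Metasploit; whether lion's downloadurl code uses that exact rotation constant is an assumption, since the page only says it uses the LSD-PL trick. The export name table is a constructed stand-in for what a real resolver reads from the PE export directory of the module found via the PEB, so the block runs on any platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ror-13 additive hash over the ASCII function name, as used by the
 * hash-based resolvers in Skape's 2003 paper and Metasploit's block_api.
 * Assumption: lion's code uses this same constant; the page does not say. */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);   /* 32-bit rotate right by 13 */
        h += *p;
    }
    return h;
}

/* Constructed stand-in for a module's export name table (AddressOfNames).
 * A real resolver reads these strings out of the PE export directory of
 * the module whose base it found through the PEB; here they are literals. */
static const char *const fake_exports[] = {
    "CloseHandle", "CreateFileA", "ExitProcess", "ExitThread",
    "GetProcAddress", "LoadLibraryA", "VirtualAlloc", "WinExec",
};
#define FAKE_EXPORT_COUNT (sizeof fake_exports / sizeof fake_exports[0])

/* The shellcode's lookup loop: hash every exported name until one matches
 * the precomputed hash carried in the payload. Returns the index into the
 * name table (which a real resolver turns into an ordinal, then an RVA),
 * or -1 if the export is absent (wrong DLL, or an API that was renamed). */
int resolve_by_hash(uint32_t want, const char *const *names, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (ror13_hash(names[i]) == want)
            return (int)i;
    return -1;
}

/* Bytes the payload must carry to identify `count` imports by full name
 * (each NUL-terminated) versus by 32-bit hash: the space the hash trick
 * saves over "lugging around the full function names". */
size_t names_payload_bytes(const char *const *names, size_t count)
{
    size_t total = 0;
    for (size_t i = 0; i < count; i++)
        total += strlen(names[i]) + 1;
    return total;
}

size_t hashes_payload_bytes(size_t count)
{
    return count * sizeof(uint32_t);
}

int main(void)
{
    const char *wanted[] = { "LoadLibraryA", "GetProcAddress", "ExitThread" };
    size_t n = sizeof wanted / sizeof wanted[0];

    for (size_t i = 0; i < n; i++) {
        uint32_t h = ror13_hash(wanted[i]);
        int idx = resolve_by_hash(h, fake_exports, FAKE_EXPORT_COUNT);
        printf("%-16s hash=0x%08x -> export #%d (%s)\n", wanted[i], h, idx,
               idx >= 0 ? fake_exports[idx] : "not found");
    }
    /* An API this module does not export must fail cleanly rather than
     * return a bogus index; URLDownloadToFileA lives in urlmon.dll. */
    printf("URLDownloadToFileA -> %d (not exported by this module)\n",
           resolve_by_hash(ror13_hash("URLDownloadToFileA"),
                           fake_exports, FAKE_EXPORT_COUNT));
    printf("payload: %zu bytes as names vs %zu bytes as hashes\n",
           names_payload_bytes(wanted, n), hashes_payload_bytes(n));
    return 0;
}
```

The hash of "LoadLibraryA" comes out as 0xec0e4e8e, the value that appears in hash-resolving shellcode derived from Skape's paper, which is a quick way to recognise this particular variant when reversing a blob. The -1 path matters in practice: a payload that assumes every hash resolves will call through a garbage pointer when an API has been moved to another DLL.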

pita's contribution to all this appears to be wrapping the blob of code output by lion's program above into an MSF2 module:

http://www.governmentsecurity.org/forum/index.php?showtopic=18370
