Home > Articles

  • Print
  • + Share This
From the author of

Infected by Tkbot: Saturday Morning

Now that I had a direction, I was ready to find out firsthand what the Trojan did. So, I loaded up Windows 2000 inside VMWare and downloaded the tk1.exe file I had obtained from the FTP server. I took a deep breath, prepared my screen-capture program and my file-monitoring program, and double-clicked the Trojan file. One quick shell window, as seen in Figure 5, and the screen was back to normal. However, a quick Netstat and task list check confirmed that I was now a victim of the THR34t Krew's IRC worm.

Figure 5Figure 5 Screen shot of TK1.exe installation.

After checking my system for changes, I discovered that, once executed, this 1 file became 30 files, which included programs, settings, and services that started up with the computer. These services included a customized mIRC client, an FTP server, and a complex IRC script. Once I examined the files a bit more closely using Notepad, I discovered that the majority of the files were written as plain text. Fortunately, inside this text I quickly discovered several possible passwords.

My next step was to test the potential passwords, so I went back to the chat server. To my delight, one of the passwords (private) worked, and I was able to enter the chat room. Once I entered, I immediately changed my nickname to match the other algorithmically created names (as in TK^8374 and TK-=-887). I then started to probe the chat room and its inhabitants for any bits of information I could find.

After a few minutes, I began to realize that my efforts were futile. While I could query the other handles for information, and could even find their IP addresses by port-scanning their subnets on port 1297 (the Trojan port), I was not able to get any response from the room. My next step was to head back to my infected Windows 2000 system for some more file investigation.

I started with the file containing the IRC script that I assumed controlled the IRC bots. I scanned the script and came to the conclusion that this script was indeed the culprit for the IRC bot and also an IRC relay server that opened on port 1297. To confirm this, I started examining the script for a command I could use to test the other Tkbots that were in the secret chat room with me. To my dismay, I found the following line inside the code:

if ($level($address($nick,9)) != 100) { halt }

In other words, unless I was an operator of the server, I wouldn't have the power to command the bots. While this was a bit discouraging, I must admit that this was a wise decision on behalf of the scripter. I mean, who knows what kind of trouble I could have gotten into if I had control of 1,000 computers?

However, I wanted to investigate the power of the script in a controlled environment. To do this, I loaded up the script in mIRC and edited out all the restrictions on the script and put my own in place. Once I had the script loaded up, I connected to another IRC server and created my own chat room. After a few minutes of debugging, my script was in place.

During this investigation, I discovered that the creator of this Trojan script had done an excellent job of mass producing a very powerful remote-control program. Using simple commands one to four words long, a person could probe a computer for statistical information, upload and download files, execute programs on the remote server, and even command the server to start scanning the Internet for other vulnerable computers. The following is the command and the alias that would return the estimated speed of the network the server is connected to:

if ($1 == !netspeed) { netspeed }

alias netspeed {
 set %nsp $nc
 write -c netst.bat netstat -e >stt.tx
 run netst.bat
 .timer -m 1 9950 once}

The first line contains the filter that captures the text entered by the channel operator. If the op types !netspeed, this line will execute the code in the alias netspeed, which contains code that executes Netstat and dumps the results into a file that is then sent back to the IRC chat room.

The list of commands includes those to do the following:

  • Perform a UDP flood

  • Execute file

  • Gain hard drive statistics

  • Perform a Web site flood

  • Create server lag

  • Execute IRC commands

  • Kill the server

  • Perform an open port query

  • Control BNC (Trojan installed on port 1297)

  • Execute built-in vulnerability scanner

  • Perform download/upload commands

  • + Share This
  • 🔖 Save To Your Account