How It Worked
Machines were first scanned at random by a few hand-infected bots. These machines would scan entire Class B ranges (for example, 192.168.*.*) for HTTP servers. The bots would then check the HTTP headers to see whether the result was on Microsoft IIS 4 or 5 Server. After these checks, the bots would try a number of Unicode exploits.
If the machine being scanned returned a positive resultthat is, an HTTP 200 responsean ECHO command such as the following would be run:
This command would create a file that could be used to connect to an FTP server and receive files on the server, including commands to download the botfile, bot.exe, and the privilege jumper, httpodbc.dll, from an anonymous FTP server. The file httpodbc.dll was commonly used in viruses to escalate web server privileges to system level. The command would be entered into httpodbc.dll, and the machine was now infected.
Machines didn't do anything malicious when they were infected. They would simply connect to an IRC server and have a backdoor FTP and a psyBNC installed as a system process.
psyBNC is an IRC bouncer program that hides the client's true IP address and keeps the IRC session open for the user, even if he or she disconnects from the psyBNC bouncer. This helps the user to keep his or her handle and can assist with logging.
Five external tools were used to create the whole bot file (along with mIRC scripts and a few .bat files):
Firedaemon was used to run our programs as a system service so they couldn't be killed without booting to safe mode.
httpodbc.dll was used to escalate privileges to that of the system.
Serv U FTP server was used to upload files remotely.
A hex-edited version of mIRC was used to connect hosts to IRC.
psyBNC was used as the remote bnc (bouncer) server.
All files were then packed into a self-extracting .exe file. A script was written to control the bots, as well as the modifications to the IRC Unreal server software, and many simple .bat files for executing primary commands. These .bat files were later erased.