
Obfuscating messages in pastebin.com

March 11, 2012

A couple of days ago I was playing with pastebin and started to “crawl” around their website. At the same time I was reading some news about botnets and decided to dig deeper into the subject, specifically their C&C: how they are normally controlled, using IRC channels among other methods. There are a few nice references about this on the wiki page.

Then I started looking at what some bots were “pasting”. Some are clever (this is me guessing :)): they change their message structure or text so the posts cannot be matched by hash, and add a very long list of TAGS at the end to make sure they show up in the results of any crawler. Others just send a very long list of links to download services.

So if you are monitoring the posts, how do you stop your crawler from indexing these messages? My solution was to look for common points, such as blog links or other shared characteristics. After analyzing some of these posts a thought crossed my mind and I mixed both subjects…

I thought I could easily pass messages around on pastebin that would be “ignored as spam” in most cases, using these spam messages to obfuscate the real content of the post. When something like this gets into my mind I won’t rest until I get some results, positive or negative…

So I decided to look even closer at the messages, and found two ways of doing this. Here’s a link to some spam messages that I found.

  1. In the first message we can use the TAG list as a dictionary and hide the message there.
  2. In the second we can use the link codes to hide the message; this means that a simple solution will not produce valid links to files, but it’s not impossible.

As I didn’t want to spend a lot of time on this, I followed the first option.

First I extracted all the TAGs from the message and built a list. To make this work I needed to encode a TAG into a value from 0 to 255, so I started testing and ended up with this simple function:

import hashlib

# last - last code produced, keyWord - TAG
# (Python 3: the hash input has to be bytes, hence .encode())
def makeKey(self,last,keyWord):
	# make an MD5 hash of the keyword plus a secret salt
	key = hashlib.md5((keyWord+self.salt).encode()).hexdigest()
	# use the last value to pick one of the 16 bytes of the digest
	# (32 hex characters, so the index is 0..15)
	l=len(key)
	i=(last*1337)%(l//2)
	# take that byte as two hex characters and convert it to 0..255
	byte=key[2*i:(2*i)+2]
	val=int(byte, 16)
	return val

Given the last calculated code and a keyword, it generates the next code. I tested this function with the dictionary, adjusted a few things in the dictionary, created a few helper functions, and was able to use the TAGs to pass messages. YEY!
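The function above only returns whichever byte the digest happens to contain at the selected position; to send an arbitrary value, the dictionary must contain, for every possible previous code, some tag that maps to each of the 256 values, which is the reason the dictionary needed adjusting. The following is an added example, not code from the post or from the pasteshout project: it ports makeKey to Python 3 and measures that coverage for a constructed tag list and a constructed salt (both assumed values), then generalizes the check by growing a dictionary until every value is reachable from every previous code.

```python
import hashlib

# Constructed sample values for this example; the post's real dictionary is
# the TAG list scraped from spam messages, and its salt is not shown.
SALT = "example-salt"
TAGS = ["tag%03d" % n for n in range(300)]


def make_key(last, keyword, salt=SALT):
    """Python 3 port of the post's makeKey(): MD5 the tag plus salt and pick
    one byte of the digest, the position being chosen by the previous code."""
    key = hashlib.md5((keyword + salt).encode()).hexdigest()
    l = len(key)                    # 32 hex characters = 16 bytes
    i = (last * 1337) % (l // 2)    # 0..15; depends only on last % 16
    return int(key[2 * i:2 * i + 2], 16)


def reachable_values(tags, salt=SALT):
    """For each previous code (mod 16), the set of byte values that some tag in
    the dictionary encodes to. A value missing from that set cannot be sent
    when the previous code selects that digest position."""
    return {last: {make_key(last, t, salt) for t in tags} for last in range(16)}


def coverage(tags, salt=SALT):
    """Fraction of the 256 byte values reachable after each previous code."""
    return {last: len(v) / 256 for last, v in reachable_values(tags, salt).items()}


def min_dictionary_size(salt=SALT, max_tags=5000):
    """Grow a constructed dictionary one tag at a time until every byte value
    is reachable from every previous code; returns the size needed, or None
    if max_tags is not enough. This is a coupon-collector problem per position."""
    seen = {last: set() for last in range(16)}
    for n in range(1, max_tags + 1):
        tag = "tag%04d" % n          # constructed tag names
        for last in range(16):
            seen[last].add(make_key(last, tag, salt))
        if all(len(s) == 256 for s in seen.values()):
            return n
    return None


if __name__ == "__main__":
    for last, frac in sorted(coverage(TAGS).items()):
        print("previous code %2d: %3d%% of byte values reachable"
              % (last, round(100 * frac)))
    print("tags needed for full coverage:", min_dictionary_size())
```

With 300 tags only a fraction of the byte values is reachable from each position, so an encoder built on this function either needs a dictionary of well over a thousand tags or has to fall back to some other escape for unreachable bytes; that is the "fail in some cases" the post later mentions.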

To make the message pass as a normal spam message I still needed to add some more random TAGs and put the usual spam text before them.

At this point I was able to hide a message in an apparently “normal” spam message, and even pass multiple messages with different encodings or, from a socket point of view, on different ports.

But you only need to send a message if someone is waiting for it 🙂, so I needed a way to distinguish these “special” messages from “normal” ones. I was already spending too much time on this, so I came up with a simple solution: a checksum computed from the dictionary, inserted in the first line of the message.

Please keep in mind that this code was written in a few hours after work as a proof of concept, so it may not be the best or the prettiest… 🙂

import hashlib
import random

def joinArray(self,arr):
	# Not shown in the original post; assumed here to rebuild the header
	# prefix exactly as makeHeader hashed it: words separated by single
	# spaces plus a trailing space.
	return " ".join(arr)+" "

def checkHeader(self,control,header):
	# split the first line into TAGs; the trailing space leaves an empty string
	spl=header.split(" ")
	try:
		spl.remove("")
	except ValueError:
		pass
	# control is a hex string, two characters per control byte
	l=len(control)//2
	base=0
	matched=0
	for i in range(l):
		x=(i*2)
		y=(i*2)+2
		seq = control[x:y]
		# walk the TAG prefixes until the hash of one of them contains this byte
		while(base<len(spl)):
			h=self.joinArray(spl[0:base+1])
			base+=1
			key = hashlib.md5(h.encode()).hexdigest()
			if(seq in key):
				matched+=1
				break
	# valid only if every control byte was found and the last match used the last TAG
	if(matched==l and base==len(spl)):
		return True
	else:
		return False

def makeHeader(self,control,limit=50):
	while(True):
		header=""
		for i in range(len(control)//2):
			# append random TAGs until the hash of the header so far contains this control byte
			while True:
				header+=random.choice(self.keylist)+" "
				key = hashlib.md5(header.encode()).hexdigest()
				if(control[i*2:(i*2)+2] in key):
					break
		# start over if the header grew beyond the limit
		if(len(header)<=limit):
			return header

Now I was able to tell a message addressed to me apart from other messages. At this point I thought: well, I did it, it’s possible, time to stop now! And I did stop, but I was talking to one of my friends and he convinced me to share this. I normally don’t; I simply get over it and start thinking about something else…
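The header is a pattern check rather than a real checksum: each control byte only has to appear somewhere in the MD5 of a growing prefix of the TAG list, and since a 32-character hex digest has 31 two-character windows, a random prefix contains a given byte roughly one time in nine. The added example below is not part of the post or the pasteshout repository: it ports makeHeader and checkHeader to Python 3 (assuming the unshown joinArray joins words with single spaces and a trailing space) and measures how often an ordinary random TAG list of the same length passes the check, next to the analytic estimate for a one-byte control. The dictionary, control value and seeds are constructed.

```python
import hashlib
import random

# Constructed sample dictionary and control value for this example; the
# post's real dictionary is the TAG list scraped from spam messages.
KEYLIST = ["tag%03d" % n for n in range(200)]
CONTROL = "a7"  # one control byte as two hex characters, the form the post's code expects


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def make_header(control, keylist, limit=400, rng=random):
    """Python 3 port of the post's makeHeader(): append random tags until the
    MD5 of the growing header contains the current control byte, once per byte."""
    while True:
        header = ""
        for i in range(len(control) // 2):
            seq = control[i * 2:i * 2 + 2]
            while True:
                header += rng.choice(keylist) + " "
                if seq in _md5(header):
                    break
        if len(header) <= limit:
            return header


def check_header(control, header):
    """Python 3 port of the post's checkHeader(). The post does not show
    joinArray(); this assumes it joins words with spaces and a trailing
    space, which is exactly the prefix makeHeader() hashed."""
    spl = header.split(" ")
    if "" in spl:
        spl.remove("")
    base = 0
    matched = 0
    for i in range(len(control) // 2):
        seq = control[i * 2:i * 2 + 2]
        while base < len(spl):
            prefix = " ".join(spl[:base + 1]) + " "
            base += 1
            if seq in _md5(prefix):
                matched += 1
                break
    return matched == len(control) // 2 and base == len(spl)


def random_header(n_tags, keylist, rng):
    """A tag list NOT produced by make_header(): ordinary spam, as far as the check knows."""
    return " ".join(rng.choice(keylist) for _ in range(n_tags)) + " "


def false_positive_rate(control, keylist, n_tags=8, trials=2000, seed=1):
    """Fraction of random n-tag headers that check_header() accepts."""
    rng = random.Random(seed)
    hits = sum(check_header(control, random_header(n_tags, keylist, rng))
               for _ in range(trials))
    return hits / trials


def expected_false_positive_rate(n_tags):
    """Analytic estimate for a one-byte control. A 32-hex-char digest has 31
    two-character windows, so a given byte is absent from a random digest with
    probability about (255/256)**31; the check passes only when the first
    prefix whose digest contains the byte is the last prefix."""
    p_absent = (255 / 256) ** 31
    return p_absent ** (n_tags - 1) * (1 - p_absent)


if __name__ == "__main__":
    rng = random.Random(7)
    header = make_header(CONTROL, KEYLIST, rng=rng)
    print("generated header:", header)
    print("accepted by check_header:", check_header(CONTROL, header))
    print("random 8-tag headers accepted: %.3f (expected about %.3f)"
          % (false_positive_rate(CONTROL, KEYLIST), expected_false_positive_rate(8)))
```

A few percent of unrelated spam posts of similar length will therefore look like "special" messages to the receiver, and the rate grows with longer control values only slowly, because each extra byte just adds one more independent window match; the check identifies the sender's own headers reliably, but it is not a tool for telling steganographic posts from ordinary spam, which matters for anyone trying to detect this kind of channel rather than use it.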

But since he convinced me to share it, I decided to make the code more fun and built a simple shoutbox over pastebin. It’s not very easy to use because you have to open a link and fill in the captcha every time you send a message; bypassing pastebin’s spam control system was not my objective.

Keep in mind that this is proof-of-concept code: the obfuscation algorithms probably have many bugs, aren’t secure, or fail in some cases. And I know this isn’t a viable way of chatting or running a shoutbox, due to many constraints.

BUT remember that I did this to try to pass hidden messages inside normal spam messages, creating a system capable of sharing messages anonymously, in the context of botnet C&C. From this little experiment I conclude that ignoring spam may not be a good idea in some kinds of investigation. And I think this has probably already been thought of and done, or is being used by someone else.

Without further delay, here you can find the code and some screenshots of it working.

https://github.com/lbragues/pasteshout