Appendix A: Botnet Commands - Which commands the bots understand

In the following, we cover the more popular commands implemented in the common bots we have captured in the wild. Presenting all the commands is beyond the scope of this paper, as Agobot alone comes with over 90 commands in its default configuration.

  1. DDoS something
    • Agobot
      • ddos.stop
        stops all floods
      • ddos.phatwonk [host] [time] [delay]
        starts leet flood

        Starts a SYN flood on ports 21, 22, 23, 25, 53, 80, 81, 88, 110, 113,
        119, 135, 137, 139, 143, 443, 445, 1024, 1025, 1433, 1500, 1720, 3306,
        3389, 5000, 6667, 8000, 8080

      • ddos.phatsyn [host] [time] [delay] [port]
        starts a SYN flood
      • ddos.phaticmp [host] [time] [delay]
        starts an ICMP flood
      • ddos.synflood [host] [time] [delay] [port]
        starts a SYN flood
      • ddos.updflood [host] [port] [time] [delay]
        starts a UDP flood
      • ddos.targa3 [host] [time]
        starts a targa3 flood

              Implements the well-known DDoS attack Mixter authored in 1999.
              The header comment of the original tool reads:

              /*
               * targa3 - 1999 (c) Mixter <mixter@newyorkoffice.com>
               *
               * IP stack penetration tool / 'exploit generator'
               * Sends combinations of uncommon IP packets to hosts
               * to generate attacks using invalid fragmentation, protocol,
               * packet size, header values, options, offsets, tcp segments,
               * routing flags, and other unknown/unexpected packet values.
               * Useful for testing IP stacks, routers, firewalls, NIDS,
               * etc. for stability and reactions to unexpected packets.
               * Some of these packets might not pass through routers with
               * filtering enabled - tests with source and destination host
               * on the same ethernet segment gives best effects.
               */
              taken from http://packetstormsecurity.org/DoS/targa3.c

      • ddos.httpflood [url] [number] [referrer] [recursive = true||false]
        starts an HTTP flood

              This is really nasty, since it fetches whole websites from a
              web server. If "recursive" is set, the bot parses the replies
              and follows the links it finds recursively.

    • SDBot
      • syn [ip] [port] [seconds|amount] [sip] [sport] [rand] (sdbot 05b pure version)
      • udp [host] [num] [size] [delay] [[port]] (sdbot 05b ago version)
      • ping [host] [num] [size] [delay]
    • UrXbot
      • ddos.(syn|ack|random) [ip] [port] [length]
      • (syn|synflood) [ip] [port] [length]
      • (udp|udpflood|u) [host] [num] [size] [delay] [[port]]
      • (tcp|tcpflood) (syn|ack|random) [ip] [port] [time]
      • (ping|pingflood|p) [host] [num] [size] [delay]
      • (icmpflood|icmp) [ip] [time]
      • ddos.stop
      • synstop
      • pingstop
      • udpstop
  2. Spreading
    • Agobot
      • scan.addnetrange [255.255.255.255/32] [priority]
      • scan.delnetrange [255.255.255.255/32]
      • scan.listnetranges
        lists scanned netranges
      • scan.clearnetranges
        clears all netranges
      • scan.resetnetranges
        removes all netranges from scanner and adds local LAN as scanning range
      • scan.enable [scanner]
        [scanner] can be one of
         Anubis Bagle CPanel DCOM DCOM2 Doom DW Ethereal HTTP Locator LSASS NetBios Optix SQL UPNP WKS
      • scan.disable [scanner]
        [scanner] can be the same as above
      • scan.startall
        starts all scanners
      • scan.stopall
        stops all scanners
      • scan.start
        starts all enabled scanners
      • scan.stop
        stops all scanners
      • scan.stats
        replies with statistics on successful exploitations per scanner
      • scan.host [255.255.255.255[:port]]
        If given with port, just tries to exploit the host with the scanners fitting the ports, else all scanners are used.
    • SDBot & UrXBot
      • (scanall|sa)
      • (scanstats|stats)
      • scandel [port|method]
        [method] can be one of
         webdav ntpass netbios dcom135 dcom445 dcom1025 dcom2 iis5ssl mssql beagle1 beagle2 mydoom lsass_445 lsass_139 optix upnp netdevil DameWare kuang2 sub7
      • scanstop
      • (advscan|asc) [port|method] [threads] [delay] [minutes]
  3. Downloading files from the internet
    • Agobot
      • http.download
        download a file via HTTP
      • http.execute
        updates the bot via the given HTTP URL
      • http.update
        executes a file from a given HTTP URL
      • The same commands are also available via FTP
    • SDBot & UrXBot
      • (update|up) [url] [botid]
      • (download|dl) [url] [[runfile?]] [[crccheck]] [[length]]
  4. Local file IO
    • SDBot & UrXBot
      • (execute|e) [path]
      • (findfile|ff) filename
      • (rename|mv) [from] [to]
      • findfilestopp
  5. Sending Spam
    • Agobot
      • cvar.set spam_aol_channel [channel]
        AOL Spam - Channel name
      • cvar.set spam_aol_enabled [1/0]
        AOL Spam - Enabled?
      • cvar.set spam_maxthreads [8]
        Spam Logic - Number of threads
      • cvar.set spam_htmlemail [1/0]
        Spam Logic - Send HTML emails

      • cvar.set aolspam_maxthreads [8]
        AOL Spam Logic - Number of threads
      • spam.setlist
        downloads a list of email addresses to spam
      • spam.settemplate
        downloads an email template
      • spam.start
        starts the spamming
      • spam.stop

        stops the spamming

      • aolspam.setlist
        AOL Spam - downloads an email list
      • aolspam.settemplate
        AOL - downloads an email template
      • aolspam.setuser
        AOL - sets a username
      • aolspam.setpass
        AOL - sets a password
      • aolspam.start

        AOL - starts the spamming

      • aolspam.stop
        AOL - stops the spamming
    • SDBot
              So far, SDBot does not implement dedicated spamming
              commands, but spam can still be sent through it: the
              spammer uses the "download" command to fetch and execute
              a SOCKSv4/v5 server, which then publishes its IP address
              and SOCKS port in a file on a web server. Via this
              backdoor proxy, spam can be relayed.
             
    • UrXBot
      • email [server] [port] [srcmail] [dstmail] [mailsubj]
  6. Sniffing
    • Agobot
              Agobot's sniffing is quite "advanced": if the bot is
              compiled with sniffing enabled, it drops a stripped-down
              libpcap DLL on startup and registers it as a system
              driver. The sniffing thread then uses libpcre to look
              for bot commands and credentials in the captured traffic.
             
      • HTTP
        Commented: Like paypals? ;-D How about cookies? YUMMEH! -rain

        Checks for "PAYPAL" "SET-COOKIE"

      • SSH
        Commented: I don't get the idea, but the famous lsass author Nils contributed this and comments it
        // SSH - works - after the RSA key is sent, the login and pass is sent raw. Believe me. -Nils
        Checks for "login as:" "password:" "putty" "SECURECRT"
      • CPANEL
        Commented: Like configuring Domains ? Here you go ! -Nils
        Checks for "cPanel" "Set-Cookie:"
      • IRC
        Checks for:
                "^:(.*)!(.*)@(.*) ((?i)PRIVMSG|NOTICE) (.*) :(.)((?i)login|auth|id|ident|hashin|secure|l) (.*)$"
                "^((?i)oper )(.*)"
                "^:(.*) 381 (.*) :(.*)"
                "^((?i)nickserv identify) (.*)$"
                "^:.* ((?i)notice|privmsg) (.*) :Password accepted.*"
                Botnet DDoS:
                "^:(.*)!(.*)@(.*) ((?i)PRIVMSG|NOTICE) (.*) :(.)((?i)ddos|packet|flood|udp|syn|pfast|coldrage|syn3|syn2|targa|icmp|fuck|random) (.*)$"
                       
      • FTP
        Checks for:
                "^((?i)USER )(.*)"
                "^((?i)PASS )(.*)"
                "^(230 )(.*)"
                       
      • cvar.set sniffer_enabled 1/0
      • cvar.set sniffer_channel [destinationchannel]
        sets the destination channel to which the sniffer results are logged
      • sniffer.addstring [pcre]
        adds a user-defined string to the sniffer
      • sniffer.delstring [pcre]
        deletes a user-defined string from the sniffer
    • SDBot
              SDBot's sniffing is based on Windows raw socket
              listening. Compared to Agobot's implementation, this
              approach is ineffective and poorly done: the bot even
              sniffs its own traffic and reports it as sniffed
              traffic. In addition, SDBot lacks PCRE support and uses
              plain strstr() for comparison.
             
      • HTTP Checks for: paypal PAYPAL paypal.com PAYPAL.COM Set-Cookie:
      • IRC
        Checks for the following strings: :.login :,login :!login :@login :$login :%login :^login :&login :*login :-login :+login :/login :\\login :=login :?login :'login :`login :~login : login :.auth :,auth :!auth :@auth :$auth :%auth :^auth :&auth :*auth :-auth :+auth :/auth :\\auth :=auth :?auth :'auth :`auth :~auth : auth :.id :,id :!id :@id :$id :%id :^id :&id :*id :-id :+id :/id :\\id :=id :?id :'id :`id :~id : id :.hashin :!hashin :$hashin :%hashin :.secure :!secure :.l :!l :$l :%l :.x :!x :$x :%x :.syn :!syn :$syn :%syn CDKey JOIN # NICK OPER oper now an IRC Operator
      • carnivore [on/off]
  7. Cloning
    • Agobot
      • For some reason, our Agobot lacks cloning capabilities
    • SDBot & UrXBot
      • (clone|c) [host] [port] [channel] [[chanpass]]
      • clonestop [clonenumber]
      • (c_raw|c_r) [clonenumber] [raw irc command]
      • (c_mode|c_m) [clonenumber][some irc mode]
      • (c_nick|c_n) [clonenumber] [newnick|$randnick]
      • (c_join|c_j) [clonenumber] [channel]
      • (c_part|c_p) [clonenumber] [channel]
      • (c_privmsg|c_pm) [clonenumber] [dest nick or channel] [msg]
      • (c_action|c_a) [clonenumber] [dest nick or channel] [msg]
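The IRC patterns Agobot's sniffer applies (section 6 above) are, read from the defender's side, ready-made detection signatures: the same expressions that let the bot harvest IRC logins and spot a competing botnet's flood commands will flag that traffic in a packet capture or an IRC server log. The following Python is an added example, not code from this paper or from any bot. It takes the six patterns exactly as listed, rewrites each mid-pattern `(?i)` into the scoped `(?i:...)` form that Python's `re` module requires (PCRE accepts the inline form anywhere), runs them over a constructed IRC log and reports which pattern fired on which line. The pattern labels, the function names and the sample log lines (RFC 5737 addresses, made-up nicks and secrets) are all assumptions made here.

```python
import re

# The IRC patterns Agobot's sniffer feeds to libpcre, copied from the
# "IRC" entry under Agobot in section 6. The labels on the left are added here.
AGOBOT_IRC_PATTERNS = {
    "irc-login":    r"^:(.*)!(.*)@(.*) ((?i)PRIVMSG|NOTICE) (.*) :(.)((?i)login|auth|id|ident|hashin|secure|l) (.*)$",
    "irc-oper":     r"^((?i)oper )(.*)",
    "irc-oper-ok":  r"^:(.*) 381 (.*) :(.*)",
    "irc-nickserv": r"^((?i)nickserv identify) (.*)$",
    "irc-pass-ok":  r"^:.* ((?i)notice|privmsg) (.*) :Password accepted.*",
    "botnet-ddos":  r"^:(.*)!(.*)@(.*) ((?i)PRIVMSG|NOTICE) (.*) :(.)((?i)ddos|packet|flood|udp|syn|pfast|coldrage|syn3|syn2|targa|icmp|fuck|random) (.*)$",
}


def to_python_re(pcre):
    """Rewrite every "((?i)...)" group as the scoped "((?i:...))" form.

    PCRE accepts an inline (?i) anywhere in a pattern; Python 3.11+ rejects it
    unless it stands at the very start. None of the groups above nest
    parentheses, so one substitution over the whole pattern is enough.
    """
    return re.sub(r"\(\(\?i\)([^()]*)\)", r"((?i:\1))", pcre)


# Compiled once; dict order fixes the order in which matches are reported.
COMPILED = {name: re.compile(to_python_re(p)) for name, p in AGOBOT_IRC_PATTERNS.items()}


def classify_line(line):
    """Return the labels of all sniffer patterns that fire on one IRC line."""
    return [name for name, rx in COMPILED.items() if rx.search(line)]


def scan_irc_log(lines):
    """Return (line number, line, labels) for every line that triggers a pattern."""
    hits = []
    for no, line in enumerate(lines, 1):
        labels = classify_line(line)
        if labels:
            hits.append((no, line, labels))
    return hits


# Constructed sample traffic (assumption: not captured from any real network).
SAMPLE_IRC_LOG = [
    ":herder!h@198.51.100.7 PRIVMSG #c :.login s3cr3t",                # herder authenticating to a bot
    ":herder!h@198.51.100.7 PRIVMSG #c :.udp 192.0.2.10 1000 1024 0",  # SDBot-style flood command
    "NICKSERV IDENTIFY hunter2",                                       # a user's outgoing NickServ login
    ":irc.example.net 381 bot123 :You are now an IRC Operator",        # server confirms an OPER
    ":alice!a@203.0.113.5 PRIVMSG #chat :hello everyone",              # benign chat
    "PING :irc.example.net",                                           # keepalive, never matches
]

if __name__ == "__main__":
    for no, line, labels in scan_irc_log(SAMPLE_IRC_LOG):
        print(f"line {no}: {', '.join(labels)}: {line}")
```

Two things worth noticing when running it: the `botnet-ddos` expression only fires on the one-character-prefix command style of SDBot and its relatives (`.udp`, `!syn`), not on Agobot's own dotted `ddos.*` commands, so Agobot is watching for rival botnets rather than itself; and the `l` alternative in `irc-login` means any message whose text starts with an arbitrary character followed by `l ` also matches, so these patterns are useful as a first-pass filter but noisy as a sole alerting rule.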