Two types of proxy: Standard and Tunnel
• Standard: proxy services are started by Bunitu on random high ports; the client registers them with C&C#1
• Tunnel: operated via C&C#2; uses its own protocol to wrap and relay the traffic
(hardcoded)
• 67 ab = SOCKS proxy port (little endian -> 0xab67 = 43879)
• a0 32 = HTTP proxy port (little endian -> 0x32a0 = 12960)
• 05 00 = hard-coded value
• 3a = minutes since last reboot
• 02 = hours since last reboot
• fb 1b 70 67 d6 6f c0 9d ad df = bot ID
• 8d f0 = hard-coded, unique to each version of the malware
… of the message (little endian) -> 0x002e -> 46
• fb 1b 70 67 = bot ID, truncated (without the last WORD)
• 01 00 00 01 = command *test given domain*
• 4c 16 23 3c = session constant
• 01 = number of queries
• google.com = domain to test
• 50 00 = port to query (little endian -> 0x0050 -> 80)
After registration the C&C tests the bot by ordering it to query Google
… of the message (little endian) -> 0x0590 -> 1424
• fd e0 43 fd = bot ID, truncated (without the last WORD)
• 03 02 02 02 = command *HTTP request*
• d0 43 00 00 = proxy client ID
• HTTP/1.1 … = response data
The bot performs the ordered request, packs the response in the internal protocol and sends it back to the C&C
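The three message layouts above (registration, the *test given domain* command and the *HTTP request* reply) are the kind of thing an analyst turns into a dissector while working through a capture. The parser below is an added example, not code from the original presentation or from the malware itself. It uses only the byte values shown on the slides; everything the slides do not show is an assumption and is marked as such in the code: that the registration fields are contiguous and in the order listed, that the leading length WORD counts the whole message including itself, and that the domain string in the test command is NUL-terminated. The sample messages are constructed from those assumptions, not captured traffic.

```python
import struct

# Command DWORDs exactly as they appear on the wire in the slides above
CMD_TEST_DOMAIN = bytes.fromhex("01000001")   # C&C -> bot: query a domain
CMD_HTTP_REQUEST = bytes.fromhex("03020202")  # bot -> C&C: proxied HTTP response

# Constructed registration message (bot -> C&C#1). Assumption: the fields listed
# on the slide are contiguous and appear in this order.
REGISTRATION = bytes.fromhex(
    "67ab"                    # SOCKS proxy port, little endian (0xab67 = 43879)
    "a032"                    # HTTP proxy port, little endian (0x32a0 = 12960)
    "0500"                    # hard-coded value
    "3a"                      # minutes since last reboot
    "02"                      # hours since last reboot
    "fb1b7067d66fc09daddf"    # 10-byte bot ID
    "8df0"                    # constant that differs per malware build
)


def parse_registration(data):
    """Decode the registration message into a dict of named fields."""
    socks_port, http_port, const, minutes, hours = struct.unpack_from("<HHHBB", data, 0)
    return {
        "socks_port": socks_port,
        "http_port": http_port,
        "const": const,
        "uptime_minutes": hours * 60 + minutes,
        "bot_id": data[8:18].hex(),
        "build_tag": data[18:20].hex(),
    }


def build_command(bot_id_prefix, command, payload):
    """Frame a command message: 2-byte LE length, 4-byte truncated bot ID,
    4-byte command DWORD, payload. Assumption: the length WORD counts the
    whole message, including the length field itself."""
    body = bot_id_prefix + command + payload
    return struct.pack("<H", len(body) + 2) + body


def parse_command(data):
    """Decode a framed message and dispatch on the command DWORD."""
    (length,) = struct.unpack_from("<H", data, 0)
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} bytes")
    bot_id_prefix = data[2:6]
    command = data[6:10]
    payload = data[10:]
    msg = {"bot_id_prefix": bot_id_prefix.hex(), "command": command.hex()}
    if command == CMD_TEST_DOMAIN:
        msg["session"] = payload[0:4].hex()      # session constant
        msg["queries"] = payload[4]              # number of queries
        end = payload.index(b"\x00", 5)          # assumption: NUL-terminated domain
        msg["domain"] = payload[5:end].decode("ascii")
        (msg["port"],) = struct.unpack_from("<H", payload, end + 1)
    elif command == CMD_HTTP_REQUEST:
        (msg["proxy_client_id"],) = struct.unpack_from("<I", payload, 0)
        msg["response"] = payload[4:]            # raw HTTP response fetched by the bot
    else:
        msg["payload"] = payload                 # unknown command: keep the raw bytes
    return msg


# Constructed C&C -> bot test command using the field values from the slide
TEST_DOMAIN_MSG = build_command(
    bytes.fromhex("fb1b7067"),
    CMD_TEST_DOMAIN,
    bytes.fromhex("4c16233c") + b"\x01" + b"google.com\x00" + struct.pack("<H", 80),
)

# Constructed bot -> C&C reply carrying a proxied HTTP response (body is made up)
HTTP_REPLY_MSG = build_command(
    bytes.fromhex("fde043fd"),
    CMD_HTTP_REQUEST,
    struct.pack("<I", 0x43D0) + b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
)

if __name__ == "__main__":
    print(parse_registration(REGISTRATION))
    print(parse_command(TEST_DOMAIN_MSG))
    print(parse_command(HTTP_REPLY_MSG))
```

The length check in parse_command is the first thing to relax when adapting this to real captures: if the length WORD turns out to exclude itself, or to cover only the payload, the off-by-two will show up immediately on the first genuine message.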
(Middleman)
1) Register the bot
2) Notify the appropriate distributor (based on the bot's geolocation)
3) Send commands to my bots
4) Send the command from the distributor
… framed for a crime;
• have their resources used without permission
Proxy Customer:
• vulnerable to data theft and privacy violation;
• his/her traffic may be poisoned on the way
… Noun Project
• Cloud by Golden Roof from the Noun Project
• Skull and Crossbones by Ricardo Moreira from the Noun Project
• Surveillance by Luis Prado from the Noun Project
• about by Amr Fakhri from the Noun Project