Malware Bites

Looking at Malware Ep 1 Part 1 - MooBot

Moo

So I chose a botnet program called MooBot today to look at. It's written in C and Go. I barely know C and I have quite literally never written in Go before. Anyways. According to Microsoft's website [1], Microsoft Defender apparently detects this malware, even though it isn't targeted at Windows. And, to our surprise, Microsoft also gives us great details on the symptoms of the malware, such as "slow performance" and "Presence of added or modified files". I know I'm not looking in the right place, but the first thing that pops up on Google is the first thing that pops up on Google, you know?

So for background, MooBot is a Russian botnet. It's been in operation since 2022, I think, according to Medium [2]. MooBot basically just has preprogrammed credentials that it tries against different routers, scanning IP blocks for vulnerable targets. This is what moobot.go does. There's also a cnc.c program. Those are the main parts of the system.

Client Methods

Judging from this code, the clients (bots) are basically just DDoS bots. Each of them receives a message from the CnC server that gives the bot a target, a duration, and what type of request to send: GET, POST, TCP, or UDP. All of them send random bytes at the target until the duration is up.

The MooBot malware is pretty interesting. It seems like it's a virus. There's a lot of obfuscation going on, for example a connectTorSock() function that connects through Tor, but I'm pretty sure through a hardcoded node. I did a scan of the port, and it isn't running a Tor service anymore. This would've been a way to obfuscate the service's IP. Although, the Tor socket is only used to read information from a service, so it might actually be there to obfuscate the CnC server, not the client-side stuff. Huh. Didn't expect that honestly. I feel like hearing police bust down the doors for these guys always just makes me think it's easy enough for some pigs in a blanket to get to it, so it's probably easy for me too.

The writers of the malware also did some cool stuff with obfuscating the process. Literally the first thing they do is call syscall.Setgid to give the process a random gid. I don't exactly understand this, other than that the process won't look like it's being run by the current group, but I'm thinking that these Russian hackers probably had something in mind with it and I'm just not seeing it.

MooBot also creates a new directory and moves its program there. After that, it changes the current process's name using this cool Go snippet:

argv0str := (*reflect.StringHeader)(unsafe.Pointer(&os.Args[0])) // header of the argv[0] string: data pointer and length
argv0 := (*[1 << 30]byte)(unsafe.Pointer(argv0str.Data))[:argv0str.Len] // view those bytes as a writable slice
name := randomString(len(argv0)) // random name of exactly the same length
copy(argv0, name) // overwrite argv[0] in place

They take the bytes backing os.Args[0] (which point into the process's argv memory), generate a random string of the same length, and copy it over the original in place. This makes the process name look completely different and adds another layer of obfuscation.
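As an added example (my own code, not MooBot's): overwriting argv[0] like this changes /proc/<pid>/cmdline, which is what `ps aux` prints, but the kernel's /proc/<pid>/exe link still names the binary that was actually exec'd. This Go program walks /proc on Linux and flags processes where the two disagree. It assumes nothing about MooBot beyond the snippet above; interpreters with versioned binaries (python3 vs python3.11) and busybox-style symlinks will also show up, so treat hits as triage candidates rather than verdicts.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// argv0 returns the first NUL-terminated field of a /proc/<pid>/cmdline blob.
func argv0(cmdline []byte) string {
	if i := bytes.IndexByte(cmdline, 0); i >= 0 {
		cmdline = cmdline[:i]
	}
	return string(cmdline)
}

// Argv0Mismatch reports whether argv[0] disagrees with the executable's name.
// argv[0] may legitimately be a path, or "-bash" for a login shell, so only
// basenames are compared, minus a leading '-' and an exe " (deleted)" suffix.
func Argv0Mismatch(cmdline []byte, exePath string) bool {
	a0 := argv0(cmdline)
	if a0 == "" {
		return false // kernel threads and zombies have an empty cmdline
	}
	a := strings.TrimPrefix(filepath.Base(a0), "-")
	e := strings.TrimSuffix(filepath.Base(exePath), " (deleted)")
	return a != e
}
func main() {
	entries, _ := os.ReadDir("/proc")
	for _, ent := range entries {
		pid, err := strconv.Atoi(ent.Name())
		if err != nil {
			continue // not a process directory
		}
		cmd, err := os.ReadFile(fmt.Sprintf("/proc/%d/cmdline", pid))
		exe, err2 := os.Readlink(fmt.Sprintf("/proc/%d/exe", pid))
		if err != nil || err2 != nil {
			continue // process gone, or another user's exe link (needs root)
		}
		if Argv0Mismatch(cmd, exe) {
			fmt.Printf("pid %d: argv[0]=%q exe=%s\n", pid, argv0(cmd), exe)
		}
	}
}
```

Run it as root to cover every process; unprivileged it only sees exe links for your own processes.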

CnC Server

So, unlike the client program, the CnC server code is written in C. It also doesn't have any obfuscation, because it doesn't live on an infected computer but presumably on the attacker's computer. Another odd thing about it is that it's not really a server but a CLI for interacting with the bots. Each user has a login stored in a SQL database, along with whether they're an admin or not. Regular users can create DDoS requests. The only details they need to input are the target IP, the number of bots to attack with, and the duration of the attack. The program divides attacks into layer 7 and layer 4: the layer 7 attacks are GET and POST requests, where the data in the POST request can be specified or random, and the layer 4 attacks target TCP and UDP. Most attacks just generate random data to send, except for the POST attack, which takes user-supplied data. Admins can also add new regular users and update the telnet credentials the bots use to try to log in to new computers and implant MooBot on new targets. The CnC server uses multiple threads to maximize the number of bots it interacts with at a given time; each user is given a thread to interact with.

The database credentials detail that the server should be on localhost, so it leads me to believe that the SQL server and the CnC program are supposed to run on the same computer. This is pretty interesting because if an adversary were to gain access to the program, it would be trivial to gain access to the user database because the SQL root credentials are baked into the program. This wouldn't even be unheard of, given that botnets are frequently rented out to different users. Given the hardcoded password's innate security, xxHacker1337++, I doubt anyone's hacking into it soon. I would actually recommend using this password for your personal accounts. This doesn't even get into how the CLI is also (potentially) vulnerable to SQL injection.

sprintf(query, "select password from logins where username='%s'", username);

The username and password inputs aren't cleaned well: the code only strips whitespace and then, as shown, queries the MySQL database without a prepared statement. This doesn't even get into the use of sprintf instead of snprintf. It really seems like there's no user input sanitization on the CnC side.

There's going to be a part 2 because I want to fuzz the program and find a DoS for the CnC and bot programs.

[1] BichaelSoft Security Intelligence

[2] Medium MooBot article. If the Medium link doesn't work, here's an archived link.