
Milkit: An Innovator of Old Technology

Introduction

After monitoring a marked increase in TCP port 17300 scans across its client base, SecureWorks (www.secureworks.com) has discovered the source of these probes. SecureWorks has determined that a parasitic meta-trojan is responsible for the anomalous traffic. We have named this trojan "Milkit" as this is the name of the control channel it uses (which may have drawn inspiration from a Nirvana song of the same name). By infecting a honeypot with the Kuang2 virus, SecureWorks was able to capture a copy of the executable responsible for these scans. This advisory presents a brief analysis of the code.

Update

Since posting this analysis, the base source code for the trojan has been found. The version we analyzed is a custom-compiled version of Spybot 1.2 by "Mich". It has the same functionality, but the Milkit version uses a specific IRC server, channel and password, so it forms a completely separate DDoS network from any other instance of Spybot. We are keeping the analysis posted below for reference, but if you want further detail it would be easier to download and read the source code.

Milkit the Meta-Trojan

We describe 'Milkit' as a parasitic meta-trojan because it does not exploit any services run by the targeted machine. It cannot infect hosts that are not already infected by one of two well-known trojans: Kuang2_the_Virus or SubSeven.
It is believed that these two backdoors were chosen because they are fairly widespread and either have no password set (Kuang2) or, very commonly, a known master password (SubSeven). Kuang2 seems to be the attacker's current target of choice, perhaps because SubSeven has been scanned extensively by script kiddies over the years.

Once Milkit has been uploaded to the victim machine through one of the two above mentioned backdoors, it connects to nodanger.hackarmy.tk (which currently is an alias for irc.quakenet.net) and joins the channel ##milkit where it waits for commands from its master.

While IRC-controlled trojans have been around for some time, this one is unique in that it builds its IRC infrastructure on multiple existing trojans, acting much like a parasite.

Functionality of Milkit

Milkit has several components.

  1. Authentication

    Once the master has joined the channel, he authenticates himself with a password:

    master -- login gobo

    Now that the master is authenticated he has the option to do several malicious activities:

  2. Scanning component

    The master can scan for more hosts to infect to increase the size of his slave pool. This is the only part of the infection process that requires human intervention. If the master does not issue a scan command, then the slaves will lie dormant.

    master -- scan 81.x.x.x 17300 2 kuang

    [ ... ]

    slave -- Found port 17300 open at ip:

    slave -- Server uploaded to kuangserver IP:

    As you can see, once the slave finds a machine that has a port it is looking for open, it automatically infects the host and reports this back to the IRC channel. The infected host then connects immediately to the specified IRC channel to assume its role as another slave. This activity is almost worm-like in its automation.

  3. SYN Flooding Component

    While we did not see this happen while we were monitoring the channel, the disassembly of the executable shows this functionality exists.

  4. Key Logger

    The slave also acts as a keylogger. The master can request that a slave send the keys it has logged. This is an easy way to get access to confidential information a person or organization may have, including bank account and shell account credentials.

  5. HTTP Server

    The master can turn the built-in http server on with 'httpserver' command. This appears to be a quick and easy way of getting read-only access to an infected computer.

  6. Remote Command Execution

    The master also has the ability to run a few remote commands directly on the infected machine (list files, rename, delete); however, if the master needs to do something more advanced, an interactive remote shell can be obtained.

  7. Redirect Ability

    Using the redirect command, it seems the host can do a host bounce much like the "bnc" IRC bouncer program.

While many of these features exist in the backdoors that Milkit exploits, the advantage of this meta-system is that there is a common control channel between all infected hosts. This gives the master the flexibility needed to control so many hosts at once. (At the time of this writing, the number of slaves was fluctuating between 800 and 1000.)

Detecting an Infected Host

If for some reason you do allow outbound IRC ports, the following Snort signature can be used to detect infected machines.

alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"Milkit Trojan Outbound IRC Connection"; flow:to_server,established; content:"JOIN ##milkit "; nocase; reference:url,www.secureworks.com/research/threats/milkit; classtype:misc-activity; sid:1000005; rev:1;)

If you do not allow IRC outbound, then monitoring your firewall logs for persistent IRC connections outbound will help detect infected hosts.
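The two detection approaches above can be checked offline against captured data. The following is an added example (not part of the SecureWorks advisory) that mirrors the Snort rule's logic in Python and applies the "persistent outbound IRC connection" heuristic to constructed firewall log lines; the log format and the threshold of three connections are assumptions.

```python
import re
from collections import defaultdict

# Port range from the advisory's Snort rule (6666:7000 is inclusive in Snort).
IRC_PORTS = range(6666, 7001)
# Equivalent of content:"JOIN ##milkit "; nocase; (trailing space kept verbatim
# from the rule; a real client sends "JOIN ##milkit <key>" when a key is set).
JOIN_PATTERN = re.compile(r"JOIN ##milkit ", re.IGNORECASE)

def matches_milkit_join(dst_port, payload):
    """True when an outbound packet would trip the advisory's Snort rule."""
    return dst_port in IRC_PORTS and JOIN_PATTERN.search(payload) is not None

# Constructed firewall log (assumed format): time src dst dport action
FIREWALL_LOG = """\
10:00:01 192.0.2.10 203.0.113.5 6667 ACCEPT
10:05:02 192.0.2.10 203.0.113.5 6667 ACCEPT
10:10:03 192.0.2.10 203.0.113.5 6667 ACCEPT
10:11:00 192.0.2.22 203.0.113.9 443 ACCEPT
10:12:00 192.0.2.33 203.0.113.5 6667 ACCEPT
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def persistent_irc_hosts(log_text, min_connections=3):
    """Return (src, dst, port) tuples that repeatedly connect out to IRC ports.

    A single IRC connection is not suspicious by itself; a host that keeps
    reconnecting to the same server on an IRC port is a candidate slave.
    """
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _, src, dst, dport, action = m.groups()
        if action == "ACCEPT" and int(dport) in IRC_PORTS:
            counts[(src, dst, int(dport))] += 1
    return sorted(k for k, n in counts.items() if n >= min_connections)

if __name__ == "__main__":
    print(matches_milkit_join(6667, "JOIN ##milkit key\r\n"))  # True
    print(persistent_irc_hosts(FIREWALL_LOG))  # [('192.0.2.10', '203.0.113.5', 6667)]
```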

While it is always advised to keep anti-virus software up to date, the code we analyzed was not detected by any virus scanner we tested. Anti-virus will detect the existence of either Kuang2 or SubSeven; however, cleaning a system of these viruses will not remove the Milkit meta-trojan.
