Rapid7 Blog

Botnets  

Election Day: Tracking the Mirai Botnet

by Bob Rudis, Tod Beardsley, Derek Abdine & Rapid7 Labs Team

What do I need to know?

Over the last several days, the traffic generated by the Mirai family of botnets has changed. We've been tracking the ramp-up and draw-down patterns of Mirai botnet members and have seen the peaks associated with each reported large-scale and micro attack since the DDoS attack against Dyn, Inc. We've tracked over 360,000 unique IPv4 addresses associated with Mirai traffic since October 8, 2016 and have been monitoring another ramp-up in activity that started around November 4, 2016. At mid-day on November 8, 2016 the traffic volume was already as high as for the entire day of November 6, 2016, with all indications pointing to a probable significant increase in botnet node accumulation by the end of the day.

We've also been tracking the countries of origin for the Mirai family traffic, specifically the top 10 countries by number of daily Mirai nodes. This list had been surprisingly consistent since October 8, 2016, but on November 6, 2016 the U.S. dropped out of the top 10 originating countries. As we dug into the data, we noticed a significant and sustained drop-off of Mirai nodes from two internet service providers.

There are no known impacts from this recent build-up, but we are continuing to monitor the Mirai botnet family patterns for any sign of significant change.

What is affected?

The Mirai botnet was initially associated with various components of the "internet of things", specifically internet-enabled cameras, DVRs and other devices not generally associated with malicious traffic or malware infections. There are also indications that variants of Mirai may be associated with traditional computing environments, such as Windows PCs.
As we've examined the daily Mirai data, a large percentage of connections in each country come from autonomous systems (large blocks of internet addresses administered by a single network operator) associated with residential or small-business internet service provider networks.

How serious is this?

Regardless of the changes we've seen in the Mirai botnet over the last several days, we still do not expect Mirai, or any other online threat, to have an impact on the 2016 United States Presidential Election. The ballot and voting systems in use today are overwhelmingly offline and are operated by approximately 3,000 counties and parishes across the country; mounting an effective, coordinated, remote attack on these systems is nigh impossible.

The most realistic worst-case scenarios we envision for cyber-hijinks this election day are website denial-of-service attacks, which can affect how people get information about the election. These attacks may (or may not) be executed against voting and election information websites operated by election officials, local and national news organizations, or individual campaigns. If early voting reports are any indication, we expect to see more online interest in this election than in the last presidential election, and correspondingly high levels of engagement with election-related websites. Therefore, even if an attack were to occur, it may be difficult for website users to distinguish it from a normal outage due to volume. For more information on election hacking, read this post.

How did we find this?

We used our collection of Heisenberg Cloud honeypots to capture telnet session data associated with the behaviour of the Mirai botnet family. Heisenberg Cloud consists of 136 honeypot nodes spread across every region/zone of six major cloud providers. The honeypot nodes only track connections and basic behaviour within those connections; they are not configured to respond to or decode/interpret Mirai commands.
What was the timeline?

The overall Mirai tracking period covers October 8, 2016 through today, November 8, 2016. All data and charts provided in this report use an extract of data from October 30, 2016 through November 8, 2016.

Mirai FAQ: When IoT Attacks

Update: Following the attack on Dyn back in October, there is some speculation over whether a similar Mirai-style attack could be leveraged to influence the election. This feels like FUD to me; there doesn't seem to be a mechanism to knock out one critical service and thereby take down enough state and county election websites, Dyn-style, to make such an attack practical. It could potentially be feasible if it turns out that a lot of city, county, and state websites share one unique upstream resource, but without knowledge of that being the case, worries about a surgical DDoS against the election seem more like hyperbolic speculation than anything else.

Unless you've been blessed with some long DNS TTLs, you probably noticed that some name-brand chunks of the Internet seemed to go missing on Friday, October 21, including Twitter, GitHub, and Pandora. Over the weekend, it became clear that this was another (yes, another) IoT-based denial-of-service attack, in which many thousands of devices with direct access to the internet participated in a wide-scale attack on DynDNS, unbeknownst to their legitimate owners, as part of a botnet called "Mirai."

What is Mirai?

Mirai is a botnet: malicious software designed to gain unauthorized access to Linux-powered devices and conscript them into a distributed infrastructure of clients. Once enlisted, these machines can perform a variety of denial-of-service attacks against a target dictated by the attacker. In the Friday attacks, the target was Dynamic Network Services' managed DNS service (hereafter referred to simply as "Dyn").

How does Mirai work?

In order to gain access to IoT devices (and really, any Linux computer running telnet), Mirai does not exploit any software vulnerabilities. Instead, it simply tries to guess telnet login credentials for computers reachable via telnet from the internet.
Some of these username and password combinations are pretty bad choices for anything hanging out on the internet, like "admin / admin" and "root / root," and some are associated with specific video surveillance systems, like "root / juantec" and "root / klv123." The complete list of credentials is published on GitHub as part of the Mirai source code. Once a device is compromised, software is installed on it that can kick off a variety of attacks described in the source code, such as UDP or ACK flooding, DNS water torture, HTTP request flooding, and other volume-based attacks. In the most recent attack, Dyn's services were knocked offline. Since Dyn was the sole DNS provider for some major services, that meant that we could no longer figure out "where" on the Internet those services lived.

How big is Mirai?

Given the vagaries of internet-wide scanning, it's hard to say how many devices were involved in the Mirai botnet, but the order of magnitude looks to be in the hundreds of thousands. For a sense of scale, we can look at the recent scans from the National Exposure Index, where we found 15 million apparent telnet servers. We also peeked at a recent Sonar scan of HTTPS certificates, where we found about 315,000 web servers presenting a certificate associated with Dahua Technologies, one of the vendors of video surveillance systems whose devices were used in the attack. Not all of these telnet servers or video systems are going to be vulnerable, and there are other vendors associated with the attack, but this "hundreds of thousands" figure seems about right. With all these compromised and compromisable devices, Mirai is capable of sustaining hundreds of gigabits per second of traffic against a chosen target.

What's Being Done to Fix This?

For this immediate issue, it looks like the heroic engineers at Dyn have been busy reconfiguring their routing in order to weather further attacks.
At the same time, their downstream customers are implementing more robust fall-back strategies with other DNS providers. This is not a vote of no confidence against Dyn, of course; disasters and outages happen, and it's only prudent for name-brand services to have fall-backs like this in place. The fundamental problem of having many, many thousands of insecure devices on the internet remains, though. BCP38 describes techniques for filtering traffic at the edge of an Internet Service Provider's network, which helps defend against DoS attack schemes that generate packets with forged source addresses, but this isn't particularly helpful against the threat demonstrated by Mirai.

What Can I Do?

First and foremost, you should not be exposing your telnet ports to the internet. Period. Full stop. End of story. It doesn't matter how much you think you need unfettered access to telnet over the internet; you need to stop it. Now. There are much better alternatives, such as SSH for shell access and HTTPS for GUI-based control, both of which offer modern security features like encryption and strong authentication. Don't merely change your telnet access credentials; stop using telnet altogether, and make it impossible for others to control your network bandwidth through it.

If you rely on a cloud service (and who doesn't, these days) then you should find out what their redundancy plans are in the event of not only an attack on their infrastructure, but an attack on their upstream providers. Reputable providers are quite forthcoming in sharing this information with their customers, and usually publish real-time status pages.

The Post-Mirai Reality

Unfortunately, the cost associated with exposing insecure devices is not borne only by the operators of those devices. While it may be creepy to know that anonymous, internet-based attackers can access your home or office camera feeds, the attacker in this case was not interested in those video streams at all.
Instead, the attacker only cared about the processing power and network bandwidth of the vulnerable devices. Solving for externalities like this is extremely difficult, but given our track record, we know that technology professionals are pretty gifted at coming up with novel solutions to seemingly intractable problems. I'm confident we can come up with a solution that protects IoT devices, protects the rest of the network from those IoT devices, and still manages to preserve the open and distributed nature of the internet.
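The two Mirai posts above describe two pieces of the same picture: Heisenberg Cloud counting distinct Mirai source addresses per day, and Mirai itself guessing telnet logins from a fixed credential list. The script below is an added example, not Rapid7's Heisenberg code, that applies that classification to telnet honeypot login records. The record format (timestamp, source IPv4, username, password per line) and the sample lines are assumptions; the four credential pairs are the ones quoted in the FAQ above, and the full list is in the published Mirai source. It attributes an attempt to Mirai only when the pair matches, then reports distinct source addresses per day and the day-over-day change, which is the ramp-up/draw-down signal the tracking post describes.

```python
"""Summarise Mirai-style telnet login attempts from honeypot records (added example).

Not Rapid7's Heisenberg Cloud code. One record per login attempt in an ASSUMED
format: "<ISO-8601 timestamp> <source IPv4> <username> <password>". An attempt
is attributed to Mirai only when its credential pair is one the Mirai scanner
uses; the four pairs below are the ones quoted in the post (the full list is in
the published source). SAMPLE_LOG is constructed data, not real telemetry.
"""
from collections import Counter, defaultdict
import re

MIRAI_CREDENTIALS = {
    ("admin", "admin"),
    ("root", "root"),
    ("root", "juantec"),
    ("root", "klv123"),
}

# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2016-11-06T02:11:09Z 198.51.100.23 root juantec
2016-11-06T02:11:10Z 198.51.100.23 root klv123
2016-11-06T05:40:01Z 203.0.113.8 admin admin
2016-11-06T13:02:44Z 192.0.2.77 pi raspberry
2016-11-07T00:15:30Z 198.51.100.23 root root
2016-11-07T08:59:12Z 203.0.113.8 root juantec
2016-11-07T09:00:00Z 203.0.113.44 admin admin
2016-11-08T11:30:00Z 192.0.2.90 root klv123
2016-11-08T11:30:01Z malformed line
"""

RECORD_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)$")


def parse_attempts(text):
    """Yield (day, src_ip, user, password); lines not in the format are dropped."""
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield m.groups()


def is_mirai_credential(user, password):
    """True when the pair is one Mirai's telnet scanner tries."""
    return (user, password) in MIRAI_CREDENTIALS


def summarise(text):
    """Per-day set of Mirai-attributed source IPs, plus a Counter of pairs seen."""
    nodes_per_day = defaultdict(set)
    cred_hits = Counter()
    for day, ip, user, password in parse_attempts(text):
        if is_mirai_credential(user, password):
            nodes_per_day[day].add(ip)
            cred_hits[(user, password)] += 1
    return dict(nodes_per_day), cred_hits


def daily_node_counts(text):
    """Day -> number of distinct Mirai-attributed source addresses that day."""
    nodes, _ = summarise(text)
    return {day: len(ips) for day, ips in sorted(nodes.items())}


def total_unique_nodes(text):
    """Distinct Mirai-attributed source addresses over the whole period."""
    nodes, _ = summarise(text)
    return len(set().union(*nodes.values())) if nodes else 0


def ramp(text):
    """Day-over-day change in node count; a run of positives is a ramp-up."""
    counts = daily_node_counts(text)
    days = list(counts)
    return {days[i]: counts[days[i]] - counts[days[i - 1]] for i in range(1, len(days))}


if __name__ == "__main__":
    for day, n in daily_node_counts(SAMPLE_LOG).items():
        print(day, n)
    print("total unique nodes:", total_unique_nodes(SAMPLE_LOG))
    _, creds = summarise(SAMPLE_LOG)
    for (u, p), n in creds.most_common():
        print(f"{u}/{p}: {n}")
```

The "pi / raspberry" attempt is deliberately left unattributed: generic brute-force noise is constant on any exposed telnet port, and counting it would inflate the node figures the tracking post is built on.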

Cyber security around the world - 7/4/14 - Germany

With so much happening in cyber security around the world lately, we're highlighting some of the interesting stories each week from across Europe, the Middle East, Africa and Asia Pacific. This week we're in Germany, where officials have found the second mass user account hacking this year.

Germany

Last week German officials confirmed that 18 million email addresses and passwords were stolen in a mass data breach. The details of the breach are still being investigated by the country's Federal Office for Information Security (BSI), but here is what we know:

- The breach was discovered while investigating a botnet used to send spam emails.
- The stolen information is also being used to make online purchases where users are using the same email/password combination.
- The discovery originated from the north-western German city of Verden, but the compromised accounts are from all over the world.
- It's likely that a mass malware attack was used to steal the credentials, meaning millions of computers are probably still infected.
- This is not the first time German authorities have found a mass data breach: just 3 months ago the BSI announced that 16 million German user accounts were compromised.

These attacks show the importance of not reusing passwords across multiple sites, and of using encrypted password vaults like LastPass, 1Password, KeePassX, etc. to create complex, unique credentials for all your online accounts.

Botnets and the War on Bitcoin

If you've been reading the most recent news from the interwebs, you probably heard that Bitcoin is on a rollercoaster. If you're not familiar with it, Bitcoin is a global online currency, the cash of the Internet. It has no central regulator and no authority: it's a decentralized system where technology is in control. Bitcoins are generated by the participants in its network. Generating, or better "mining", Bitcoins requires your computer to perform an expensive cryptographic computation, a proof of work, which ensures that the miner spent a certain amount of time and computing power on each new batch of coins. The network adjusts the difficulty of this computation as the total mining power grows, and in this way Bitcoin regulates its own growth and distribution, much like the scarcity of other limited resources such as gold and silver.

Bitcoin is controversial. It's an independent currency that no government or legal authority has control over, making it one of the more interesting technological, social and economic experiments of recent years. However, it's also an investment: people are buying and selling Bitcoins all the time on exchanges, just like any other traditional currency. As a consequence, an arms race started, with people clustering GPU and FPGA boards to be able to mine at a higher rate and sell the Bitcoins for an actual profit. Over the last two years, this approach drew the attention of cybercrooks, who started using their botnets to run Bitcoin miners and introduce an additional source of income to their business. Some of the most recent botnets include ZeroAccess and Skynet, but there are many more following their lead, such as the one very recently uncovered by Kaspersky.

In the last few days, Bitcoin hit a historical record: it grew to a value of almost $270 each, an unprecedented and very promising result for the future of this currency.
Then something suddenly happened: it dropped drastically and at the time of writing it floats around $75. The value of the currency is determined by its popularity and its availability, so the drop might have been caused by a sudden increase in the availability of coins. There are several Bitcoin exchanges, of smaller and larger size. In the last few days Mt. Gox, the largest existing exchange, suffered some issues originally attributed to a DDoS attack and later attributed to a large and unexpected growth of their user base and of the volume of transactions they found themselves handling. As a result of the panic caused by the unavailability or slowness of the website, their users rushed into selling their Bitcoins and "cashing out", affecting the stability of the currency's value.

Can you see the issue here? There's a door open for speculation. If someone had the power to affect the stability of a Bitcoin exchange, they could force its users to sell their coins, buy them at a lower price and wait for the value to grow again before selling them at a profit. In this scenario a DDoS would sound reasonable.

Haaave you met Skynet? We talked about this botnet and its colorful operator quite some months ago. No, he didn't stop operating his botnet, just as we didn't stop tracking it and occasionally engaging in friendly conversations with him on Twitter. Apparently the operator understood the influence he might have in just the way I described, and very recently started launching UDP and SYN flooding DDoS attacks against the Bitcoin exchanges VirWox, BitFloor and Mt. Gox.
Following are the DDoS commands issued by the operator in the last few days:

21:59 < suda> !udp 46.4.112.231 53 1000 1100 100 60
22:03 < suda> !udp 46.4.112.231 53 1000 1100 100 180
22:31 < suda> !syn bitfloor.com 443 100 60
03:36 < suda> !syn bitfloor.com 443 100 30
03:44 < suda> !syn bitfloor.com 443 100 5
03:52 < suda> !syn bitfloor.com 443 100 1
04:06 < suda> !syn bitfloor.com 443 1000 1
17:05 < suda> !syn mtgox.com 443 100 10
17:06 < suda> !syn mtgox.com 443 10 5
17:22 < suda> !syn bitfloor.com 443 1000 1

The owners of BitFloor complained about the issue as well: "Skynet guy, that is not cool."

Bitcoin is a very interesting initiative, though it is encountering multiple obstacles along its way. Its usability issues will probably prevent it from going mainstream and leave the space free for Google Wallet and other similar services. However, its fundamental structure leaves it open to abuse and speculation by botnet operators, who can possibly influence the market in their favor and destabilize Bitcoin's economics. The fact that cybercriminals can be so instrumental in the fluctuation of the currency leaves me wondering whether they could effectively compromise the reliability of the system and undermine the ongoing investment efforts of the Bitcoin community. We are actively looking at malware and botnets abusing Bitcoin; if you encounter anything interesting please email me or tweet @botherder, sharing is caring!

Skynet, a Tor-powered botnet straight from Reddit

While wandering through the dark alleys of the Internet we encountered an unusual malware artifact, something we had never observed before, which kept us entertained while we meticulously dissected it until late at night. The more time we spent looking at it, the more it started to look unusually familiar. As a matter of fact, it turned out to be the exact same botnet that an audacious Reddit user of possibly German origin named "throwaway236236" described in a very popular I Am A (AMA) thread, which you can read here. Following is an overview of this malware, labelled by its creator as Skynet: a Tor-powered trojan with DDoS, Bitcoin mining and banking capabilities, which we observed spreading through the veins of Usenet.

Beware the warez

"People download software from Usenet and install it in the offices or at friends pretty often. Also Usenet isn't that hard anymore, as easy as buying a premium account for a one click hoster. Most Providers have their own Usenet client for idiot proof downloads" throwaway236236

Usenet is a distributed discussion platform established around 1980 and still very popular worldwide. Despite its original intent of simply being a plain-text discussion forum (much like bulletin boards), over the years it has become a widely adopted platform for distributing pirated content such as movies and games, which are generally uploaded as RAR archives split into chunks to circumvent the size limitations of Usenet's protocol. Consequently and inevitably, malware writers found a perfect vehicle in Usenet for spreading their wares, just as happened on other file-sharing networks such as eDonkey, Gnutella and BitTorrent. Today, Usenet has become a malware minefield. The security industry seems to have its unblinking eye focused on the evolution of more fashionable, and possibly more widespread, infection vectors such as exploit kits and other traditional products of the Russian black market.
In the meantime, part of the underground keeps distributing its malware almost unnoticed through alternative channels, such as file sharing. As a matter of fact, this botnet appears to have slid under the radar for quite some time now. Ironically, spreading malware through file sharing is still quite effective:

- There's no need to exploit the victims; they're going to execute the malware themselves.
- The file shares are very easy to employ.
- They are hard to eradicate.
- They have a large pool of potential victims.

The only pitfall is that they require some social engineering component, i.e. luring the victims into downloading the trojaned files, but that's the case for most attack vectors in today's world.

Malware Overview

"I operate a ~10k botnet using a ZeuS software I modified myself, including IRC, DDoS and bitcoin mining. Everything operating through TOR hidden service so no feds will take my servers down." throwaway236236

The malware sample we retrieved from Usenet has an unusually large size (almost 15MB) and a fairly low detection rate (7/42). It had not previously been seen on VirusTotal and apparently had not been observed on any other online resource before our discovery. The core code base is a very simple Tor-enabled IRC bot which incorporates DDoS and a few other capabilities. A large part of the binary appears to be junk data, possibly to better disguise it as a legitimate download. It also employs several obfuscation routines to evade detection. The malware comes along with 4 additional embedded resources:

- A ZeuS bot.
- The Tor client for Windows.
- The CGMiner bitcoin mining tool.
- A copy of OpenCL.dll, used by CGMiner for GPU (and CPU) hashing.
When executed, the malware first copies itself into a randomized directory under %AppData% and then starts an initialization routine consisting of several process creations and injections, at the end of which the core is disguised either as Internet Explorer or as svchost.exe. In order to initialize its components, the malware creates multiple legitimate processes in a suspended state, overwrites their memory with the desired malicious executables and resumes their execution. From the command line arguments we can guess that the malware not only uses Tor to connect to its backend infrastructure but also creates a Tor Hidden Service on the infected system itself. In order to survive a reboot, it creates a traditional entry in the Run registry key.

Torify all the things!

"TOR is pretty safe as long as you don't use exit nodes, which I never do, because everything is inside hidden services. Hidden Service guarantees the traffic is only readable at the actual server, the magic of private/public key encryption." throwaway236236

For those of you who might not be as familiar, Tor is an anonymity network operated by volunteers which provides encryption and identity protection. Tor is a great initiative that helps people all over the world protect themselves from surveillance and traffic interception as well as circumvent Internet censorship: it's widely used by whistleblowers, political activists, and anyone concerned about the privacy and safety of their communications. At the same time, though, it does get abused a lot, as we also describe in this article. This article is not condemning the network, as its legitimate use is still a very valuable service. The potential use of Tor as a bulletproof botnet infrastructure has been discussed several times in the past (for example at Defcon 18 by Dennis Brown), but we had never observed it being implemented in a real case before.
In September the German antivirus vendor G-Data briefly described a similar case, which we believe could belong to the same malware family.

Common botnets generally host their Command & Control (C&C) infrastructure on hacked, bought or rented servers, possibly registering domains that resolve to the IP addresses of those servers. This approach exposes the botnet to takedown or hijacking. The security industry will generally try to take the C&C servers offline and/or take over the associated domains by making them point to a different host, cooperating with hosting providers and domain registrars (a practice commonly known as "sinkholing"), effectively disrupting the botnet's operations. In some cases these efforts are nullified when the botnet operators buy services from a particular type of hosting provider that guarantees it won't respond to abuse complaints or cooperate with takedown requests. These providers are commonly known as "bulletproof hosting" and they are widely used in the cybercrime ecosystem. However, their services are typically more expensive and they might not be 100% reliable.

What the Skynet botnet creator realized is that he could build a much stronger infrastructure at no cost just by utilizing Tor as the internal communication protocol and by using the Hidden Services functionality that Tor provides. Hidden Services are a feature of the Tor network introduced in 2004 that permits the creation of completely anonymous and concealed services accessible through Tor only (or through a gateway like Tor2Web). These hidden servers publicize their existence through Tor using a public encryption key, which is then indexed in Tor's directory servers. From the key pair generated for the service, a .onion pseudo-domain is derived, which is then used to look up and contact the hidden server.
At no point is the original IP address of the hidden server disclosed, nor do the directory servers know the identity behind a .onion domain. There is no way to identify the origin of the hidden service, nor to revoke or take over the associated .onion domain. Details on the implementation of Tor Hidden Services can be found here.

Skynet runs all its C&C servers as Hidden Services, and all compromised computers are configured to be part of the Tor network as well. The advantages of this approach are:

- The botnet traffic is encrypted, which helps prevent detection by network monitors.
- By running as a Hidden Service, the origin, location, and nature of the C&C are concealed and therefore not exposed to possible takedowns. In addition, since Hidden Services do not rely on public-facing IP addresses, they can be hosted behind firewalls or NAT-enabled devices such as home computers.
- Hidden Services provide a Tor-specific .onion pseudo top-level domain, which is not exposed to possible sinkholing.
- The operator can easily move the C&C servers around just by re-using the generated private key for the Hidden Service.

Long story short, Tor's design and internal mechanics make it a near-perfect transport for botnets. Because of this, all critical communications from Skynet to its C&C servers are tunneled through a Tor SOCKS proxy running locally on the compromised computers.
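To make the "cannot be revoked or sinkholed" property above concrete, the following added example (not Tor's code and not anything recovered from Skynet) derives a .onion name the way Tor's v2 hidden services did at the time of this analysis: the first 80 bits of SHA-1 over the DER-encoded PKCS#1 RSAPublicKey, base32-encoded, giving 16 characters of [a-z2-7]. The DER encoder is hand-rolled so it runs on the standard library alone, and the 512-bit modulus is a constructed placeholder (real v2 keys are 1024-bit RSA). Because the name is a pure function of the public key, only the holder of the matching private key can publish a descriptor for it: a registrar-style takeover has nothing to seize, and the operator can relocate the C&C anywhere simply by carrying the key along. Current v3 onion services use ed25519 keys and 56-character names and are not covered here.

```python
"""Derive a Tor v2 .onion name from an RSA public key (added example).

Tor's v2 hidden-service naming (the scheme in use when Skynet was analysed) is:
    onion = base32( SHA1( DER(RSAPublicKey) )[:10] ) + ".onion"
where RSAPublicKey is the PKCS#1 structure SEQUENCE { modulus, publicExponent }.
The DER encoder here is hand-rolled so the script runs with the standard library
only. SAMPLE_MODULUS is a constructed 512-bit placeholder, not a real key; real v2
keys are 1024-bit RSA. v3 addresses (ed25519, 56 chars) are NOT covered.
"""
import base64
import hashlib
import re

# Constructed placeholder modulus (hex), used only to exercise the derivation.
SAMPLE_MODULUS = int(
    "C4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E"
    "2BE2BE8FA60150B9046965837C3E7D151B7DE237EBB957C20663898250703B3F", 16)

V2_ONION_RE = re.compile(r"^[a-z2-7]{16}\.onion$")


def der_length(n):
    """DER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER (tag 0x02): minimal big-endian bytes, 0x00-prefixed when the
    top bit is set so the value is not read back as negative."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*elements):
    """DER SEQUENCE (tag 0x30) wrapping already-encoded elements."""
    body = b"".join(elements)
    return b"\x30" + der_length(len(body)) + body


def rsa_public_key_der(modulus, exponent=65537):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return der_sequence(der_integer(modulus), der_integer(exponent))


def onion_v2_address(modulus, exponent=65537):
    """First 80 bits of SHA-1 over the DER key, base32, lower-cased."""
    digest = hashlib.sha1(rsa_public_key_der(modulus, exponent)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def is_valid_v2_onion(name):
    """Syntactic check for a v2 name: 16 base32 characters plus '.onion'."""
    return V2_ONION_RE.match(name) is not None


def key_matches_address(modulus, name, exponent=65537):
    """True if this public key is the one the .onion name was derived from;
    without the matching private key nobody else can serve under this name."""
    return onion_v2_address(modulus, exponent) == name


if __name__ == "__main__":
    addr = onion_v2_address(SAMPLE_MODULUS)
    print("sample key ->", addr)
    print("20 hardcoded names in the sample are all v2-shaped:",
          is_valid_v2_onion("uy5t7cus7dptkchs.onion"))
```

The same derivation explains why the list of hardcoded .onion names below is stable intelligence: an operator who loses a name has lost the key, and one who keeps the key can keep the name through any number of server moves.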
Following are all the hardcoded .onion pseudo-domains we were able to identify; we observed only some of them being actively used:

6ceyqong6nxy7hwp.onion
owbm3sjqdnndmydf.onion
4njzp3wzi6leo772.onion
qdzjxwujdtxrjkrz.onion
x3wyzqg6cfbqrwht.onion
niazgxzlrbpevgvq.onion
ua4ttfm47jt32igm.onion
6tkpktox73usm5vq.onion
4bx2tfgsctov65ch.onion
gpt2u5hhaqvmnwhr.onion
7wuwk3aybq5z73m7.onion
742yhnr32ntzhx3f.onion
f2ylgv2jochpzm4c.onion
6m7m4bsdbzsflego.onion
xvauhzlpkirnzghg.onion
h266x4kmvmpdfalv.onion
jr6t4gi4k2vpry5c.onion
ceif2rmdoput3wjh.onion
uzvyltfdj37rhqfy.onion
uy5t7cus7dptkchs.onion

As mentioned, the malware also creates a Tor Hidden Service on every compromised computer on port 55080. Nothing is listening on that port by default, but when the operator issues a particular command on the IRC C&C, the malware opens a SOCKS proxy on port 55080 which is then reachable through a newly created .onion domain.

IRC Botnet like it's 1999

"DDoS is only useful for trolling, best applied when two companies sue each other accusing use of DDoS in competition." throwaway236236

The core of the malware provides functionality that can be operated through specific commands submitted through the IRC channels the bot connects to. When it comes to DDoS, the malware includes support for SYN flooding, UDP flooding, Slowloris flooding, and generic HTTP flooding. As previously said, the malware connects to an IRC server hosted behind a Tor Hidden Service and uses the following nickname pattern:

[NED-XP-687126]USERNAME

You can also find it in a screenshot throwaway236236 provided himself on the Reddit thread. Following is a list of commands that can be used to execute specific functions of the bot.
- Get information on the compromised computer: !info, !version, !hardware, !idle
- Download and execute files: !download
- Download a binary to memory and inject it into other processes: !download.mem
- Visit a webpage: !visit, !visit.post
- SYN and UDP flooding: !syn, !syn.stop, !udp, !udp.stop
- Slowloris flooding: !slowloris, !slowloris.stop
- HTTP flooding: !http.bwrape, !http.bwrape.stop
- Open a SOCKS proxy: !socks
- Retrieve the .onion address of the Hidden Service opened on the compromised computer: !ip

We managed to patch and hijack the malware and make it connect to an IRC server hosted behind a Tor Hidden Service that we created solely for testing purposes. We started playing with it to try its functions, and here are some log examples from our tests.

Retrieve generic information on the compromised computer:

<claudio> !info
<[DEU-XP-625287]ANALYST> [AV: No-Antivirus (R)] [GPU: VirtualBox Graphics Adapter] [MEM: 1023 MB] [HASHES: 0.00 MH/s] [IDLE: 0 sec]

Retrieve details on the available hardware:

<claudio> !hardware
<[DEU-XP-625287]ANALYST> [HW] GPU: VirtualBox Graphics Adapter MEM: 1023 MB

Retrieve the version of the malware installed:

<claudio> !version
<[DEU-XP-625287]ANALYST> [VER] Skynet_0.4

Check idle time:

<claudio> !idle
<[DEU-XP-625287]ANALYST> [IDLE] I'm idle for 0 seconds.
Start a SYN flooding DDoS attack:

<claudio> !syn <TEST IP> 80 1 60
<[DEU-XP-625287]ANALYST> [SYN] Started flooding <TEST IP>

Stop an ongoing attack:

<mark> !syn.stop
<[DEU-XP-625287]ANALYST> [SYN] Stopping <TEST IP>

Start a Slowloris flooding attack:

<claudio> !slowloris
<[DEU-XP-625287]ANALYST> [SL] Failed to start!, missing parameters: [DNS] [PORT] [HOLD_DELAY] [TIME in sec] [SOCKETS]

Start a generic HTTP flooding attack:

<claudio> !http.bwrape
<[DEU-XP-625287]ANALYST> [HTTPBW] Failed to start!, missing parameters: [URL] [SIZE] [TIME]

Start a SOCKS proxy behind a Tor Hidden Service on the compromised computer:

<claudio> !socks on
<[DEU-XP-625287]ANALYST> [SOCKS] Started

Retrieve the .onion domain pointing to the proxy just opened:

<mark> !ip
<[DEU-XP-625287]ANALYST> [HS] t3svp5x674d7qqxh.onion

ZeuS

"Got around 1k Liberty Reserve $ for random zeus logs and million email addresses I found in a shop." throwaway236236

As mentioned by the creator on the Reddit post, ZeuS, an extremely common banking trojan whose source code was leaked in 2011, represents a core part of the botnet and probably the main source of income from this malicious infrastructure. The leak of that source code also led to some variants, including the more recently discovered Ice IX and Citadel bots. The operator kindly provided a screenshot of his ZeuS control panel on Reddit as well. In this particular case, the malware is provided with a ZeuS bot embedded in the resource with ID 5000. Despite the claims of having been largely modified, the bot shows traditional behavior without any apparent peculiar changes. It has a decent average antivirus detection rate (36/46). Like the IRC C&C server, the ZeuS C&C server is also hosted behind a Tor Hidden Service.
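The command table and test session above, together with the DDoS commands quoted in the Bitcoin post, are enough to write a detector for this C&C protocol in IRC logs. The script below is an added example, not Rapid7's tooling: it recognises the bot nick pattern, the command set, and the parameter layout the bot itself reported for !slowloris and !http.bwrape (for !syn and !udp the post only shows host and port, so the trailing numbers are kept as unnamed extras), and it extracts the attack targets. The log line shapes (optional HH:MM prefix, "<nick>" or "< nick>") and the sample lines are assumptions, though the commands in them are the ones quoted on this page.

```python
"""Flag Skynet IRC command-and-control traffic in IRC logs (added example).

Not Rapid7's tooling. The command set and the "[CC-OS-NNNNNN]USERNAME" bot nick
pattern are the ones documented in the analysis; the parameter names for
!slowloris and !http.bwrape are those the bot reported when called with none.
Line shapes (optional "HH:MM " prefix, "<nick>" or "< nick>") and SAMPLE_LOG
are assumptions/constructed, built from the commands quoted on the page.
"""
import re

SKYNET_COMMANDS = {
    "!info", "!version", "!hardware", "!idle",
    "!download", "!download.mem", "!visit", "!visit.post",
    "!syn", "!syn.stop", "!udp", "!udp.stop",
    "!slowloris", "!slowloris.stop",
    "!http.bwrape", "!http.bwrape.stop",
    "!socks", "!ip",
}

# Positional parameters for the attack commands. For !syn/!udp the page shows
# only "host port" followed by numeric knobs it does not name; those land in "extra".
FLOOD_PARAMS = {
    "!syn": ["host", "port"],
    "!udp": ["host", "port"],
    "!slowloris": ["host", "port", "hold_delay", "time", "sockets"],
    "!http.bwrape": ["url", "size", "time"],
}

BOT_NICK_RE = re.compile(r"^\[[A-Z]{3}-[A-Z0-9]+-\d{6}\]\S+$")
LINE_RE = re.compile(r"^(?:\d{2}:\d{2}\s+)?<\s*([^>]+?)>\s+(.*)$")

SAMPLE_LOG = """\
21:59 < suda> !udp 46.4.112.231 53 1000 1100 100 60
22:31 < suda> !syn bitfloor.com 443 100 60
17:05 < suda> !syn mtgox.com 443 100 10
<claudio> !info
<[DEU-XP-625287]ANALYST> [AV: No-Antivirus (R)] [GPU: VirtualBox Graphics Adapter] [MEM: 1023 MB] [HASHES: 0.00 MH/s] [IDLE: 0 sec]
<claudio> !socks on
<mark> !ip
<[DEU-XP-625287]ANALYST> [HS] t3svp5x674d7qqxh.onion
<alice> hey, !info is just my shell alias, ignore
<bob> !syn
"""


def parse_line(line):
    """Split an IRC log line into (nick, message); None if it is not a message."""
    m = LINE_RE.match(line.strip())
    return (m.group(1).strip(), m.group(2)) if m else None


def classify(line):
    """Return a dict describing a Skynet command or bot reply, or None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    nick, msg = parsed
    if BOT_NICK_RE.match(nick):
        return {"kind": "bot_reply", "nick": nick, "text": msg}
    parts = msg.split()
    if not parts or parts[0] not in SKYNET_COMMANDS:
        return None  # a "!info" mid-sentence is chatter, not a command
    cmd, args = parts[0], parts[1:]
    event = {"kind": "command", "operator": nick, "command": cmd, "args": args}
    if cmd in FLOOD_PARAMS:
        names = FLOOD_PARAMS[cmd]
        params = dict(zip(names, args))
        params["extra"] = args[len(names):]
        event["target"] = params.get("host") or params.get("url")
        port = params.get("port")
        event["port"] = int(port) if port and port.isdigit() else None
        event["params"] = params
    return event


def scan(text):
    """All Skynet events in a log, in order."""
    return [e for e in (classify(ln) for ln in text.splitlines()) if e]


def ddos_targets(text):
    """Distinct (target, port) pairs named in attack commands, first-seen order."""
    seen = []
    for e in scan(text):
        if e["kind"] == "command" and e["command"] in FLOOD_PARAMS and e["target"]:
            pair = (e["target"], e["port"])
            if pair not in seen:
                seen.append(pair)
    return seen


if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        print(e)
    print("targets:", ddos_targets(SAMPLE_LOG))
```

Two design points: the bot nick is matched on its own, because a reply such as "[HS] t3svp5x674d7qqxh.onion" is the only place the per-victim hidden-service name appears, and a command is only counted when it starts the message, so a sentence that merely mentions "!info" is not flagged.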
When executed, it tries to fetch an updated configuration from:

    hxxp://localhost:42349/z/config.bin

In a traditional ZeuS botnet the configuration updates would come from an external public server; here they are requested from a proxy running locally on the compromised computer on port 42349. This proxy translates the request to a specific Tor .onion pseudo-domain and tunnels it through the Tor SOCKS proxy listening on port 9050. We managed to extract that domain and, as expected, the translated configuration URL is:

    hxxp://qdzjxwujdtxrjkrz.onion:80/z/config.bin

At the same address we find the landing page ZeuS uses to report the harvested credentials:

    hxxp://qdzjxwujdtxrjkrz.onion:80/z/gate.php

Following is the decoded updated configuration, in XML format, that we retrieved at the time of writing:

    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <root>
      <zeusbuild>2.1.0.0</zeusbuild>
      <updatepoint>
        <url>http://localhost:42349/z/bot.exe</url>
      </updatepoint>
      <droppoint>
        <url>http://localhost:42349/z/gate.php</url>
      </droppoint>
      <webdatafilters>
        <url><![CDATA[!*.microsoft.com/*]]></url>
        <url><![CDATA[!http://*myspace.com*]]></url>
        <url><![CDATA[https://www.gruposantander.es/*]]></url>
        <url><![CDATA[!http://*odnoklassniki.ru/*]]></url>
        <url><![CDATA[!http://vkontakte.ru/*]]></url>
        <url><![CDATA[@*/login.osmp.ru/*]]></url>
        <url><![CDATA[@*/atl.osmp.ru/*]]></url>
        <url><![CDATA[!*.facebook.com/*]]></url>
      </webdatafilters>
    </root>

The target list appears quite standard and was probably not configured manually. Nevertheless, the ZeuS bot will collect and report all HTTP credentials it can, without requiring specific configuration entries.

Bitcoin Mining

“My guess is that around 30% of the whole bitcoin hashing power come from botnets, the amount coming from "unknown" pools.” throwaway236236

The malware embeds the open-source “CGMiner” bitcoin miner, which supports both GPU and regular CPU mining.
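Returning to the ZeuS configuration decoded above: the entries under webdatafilters are not a target list in the usual sense, and it helps to see how the bot actually applies them. The following is an added example written for this page, not code from the Skynet analysis or from the ZeuS code base. It parses that XML and applies the entries as the ZeuS 2.x configuration format defines them: `*` is a wildcard, a leading `!` marks URL masks whose form data is not written to the log, a leading `@` marks masks for which the bot additionally takes screenshots of mouse clicks, and an unprefixed mask is a plain log target; URLs matching nothing are still logged, which is the behaviour the paragraph above describes. Two details are assumptions stated in the code: the first matching entry wins, and the helper that rewrites the localhost:42349 proxy URL to the .onion URL reported above is ours.

```python
"""Interpret the ZeuS WebFilters entries from the decoded Skynet configuration.

Added example for this write-up; not code from ZeuS or from the Skynet analysis.
Entry syntax as in the ZeuS 2.x config format: `*` wildcard, `!` = do not log
form data for matching URLs, `@` = also screenshot mouse clicks, no prefix =
ordinary log target. URLs matching no entry are logged anyway. Only `*` is
treated as special here (no other mask characters occur in this config).
"""
import re
import xml.etree.ElementTree as ET

# Decoded configuration exactly as shown in the post.
CONFIG_XML = """<?xml version="1.0" encoding="ISO-8859-1" ?>
<root>
  <zeusbuild>2.1.0.0</zeusbuild>
  <updatepoint><url>http://localhost:42349/z/bot.exe</url></updatepoint>
  <droppoint><url>http://localhost:42349/z/gate.php</url></droppoint>
  <webdatafilters>
    <url><![CDATA[!*.microsoft.com/*]]></url>
    <url><![CDATA[!http://*myspace.com*]]></url>
    <url><![CDATA[https://www.gruposantander.es/*]]></url>
    <url><![CDATA[!http://*odnoklassniki.ru/*]]></url>
    <url><![CDATA[!http://vkontakte.ru/*]]></url>
    <url><![CDATA[@*/login.osmp.ru/*]]></url>
    <url><![CDATA[@*/atl.osmp.ru/*]]></url>
    <url><![CDATA[!*.facebook.com/*]]></url>
  </webdatafilters>
</root>
"""

ACTIONS = {"!": "ignore", "@": "log+screenshot"}


def compile_filter(entry):
    """Turn one WebFilters mask into (action, compiled regex)."""
    action = "log"
    if entry[0] in ACTIONS:
        action, entry = ACTIONS[entry[0]], entry[1:]
    # `*` matches any run of characters; everything else is literal, case-insensitive.
    pattern = ".*".join(re.escape(part) for part in entry.split("*"))
    return action, re.compile(rf"^{pattern}$", re.IGNORECASE)


def parse_config(xml_text):
    """Extract build, update/drop URLs and compiled filters from the decoded XML."""
    # Encode to bytes so the ISO-8859-1 declaration is honoured by the parser.
    root = ET.fromstring(xml_text.encode("latin-1"))
    return {
        "build": root.findtext("zeusbuild"),
        "updatepoint": root.findtext("updatepoint/url"),
        "droppoint": root.findtext("droppoint/url"),
        "filters": [compile_filter(u.text) for u in root.iterfind("webdatafilters/url")],
    }


def classify(url, filters):
    """What the bot does with form data posted to `url`.

    First matching entry wins (assumption: the post does not state the precedence).
    Anything unmatched is logged, as the post notes for unlisted sites.
    """
    for action, rx in filters:
        if rx.match(url):
            return action
    return "log"


def onion_url(local_url, onion_host="qdzjxwujdtxrjkrz.onion"):
    """Rewrite the local proxy URL to the hidden-service URL the post says it is forwarded to.

    Helper written for this example; the real translation happens inside the
    malware's local proxy on port 42349, not in ZeuS itself.
    """
    return re.sub(r"^http://localhost:42349/", f"http://{onion_host}:80/", local_url)


if __name__ == "__main__":
    cfg = parse_config(CONFIG_XML)
    print("build", cfg["build"], "drop point", onion_url(cfg["droppoint"]))
    for u in ("http://www.microsoft.com/en-us/", "https://login.osmp.ru/index.php",
              "https://bank.example/login"):
        print(u, "->", classify(u, cfg["filters"]))
```

The practical reading of the config is the one the post gives: the `!` entries only suppress noise from high-traffic sites (Microsoft, MySpace, Facebook, vkontakte), so any other login form, whether listed or not, is harvested and posted to gate.php.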
Skynet installs WH_MOUSE and WH_KEYBOARD hook procedures that monitor the system for keystrokes and mouse movements. This lets it tell whether the victim is interacting with the desktop: to stay unnoticed, it starts mining bitcoins only after two minutes of inactivity and stops immediately when a monitored event occurs. The operator is evidently concerned with not interfering with his victims' recreation and entertainment:

“My Botnet only mines if the computer is unused for 2 minutes and if the owner gets back it stops mining immediately, so it doesn't suck your fps at MW3. Also it mines as low priority so movies don't lag. I also set up a very safe threshold, the cards work at around 60% so they don't get overheated and the fans don't spin as crazy.” throwaway236236

The individual miners request work from one of several web servers run by the botnet operators. These web servers host an open-source application called “Bitcoin Mining Proxy”, used to centrally manage the distributed workers and assign pools to the miners. The operator also provided a screenshot of his Bitcoin Mining Proxy control panel.

Following is the list of Bitcoin Mining Proxy servers we identified being used by the botnet:

    95.211.7.6:81
    109.236.80.74:81
    77.235.61.37:81
    74.91.20.82:81
    74.82.212.213:81
    88.191.123.223:81
    178.33.32.238:81

At the time of writing only the first two appear to be active.

Tracking the Botnet

My momma always said, "A botnet is like a box of chocolates. You never know what you're gonna get." throwaway236236

While reverse engineering the malware sample we identified the Tor Hidden Service it connects to in order to receive commands through its IRC Command & Control. At the time of writing the IRC server is still running at uy5t7cus7dptkchs.onion on port 16667. Once connected, the bot joins the channels #5net1 and #allin.
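A monitoring bot sitting in those channels (the approach the Buttinsky post further down this page describes) has to turn the raw channel lines into structured events before it can count attacks or learn the operator's command vocabulary. The following is an added example written for this page, not code from the Skynet analysis or from Buttinsky. It parses irssi-style log lines in the format of the transcripts in this post: operator commands such as `!syn <target> <port> ...`, bot replies of the form `[TAG] text`, and `-!-` server status lines. The positional parameter names for `!slowloris` and `!http.bwrape` come from the bot's own error messages above; the two trailing `!syn` arguments are not documented in the post, so they are kept as raw strings, and `!udp` is assumed to mirror `!syn`. The sample log is constructed, using RFC 5737 test addresses, and includes the kind of typo (`15^`) and an out-of-range port that a monitor should flag rather than count as an attack.

```python
"""Parse irssi-style logs of a Skynet-type IRC C&C channel into structured events.

Added example for this write-up; not code from the Skynet analysis or from the
Buttinsky project. Line format follows the transcripts in the post:
`HH:MM < nick> !command args` for operator commands, `[TAG] text` for bot
replies, `-!-` for server status. SAMPLE_LOG below is constructed.
"""
import re
from collections import Counter

# Constructed sample (RFC 5737 addresses), modelled on the post's log format.
SAMPLE_LOG = """\
02:48 < sudo> !syn 192.0.2.10 111 1 10
02:52 < sudo> !syn 192.0.2.10 111 1 30
03:47 -!- mode/#allin [+o sudo] by sudo
03:48 < sudo> !silence on
05:56 < sudo> !syn 192.0.2.10 111 1 15^
05:57 <[DEU-XP-625287]ANALYST> [SYN] Started flooding 192.0.2.10
05:58 < sudo> !slowloris 192.0.2.20 80 5 60 200
06:10 < sudo> !syn.stop
06:11 < sudo> !syn 192.0.2.10 99999 1 15
"""

# Timestamp is optional so the un-timestamped test transcripts in the post parse too.
LINE_RE = re.compile(r"^(?:(\d{2}:\d{2}) )?<\s*(\S+?)> (.*)$")
REPLY_RE = re.compile(r"^\[([A-Z]+)\] (.*)$")
# Characters a well-formed argument (host, port, URL, number) may contain.
ARG_RE = re.compile(r"[\w.:/?=&%-]+")

# Names for !slowloris / !http.bwrape come from the bot's error messages in the
# post. The post does not document !syn's last two arguments ("arg3", "arg4"),
# and !udp is assumed to take the same shape as !syn.
COMMAND_ARGS = {
    "syn": ["target", "port", "arg3", "arg4"],
    "udp": ["target", "port", "arg3", "arg4"],
    "slowloris": ["dns", "port", "hold_delay", "time", "sockets"],
    "http.bwrape": ["url", "size", "time"],
    "socks": ["state"],
    "silence": ["state"],
}


def parse_port(value):
    """Return an int if `value` is a valid TCP/UDP port, else None."""
    if not value.isdigit():
        return None
    port = int(value)
    return port if 1 <= port <= 65535 else None


def parse_line(line):
    """Classify one log line as 'command', 'reply', 'status' or 'chat'."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return {"kind": "status", "raw": line}  # e.g. "-!- mode/#allin [+o sudo] by sudo"
    time, nick, text = m.groups()
    event = {"kind": "chat", "time": time, "nick": nick, "raw": text}
    if text.startswith("!"):
        parts = text[1:].split()
        if not parts:
            return event
        name, args = parts[0], parts[1:]
        names = COMMAND_ARGS.get(name, [])
        fields = dict(zip(names, args))
        malformed = bool(names) and len(args) != len(names)
        # Stray characters (like the "15^" typo) make an argument unusable to the bots.
        malformed |= any(not ARG_RE.fullmatch(a) for a in args)
        port = parse_port(fields["port"]) if "port" in fields else None
        if "port" in names:
            malformed |= port is None
        event.update(kind="command", command=name, args=args, fields=fields,
                     port=port, malformed=malformed)
    else:
        r = REPLY_RE.match(text)
        if r:
            event.update(kind="reply", tag=r.group(1), message=r.group(2))
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def attack_targets(events):
    """Count well-formed flood commands per (target, port)."""
    hits = Counter()
    for e in events:
        if e["kind"] == "command" and e["command"] in ("syn", "udp", "slowloris") \
                and not e["malformed"]:
            target = e["fields"].get("target") or e["fields"].get("dns")
            hits[(target, e["port"])] += 1
    return hits


def command_dictionary(events):
    """The channel's vocabulary: commands issued and reply tags seen, with counts."""
    return {
        "commands": Counter(e["command"] for e in events if e["kind"] == "command"),
        "reply_tags": Counter(e["tag"] for e in events if e["kind"] == "reply"),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("attacks:", dict(attack_targets(evs)))
    print("malformed:", [e["raw"] for e in evs if e.get("malformed")])
    print("vocabulary:", command_dictionary(evs))
```

Counting only well-formed commands matters when estimating attack activity from a channel log: the repeated `!syn` lines the operator fires over an hour are separate commands, not a single attack, and a typo'd line that the bots will reject should not inflate the count.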
The botnet still appears very active and maintained; even during the few days we monitored it we observed it conducting DDoS attacks. Following are logs showing the botnet operator instructing all the bots to perform a SYN flooding DDoS attack against an IP address (partially censored here) on port 111:

    02:48 < sudo> !syn 31.204.xxx.xxx 111 1 10
    02:52 < sudo> !syn 31.204.xxx.xxx 111 1 30
    03:47 -!- mode/#allin [+o sudo] by sudo
    03:48 -!- sudo changed the topic of #allin to: !silence on
    03:48 < sudo> !silence on
    05:29 < sudo> !syn 31.204.xxx.xxx 111 1 10
    05:56 < sudo> !syn 31.204.xxx.xxx 111 1 15^
    05:56 < sudo> !syn 31.204.xxx.xxx 111 1 15
    05:58 < sudo> !syn 31.204.xxx.xxx 111 1 15
    05:59 < sudo> !syn 31.204.xxx.xxx 111 1 15
    06:00 < sudo> !syn 31.204.xxx.xxx 111 1 15
    06:08 < sudo> !syn 31.204.xxx.xxx 111 1 15
    06:29 < sudo> !syn 31.204.xxx.xxx 111 1 15
    06:56 < sudo> !syn 31.204.xxx.xxx 111 1 15
    06:58 < sudo> !syn 31.204.xxx.xxx 111 1 15
    06:58 < sudo> !syn 31.204.xxx.xxx 111 1 15

The target of the attack was a server located in The Netherlands. We informed and cooperated with the affected organization, which kindly provided us with the list of IP addresses blocked by their firewalls during the attacks. We plotted the geographical location of the attacking hosts on maps; the highest concentration of bots is in central Europe, with high densities in The Netherlands and Germany. We believe the botnet comprises between 12 and 15 thousand compromised computers.

Monetization

“Botnet operation is a mini job, once a day you check for 30 minutes, pay once a month server bills, sell for about an hour information on the market and enhance your code if you feel like it. I was thinking about working for Kaspersky, but these guys want all kinds of phony diplomas and can't even recognize native code (see the duqu 'incident'). The profit? Depends, sometimes 400$ a day, sometimes none, but a steady 40$ a day with bitcoins alone.” throwaway236236

As kindly explained by Mr. Throwaway, monetization comes from both the Bitcoin mining and the credentials harvested by ZeuS. He also explained that he doesn't cash out the stolen accounts himself but sells them on the black market, which is convenient and much less risky.

Conclusions

We encountered this malware entirely by accident and had some good fun reversing and analyzing it. Despite not being particularly sophisticated, it is a nice example of a simple but effective botnet with a large portfolio of capabilities. The most important factor is certainly the adoption of Tor as the main communication channel and the use of Hidden Services to protect the backend infrastructure. While it's surprising that more botnets don't adopt the same design, we can likely expect more to follow in the future. Another surprising factor is that while the Reddit post was widely covered more than 6 months ago, the botnet apparently went unnoticed (at least publicly) until now. It will be interesting to follow its evolution and find out whether there's any realistic way to dismantle it.

The lessons learned are:

- Exploitation is not required to build a decently-sized botnet. Always be careful when using any Internet service, especially file sharing.
- It is possible to build an almost cost-free bulletproof botnet.
- In its democratic nature Tor is a great tool, for legitimate users as well as, unfortunately, for cybercriminals.
- Lesson for botnet operators: as The Grugq says, “keep your mouth shut”. Talking about your business on Reddit is not such a smart idea.

This analysis was conducted by Claudio “nex” Guarnieri and Mark “rep” Schloesser, Security Researchers at Rapid7.

Credits

Thanks to our friend Pallav Khandhar for helping with the analysis of the ZeuS binary.
Thanks to the Shadowserver fellow Dave DeCoster for creating the fancy maps.

Buttinsky: Hello World

Thanks to Rapid7's funding and technical support via the Magnificent 7 program we will be able to work on a framework for botnet command and control monitoring for the next year. The motivation behind this project is that botnet analysis is often neglected due to the lack of proper open source tools. But this is about to change. Both developers have previously built their own very specialized, case-specific solutions, and in this project we are going to combine and build on top of that experience.

Botnet monitoring is the process of actively joining a botnet infrastructure in order to learn about its inner workings for research and analysis purposes. One clear distinction between a real bot and a monitoring bot is that the monitoring bot does not perform any harmful actions when instructed to by the bot herder. If the monitoring bot can collect information, we are able to understand what is going on inside the botnet and also find weaknesses and design flaws in the botnet protocol. This information can then be used for botnet takedown.

In Buttinsky, we will introduce some fresh ideas. One of the more exciting features of this project is the ability to mimic bot behaviour in order to provoke more interaction from the bot herder. A simple example would be collecting instructions and responses from the control channel and generating a dictionary of the communication used by the bot herder. Another interesting feature is support for receiving control channel parameters from malware analysis systems (MAS) such as Cuckoo Sandbox and starting the monitoring tool in an automated fashion. The design will be highly modular, with each layer of the framework stack customizable through plugins. It will be especially interesting to see how the community makes use of the framework for monitoring new botnet C&C protocols, adapting it on the fly to the data collected in a channel, and customizing the behaviour emulation. In the end we want to provide a platform that helps create automated threat assessments of the monitored botnets.

The project is divided into two phases over a one-year period. The main targets for each phase are listed below.

Phase I - First release
- Receive bot parameters from a MAS (malware analysis system) for spawning new botnet monitors.
- Plugins for some well-known IRC, HTTP and P2P botnet protocols.
- Process collected information (e.g., intercepted update files) in a MAS.
- Bot behaviour mimicking using the collected data and machine learning.

Phase II - Final release in M7 program
- Support for distributed botnet monitoring.
- Gathering of auxiliary information to enrich the data collected by the monitors.
- Attach analysis tools to logged botnet data to provide input for automated threat assessment of botnets (e.g., number of attacks, targets and collected botnet metrics).

After each phase we are going to publish our results from some monitored botnets and describe the features in more detail, so stay tuned for updates and releases!

/Buttinskies
