Honeypot Captures Bad Villain!

In my previous article, Deception Techniques, I introduced the concept of Honeypots and showed how you can easily run a medium-interaction Honeypot called Kippo. That article highlighted the advantages of running one of these systems: for instance, it can be used to gather intelligence through the knowledge and information one obtains by observing, analyzing and investigating it. To illustrate the intel you can gain, the following facts were captured from a Kippo Honeypot during its first 20 days:

  • 13348 Total break in attempts
  • 667.4 Average break in attempts per day
  • 13290 Unsuccessful break in attempts
  • 2968 Unique account names
  • 8060 Unique passwords
  • 58 Successful break in
  • 71 Unique IPs were used on the 13290 unsuccessful attempts
  • 44 Unique IPs were used on the 58 successful logins
  • 12 Unique IPs logged in and entered commands.
    • Of these, 8 were from Romania, 2 from Italy, 1 from the US and 1 from Germany.
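As an added example (not code from the original post or from the Kippo project), the following Python derives the statistics above straight from Kippo's text log rather than from MySQL; the exact `login attempt [user/pass] succeeded|failed` line format is an assumption about Kippo's logging and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of Kippo's text log (assumption about the exact
# format; real data lives in kippo.log or in the MySQL tables the post queries).
SAMPLE_LOG = """\
2012-09-01 10:01:02+0000 [SSHService ssh-userauth on HoneyPotTransport,1,10.0.0.5] login attempt [root/123456] failed
2012-09-01 10:01:05+0000 [SSHService ssh-userauth on HoneyPotTransport,1,10.0.0.5] login attempt [root/password] failed
2012-09-01 10:01:09+0000 [SSHService ssh-userauth on HoneyPotTransport,1,10.0.0.5] login attempt [root/123456] succeeded
2012-09-02 03:11:40+0000 [SSHService ssh-userauth on HoneyPotTransport,2,10.0.0.9] login attempt [admin/admin] failed
2012-09-02 03:11:44+0000 [SSHService ssh-userauth on HoneyPotTransport,2,10.0.0.9] login attempt [oracle/oracle] failed
2012-09-03 22:45:00+0000 [SSHService ssh-userauth on HoneyPotTransport,3,10.0.0.7] login attempt [root/toor] succeeded
"""

LOGIN_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)$"
)

def summarize(log_text):
    """Return the break-in statistics the post lists, computed from raw log lines."""
    attempts = [m.groupdict() for m in map(LOGIN_RE.match, log_text.splitlines()) if m]
    days = {a["day"] for a in attempts}
    failed = [a for a in attempts if a["result"] == "failed"]
    succeeded = [a for a in attempts if a["result"] == "succeeded"]
    return {
        "total_attempts": len(attempts),
        "avg_per_day": round(len(attempts) / len(days), 1) if days else 0.0,
        "unsuccessful": len(failed),
        "successful": len(succeeded),
        "unique_accounts": len({a["user"] for a in attempts}),
        "unique_passwords": len({a["pw"] for a in attempts}),
        "ips_failed": len({a["ip"] for a in failed}),
        "ips_succeeded": len({a["ip"] for a in succeeded}),
        # credential pairs that actually worked: useful input for your own password policy
        "working_credentials": Counter((a["user"], a["pw"]) for a in succeeded),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```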

These and other interesting statistics can be visualized with the Kippo-Graph plugin. Alternatively, you can query the MySQL database directly and produce a table such as the following, which shows the 12 Bad Villains that successfully logged in and entered commands:

IP                Country   AS        SSH Client
95.xxx.xxx.xxx    Italy     AS3269    SSH-2.0-PuTTY_Release_0.62
176.xxx.xxx.xxx   Romania   AS6910    SSH-2.0-PuTTY_Release_0.62
95.xxx.xxx.xxx    Italy     AS3269    SSH-2.0-PuTTY_Release_0.62
89.xxx.xxx.xxx    Romania   AS44203   SSH-2.0-PuTTY_Release_0.62
94.xxx.xxx.xxx    Romania   AS48161   SSH-2.0-PuTTY_Release_0.62
79.xxx.xxx.xxx    Romania   AS8708    SSH-2.0-PuTTY_Release_0.62
109.xxx.xxx.xxx   Romania   AS8953    SSH-2.0-PuTTY_Release_0.62
79.xxx.xxx.xxx    Romania   AS8708    SSH-2.0-PuTTY_Snapshot_2010_04_07:r8911
188.xxx.xxx.xxx   Romania   AS8708    SSH-2.0-PuTTY_Release_0.62
38.xxx.xxx.xxx    US                  SSH-2.0-PuTTY_Release_0.60
85.xxx.xxx.xxx    Romania   AS57568   SSH-2.0-OpenSSH_5.1p1
81.xxx.xxx.xxx    Germany   AS24961   SSH-2.0-OpenSSH_5.1p1

Beyond statistics, Kippo is designed to log the entire shell interaction performed by the attacker, plus an archive of any tool they downloaded. From what was observed, after a successful login the attackers normally follow the same high-level steps:

  • Scan other systems to identify open SSH ports.
  • Gain access through SSH brute force.
  • Maintain access by installing rootkits and/or joining the system to an IRC channel.
  • Cover tracks.

Looking deeper into the majority of the attacker sessions, the following actions were executed:

  1. Check the speed of the internet connection by downloading a big file
  2. Check the system Operating System and hardware capabilities
  3. Download the necessary tools to:
    1. Perform automated recon and scanning, and gain access to other SSH systems via brute force (e.g. gosh);
    2. Join the system to an IRC network so that it becomes part of a larger bot army and waits for the attacker's commands (e.g. legendbot);
    3. Install an IRC proxy/bouncer to further hide the attacker's identity and conceal their IP address when connecting to the IRC network and issuing command and control commands (e.g. Eggdrop, Emech, Psybnc).
  4. Maintain access (e.g. Linux user-mode rootkits like shv5)
  5. Cover tracks

It is my intention to illustrate these steps and the tools and commands used in further posts. Nevertheless, the following example illustrates the commands issued by one of the attackers in order to cover his tracks:

#unset ; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog ; touch /var/run/utmp /var/log/wtmp /var/log/lastlog /var/log/messages /var/log/secure /var/log/xferlog /var/log/maillog ; unset HISTFILE ; unset HISTSAVE ; unset HISTLOG ; history -n ; unset WATCH ; export HISTFILE=/dev/null ; export HISTFILE=/dev/null
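From the defender's side, a captured command line like the one above can be turned into detection logic over Kippo's shell-interaction log, flagging sessions that wipe and recreate log files or disable shell history. The following Python is an added example (not the post's or Kippo's own code); the `CMD:` log line format is an assumption about Kippo's logging and the sample lines are constructed.

```python
import re
import shlex

# Constructed sample of Kippo shell-interaction log lines (the "CMD:" prefix is an
# assumption about Kippo's text log; adapt CMD_RE to the format of your own logs).
SAMPLE_CMDS = """\
2012-09-01 10:02:00+0000 [HoneyPotProtocol,1,10.0.0.5] CMD: uname -a
2012-09-01 10:02:30+0000 [HoneyPotProtocol,1,10.0.0.5] CMD: unset ; rm -rf /var/run/utmp /var/log/wtmp /var/log/lastlog ; touch /var/run/utmp /var/log/wtmp /var/log/lastlog ; unset HISTFILE ; export HISTFILE=/dev/null
2012-09-03 22:46:10+0000 [HoneyPotProtocol,3,10.0.0.7] CMD: cat /proc/cpuinfo
"""

CMD_RE = re.compile(r"^\S+ \S+ \[HoneyPotProtocol,\d+,(?P<ip>[\d.]+)\] CMD: (?P<cmd>.*)$")

# Anti-forensic indicators taken from the captured cover-tracks command.
LOG_PATHS = ("/var/run/utmp", "/var/log/wtmp", "/var/log/lastlog", "/var/log/messages",
             "/var/log/secure", "/var/log/xferlog", "/var/log/maillog")
HIST_VARS = ("HISTFILE", "HISTSAVE", "HISTLOG", "HISTSIZE")

def classify(cmd):
    """Return the set of anti-forensic indicators found in one shell command line."""
    hits = set()
    # split the compound line on ';', '&&' and '||' so each simple command is judged alone
    for simple in re.split(r"\s*(?:;|&&|\|\|)\s*", cmd):
        try:
            argv = shlex.split(simple)
        except ValueError:          # unbalanced quotes: fall back to a naive split
            argv = simple.split()
        if not argv:
            continue
        if argv[0] in ("rm", "truncate", "shred", ">") and any(a in LOG_PATHS for a in argv[1:]):
            hits.add("log_removal")
        if argv[0] == "touch" and any(a in LOG_PATHS for a in argv[1:]):
            hits.add("log_recreation")   # empty file put back so the directory looks normal
        if argv[0] in ("unset", "export") and any(a.split("=")[0] in HIST_VARS for a in argv[1:]):
            hits.add("history_disabled")
        if (argv[0] == "history" and "-c" in argv[1:]) or "HISTFILE=/dev/null" in argv:
            hits.add("history_disabled")
    return hits

def flag_sessions(log_text):
    """Map attacker IP -> indicators, for every CMD line that carries any."""
    flagged = {}
    for line in log_text.splitlines():
        m = CMD_RE.match(line)
        if m and (hits := classify(m["cmd"])):
            flagged.setdefault(m["ip"], set()).update(hits)
    return flagged
```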

One interesting finding was an attacker who downloaded a bot script written in Perl. The script is called Legend Bot and consists of 1032 lines of Perl code. It implements a limited set of features: DDoS attacks (UDP floods, SQL floods), execution of Linux system commands, a vulnerability scanner and a SOCKS proxy. Once executed, it establishes a connection to a standard IRC network service port, joins the configured attacker's IRC channel and waits for the attacker's commands. In this case the IRC channel was hosted at Undernet. For those who don't know, the IRC network Undernet provides a free-of-charge communication infrastructure which can be misused by attackers to maintain, expand, manage and control their bot army [1].


IRC Bot Command and Control

The following picture (nicknames removed) illustrates the interaction between a botherder (bad villain) issuing command and control commands to two compromised systems, a.k.a. zombies. This interaction happened on a channel where the chat logs were in Romanian. The first command executed (!legend @system) is used to check the operating system version (uname -a), the system uptime, the name of the process under which the bot is running (init[3]) and the user id. Second, he checks which vulnerabilities could potentially be used for local privilege escalation. Third, he removes the logs in order to cover his tracks.

After some time he finally launches a UDP flood DoS attack against a particular system. Interestingly, with only 2 systems the attacker can easily launch a two-digit Megabit DoS attack. This is not shown in the picture, but I pasted the IRC chat logs here (IPs removed):

<Botherder> !legend @udp 173.xxx.xxx.xxx 65000 300 22
<Bot1> .:UDP2:. UDP2 Attacking 173.xxx.xxx.xxx:22 with 65000 KB(s) for 300 seconds.
<Bot1> .:UDP2:. UDP2 Attacking 173.xxx.xxx.xxx:22 with 65000 KB(s) for 300 seconds.
<Bot1> .:UDP2:. UDP2 Sent 1275439 Kb in 300 seconds to 173.xxx.xxx.xxx.
<Bot2> .:UDP2:. UDP2 Sent 10581733 Kb in 300 seconds to 173.xxx.xxx.xxx.

Among others, the value of these compromised systems lies in their capability to be used as vulnerability scanners, anonymity proxies and/or as part of Denial of Service attacks. To further understand the motives and monetary value behind having compromised systems you can read this article from Krebs on Security, or read the book Inside the Spam Cartel by Spammer-X.

Learning the techniques of the attackers can be very useful in order to better understand their motives and methods. It will also allow you to sharpen your intrusion detection, incident handling and forensic skills.


[1] Analysis of Internet Relay Chat Usage by DDoS Zombies, Stéphane Racine, 2004


One thought on “Honeypot Captures Bad Villain!”

  1. Ion says:

    Hello Luis. Nice articles (both of them). Thanks for mentioning Kippo-Graph. Let me take this opportunity to let you know that yesterday I released HoneyDrive, a Linux distro with honeypot software and all the related utilities pre-configured to work out of the box. Info: http://bruteforce.gr/honeydrive-desktop-released.html I’d be happy if you could review it and share it. Let me know. Regards, Ion.

