Count Upon Security

There are two main motives involving the usage of botnets causing them to emerge and evolve. On one hand, there is the motivation to pursuit political ends using bots for example to initiate DDoS attacks. This is known as hackitivism. On the other hand, there is an economical incentive to use and exploit bots for spam, phishing, DoS extortion and other attacks. These two avenues make a strong incentive for the bad guys. Traditionally the attacker’s motivation was self-fulfillment, fun and proof of skills. However, the motivation is leading into business models that involve building, exploiting and maintaining botnets. In addition to the motivation, the methods used are also progressing. The distributions of the tools that allow infection, propagation, management and exploitation of the bots have been industrialized on IRC networks. The bot infection process has become more automated [1][2].

So, if the attackers have the motivation. Which methods are they using? How do attackers infect new bots/Zombies? Which tools are they leveraging?

One of the methods used in the bot infection process is exploiting bad passwords. During the course action of using a medium interaction honeypot, it has been observed daily brute force attempts against SSH.

The following diagram illustrates the step-by-step infection process of new bots exploiting bad ssh passwords. This process is explained in the enumerated list below.

Bot Infection Process

1. The attacker attempts to infect the victim machines with bots trough SSH brute force. It starts by scanning entire class A (126 nets with 126 16,277,214 possible hosts) or B (16,384 nets with 65,534 possible hosts) networks. The tool used uses TCP Syn scanning techniques in a parallel execution to achieve higher scanning speeds. The parallel scan technique is similar to the one described by Niels Provos and Peter Honeyman on their document ScanSSH – Scanning Internet for SSH Servers published in October 2001[3]. The TCP Syn scan technique is also known as “half-open” scanning because it doesn’t establish the TCP 3-way handshake [4].The most observed and downloaded tool on the honeypot used to accomplish this is called ss and is a variant of Fast Syn Scan produced by Dr.Bios [5]. Is a fast scanner and is able to scan an entire class B network in less than 30s. This means is able to send more than 2166 TCP Syn packets per second on a Intel Core Duo @ 2.20Ghz with 4Gb running Debian 5 32bit.
   To further illustrate the speed, with this tool one can scan the entire IP ranges assigned to a small country, like Portugal, in 43,5m [6]. The tool is written in C, uses libnet and libcap. The binary is a statically linked, stripped in ELF format with 552k . It needs UID 0 to be executed. The tool detects if a system has the TCP port 22 (SSH) open by processing the TCP Syn Ack packets from the scanned systems.
2. In the next stage, the attacker launches a tool called ssh-scan. The tool is supplemented with different dictionary password files. One of the captured files contains 6 dictionaries files with a total of 232k entries. This tool is a statically linked, stripped ELF binary with 823k. When executed starts by reading the contents of a text file (mfu.txt). This text file contains the IP addresses that were identified by the ss scanner as having TCP port 22 open. Then it reads the contents of a dictionary password file (pass_file) containing combinations of username and passwords (the different dictionaries are directed to the tool using simple bash scripts which copies and renames the files). If any of the brute force login attempts is successful the IP address, username and password is written on text file (vuln.txt).
3. With the obtained credentials, the attacker logins into the system. He typically starts by running linux commands to check who are the users connected, what the operating system is and what the hardware capabilities of the machine are. Then he downloads the necessary tools to continue his operation. In case the credentials obtained are not UID 0, the attacker typically downloads an exploit that will allow him to escalation his privileges. The majority of the tools downloaded have a .jpg extension. They are generally hosted on suspicious TLD domains like .tk or .su. The .su stands for the Soviet Union Top Level Domain, Roman Hüssy describes that cyber criminals are moving to .su from .ru TLD domains [7]. The common downloaded tools are tar archive files with extension renamed. Among others, the archives contained the tools ss and ssh-scan plus variants of bash scripts that automate the scanning and brute force process. Different ASCII art which allude to the authors is also present. Other downloaded archives may contain Perl bots.
4. This step is where the Perl bot is executed and it attempts to connect to an IRC server using a randomly generated nickname normally starting by some common identifier. Once the bot is connected to the IRC server, it joins the attacker’s channel and waits for instructions.
5. The infected system, now in control of the attacker, will continue to potentially compromise more SSH systems using the same technique described in step 1 in an automated fashion.
6. After successful identified additional systems having port TCP 22 open it executes the same steps as described in point 2. This step is typically automated.
7. This step was observed by some attacker sessions where the attacker downloaded an IRC proxy such as Energy Mech or EggDrop in order to connect to an IRC Network. This will allow him to conceal his identify and add additional layers of anonymity.
8. With this IRC proxy, the attacker can then connect to channel where the Zombies are waiting for instructions. The settings of the IRC proxy are using properties such as the system and nick name which are also hardcode on the Perl bot script. With this the Zombies will only accept instructions for a bot-herder that meets this properties.
9. This step was created to illustrate that the attackers will start the process all over again in their attempt to pursue more compromised systems and recruit more bots.
10. Finally, the last step is where the attacker leverages the power of having these Zombie systems waiting for his instructions. A variety of activities can be executed and leveraged using a bot or botnets. Denial-of-service attacks, spamming, anonymization proxy, keylogging, identity theft, click fraud, etc [8][9]. During the observed time on the IRC channels the Denial-of-service attacks were the most popular.

References and further reading:

[1] Evan Cooke,Farnam Jahanian,Danny McPherson , The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets
[2] Zhen Li, Qi Liao, Aaron Striegel , Botnet Economics : Uncertainty Matters
[3] Niels Provos, Peter Honeyman, ScanSSH – Scanning the Internet for SSH Servers
[4] http://nmap.org/nmap_doc.html#sy
[5] http://www.securiteam.com/tools/5EP0B0ADFO.html
[6] http://www.nirsoft.net/countryip/pt.csv
[7] http://www.abuse.ch/?p=3581
[8] http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
[9] http://honeynet.org/node/52