Tag Archives: botnet

Dridex Black Friday

Last October, several law enforcement agencies orchestrated a takedown of the Dridex botnet. However, the threat actors behind the Dridex spam runs seem stronger than ever; the resurrection of Dridex after the announced takedown has been ferocious. During the last Black Friday we observed in our spam traps at least four different phishing campaigns delivering Dridex. Each campaign was carefully crafted to lure users into opening the malicious documents. The creativity of the threat actors is captivating. The picture below illustrates one of these emails, supposedly sent from the well-known car rental company AVIS. The email has a Microsoft Office document attached that contains malicious macros.


Another one was an email supposedly sent by Bruce Sharpe from the industrial pump supplier Aline Pumps in Australia. According to the social network zoominfo, Bruce Sharpe exists and is an account manager in the company. The subject was Tax Invoice and, once again, the email had a Microsoft Office document attached with malicious macros. Another was an email sent by Ivan Jarman from SportSafe UK, a global provider of sports equipment. This time the subject was Invoice and the email again carried a Microsoft Office document with malicious macros. The last one was an email from the company Integrated Petroleum Services. According to the company website one of its key locations is Equatorial Guinea, and the emails supposedly come from there. The subject this time was Transfer and, as before, a Microsoft Office document with malicious macros was attached. As a bonus, the footer claims the email has been scanned by the AVAST antivirus. All documents use the same technique: entice the user to enable macros in order to view the document contents.


Across all the campaigns the technique is the same. All the Microsoft Office documents contain embedded macros that download a malicious executable from one of many hard-coded URLs. The sites behind these hard-coded URLs are normally collateral victims of the operation. The encoding and obfuscation techniques used in the macros are constantly changing in order to bypass security controls.

Normally these URLs are hosted on legitimate sites that have been compromised to host the malicious file. When the macro is executed it fetches a second-stage payload from the compromised server. This payload is then saved to C:\Users\%%username\AppData\Local\Temp and executed.

After the machine gets infected, Dridex starts beaconing out to the C2 addresses. Dridex uses HTTP to encapsulate the traffic and encrypts the payload. Below is an example of how the first HTTP POST request made by the infected machine looks on the network: a POST to the root folder with a body full of gibberish.
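One way a defender can turn that observation into a check, as an added example that is not part of the original post: scan web proxy records for POST requests to "/" whose body looks encrypted (long and high-entropy) rather than like a readable form submission. The log format and the addresses are constructed for this example, and the 4.0 bits/char threshold is an assumption to tune against your own traffic.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed proxy log excerpt (made up for this example, not from the original post).
# Format: METHOD URL STATUS body=<request body>
PROXY_LOG = """\
POST http://198.51.100.23/ 200 body=oQm3v1dB7kZp2xNwTt9LhR8sYfUc4eGjXaMn6WqKbD0rHvJi
GET http://www.example.com/index.html 200 body=
POST http://www.example.com/login 302 body=username=alice&password=hunter2
POST http://203.0.113.9/ 200 body=Pf7Vq2sKx9LnB4tZcD8hWmR1gYoE3uJa6TiN0rSvHb5kCxQe
POST http://www.example.com/ 200 body=q=search
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) body=(?P<body>.*)$")

def shannon_entropy(data: str) -> float:
    """Average bits per character; encrypted or random-looking data scores high."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_line(line: str):
    """Return (method, host, path, body) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m.group("url"))
    return m.group("method"), url.netloc, url.path or "/", m.group("body")

def find_beacons(log: str, min_body: int = 32, min_entropy: float = 4.0):
    """Flag POSTs to the site root whose body is long and high-entropy.

    The post describes the first Dridex check-in as a POST to "/" with an
    encrypted (gibberish) body; a normal form POST has a readable key=value body.
    Thresholds are assumptions for this example, not values from the post.
    """
    hits = []
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        method, host, path, body = parsed
        if method != "POST" or path != "/":
            continue
        if len(body) >= min_body and shannon_entropy(body) >= min_entropy:
            hits.append(host)
    return hits

if __name__ == "__main__":
    for host in find_beacons(PROXY_LOG):
        print("possible encrypted beacon to", host)
```

The short "q=search" POST to a site root is deliberately left unflagged, which is why the body-length floor matters as much as the entropy score.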


From this moment onward the malware is capable of stealing all kinds of credentials from the victim's computer. It can also redirect the victim's traffic to sites controlled by the threat actors using man-in-the-browser functionality, which allows interception and manipulation of traffic that is supposed to be delivered to legitimate sites. Dridex also has remote access functionality that allows the threat actor to connect to websites through the victim's computer.

Phishing campaigns that distribute commodity malware are a common and ongoing problem for end users and corporations. E-mail continues to be the weapon of choice for mass delivery of malware. The tools and techniques used by attackers continue to evolve and to bypass the security controls in place. From a defense perspective, US-CERT has put together excellent tips for detecting and preventing this type of malware and for avoiding scams and phishing attempts, applicable to both home users and corporations.


Step-by-Step Bot Infection Process Exploiting Bad Passwords

There are two main motives behind the usage of botnets that cause them to emerge and evolve. On one hand, there is the motivation to pursue political ends using bots, for example to launch DDoS attacks; this is known as hacktivism. On the other hand, there is an economic incentive to use and exploit bots for spam, phishing, DoS extortion and other attacks. These two avenues make a strong incentive for the bad guys. Traditionally the attacker's motivation was self-fulfillment, fun and proof of skills. However, the motivation is shifting toward business models that involve building, exploiting and maintaining botnets. In addition to the motivation, the methods used are also progressing. The distribution of the tools that allow infection, propagation, management and exploitation of the bots has been industrialized on IRC networks, and the bot infection process has become more automated [1][2].

So, if the attackers have the motivation, which methods are they using? How do attackers infect new bots/zombies? Which tools are they leveraging?

One of the methods used in the bot infection process is exploiting bad passwords. While operating a medium-interaction honeypot, daily brute-force attempts against SSH have been observed.

The following diagram illustrates the step-by-step infection process of new bots exploiting bad SSH passwords. The process is explained in the enumerated list below.

Bot Infection Process

  1. The attacker attempts to infect the victim machines with bots through SSH brute force. It starts by scanning entire class A (126 networks with 16,277,214 possible hosts each) or class B (16,384 networks with 65,534 possible hosts each) ranges. The tool used relies on TCP SYN scanning in parallel to achieve higher scanning speeds. The parallel scan technique is similar to the one described by Niels Provos and Peter Honeyman in their paper ScanSSH – Scanning the Internet for SSH Servers, published in October 2001 [3]. The TCP SYN scan technique is also known as "half-open" scanning because it doesn't complete the TCP 3-way handshake [4]. The most observed and downloaded tool on the honeypot used to accomplish this is called ss and is a variant of Fast Syn Scan produced by Dr.Bios [5]. It is a fast scanner and is able to scan an entire class B network in less than 30 s. This means it is able to send more than 2166 TCP SYN packets per second on an Intel Core Duo @ 2.20 GHz with 4 GB of RAM running 32-bit Debian 5.
     To further illustrate the speed, with this tool one can scan the entire IP ranges assigned to a small country like Portugal in 43.5 minutes [6]. The tool is written in C and uses libnet and libpcap. The binary is a statically linked, stripped ELF of 552 KB. It needs UID 0 to be executed. The tool detects whether a system has TCP port 22 (SSH) open by processing the TCP SYN-ACK packets returned by the scanned systems.
  2. In the next stage, the attacker launches a tool called ssh-scan. The tool is supplemented with different dictionary password files; one of the captured archives contains 6 dictionary files with a total of 232k entries. This tool is a statically linked, stripped ELF binary of 823 KB. When executed it starts by reading the contents of a text file (mfu.txt). This text file contains the IP addresses that were identified by the ss scanner as having TCP port 22 open. Then it reads the contents of a dictionary password file (pass_file) containing combinations of usernames and passwords (the different dictionaries are fed to the tool by simple bash scripts which copy and rename the files). If any of the brute-force login attempts is successful, the IP address, username and password are written to a text file (vuln.txt).
  3. With the obtained credentials, the attacker logs into the system. He typically starts by running Linux commands to check which users are connected, what the operating system is and what the hardware capabilities of the machine are. Then he downloads the necessary tools to continue his operation. In case the credentials obtained are not UID 0, the attacker typically downloads an exploit that will allow him to escalate his privileges. The majority of the tools downloaded have a .jpg extension. They are generally hosted on suspicious TLDs like .tk or .su. The .su TLD stands for the Soviet Union; Roman Hüssy describes how cyber criminals are moving from .ru to .su domains [7]. The commonly downloaded tools are tar archives with the extension renamed. Among others, the archives contained the tools ss and ssh-scan plus variants of bash scripts that automate the scanning and brute-force process. Different ASCII art alluding to the authors is also present. Other downloaded archives may contain Perl bots.
  4. In this step the Perl bot is executed and attempts to connect to an IRC server using a randomly generated nickname, normally starting with a common identifier. Once the bot is connected to the IRC server, it joins the attacker's channel and waits for instructions.
  5. The infected system, now under the control of the attacker, will go on to compromise more SSH systems using the same technique described in step 1, in an automated fashion.
  6. After successfully identifying additional systems with TCP port 22 open, it executes the same steps as described in step 2. This step is typically automated.
  7. This step was observed in some attacker sessions where the attacker downloaded an IRC proxy such as Energy Mech or EggDrop in order to connect to an IRC network. This allows him to conceal his identity and add additional layers of anonymity.
  8. With this IRC proxy, the attacker can then connect to the channel where the zombies are waiting for instructions. The settings of the IRC proxy use properties such as the system and nick name, which are also hardcoded in the Perl bot script. This way the zombies will only accept instructions from a bot-herder that matches these properties.
  9. This step illustrates that the attackers start the process all over again in their attempt to compromise more systems and recruit more bots.
  10. Finally, the last step is where the attacker leverages the power of having these zombie systems waiting for his instructions. A variety of activities can be executed using a bot or botnet: denial-of-service attacks, spamming, anonymization proxies, keylogging, identity theft, click fraud, etc. [8][9]. During the observed time on the IRC channels, denial-of-service attacks were the most popular.
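From the defender's side, steps 2 and 3 leave a very recognisable trace in sshd logs: a burst of failed logins for many usernames from one source, followed by an accepted password login from that same source. The following is an added example, not from the original post or the honeypot data it describes, that parses constructed auth.log lines and reports both patterns; the threshold of three failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed sshd auth.log excerpt (made up for this example, not honeypot data from the post).
AUTH_LOG = """\
Nov 27 03:14:01 host sshd[4021]: Failed password for invalid user admin from 192.0.2.77 port 51012 ssh2
Nov 27 03:14:03 host sshd[4023]: Failed password for invalid user test from 192.0.2.77 port 51020 ssh2
Nov 27 03:14:05 host sshd[4025]: Failed password for root from 192.0.2.77 port 51031 ssh2
Nov 27 03:14:07 host sshd[4027]: Failed password for invalid user oracle from 192.0.2.77 port 51044 ssh2
Nov 27 03:14:09 host sshd[4029]: Accepted password for root from 192.0.2.77 port 51050 ssh2
Nov 27 08:02:11 host sshd[5102]: Failed password for alice from 198.51.100.5 port 40112 ssh2
Nov 27 08:02:20 host sshd[5104]: Accepted publickey for alice from 198.51.100.5 port 40115 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted password for X from IP".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_auth(log):
    """Yield (result, method, user, ip) for every sshd authentication line."""
    for line in log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def brute_force_report(log, threshold=3):
    """Return (noisy, hits): noisy maps a source IP to (failure count, usernames tried)
    once failures reach the threshold; hits maps a source IP to the account whose
    password was accepted after that many failures, i.e. a dictionary attack that
    found a weak password. A single typo followed by a key login is not flagged."""
    fails = defaultdict(int)
    users = defaultdict(set)
    hits = {}
    for result, method, user, ip in parse_auth(log):
        if result == "Failed":
            fails[ip] += 1
            users[ip].add(user)
        elif method == "password" and fails[ip] >= threshold and ip not in hits:
            hits[ip] = user
    noisy = {ip: (n, sorted(users[ip])) for ip, n in fails.items() if n >= threshold}
    return noisy, hits

if __name__ == "__main__":
    noisy, hits = brute_force_report(AUTH_LOG)
    for ip, (n, names) in noisy.items():
        print(f"{ip}: {n} failures, usernames tried: {', '.join(names)}")
    for ip, user in hits.items():
        print(f"{ip}: password for '{user}' accepted after brute force; treat host as compromised")
```

A hit in the second dictionary is the point at which step 3 of the process above begins, so it is the event worth alerting on rather than the failures alone.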

References and further reading:

[1] Evan Cooke, Farnam Jahanian, Danny McPherson, The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets
[2] Zhen Li, Qi Liao, Aaron Striegel, Botnet Economics: Uncertainty Matters
[3] Niels Provos, Peter Honeyman, ScanSSH – Scanning the Internet for SSH Servers
[4] http://nmap.org/nmap_doc.html#sy
[5] http://www.securiteam.com/tools/5EP0B0ADFO.html
[6] http://www.nirsoft.net/countryip/pt.csv
[7] http://www.abuse.ch/?p=3581
[8] http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/
[9] http://honeynet.org/node/52


Countermeasures against Botnets – Legal aspects

The NATO Cooperative Cyber Defence Centre of Excellence, based in Tallinn, Estonia, has just released a study about the legal implications of passive and active countermeasures against botnets. The investigation was carried out in collaboration with the European Network and Information Security Agency (ENISA). It covers the legal aspects of fighting botnets under German and Estonian law. The study was written by two legal experts, one attorney, two scientists and a post-graduate civil service trainee. It is very well written and uses interdisciplinary language, which makes it accessible to people who aren't specialists in information technology or law.

It covers a variety of interesting topics. For example, assume a system is compromised by a botnet. One of the steps of the incident handling process might be to capture and inspect traffic in order to detect and analyze the botnet communication. From a legal perspective, however, the study raises a variety of concerns about this: personal data protection, unauthorized surveillance and confidentiality of communications. Such monitoring might be perceived as a breach of criminal law. Even if some of these laws were not written with cyberspace in mind, they can still apply.

Another topic with very particular characteristics and legal concerns is running a honeypot to collect, store and process data in order to learn about botnets. What are the legal concerns about sharing the data gained from running the honeypot? How challenging can it be for a private researcher to prove that the data he is collecting serves scientific interests? These and other legal concerns are discussed in the study.

What about the takeover of botnets, which assumes you have successfully infiltrated the C&C server? Even if the botnet is taken over with the intent to eliminate and prevent crime rather than to commit one, it still has implications under criminal law. Given the uncertainty about which jurisdiction applies in such situations, there is a risk of making oneself susceptible to prosecution. Other topics include: Takedown of Command and Control Servers, Automated Immunization or Disinfection, Botnet Mitigation Techniques under Exceptional Circumstances, Duty to Act against Botnet Attacks and Liability of Owners of Infected Hosts.

Apart from that, throughout the study there are excellent references that provide supporting and corroborating evidence for its assertions. Definitely a must-read for security professionals involved in incident handling and others.
