Botnets, Threat Actors and Honeypots

By /

Botnet is a term derived from the words “robot” and “network”. It can be defined as the network (s) controlled (by a person or a group) of devices that have been (albeit partially) compromised by malware. Generally, malware does not cause any indication that shows devices have been compromised. Thus, users do not get suspicious and continue to use the devices as they are. Many botnet malware takes various actions to spread itself on the infected network.

Why?

Let’s consider a scenario where an intruder starts attacking our systems; as long as it can be detected it will be quite simple to prevent it. Also detecting one malicious activity besides a few regular user connections will be quite easy. If we think of a group of threat actors attacking our systems besides thousands of regular users connections, it can get a little tricky but possible to prevent (mostly). But how can we prevent an attack that starts at the same time and comes from hundreds of thousands of different sources? Is it possible to detect the differences between the connection an attacker is trying to establish and the connection an innocent user is trying to establish? If possible, it will be necessary to allocate a resource to distinguish it. What if everything doesn’t go as planned? This is exactly what attackers are aiming at, making everything we prepare to protect our systems, useless.

The goal is not always to launch a distributed attack against a target with the help of a botnet. For example:

  1. The processing capabilities of captured devices can be used to benefit. Mining with coin systems based on blockchain technology, trying to break the encryption algorithms or captured hashes of important systems and similar scenarios may require solving mathematical operations that require a high degree of computing power. Attackers can use the devices captured for their own purposes by overloading them.
  2. Compromised devices can be used to benefit some illegal activities. The compromised device can be used as a host for illegal sites to be used as a DNS or web server. If there is a web service that is already running and frequently visited on the compromised server, the source codes of the website may be changed and some actions or advertisements may be shown to users who use the website to benefit.
  3. Sensitive information on compromised devices can be used to blackmail and take advantage of device owners. Credit cards, identity cards, passports, saved passwords and all other kinds of sensitive pieces of information are valuable and can benefit attackers.
  4. E-mail accounts and other services (social media accounts, etc.) that offer the opportunity to reach other users via messaging with a verifiable profile are also involved in social engineering attacks, sharing disturbing content, spreading ‘fake news’ content, etc. It can be used by attackers to benefit scenarios.
  5. Before a breach can be prevented by IPS, it must first get detected. Scans that are too slow and configured properly from an IP address may not be detected but, it may take months to complete. A botnet of thousands of devices can perform scans in a much shorter time without being noticed with parallel connections. (The SOC team may not always be careful.)
  6. Captured smartphones can be used to transfer money to ‘premium’ services via SMS.
  7. Storing some data on compromised devices in an encrypted and distributed structure is another way attackers can take advantage of it.

It is difficult to say how a botnet starts to spread and what exactly is its purpose. But, it may be useful to examine botnets detected so far.

Zeus

First detected: 2006

Zeus, also known as Zbot, is a malware that runs on versions of Microsoft Windows.

It is mainly transmitted through social engineering (phishing) attacks and downloads without the user’s knowledge.

Saving keys pressed on the keyboard and organizing MITB (man-in-the-browser) attacks on forms sent over browsers are the identified goals of the software.

It was difficult to detect because it used special obfuscation techniques. It has been determined that 77% of the Zeus infected devices use up-to-date anti-virus software, but the malware continues to work unnoticed. In 2009, it was determined that it compromised 74,000 FTP accounts belonging to important institutions such as Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon and BusinessWeek. As far as it is known, it has affected 13 million devices around the world. The group behind Botnet is estimated to have made a total of $ 70 million in earnings.

With the forensic operations that gained speed in 2010, many steps were taken to slow down, stop and catch the people behind Zeus malware and its derivatives in the process until 2013, however, none of the steps gave definite results to stop the software completely.

Mariposa

First detected: 2008

The Mariposa botnet was spread through malware called “Butterfly bot” which is targeting versions of Microsoft Windows. Afterwards, it was determined that it could include any operating system into the botnet.

It is known for using captured devices for crimes such as DDOS attacks and fraud.

As far as it is known, it has affected more than 12 million devices around the world.

On June 5, 2019, United States law enforcement filed a new lawsuit against the group behind the Mariposa malware.

Judicial investigations are still ongoing.

Methbot

First detected: 2015

The botnet, which continues to spread increasingly especially in 2016, is controlled by a single group based in Russia through data centers in America and the Netherlands.

The botnet, which has 570,000 devices detected, targets ‘premium’ video display (advertising) systems. Its daily income is between 3 and 5 million dollars.

Judicial investigations are still ongoing.

Mirai

First detected: 2016

It mainly targets IOT devices (eg home modems, IP cameras, network routers) connected to the network. The biggest attack vector of the botnet is attacking devices that have default usernames and passwords and can access the Internet. It has also been found to try to spread by exploiting zero-day vulnerabilities.

Its main purpose is to carry out DDOS attacks. The fact that it performs a DDOS attack by generating 1.1 terabytes of traffic with approximately 500,000 devices recorded reveals how dangerous it is.

Dangers?

When we compare the blue team and the attackers in the fight against botnets, we see that the attackers almost always have an advantage. For example:

  • The attacker may not be traced, but the targeted organization’s DNS records are specific and fixed.
  • The attacker can fail more than once, for the blue team failing once can mean too late for everything.
  • The attacker may have millions of bots, while the blue team has a limited budget.
  • Multiple targets can be attacked with a single botnet, and each target must create its own blue team and take specific precautions against the botnet.

In terms of end-users:

  • There is not much they can do anymore even if they realize that they are part of the botnet.
  • Teams working in forensic informatics may only consider reaching the innocent end-user as a result.
  • If end-users are involved in forensic cases, their credibility will often depend on chance and those cases can affect the criminal records of end-users.
  • The rate of catching botnet software by antiviruses is 30%.

Honeypot

Honeypots are traps to collect information about attackers or users who have unauthorized access to the information systems. From 4 July 2019 and 10 July 2019, I had an active honeypot to research malware and botnet activity on the Internet. I would like to share some of my notes on my observations of telnet, ssh and HTTP services serving from default ports on the honeypot. (Physical location is USA)

4 July 2019 at 13:29

  • Honeypot server opened to the outside world.

4 July 2019 at 13:36

  • First, an attack was carried out on the telnet service. The attacker found the correct combination (root: ttnet) in the third username and password attempt. The code that the attacker suddenly executed after infiltrating the system, actually showed that the attacker was a robot, not a human. Instead of exploiting the known vulnerabilities, it was just gathering large-scale information about the system and download it to its own server. The IP address of the attacker was from Florida / Miami.

4 July 2019 at 13:37

  • Another attack on the ssh service came with the same username and password attempts from the same source, the codes executed and the correct username password pair were the same. It would not be wrong to say that there is only one malware that attacks multiple services.

4 July 2019 at 13:54

  • This time, an attacker who tried default usernames and passwords specific to routers and IP cameras started attacking with a Richfield / Utah based IP. The codes he ran after finding the right combination (admin: admin1234) over the Telnet service were for the same purpose as the previous attacker.

4 July 2019 at 13:58

  • There were now nonstop attacks from both ssh and telnet services by multiple attackers at the same time. It was getting hard to follow.

6 July 2019 at 06:31

  • The attacks on the HTTP service took 2 days to begin. The first attack was coming over an IP from Moscow / Russia, using discovery methods such as crawl and brute force to test SQL Injection and RCE over popular vulnerabilities, simple but effective.

7 July 2019 at 13:10

  • The second attack on the HTTP service was coming over an IP originating from Haidian / China. The attack technique was the same as for the previous attacker. The attacks made over the next HTTP service were not as intense as the attacks on telnet and ssh services, but it was determined that they could be extremely effective as a result of a successful attack.

July 10, 2019 at 15:00

  • As I understand from the honeypot logs, seeing that the IP addresses of the attackers, the vulnerable services they control, the username and password combinations they try are very different, but the codes they inject were same. It made me think that there are more than one attackers with the same botnet software.

If we categorize the attacks on ssh and telnet services from a total of 565 IP addresses within a 6-day period according to the geo-locations of the IP addresses, we will have a list as follows:

This research suggests that servers providing certain services with important resources are at high risk of exploitation, given that it takes only 3 hours for an attacker to scan a single service of active IP addresses around the world.

Solution suggestions for the blue team:

  • Always in-depth security hardening.
  • Getting up-to-date training.
  • Getting consultancy services such as penetration tests and load tests.
  • Choosing a backup schedule with intervals of at least 8 hours.

Solution suggestions for the end-user:

  • Using an antivirus that can keep itself updated.
  • Keeping firewalls active just in case.
  • Using software and services from trusted and licensed organizations.
  • Participating in cyber security awareness training.

This article has written by Sercan Sayitoglu and has published in “PwC Turkey – Cyber Security Blog” previously. Reference