Inside a botnet - part 1

Alex, December 15, 2015 08:07
I have had a couple of virtual private servers up and running for a couple of weeks. After a while an attacker used valid credentials and logged on to my server. He downloaded a couple of programs and scripts and suddenly my server was part of a botnet.

Catching the attacker

To catch an attacker in the act I set up a couple of SSH honeypots around the web. This is easily done by renting a virtual private server for a couple of bucks, moving the real SSH server off its default port, and setting up a fake SSH server on port 22.

SSH Server

SSH (Secure Shell) is a program used to connect to a remote server over an encrypted channel. You need a valid login and password and/or a key to log on. Once you have logged on you usually have full control over the server.
Attackers will try default and simple passwords to log on, so I created a couple of fake accounts accepting "123456" and "admin" as passwords. In the first few days a few attackers tried to log in; some were successful but logged off directly after logging on. But guess what, they came back a few days later, and immediately downloaded a couple of programs and a script and tried to start these applications on my server. The honeypot denied the execution of the programs, but we do have a copy of them now.
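The pattern described above (password guessing, a short successful login, then a return visit days later) is easy to pick out of sshd's own auth log. The following is an added example and not code from the original post: it parses a few constructed OpenSSH auth.log lines (the addresses, usernames and the assumed year 2015 are made up for the example) and reports, per source address, whether a password login followed a run of failures and whether the same address logged in again at least a day later.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the OpenSSH "Accepted"/"Failed" auth lines in syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log (not taken from the post): one guessing host that comes
# back three days later, and one legitimate key-based login for contrast.
SAMPLE_LOG = """\
Dec 10 03:12:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec 10 03:12:04 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec 10 03:12:09 vps sshd[1203]: Failed password for admin from 203.0.113.7 port 51030 ssh2
Dec 10 03:12:12 vps sshd[1203]: Accepted password for admin from 203.0.113.7 port 51030 ssh2
Dec 10 03:12:13 vps sshd[1203]: Received disconnect from 203.0.113.7 port 51030:11: Bye Bye
Dec 11 09:00:00 vps sshd[1500]: Accepted publickey for alex from 198.51.100.20 port 50000 ssh2
Dec 13 22:41:55 vps sshd[2290]: Accepted password for admin from 203.0.113.7 port 40011 ssh2
"""


def parse_ts(ts, year):
    # syslog timestamps carry no year; the caller supplies it (assumed 2015 here)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze(log_text, year=2015, min_failures=2, return_days=1):
    """Return {ip: finding} for hosts that guessed passwords and/or came back later."""
    hosts = defaultdict(lambda: {"failures": 0, "accepted": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # disconnects and other chatter are irrelevant here
        h = hosts[m["ip"]]
        when = parse_ts(m["ts"], year)
        if m["result"] == "Failed":
            h["failures"] += 1
        elif m["method"] == "password":
            # only password logins count: that is what the honeypot accounts accept
            h["accepted"].append((when, m["user"]))

    findings = {}
    for ip, h in hosts.items():
        flags = []
        if h["accepted"] and h["failures"] >= min_failures:
            flags.append("password_guessing_then_login")
        times = sorted(t for t, _ in h["accepted"])
        if len(times) >= 2:
            gap = (times[-1] - times[0]).days
            if gap >= return_days:
                flags.append(f"returned_after_{gap}_days")
        if flags:
            findings[ip] = {"failures": h["failures"], "logins": len(times), "flags": flags}
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

On a real honeypot the same logic runs over the live auth log (or the fake server's own log); the "returned after N days" flag is the cue to look for downloads and execution attempts in the session that follows.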

Analyzing the payload

The initial script was downloaded from http:// ██████████.pw/ ; once started, it downloaded a couple of new programs from http://192.227.███.███/ . The programs were compiled for all kinds of hardware platforms, ranging from WiFi routers to 64-bit Linux servers. The payload consists of two parts: the first part tries to find new vulnerable hosts to connect to, spreading like a virus. The second part connects to the command and control center at 192.227.███.███ on port 6667, the standard IRC port.
Looking through the code of the "bot", it accepts a lot of commands from the remote control center:
Command      Description
-----------  ------------------------------------------------------------------------------------
socks5       Installs a SOCKS5 proxy server. If successful, the hacked server can be used as a proxy by everyone on the internet.
portscan     Scans for open ports on a given host.
sendmail     Sends an e-mail with fake From fields to anyone on the internet from the hacked machine.
rootme       Tries several known vulnerabilities to get root access to the server.
nmap         Scans a remote host for open ports.
back         Connects to another server and starts a shell. The attacker can then execute commands on the hacked server.
packetstorm  Reads and prints the headlines from packetstorm.org, an information security news website.
udpflood     Sends random UDP packets to a given host. The time to repeat this can be set in seconds.
udp          Sends random UDP packets to a given host. The time to repeat this can be set in seconds.
tcpflood
httpflood    Connects and disconnects to a given host. The time to repeat this can be set in seconds.
sqlflood     Sends random packets to the local MySQL server. The time to repeat this can be set in seconds.
Sounds like a lot of fun if you are in the DDoS business. With a couple of hundred hacked servers around the world, all connected to this IRC network, you would be able to take down any website with a simple command.
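Because the bot takes its orders as plain IRC messages, the command vocabulary in the table above doubles as a detection signature for anyone watching traffic from their own servers to port 6667. The example below is added here and is not code from the original post or from the bot itself: it scans a few constructed IRC lines (channel names, nicks and the "!bot" addressing prefix are assumptions; real bots use varying syntax) and raises an alert, grouped by the kind of harm each command enables, whenever a message starts with one of the listed command words. Matching only the first token keeps ordinary chat that merely mentions "nmap" out of the alerts.

```python
import re

# Command vocabulary taken from the table above, grouped by the harm it enables.
BOT_COMMANDS = {
    "ddos": {"udpflood", "udp", "tcpflood", "httpflood", "sqlflood"},
    "proxy": {"socks5", "back"},
    "recon": {"portscan", "nmap"},
    "spam": {"sendmail"},
    "privesc": {"rootme"},
    "noise": {"packetstorm"},
}

# Matches an IRC PRIVMSG line: ":nick!user@host PRIVMSG target :text"
PRIVMSG_RE = re.compile(r"^:(?P<sender>[^!\s]+)\S* PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

# Constructed capture (not real C&C traffic): three orders and one innocent chat line.
SAMPLE_IRC = """\
:irc.example.test 001 xbot-7f :Welcome
:master!m@10.0.0.1 PRIVMSG #ctrl :!bot udpflood 198.51.100.9 53 300
:master!m@10.0.0.1 PRIVMSG #ctrl :!bot socks5
:friend!f@10.0.0.2 PRIVMSG #chat :did you see the nmap talk yesterday?
:master!m@10.0.0.1 PRIVMSG xbot-7f :rootme
"""


def classify(word):
    """Map a command word to its harm category, or None if it is not a bot command."""
    for category, names in BOT_COMMANDS.items():
        if word in names:
            return category
    return None


def scan_irc(capture):
    """Return one alert dict per PRIVMSG whose first word is a known bot command."""
    alerts = []
    for line in capture.splitlines():
        m = PRIVMSG_RE.match(line)
        if not m:
            continue  # numerics, JOINs, PINGs etc. carry no orders
        tokens = m["text"].split()
        # Assumption: the command word is the first token, optionally preceded by an
        # addressing prefix such as "!bot". Mid-sentence mentions are deliberately ignored.
        if tokens and tokens[0].startswith("!"):
            tokens = tokens[1:]
        if not tokens:
            continue
        cmd = tokens[0].lower()
        category = classify(cmd)
        if category:
            alerts.append({
                "sender": m["sender"],
                "target": m["target"],
                "command": cmd,
                "category": category,
                "args": tokens[1:],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_irc(SAMPLE_IRC):
        print(f"{alert['category']:8} {alert['sender']} -> {alert['target']}: "
              f"{alert['command']} {' '.join(alert['args'])}")
```

The first alert carries the flood target and duration as arguments, which is exactly the evidence a hosting provider wants when deciding whether to cut a machine off; the "did you see the nmap talk" line produces nothing.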

Stand by for part 2, where I will try to connect to this botnet.