Botnet Analytics Blog

Blogging the Science of Botnet Analysis

Busting Botnet-Herders – Behind the Scenes

We have been observing that “busting botnet-herders” is really happening these days, starting with the past few incidents, although we need to think about the big picture & what goes on behind the scenes. These are the questions that arise after we see such incidents:

  • Are these guys [who get arrested] the real guys behind the scene? Or are these guys public representatives for those botnets?
  • What are the botnet-herders doing next to prevent being caught?
  • There is an interference/intersection between underground & intelligence groups. How do the intelligence agencies deal with such issues?
  • Technology wise, how are they modifying the following to stay current in evasion techniques:
    • Payloads
    • Propagation
    • Algorithm
    • Implementation
    • DDNS
    • and other stuff
  • The so called “Top botnets” take the best from each botnet and implement it. Does this make it more complicated to detect & prevent them?
  • Antivirus engines or security tools can initially detect only the “infection vector”. Some AVs quarantine it and some don’t, but later they might catch on to botnet activity towards known hostile IPs or domains. Does this mean that:
    • the users should reimage the host [industry best standard] as soon as they see traffic to possible hostile IPs?
    • the users should consider any Trojan or backdoor activity as possible botnet command & control activity, as it could possibly lead to them?
    • the users should reimage the host for every malware triggered on the host?
  • Botnet herders code their botnets to spread through the following vectors. Does this help them expand their zombie networks really fast?
    • Phished websites
    • Malware sites
    • Hosed webservers
    • DNS poisoning
    • Client-side attacks
  • What could the next generation of botnets do?
  • Is commercialization of botnets anticipated? If the answer is “Yes”, does law enforcement have any response to it?
  • Do the courts all around the world realize that they should modify/work on their laws to ensure that these botnet herders get punished, no matter what part of the world they reside in? A classic example is that the “Mariposa” botnet guys were arrested in Spain, even though Spain is lenient in various other aspects of infosec.
  • Will the botnet herders mix botnets with real world issues like the phishing guys do:
    • SEO poisoning
    • Deceptive linking
    • Pharming
    • and other techniques

Hope this helped in opening your eyes to think more about botnets & their herders. Thank you for choosing Botnet Analytics!

Commercializing Botnets

The past few years have seen a big boom in the botnet world. Botnet herders [a.k.a. the creators of botnets] are commercializing botnets by showing how much more powerful their botnets are than existing ones. Some of them are good at one thing, while others are good at other things. Some of these areas are listed below:

  • Infection vector
  • Propagation
  • Payload
  • Acquiring zombies
  • DDNS
  • Simple lifecycle
  • Easy to communicate
  • and more

Some of the famous botnets & botnet apps have been commercialized in recent days, although law enforcement is trying to bring such entities down. One of the most famous ones is the “Mariposa” botnet. Defense Intelligence was solely working on researching Mariposa and creating sinkholes to prevent users from communicating with the zombie network or from being hosed. Even though a user is first infected through the infection vector of a botnet, such as a Trojan, the user is then taken to specific IPs or domains that push out the malicious code that makes the host part of the zombie network. This is where sinkholes help: they keep users from reaching the real IP that holds the malicious code, and they also help such security organizations detect the victims of the attack.
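As an added illustration of the sinkholing just described (example code written for this post, not from the blog, Defense Intelligence or any real sinkhole operator): a minimal resolver model that answers sinkholed C2 names with the sinkhole address, so infected hosts never reach the real host, and records which clients asked, which is exactly the victim list the text mentions. All domain names and IP addresses are constructed placeholders, not real Mariposa indicators.

```python
from collections import defaultdict
# Constructed placeholder names and addresses for this example; they are
# not real Mariposa indicators. All IPs come from RFC 5737 documentation ranges.
SINKHOLED_DOMAINS = {"c2-alpha.example", "c2-beta.example"}
SINKHOLE_IP = "192.0.2.10"  # address that sinkholed names resolve to
UPSTREAM = {  # what the names would resolve to without the sinkhole
    "c2-alpha.example": "198.51.100.7",  # real C2 host, never returned
    "update.c2-beta.example": "198.51.100.8",
    "www.example.org": "203.0.113.5",  # benign site, resolved normally
}

class Sinkhole:
    """Answers controlled C2 names with the sinkhole address and records askers."""

    def __init__(self, sinkholed, sinkhole_ip, upstream):
        self.sinkholed = {d.lower() for d in sinkholed}
        self.sinkhole_ip = sinkhole_ip
        self.upstream = upstream
        self.victims = defaultdict(set)  # client IP -> C2 names it asked for

    def is_sinkholed(self, qname):
        name = qname.rstrip(".").lower()
        # match the zone apex or any subdomain of a sinkholed zone
        return any(name == d or name.endswith("." + d) for d in self.sinkholed)

    def resolve(self, client_ip, qname):
        name = qname.rstrip(".").lower()
        if self.is_sinkholed(name):
            self.victims[client_ip].add(name)  # the query itself identifies a victim
            return self.sinkhole_ip            # the real C2 address is never handed out
        return self.upstream.get(name)

def process_log(lines, sinkhole):
    """Replay 'timestamp client_ip qname' log lines; return {client_ip: sorted C2 names}."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, client_ip, qname = line.split()[:3]
        sinkhole.resolve(client_ip, qname)
    return {ip: sorted(names) for ip, names in sinkhole.victims.items()}

# Constructed sample query log: one client asks twice, names vary in case
SAMPLE_LOG = """\
# ts client qname
1268670000 10.0.0.5 c2-alpha.example.
1268670001 10.0.0.9 www.example.org.
1268670002 10.0.0.5 update.c2-beta.example.
1268670003 10.0.0.7 C2-Alpha.example.
"""
```

Running `process_log(SAMPLE_LOG.splitlines(), Sinkhole(SINKHOLED_DOMAINS, SINKHOLE_IP, UPSTREAM))` reports 10.0.0.5 and 10.0.0.7 as victims while the benign query from 10.0.0.9 is resolved normally and never logged.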

I am not sure, but the following site looks like a commercialized version of Mariposa to me:

They call their product “Butterfly Flooder” and here is the list of features that they have proposed:

Features
Features (client):
• Direct code injection into remote process (part of module system) for automatic Windows Firewall bypass
• Module system (in-file & on-fly module loading mechanism)
• UDP flood with random data and packet sizes, configurable strength of flood
• Strong TCP flood, working with max power on all WINNT systems with configurable strength of flood
• USB spreader with on-fly autorun.inf content
• Downloader that downloads files via ButterFly Network Protocol (no need for third party HTTP or FTP servers)
• MSN spreader (hooking send and WSARecv functions) – completely version independent message replacer
• Visit module (client visits website; hidden or with default browser)
• External downloader – can download via HTTP, HTTPS and FTP protocols, extended options (user agent, additional request headers, target folder and filename, execute, melt and update options, single download option)
• NEW: Reverse Proxy Simple module with receiver (turn every client into proxy server instantly!)
• Post Data Grabber for Internet Explorer 6, 7 and 8 (catches all data sent by POST method, including HTTPS)
• Connect Hook for Internet Explorer, Firefox, Opera and Chrome (all versions)
• Adware Simple (advertise your website on clients while they browse the world wide web)
• Cookie Stuffer for Internet Explorer and Mozilla Firefox
• NEW: Slowloris Flooder (great flooder for stress testing HTTP Web servers)
Features (protocol):
• Based on UDP
• Own application layer protocol
• Own acks, reliability control
• Support for transferring large data blocks
• Download modules over protocol
• Download third party software over protocol (also update)
• Configurable max upload per second for each peer
Features (server):
• Multithreaded design with variable number of threads selection for maximized performance
• Ability to configure frames per second to fine tune server’s CPU usage / latency ratio
• Ability to configure server’s overall max upload
• GEOIP client localization (accurate country info on clients)
• Automated modules distribution to clients without needed modules
Features (master):
• Multiple server connect instances possible
• Debug console
• Console on/off for each instance
• Client dump window
• On-join commands
• Timer commands
• One-time commands
• Various conditions for commands, can be used together (check screenshots)
• Console style commanding, from where any command can be issued (for “PROs”)

Are the Mariposa guys really arrested, or are those the ones who just do the front-end job [as in, communicate with the bots/zombies]? Is “http://bfsystems.net” part of the Mariposa network, or rather their commercialized version of Mariposa?

Whois data for BFSYSTEMS.NET:

     Whois Server Version 2.0
     Domain names in the .com and .net domains can now be registered
     with many different competing registrars. Go to http://www.internic.net
     for detailed information.
        Domain Name: BFSYSTEMS.NET
        Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
        Whois Server: whois.PublicDomainRegistry.com
        Referral URL: http://www.PublicDomainRegistry.com
        Name Server: NS11.LOVINGHOSTING.COM
        Name Server: NS12.LOVINGHOSTING.COM
        Status: ok
        Updated Date: 07-mar-2010
        Creation Date: 31-oct-2009
        Expiration Date: 31-oct-2011
     >>> Last update of whois database: Mon  15 Mar 2010 16: 23: 41 UTC <<<

67.43.3.69 falls in the IP range of DailyDNS:

     network: Class-Name: network
     network: ID: NETBLK-SPARKDAILYDN.67.43.3.69/32
     network: Auth-Area: 67.43.0.0/20
     network: Network-Name: SPARKDAILYDN-67.43.3.69
     network: IP-Network: 67.43.3.69/32
     network: IP-Network-Block: 67.43.3.69-67.43.3.69
     network: Organization;I: SPARKDAILYDN
     network: Org-Name: spark.dailydns.com
     network: Street-Address: po box 211
     network: City: wilbur
     network: State: wa
     network: Postal-Code: 99185
     network: Country-Code: US
     network: Tech-Contact;I: thecrazedking@aol.com
     network: Abuse: abuse@sourcedns.com

Domains Per Host indicates thousands of hosts on the same IP [67.43.3.69].

  • Is Mariposa still up & running, and do we still see traffic to newly compromised Mariposa hosts? The answer is “YES”.
  • Has the arrest of those 3 guys changed anything relating to the working of Mariposa? The answer is “Not really!”.
  • What are the various justifications for the current situation?
    • It could be that the botnets are modularized and sold to many places.
    • Open-source botnets make it harder for the security community.
    • The “Your Botnet is My Botnet” concept of Torpig makes it harder.
    • Metamorphic & polymorphic code makes research against botnets harder.
    • Competition in the botnet community: “Mine is better & bigger than yours”.
    • Commercializing botnets to the underground community to help them knock off more systems.
  • Why would they do it open-source when they can commercialize it? When the modules are open source, botnet modules can be taken by someone else and improved to fit their situation or their creativity. Someone always sees what someone else doesn’t. The botnet community is using this mentality to make their botnets stronger, grow bigger & become more difficult to detect and prevent.

We are not sure about Butterfly networks or who is behind it, but their website & content looks too spooky to make a mention over this blog. If you guys from Butterfly networks feel that this isn’t true, kindly shoot us an email to contact.fingers@gmail.com and we will retract the post. Also, give a possible explanation as to how commercializing your UDP flood services would help anyone. Pentesters should also know their testing limits. Botnets getting sold to pentesters is not going to help them test if their customers are protected against botnets. It might in fact compromise their customers & make them part of the zombie networks.

Hoping that this post was helpful in opening your eyes. Thank you for choosing Botnet Analytics!