Botnet Analytics Blog

Blogging the Science of Botnet Analysis

Commercializing Botnets

The past few years have seen a big boom in the botnet world. Botnet herders [a.k.a. the creators of botnets] are commercializing botnets by showing how much more powerful their botnets are than existing ones. Some are good at one thing, while others are good at something else. Some of the selling points are listed below:

  • Infection Vector
  • Propagation
  • Payload
  • Acquiring Zombies
  • DDNS
  • Simple Lifecycle
  • Easy to communicate
  • and more

Some of the famous botnets & botnet apps have been commercialized in recent days, although law enforcement is trying to bring such entities down. One of the most famous is the “Mariposa” botnet. Defense Intelligence was solely working on researching Mariposa and creating sinkholes to prevent users from communicating with the Zombie network or from being hosed. Once a user is infected through a botnet's infection vector, such as a Trojan, the user is taken to specific IPs or domains that then push out the malicious code that makes the machine part of the Zombie network. This is where sinkholes help: they protect users from reaching the real IP that holds the malicious code, and they also let such security organizations detect the victims of the attack.
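A sinkhole also doubles as a victim census: every lookup of a sinkholed domain points at an infected host. The following is an added example, not code from the original post or from Defense Intelligence, that scans constructed BIND-style resolver log lines for queries to a constructed sinkholed zone and reports the likely victims per source IP; all domains, IPs and log lines are placeholders.

```python
"""Added example (not from the original post): reading sinkhole hits out of
resolver logs. Every lookup of a sinkholed domain identifies a likely victim.
All domains, hosts and log lines below are constructed placeholders."""
import re
from datetime import datetime

# Constructed BIND-9-style query-log sample (placeholder values, not real IoCs).
SAMPLE_LOG = """\
15-Mar-2010 16:23:41.101 client 10.0.5.23#51234: query: updates.example-c2.invalid IN A + (10.0.0.2)
15-Mar-2010 16:23:42.200 client 10.0.5.23#51235: query: www.example.com IN A + (10.0.0.2)
15-Mar-2010 16:24:10.001 client 10.0.7.9#40001: query: updates.example-c2.invalid IN A + (10.0.0.2)
15-Mar-2010 16:30:00.500 client 10.0.5.23#51240: query: files.example-c2.invalid IN A + (10.0.0.2)
15-Mar-2010 16:31:12.009 client 10.0.9.4#60002: query: mail.example.org IN MX + (10.0.0.2)
not a query line at all
"""

# Constructed zone taken over by a hypothetical sinkhole; every subdomain of it counts.
SINKHOLED = {"example-c2.invalid"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_line(line):
    """Return (timestamp, source_ip, qname, qtype) or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["src"], m["qname"].rstrip(".").lower(), m["qtype"]

def is_sinkholed(qname, sinkholed):
    """True if qname itself or any parent domain is in the sinkholed set."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in sinkholed for i in range(len(labels)))

def find_victims(log_text, sinkholed):
    """Map each source IP that queried a sinkholed name to what it asked for and when."""
    victims = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not is_sinkholed(parsed[2], sinkholed):
            continue  # unparsable line, or a query for a legitimate name
        ts, src, qname, _ = parsed
        v = victims.setdefault(src, {"domains": set(), "first_seen": ts, "last_seen": ts, "hits": 0})
        v["domains"].add(qname)
        v["first_seen"], v["last_seen"] = min(v["first_seen"], ts), max(v["last_seen"], ts)
        v["hits"] += 1
    return victims
```

Running `find_victims(SAMPLE_LOG, SINKHOLED)` flags 10.0.5.23 (two sinkholed names, three hits) and 10.0.7.9 (one hit), while the hosts that only resolved legitimate names are left out.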

I am not sure, but the following site looks like a commercialized version of Mariposa to me:

They call their product “Butterfly Flooder”, and here is the list of features they advertise:

Features
Features (client):
  • Direct code injection into remote process (part of module system) for automatic Windows Firewall bypass
  • Module system (in-file & on-fly module loading mechanism)
  • UDP flood with random data and packets sizes, configurable strength of flood
  • Strong TCP flood, working with max power on all WINNT systems with configurable strength of flood
  • USB spreader with on-fly autorun.inf content
  • Downloader that downloads files via ButterFly Network Protocol (no need for third party HTTP or FTP servers)
  • MSN spreader (hooking send and WSARecv functions) – completely version independent message replacer
  • Visit module (client visit website; hidden or with default browser)
  • External downloader – can download via HTTP, HTTPS and FTP protocols, extended options (user agent, additional request headers, target folder and filename, execute, melt and update options, single download option)
  • NEW: Reverse Proxy Simple module with receiver (turn every client into proxy server instantly!)
  • Post Data Grabber for Internet Explorer 6, 7 and 8 (catches all data sent by POST method, including HTTPS)
  • Connect Hook for Internet Explorer, Firefox, Opera and Chrome (all versions)
  • Adware Simple (advertise your website on clients while they browse the world wide web)
  • Cookie Stuffer for Internet Explorer and Mozilla Firefox
  • NEW: Slowloris Flooder (great flooder for stress testing HTTP Web servers)
Features (protocol):
  • Based on UDP
  • Own application layer protocol
  • Own acks, reliability control
  • Support for transferring large data blocks
  • Download modules over protocol
  • Download third party software over protocol (also update)
  • Configurable max upload per second for each peer
Features (server):
  • Multithreaded design with variable number of threads selection for maximized performance
  • Ability to configure frames per second to fine tune the server's CPU usage / latency ratio
  • Ability to configure the server's overall max upload
  • GEOIP client localization (accurate country info on clients)
  • Automated modules distribution to clients without needed modules
Features (master):
  • Multiple server connect instances possible
  • Debug console
  • Console on/off for each instance
  • Client dump window
  • On-join commands
  • Timer commands
  • One-time commands
  • Various conditions for commands, can be used together (check screenshots)
  • Console style commanding, from where any command can be issued (for “PROs”)

Are the Mariposa guys really arrested, or are those the ones who just do the front-end job [as in, communicate with the bots/zombies]? Is “http://bfsystems.net” part of the Mariposa network, or rather their commercialized version of Mariposa?

Whois data for BFSYSTEMS.NET:

 Whois Server Version 2.0
 Domain names in the .com and .net domains can now be registered
 with many different competing registrars. Go to http://www.internic.net
 for detailed information.
    Domain Name: BFSYSTEMS.NET
    Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
    Whois Server: whois.PublicDomainRegistry.com
    Referral URL: http://www.PublicDomainRegistry.com
    Name Server: NS11.LOVINGHOSTING.COM
    Name Server: NS12.LOVINGHOSTING.COM
    Status: ok
    Updated Date: 07-mar-2010
    Creation Date: 31-oct-2009
    Expiration Date: 31-oct-2011
 >>> Last update of whois database: Mon 15 Mar 2010 16:23:41 UTC <<<

67.43.3.69 falls in the IP range of DailyDNS:

 network: Class-Name: network
 network: ID: NETBLK-SPARKDAILYDN.67.43.3.69/32
 network: Auth-Area: 67.43.0.0/20
 network: Network-Name: SPARKDAILYDN-67.43.3.69
 network: IP-Network: 67.43.3.69/32
 network: IP-Network-Block: 67.43.3.69-67.43.3.69
 network: Organization;I: SPARKDAILYDN
 network: Org-Name: spark.dailydns.com
 network: Street-Address: po box 211
 network: City: wilbur
 network: State: wa
 network: Postal-Code: 99185
 network: Country-Code: US
 network: Tech-Contact;I: thecrazedking@aol.com
 network: Abuse: abuse@sourcedns.com

Domains Per Host indicates thousands of hosts on the same IP [67.43.3.69].

  • Is Mariposa still up & running, and do we still see traffic to newly compromised Mariposa hosts? The answer is “YES”.
  • Has the arrest of those 3 guys changed anything relating to the working of Mariposa? The answer is “Not Really!”.
  • What are the various justifications for the current situation:
    • Could be that the botnets are modularized and sold to many places.
    • Open-source botnets make it harder for the security community.
    • The “Your Botnet is My Botnet” concept of Torpig makes it harder.
    • Metamorphic & polymorphic code makes it harder to research and defend against botnets.
    • Competition in the botnet community: “Mine is better & bigger than yours”.
    • Commercializing botnets to the underground community to help them knock off more systems.
  • Why would they do it open-source when they can commercialize it? When the modules are open source, botnet modules can be taken by someone else and adapted to their situation or their creativity. Someone always sees what someone else doesn’t. The botnet community is using this mentality to make their botnets stronger, bigger, and more difficult to detect and prevent.

We are not sure about Butterfly networks or who is behind it, but their website & content look too spooky not to mention on this blog. If you guys from Butterfly networks feel that this isn’t true, kindly shoot us an email at contact.fingers@gmail.com and we will retract the post. Also, give a possible explanation as to how commercializing your UDP flood services would help anyone. Pentesters should also know their testing limits. Botnets getting sold to pentesters is not going to help them test whether their customers are protected against botnets. It might in fact compromise their customers & make them part of the Zombie networks.

Hoping that this post was helpful in opening your eyes. Thank you for choosing Botnet Analytics!
