Hi there folks,
Disclaimer
This thread is inspired by @Ven0mRat , whose question was similar but drifted in the wrong direction.
The idea is to get a healthy discussion going and exchange experiences and knowledge. I myself am not a malware kind of guy. I’m only trying to prepare the groundwork for the discussion part here, so if there is any misinformation, please correct me!
So let’s get directly into it!
Most, if not all, of you should be familiar with what a botnet is and stands for. If not, here’s a short primer:
Botnet:
a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g., to send spam messages.
Mirai/Hajime
Probably one of the most recent examples was Mirai or Hajime, which was nicely dissected by @0x00pf. This example of a botnet primarily targeted IoT/embedded devices. In this particular case, the actors/malware scanned IPv4 addresses with the telnet port 23 specifically in mind. When a device was found that also accepted telnet connections, a corresponding malicious node attempted several username and password combinations from a hardcoded list of credentials. Upon being granted entry, the architecture and structure of the target were examined and a target-specific infection commenced, using the system utilities mostly provided by BusyBox.
So one way to spread is to scan the internet, or a targeted IP range, for open ports and let the botnet malware do the rest once a potential entry point is found.
A full analysis report can be found at, e.g., rapiditynetworks.
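Seen from the defender's side, the two behaviours described above (a sweep of many hosts on port 23, then a burst of failed logins ending in a success) are what you would want to spot in connection and login records. The following detector is an added example, not code from the original post or from the cited analysis; the record format, IP addresses and thresholds are constructed assumptions for the example.

```python
from collections import defaultdict

# Thresholds are assumptions for this example, not values from the Mirai report.
WINDOW = 60          # seconds of history kept per source
FAIL_THRESHOLD = 5   # failed telnet logins from one source inside WINDOW
SCAN_THRESHOLD = 10  # distinct hosts contacted on port 23 inside WINDOW

def parse_line(line):
    # Constructed record format: "<epoch> <src_ip> <dst_ip> <dport> <outcome>"
    ts, src, dst, dport, outcome = line.split()
    return int(ts), src, dst, int(dport), outcome

def analyze(lines):
    """Return {src_ip: set(kinds)} for sources showing scan or brute-force behaviour."""
    fails = defaultdict(list)     # src -> timestamps of auth_fail on port 23
    contacts = defaultdict(list)  # src -> (ts, dst) of connects on port 23
    findings = defaultdict(set)
    for line in lines:
        ts, src, dst, dport, outcome = parse_line(line)
        if dport != 23:           # only telnet is of interest here
            continue
        if outcome == "auth_fail":
            fails[src] = [t for t in fails[src] if ts - t <= WINDOW] + [ts]
            if len(fails[src]) >= FAIL_THRESHOLD:
                findings[src].add("bruteforce")
        elif outcome == "connect":
            contacts[src] = [(t, d) for t, d in contacts[src] if ts - t <= WINDOW] + [(ts, dst)]
            if len({d for _, d in contacts[src]}) >= SCAN_THRESHOLD:
                findings[src].add("scan")
        elif outcome == "auth_ok" and len(fails[src]) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the Mirai-style foothold.
            findings[src].add("bruteforce_success")
    return dict(findings)

def sample_lines():
    # Constructed sample: one scanner sweeping a /24 on port 23 and then guessing
    # credentials on one hit, one admin mistyping a password once, unrelated SSH.
    scanner, admin = "198.51.100.7", "10.0.0.5"
    lines = [f"{1000 + i} {scanner} 192.0.2.{i} 23 connect" for i in range(12)]
    lines += [f"{1020 + i} {scanner} 192.0.2.3 23 auth_fail" for i in range(6)]
    lines.append(f"1030 {scanner} 192.0.2.3 23 auth_ok")
    lines += [f"1005 {admin} 192.0.2.50 23 connect",
              f"1006 {admin} 192.0.2.50 23 auth_fail",
              f"1010 {admin} 192.0.2.50 23 auth_ok",
              f"1011 {admin} 192.0.2.51 22 connect"]
    return sorted(lines, key=lambda rec: int(rec.split()[0]))

if __name__ == "__main__":
    for src, kinds in analyze(sample_lines()).items():
        print(src, sorted(kinds))
```

The scanner trips all three signals while the admin's single failed login stays below the threshold; in practice the thresholds would be tuned against your own baseline of telnet activity.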
Zeus
Zeus, to my knowledge, has been around for quite a while now and is primarily known as a trojan. This piece of malware was used in, e.g., a botnet known as Kneber. An infected machine sends out an HTTP GET request to a C&C server, fetching a binary blob that serves as a configuration file to drive the infection further. This configuration file was not unique and could enable a different subset of functionality on different infected machines; keylogging was almost always one of them. The initial infection was/is mainly done by drive-by downloads or phishing schemes.
In this example, the user operating the machine is the weakest link being abused, in contrast to the autonomous operation of Hajime/Mirai.
Questions open for Discussion:
- In case of an autonomous botnet/malware like Hajime was:
  - What do you scan the internet for?
  - Which ports except telnet would you go for?
  - …?
- In case of a botnet that relies on initial user interaction to infect a machine:
  - Where do you hide your malware and how?
  - Phishing vs drive-by downloads
  - Which is most likely more successful in modern times and how can you trick a user today?
  - In case of one successful infection, do you hide from there or are you trying to spread as fast as possible in a local net to grow the botnet with the risk of getting detected way faster?
- …?
Conclusion
The structure and objective of your botnet/malware are decisive for how it will spread and how it behaves.
I hope this short introduction sparks some interest in many of you and results in a healthy discussion about the questions above and hopefully others too!