Successful spreading and operating of botnets

discussion
botnet

#1

Hi there folks,

Disclaimer

This thread is inspired by @Ven0mRat , whose question was similar but drifted in the wrong direction.
The idea is to get a healthy discussion going and exchange experiences and knowledge. I myself am not a malware kind of guy. I’m only trying to prepare the groundwork for the discussion part here so if there is any misinformation please correct me!

So let’s get directly into it!
Most if not all should be familiar with what a botnet is and stands for. If not here’s a short primer:

Botnet:

a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g., to send spam messages.


Mirai/Hajime

Probably one of the most recent examples was Mirai or Hajime, which was nicely dissected by @0x00pf. This example of a botnet primarily targeted IoT/Embedded devices. In this particular case, the actors/malware scanned IPv4 addresses with the specific telnet port 23 in mind. When a device was found that also accepted telnet connections a corresponding malicious node attempted several username and password combinations from a hardcoded list of credentials. Upon being granted entry, the architecture and structure of the target were examined and a target-specific infection commenced by utilizing the system utilities mostly provided by BusyBox.

So one way would be to scan the internet/a targeted IP range for open ports and let the botnet-malware do the rest when finding a potential entry point.

A full analysis report can be found from e.g.: rapiditynetworks

Zeus

Zeus to my knowledge has been around for quite a while now and is primarily known as a trojan. This piece of malware was used in e.g. a botnet known as Kneber. An infected machine does send out a HTTP GET request to a C&C server fetching a binary blob that serves as a configuration file to further drive forward the infection. This configuration file was not unique and was able to enable a different kind of functionality-subset on different infected machines. Keylogging was almost always one of them. The initial infection was/is mainly done by drive-by downloads or phishing schemes.

In this example, the user that is operating a machine is the weakest link that is abused compared to the autonomous operation of Hajime/Mirai.

Questions open for Discussion:

  • In case of an autonomous botnet/malware like Hajime was:

    • What do you scan the internet for?
    • Which ports except telnet would you go for?
    • …?
  • In case of a botnet that relies on initial user interaction to infect a machine:

    • Where do you hide your malware and how?
    • Phishing vs drive-by downloads
      • Which is most likely more successful in modern times and how can you trick a user today?
    • In case of one successful infection, do you hide from there or are you trying to spread as fast as possible in a local net to grow the botnet with the risk of getting detected way faster?
  • …?

Conclusion

The structure and objective of your botnet/malware are vital on how it will spread and how it behaves.
I hope this short introduction sparks some interest in many of you and results in a healthy discussion about the questions above and hopefully others too!

Toys


(Leader & Offsec Engineer) #2

Hmmm…

I think if I was going to make a botnet, it would probably abuse vulnerable wordpress plugins. So many sites are running out of date wordpress plugins, and chances are if they’re running out of date wordpress plugins they aren’t doing any other sort of security for their site.

Also, the reach is MASSIVE as so many sites are running wordpress.

Inject code into the index.php script to include something and run in a random interval, maybe once every 30 times the page loads, and then call back to the c2 for further instruction. Being php, you can do a lot natively without ever touching bash.

This is a tough one, but for C2 I think I would likely use some sort of social media stego or something. Call out to Twitter or Imgur and have a hardcoded decryption string. Being PHP the ability to reverse engineer would a bit easier?

The other thing I’d love to utilise is javascript injection in clients. Imagine that, you visit a compromised website and now javascript on your browser is being used selectively to open new phishing pages or fingerprint your browser. Also the very evil potential of how many of these sites have credit card numbers and other very sensitive information.

Spreading method? I think I would probably obtain a cryptocurrency paid VPS and crawl the internet for vulnerable hosts, build up a list, and then flashworm it.

For those unfamiliar, a flashworm is when you infect a large amount of hosts extremely quickly because of how exponential growth occurs. The first host would infect 2 hosts, and then that host would infect 2 hosts, and so on. Very quiet, yet very quick growth.

Doing that would also avoid detection from services like https://greynoise.io (when the botnet is spreading), and only dirty the disposable VPS’s in the initial discovery phase. You would loose a lot of hosts (with boxes going up and down constantly), but you would be a bit more stealthy as a result.

I’m looking forward to what other people would do if they were a bad-guy. This is how I’d do it :smiley: What does everybody think?


#3

If I was a malware writer I would probably place my target against specific IoT devices with the intent of building a botnet that could offer DDoS attacks on demand, it seems like quite a lot of people are interested in booting servers of all kinds, so if I wanted to make money the black hat way, that would be my choice (although some reconnaissance functions to determine if the local network looks interesting enough for further local infections would be welcome as well).

Why? Because IoT is spreading everywhere around the world but most of these funny little devices are still poorly secured. This makes it so that there are countless potential targets, and as time goes on one could write additional modules to the malware to allow it to spread on new devices and exploit new flaws automatically (I wouldn’t stop at trying common user-password combinations).

Mirai helped spread some security awareness amongst embedded software and IoT developers, but let’s not forget that not many people don’t like to (or don’t know how to) update firmwares or change default passwords, and some others simply buy a cheaper device in order to save a few bucks even if it means having to deal with a product of less quality, which often means less security in place.

The ports I would target depend on the devices I would intend to hit, because if I wanted to start a project like this I would do a lot of homework to find a bunch of devices that fit my purposes, say a specific brand of routers, smart homes, thermostats, the list would grow more and more as time goes on in order to expand the botnet and prevent it from dying. I should add that I mentioned those devices because I found a good amount of them just by port scanning random IP ranges. I’ll let you guess by yourself whether they were secured in any way or not.

From my humble experience I have noticed how a lot of these devices like to say a lot about themselves when connecting to them through HTTP and sometimes Telnet, so port 23 and 80 would be my main targets, of course including any other ports needed for the exploitation phase (proprietary protocols are interesting targets I would love to study more about), making banner grabbing, selection, and exploitation to take control over the device completely automated, the way it should be.

I’d actually really like to write a PoC botnet that could spread thanks to the wonders of IoT once I get my hands on an interesting device, if I do end up turning this dream into reality (a “reality” that will be heavily tested on apposite virtual labs) you will be the first to know.