Bot net upgrade.

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.


Postby Amouse » Fri May 27, 2011 5:36 am

I am sure many saw the article Brian Krebs wrote.

http://krebsonsecurity.com/2011/01/battling-the-zombie-web-site-armies/

I have uploaded the latest logs and other info.

http://www.bencom.co.nz/bot/

The hacker/spam gang has added an extra level of obfuscation by using another army of hacked/infected machines to the mix to send commands to the php zombie army.

Previously the PHP bot net was controlled from a single machine in Asia.
Since starting up again with this new configuration, the bot net has been spewing spam constantly from the 24th (NZ time).

This is a significant ramp up of this spam spewing php bot net.
I am sure those familiar with this bot net will be able to understand the files in my bot dir.
To those not familiar console.php.txt is the code I use to capture the bot net commands.
The other two php files have code to capture other data the command center tries to send/load onto the server. Of course the bot net command center is unable to do what it wants on my server and I capture as much data as I can.

If this bot net is going to be used continuously, something that has not happened to date, it will become a significant player.
Amouse
Spam Reporter
Posts: 140
Joined: Sat Jun 13, 2009 11:34 pm

Re: Bot net upgrade.

Postby Red Dwarf » Fri May 27, 2011 4:45 pm

Spammed URLs contain this obfuscated code
Code:
http://www.vigour99.com.tw/shop/images/expect.html


Code:
<script>function outgrowth (damaged){ var stimulus=''; for (var stock=0; stock<damaged.length; stock+=3){stimulus = String.fromCharCode(damaged.substring(stock,stock+3)) + stimulus;} return stimulus; }</script>

<script>
var access='04103905204804905404904905404904905';
var sublessee='00490490560530480550520480550520480';
var privacy='57049049057049049057049049054052048';
var bufflehead='05404904905204804904904804905204904';
var resolution='90490480490500490490520480490550570';
var frail='48052049049057048049055057048057057';
var spice='04804905004905405204804804904904904';
var film='80490540490490390401041161191111141';
var avalanche='03116117111061110111105116097099111';
var woodpecker='108046119111100110105119';

eval(outgrowth(access+sublessee+privacy+bufflehead+resolution+frail+spice+film+avalanche+woodpecker));
</script>


That decodes to
Code:
window.location=outgrowth('116101110046121099097109114097104112101114101104116046119119119047047058112116116104')
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10453
Joined: Tue Jun 27, 2006 2:01 am
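A static decoder for the scheme Red Dwarf decoded above, added here as an example; it is not code from the post or from the captured page. It reimplements the page's outgrowth() transform without calling eval(), pulls the var fragments out of the captured script (the fragment values are the ones quoted in the post), and keeps decoding while the result still contains an outgrowth('...') call, so the redirect destination comes out in clear text. The function names decodeTriplets, extractPackedDigits and recoverRedirect are my own.

```javascript
// Added example, not code from the forum post: an offline decoder for the
// "outgrowth" obfuscation. The packer stores each character as a zero-padded
// three-digit char code and rebuilds the string back to front, so an analyst
// can recover the payload without ever running the captured script.

// Captured <script> body as quoted in the post (page content, not constructed).
const CAPTURED_SCRIPT = `
var access='04103905204804905404904905404904905';
var sublessee='00490490560530480550520480550520480';
var privacy='57049049057049049057049049054052048';
var bufflehead='05404904905204804904904804905204904';
var resolution='90490480490500490490520480490550570';
var frail='48052049049057048049055057048057057';
var spice='04804905004905405204804804904904904';
var film='80490540490490390401041161191111141';
var avalanche='03116117111061110111105116097099111';
var woodpecker='108046119111100110105119';
eval(outgrowth(access+sublessee+privacy+bufflehead+resolution+frail+spice+film+avalanche+woodpecker));
`;

// The page's outgrowth() transform reimplemented without eval: read three
// digits at a time, map each to its character, and prepend it, so the output
// is the reversed sequence of triplets.
function decodeTriplets(digits) {
  if (digits.length % 3 !== 0) {
    throw new Error(`digit string length ${digits.length} is not a multiple of 3`);
  }
  let out = '';
  for (let i = 0; i < digits.length; i += 3) {
    out = String.fromCharCode(Number(digits.substring(i, i + 3))) + out;
  }
  return out;
}

// Collect every `var name='digits';` fragment and join them in the order the
// eval() line names them, which is exactly what the browser would concatenate.
function extractPackedDigits(scriptText) {
  const values = new Map();
  for (const m of scriptText.matchAll(/var\s+(\w+)\s*=\s*'(\d+)'/g)) {
    values.set(m[1], m[2]);
  }
  const call = scriptText.match(/outgrowth\(([\w+]+)\)/);
  const order = call ? call[1].split('+') : [...values.keys()];
  return order.map((name) => {
    if (!values.has(name)) throw new Error(`unknown fragment ${name}`);
    return values.get(name);
  }).join('');
}

// Multi-stage recovery: the first decode yields a `window.location=` assignment
// whose argument is itself packed, so keep decoding until no packed call is
// left. The last stage is the destination the victim's browser would load.
function recoverRedirect(scriptText) {
  const stages = [decodeTriplets(extractPackedDigits(scriptText))];
  let inner;
  while ((inner = stages[stages.length - 1].match(/outgrowth\('(\d+)'\)/))) {
    stages.push(decodeTriplets(inner[1]));
  }
  return { stages, destination: stages[stages.length - 1] };
}

const result = recoverRedirect(CAPTURED_SCRIPT);
console.log(result.stages[0]);     // the window.location=outgrowth('...') line
console.log(result.destination);   // http://www.therepharmacy.net
```

The length check matters in practice: samples in this family sometimes arrive with a fragment truncated by a mail or log capture, and a length that is not a multiple of three means the decode would silently shift every character, so failing loudly is the safer behaviour.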

Re: Bot net upgrade.

Postby Red Dwarf » Fri May 27, 2011 4:51 pm

A sample of spammed URLs from the file you provide at testFile-26-5-2011.txt:
Code:
http://amswt.com/catalog/images/interest.html
http://bronzagecorp.com/images/crystal/plane/anger.html
http://dalpinteriores.com/flash/motel/position.html
http://demo.auto-merchant.com/images/icons/ease/trunk.html
http://engave.com/i/doctor/breathe.html
http://eshop.creolo.com/images/default/mind/turn.html
http://evolutionnt.ca/shop/catalog/antecpdf/wink/refuse.html
http://fishinggroundbait.nl/catalog/images/flee.html
http://gazetemetropol.com/popresimler/bother/gentleman.html
http://greenerpathproducts.ca/wp-content/planet/attack.html
http://hidcool.com/images/smilies/snake/summer.html
http://hz.hk/images/remind/collar/while.html
http://iklanadsense.com/images/cigar/Monday.html
http://layout4u.dk/cp/long/before.html
http://liyonlegal.co.uk/extranet/sound/farm.html
http://loadedlounge.com/wp-admin/craft/female.html
http://modelismo-correias.com/images/lady.html
http://rashodka.net/images/menu/hick/tiny.html
http://rentcarinantalya.com/muzik/provide/wheel.html
http://rugbebears.com/bmc_store/images/interview.html
http://sekitake.com/modules/shop/images/banners/worry/bruise.html
http://tasaza.co.cc/includes/picture/dump.html
http://the-frugal-shopper.com/OSCommerce/images/possess.html
http://www.amelettrodomestici.com/images/aq_loghi/wood/through.html
http://www.autoteile-donner.de/images/break.html
http://www.bmpnail.com/images/icon/gain/manner.html
http://www.cavellounderwear.com/webshop/images/ui/cage/garage.html
http://www.creativityandmore.com/shop/images/icons/coat/like.html
http://www.dezirefashionz.net/images/default/clutch/slow.html
http://www.e-road.net/modules/shop/images/categories/torch/guest.html
http://www.easyshopdk.com/images/banners/beast/thin.html
http://www.efashionista.net/elisaboutique/osc/images/peek.html
http://www.estacaomotos.com.br/images/nightmare.html
http://www.ethansearth.com/shop/images/date.html
http://www.feingemachtes.ch/images/colors/dangle/hatch.html
http://www.huber-schriften.com/onlineshop/shop/images/impress.html
http://www.macvisual.net/commerce/catalog/images/infobox/<beep>/square.html
http://www.potspansplus.com/images/brilliant/temple/moment.html
http://www.rolandmpx-90.com/store/images/engage.html
http://www.sadiaco.com/images/infobox/lunch/afford.html
http://www.tusciacartucce.it/images/morning.html
http://www.tyoturvapekkala.com/images/root.html
http://www.vigour99.com.tw/shop/images/expect.html
http://www.wolfoxdobrasil.com.br/images/jeans.html


Presumably these are legitimate servers that have been compromised with the insertion of the html files, which return a not found response together with the obfuscated code.

Sample page from http://www.vigour99.com.tw/shop/images/expect.html
Code:
<html>
<head>
<title>Object not found!</title>
<!-- X29mbTQjLXNvbCxqXV9tXGtgVWpfWFRxImhYbw== -->
<script>function outgrowth (damaged){ var stimulus=''; for (var stock=0; stock<damaged.length; stock+=3)
{stimulus = String.fromCharCode(damaged.substring(stock,stock+3)) + stimulus;} return stimulus; }</script>
</head>

<body>
<h1><!-- Object not found! --></h1>
<p>

  <!--
    The requested URL was not found on this server.

 

    If you entered the URL manually please check your
    spelling and try again.
  -->
 

</p>
<p>  <!--
If you think this is a server error, please contact
the webmaster.
         -->
</p>

<h2><!--Error 404--></h2>
<address>
</address>
<script>
var access='04103905204804905404904905404904905';
var sublessee='00490490560530480550520480550520480';
var privacy='57049049057049049057049049054052048';
var bufflehead='05404904905204804904904804905204904';
var resolution='90490480490500490490520480490550570';
var frail='48052049049057048049055057048057057';
var spice='04804905004905405204804804904904904';
var film='80490540490490390401041161191111141';
var avalanche='03116117111061110111105116097099111';
var woodpecker='108046119111100110105119';

eval(outgrowth(access+sublessee+privacy+bufflehead+resolution+frail+spice+film+avalanche+woodpecker));
</script>
</body>
</html> 
Red Dwarf
You are kiillllling-a my bizinisss!
Posts: 10453
Joined: Tue Jun 27, 2006 2:01 am

Re: Bot net upgrade.

Postby Amouse » Sat May 28, 2011 4:59 am

A quick update. A few hours after posting yesterday the flow of spam has stopped.
This behavior has been the norm since discovering the bot net last year.
Do a spam run, wait for a week or two, spam run again.
Amouse
Spam Reporter
Posts: 140
Joined: Sat Jun 13, 2009 11:34 pm

Re: Bot net upgrade.

Postby AlphaCentauri » Sat May 28, 2011 10:26 am

Amouse wrote:A quick update. A few hours after posting yesterday the flow of spam has stopped.
This behavior has been the norm since discovering the bot net last year.
Do a spam run, wait for a week or two, spam run again.


I wonder what the explanation for that behavior is. My understanding is that time is money if you control a botnet, as you can rent it out to other criminals. Perhaps he is someone the other spammers don't trust and he has trouble finding clients. Or perhaps he is someone who is extremely careful about not doing anything that could be traced back to him, and he only accesses the botnet when he is away from home. If Osama bin Laden had been a spammer, you might have seen behavior like that, for instance.
AlphaCentauri
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Bot net upgrade.

Postby Amouse » Sun May 29, 2011 5:24 pm

You may be right on both counts. Now think Shane Atkinson.

As you all may recall, the attack on my server came after I exposed Atkinson's antics spamming Ham radio email addresses harvested out of NZ Ham radio publications. Shane has a friend who is a Ham radio operator.

The other end of the operation is Dean Westbury who lives in the Philippines.

I bet "My brother is a narc but I am not" is not going to wash with spammy.
Amouse
Spam Reporter
Posts: 140
Joined: Sat Jun 13, 2009 11:34 pm

Re: Bot net upgrade.

Postby AlphaCentauri » Sun May 29, 2011 6:20 pm

If he knows it's your server, I can see attacking it with a DDoS to shut it down. But using it to send spam and exposing his own operations is a gift, not an attack.
AlphaCentauri
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Bot net upgrade.

Postby Amouse » Wed Aug 17, 2011 4:54 pm

I continue to harvest data.

Anyone interested can download the captured data.

http://forsale.zlham.geek.nz/info/

Log = apache log showing the IPs of the sending machines.
shagspammy contains the list of zombie web sites.
testFile contains a capture of all data sent and is rather large at 18 MBytes.

The spam run lasted from the 7th to 13th and yesterday they started a new spam run which is currently ongoing.

Amouse
Amouse
Spam Reporter
Posts: 140
Joined: Sat Jun 13, 2009 11:34 pm

Re: Bot net upgrade.

Postby AlphaCentauri » Thu Aug 18, 2011 3:06 am

I couldn't figure out what they were spamming for. What are all those websites? I just get errors.
AlphaCentauri
You are kiillllling-a my bizinisss!
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Bot net upgrade.

Postby Amouse » Fri Aug 19, 2011 9:17 pm

AlphaCentauri wrote:I couldn't figure out what they were spamming for. What are all those websites? I just get errors.


Short answer.

http://www.outdoor.com.tw/shop/images/rocket.html

>= http://www.therepharmacy.net/

Canadian Health Care

You can use this URL if you wish to monitor what is going on in real time.
As of time of writing the latest spam run is still going on.

http://forsale.zlham.geek.nz/images/shagspammy.txt

Long answer.

The list of URLs in shagspammy is the list of URLs sent in the spam.
My honey pot dumps them to that file.

Each URL equates to a hacked server and in most cases these servers also have a spam bot in a similar vein to the one my server has. The difference is my server only collects the data and does not send spam.

The bot master first updates the redirection page but does not check that the update actually changed the page.
In other words they do not pick up the fact that the page they use does not write the new file. It too has been modified to dump data.

As indicated previously they have changed the C&C server, which was hosted on an IP address in Asia (223.25.242.17); now C&C is also done from hacked/infected machines, hence the need to grab the apache log data as an easy way of extracting the IP addresses instead of trolling through testFile.txt.

A person with more time than I can figure out how many spam messages are generated by the zombie army.
Amouse
Spam Reporter
Posts: 140
Joined: Sat Jun 13, 2009 11:34 pm
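The apache-log tally Amouse describes, as an added example rather than his code: it assumes the default Apache "combined" log format and a honeypot endpoint at /console.php (the file name given earlier in the thread); the log lines below are constructed for illustration using documentation-range addresses, not taken from the published logs.

```javascript
// Added example (not Amouse's code): tally the source IPs of C&C requests from
// an Apache access log, so the sending machines can be listed without reading
// through the full testFile capture. The sample lines are constructed.
const SAMPLE_LOG = [
  '203.0.113.7 - - [17/Aug/2011:02:14:05 +1200] "POST /console.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
  '198.51.100.23 - - [17/Aug/2011:02:14:09 +1200] "POST /console.php HTTP/1.1" 200 498 "-" "Mozilla/4.0"',
  '203.0.113.7 - - [17/Aug/2011:02:15:41 +1200] "POST /console.php HTTP/1.1" 200 530 "-" "Mozilla/4.0"',
  '192.0.2.15 - - [17/Aug/2011:02:16:00 +1200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [17/Aug/2011:02:17:22 +1200] "POST /console.php HTTP/1.1" 200 505 "-" "Mozilla/4.0"',
  '203.0.113.7 - - [17/Aug/2011:02:18:03 +1200] "POST /console.php HTTP/1.1" 200 511 "-" "Mozilla/4.0"',
  'garbage line that does not parse',
];

// Apache combined format (assumed):
// ip ident user [time] "method path proto" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

// Parse one line into its fields, or return null for anything malformed.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Count requests per source IP for the honeypot endpoints only, skipping
// unparsable lines rather than aborting, and rank the result (most hits first,
// ties broken by IP so the order is stable).
function tallySenders(lines, endpoints = ['/console.php']) {
  const counts = new Map();
  let skipped = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) { skipped += 1; continue; }
    if (!endpoints.includes(rec.path)) continue;
    counts.set(rec.ip, (counts.get(rec.ip) || 0) + 1);
  }
  const ranked = [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]));
  return { ranked, skipped };
}

const report = tallySenders(SAMPLE_LOG);
for (const [ip, hits] of report.ranked) console.log(`${ip}\t${hits}`);
console.log(`${report.skipped} unparsable line(s) skipped`);
```

Passing the other two capture scripts' paths in the endpoints array widens the tally to every honeypot file; requests for ordinary pages (the /index.html hit above) are left out so genuine visitors never appear in the sender list.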

Re: Bot net upgrade.

Postby Amouse » Fri Aug 19, 2011 9:29 pm

I have added four more files from previous spam runs.

http://forsale.zlham.geek.nz/info

log-13-8-2011.txt

TestFile-13-8-2011.txt
testFile-2-6-11.txt < new
testFile-26-5-2011.txt < new
shagspammy-13-8-2011.txt
shagspammy-2-6-11.txt < new
shagspammy-26-5-2011.txt < new

If I have any requests I can sort out log data for the periods that have none.

Beware: the testFiles are large and I only have 100K bits out on ADSL.
It may take an hour or two.
Amouse
Spam Reporter
Posts: 140
Joined: Sat Jun 13, 2009 11:34 pm

