Analysis of a typical botnet

Posted by punzalan at 2020-03-06

Tencent's Security Platform Department detects all kinds of botnets in the course of its work. This article analyses the architecture of a typical botnet.

From "A Chinese Odyssey" ("Big Talk Journey to the West"): "I'm going to die anyway, so you can help me. I've heard that if the knife comes out quickly and accurately, a person doesn't die immediately after being cut open, and their eyes can still see. Do me a favor, hurry up, dig out my heart and let me have a look, will you?"

Being attacked is inevitable. If detection is fast, we can find out what the enemy has done and contain its spread and damage to the network in time; as the saying goes, it is never too late to mend the fold after the sheep are lost.

1. Botnet propagation

An important feature of a botnet or worm is its ability to propagate automatically. Here we introduce two common propagation modes.

1.1 Vulnerability propagation

In order to obtain a large number of controlled hosts quickly, attackers update their attack modules promptly. In the author's experience, whenever a new wave of attack techniques is detected, its origin can usually be found among the recently disclosed vulnerabilities.

At the same time, because a botnet's attacks are large-scale (even indiscriminate), it is almost certain that its behavior and attack patterns will be detected, so botnet operators do not use the latest 0days.

1day exploits are the most economical trade-off between the two, and operators prefer vulnerability types that allow direct command execution, such as Struts 2 RCE, JBoss DeploymentFileRepository WAR deployment, and CVE-2012-1823 (PHP-CGI RCE).

1.2 Automated attack tools

Vulnerabilities are common, but servers running the vulnerable software are not always to be found; human weaknesses, however, are always there. Weak passwords are one example: the oldest attack of all, password guessing, still works against SSH / FTP / RDP / Telnet and against management consoles such as the Tomcat manager. Ever faster networks and ever stronger hardware make it more and more efficient.

2. Botnet architecture

Next I will discuss a botnet captured recently. Its functional characteristics are very representative; the following is an analysis of each functional module.

2.1 Downloader

The downloader receives the controller's instructions and downloads and updates the functional modules.

2.2 Propagation relay station

To hide themselves and avoid the whole botnet being taken down at once, botnet operators cannot concentrate the source of communication in one place, so they often set up relay stations on compromised hosts.

In this case, a simple web server is built on the compromised host to serve as the relay.

2.3 Controlled terminal

For a zombie puppet, the most important property is "obedience". This case uses an IRC channel. Two domain names are preset as the server communication address; the IPs they resolve to can be changed at any time, and the IRC bot connects to either server at random.

This IRC bot has several basic functions: DDoS, command execution, self-destruction ("suicide"), server replacement, and stopping all packet sending.

2.4 Bot functions

The IRC bot provides only those age-old functions; the following are what usually differs from one botnet to another.

(1) Vulnerability scanning attack

In this case, the RCE in PHP-CGI (CVE-2012-1823) is used.

vir:~/tl/aa/tmp # ls
ChangeLog  Makefile  TODO  bm.h  inst        ipsort    ipsort.sgml  php.c   pnscan.1  pnscan.o     version.c  ws
LICENSE    README    bm.c  bm.o  install-sh  ipsort.1  php          pnscan  pnscan.c  pnscan.sgml  version.o
vir:~/tl/aa/tmp # head php.c
/* Apache Magica by Kingcope */
/* gcc apache-magika.c -o apache-magika -lssl */
/* This is a code execution bug in the combination of Apache and PHP.
On Debian and Ubuntu the vulnerability is present in the default install
vir:~/tl/aa/tmp # cat ws
#!/bin/bash
while [ 1 ]; do
# ___A=`echo $(( (($RANDOM<<15)|$RANDOM) % 255 + 0 ))`
___A=`echo $(( $RANDOM % 255 + 0 ))`
___B=$(( ((RANDOM<<15)|RANDOM) % 255 + 0 ))
./pnscan -w"HEAD / HTTP/1.0\r\n\r\n" -r"Server: Apache" -t 1000 $___A.$___B.0.0/16 80
#echo $___A.$___B
#sleep 20
done
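The scanner above leaves two fingerprints in a web server's logs: the pnscan probe is a bare "HEAD / HTTP/1.0" with no User-Agent, and the follow-up CVE-2012-1823 request carries a query string that begins with "-" and contains no literal "=" (which is what made php-cgi treat it as command-line options). The following added detector, written for this article and not part of the botnet's or TSRC's tooling, walks Apache combined-format log lines (constructed samples, not from the captured host) and flags both patterns:

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines in Apache "combined" format (not from the post).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Mar/2020:10:00:01 +0800] "HEAD / HTTP/1.0" 200 - "-" "-"
203.0.113.7 - - [06/Mar/2020:10:00:02 +0800] "GET /index.php?-s HTTP/1.1" 200 9000 "-" "-"
198.51.100.2 - - [06/Mar/2020:10:00:03 +0800] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Mar/2020:10:00:04 +0800] "POST /cgi-bin/php?-d+display_errors%3dOn HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""

# Apache combined log: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_pnscan_probe(r):
    """Fingerprint of the 'ws' scanner: HEAD / over HTTP/1.0 with no User-Agent.
    Apache logs a missing User-Agent header as "-"."""
    return (r["method"] == "HEAD" and r["target"] == "/"
            and r["proto"] == "HTTP/1.0" and r["ua"] == "-")


def is_phpcgi_argv_injection(r):
    """CVE-2012-1823 shape: raw query string starts with '-' and has no literal '='.
    php-cgi only passed such query strings through to its option parser, so the
    check is done on the un-decoded string (a %3d-encoded '=' does not count)."""
    query = urlsplit(r["target"]).query
    return query.startswith("-") and "=" not in query


def scan_log(text):
    """Return (source_ip, finding) tuples for every matching log line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        r = m.groupdict()
        if is_pnscan_probe(r):
            findings.append((r["ip"], "scanner-probe"))
        if is_phpcgi_argv_injection(r):
            findings.append((r["ip"], "php-cgi-argv"))
    return findings


if __name__ == "__main__":
    for ip, what in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{what}")
```

A single source producing the probe followed by an argv-style query within seconds is exactly the sequence the ws script and php.c produce, and is worth blocking at the edge while the PHP-CGI patch is rolled out.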

(2) Mining slaves

Today's "hackers" are no longer of the era that advocated freedom and extreme technical skill; money is their ultimate goal. So we also found "excavators" (miners) in this botnet: the hackers simultaneously mine two anonymous cryptocurrencies, Protocoin and Primecoin, to squeeze every bit of performance out of the system.

Protocoin miner

Primecoin miner

(3) Privilege escalation

In this case, the attacker is not satisfied with the ordinary privileges obtained through the web vulnerability, and also obtains root through system vulnerabilities and social engineering (information collection).

Privilege-escalation tools and exploits

Crawling configuration files for passwords to guess the root password

From the above analysis we can see that this botnet spreads widely by exploiting CVE-2012-1823, and the compromised hosts are used to mine two cryptocurrencies, draining their system resources to the full.

Botnet architecture

3. Dealing with the botnet threat

Statistics of botnet attack attempts

The above shows the trend of botnet attack attempts detected recently. A botnet has a life cycle, from establishment to extinction. If it is found early, vulnerabilities can be patched and blocking policies established in time, preventing its harm from spreading.

Botnet life cycle

In daily security work, by analysing intrusion detection data we can perceive the evolution of botnets and the attack trends of 0day / 1day / nday exploits. While a botnet is still in its early stage and has not reached scale, it can be strangled in the cradle if the industry security alliance acts against it together in time. The forms of cooperation may include, but are not limited to, the following:

Tencent has a large business and server footprint of its own. As a huge target "firing range" and a large distributed "honeypot", we can fully tap its data potential to help the industry jointly raise the level of security, although compared with the whole Internet environment it is insignificant. TSRC is willing to work with the industry to fight against botnets and jointly safeguard Internet security.