
Using Honeypots to Sniff and Snuff out Botnets, part 1

In recent years, honeypots have seemed to fall out of favor with security researchers.  The reason is straightforward - a classic honeypot (a single IP running vulnerable services) or honeynet (honeypots spread across multiple IPs) will only catch attacks that actively scan for and try to exploit listening services.  Those attacks range from loud worms like Blaster, Gimmiv and Slammer to quieter ones, such as a bot that only scans its local subnet.

Why do I presume that there aren't enough researchers employing honeypots and honeynets?  Simple - the botnets that use these types of attacks to spread have not had their controllers (C&Cs) change location (IP) in months or more.  Of course, this lapse in abuse notifications is on me as well, but I hope to rectify the situation by notifying the offending upstream providers relentlessly going forward.

Considering the types of information these devices generate, the metrics one would want to track include:

  • Attacks per source IP
  • Attacks per CIDR/AS block
  • Attacks per ISP
  • Attacks per country
  • Attacks per port
  • Attacks per protocol
  • Attacks per vulnerability (CVE/MS#)
  • Attacks per X seconds

There are lots of interesting statistics and graphs that can be generated by gathering the data points for the metrics above.  One of the things I like to look at is "Attacks per ISP", as you can really see which ISPs block outbound Windows networking protocols (NetBIOS/SMB/RPC on TCP 135, 139 and 445) at their border, and which do not.  Although this is a fairly draconian measure, the practical uses of those protocols over a WAN are almost nonexistent, and thus many ISPs block them unless a customer specifically requests otherwise.
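The following is an added example (not code from the FireEye honeynet) showing how the metrics in the list above can be computed from honeypot attack records.  The record format, the sample log lines and the prefix-to-ISP table are constructed for illustration; a real honeypot emits its own format, and the ISP/AS mapping would come from whois or a routing table rather than a hard-coded dict.

```python
"""Aggregate honeypot attack records into the per-IP / per-block / per-ISP /
per-port / per-protocol / per-vulnerability / per-window metrics.

Added example, not code from the FireEye honeynet. The record format, the
sample log lines and the prefix-to-ISP table are all constructed.
"""
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: "<ISO timestamp> <src ip> <dst port> <proto> <vuln id>",
# using documentation address ranges (RFC 5737) as attacker sources.
SAMPLE_LOG = """\
2009-04-01T10:00:01 192.0.2.7 445 tcp MS08-067
2009-04-01T10:00:03 192.0.2.7 445 tcp MS08-067
2009-04-01T10:00:04 192.0.2.9 135 tcp MS03-026
2009-04-01T10:00:09 198.51.100.22 1434 udp CVE-2002-0649
2009-04-01T10:01:15 192.0.2.7 139 tcp MS08-067
2009-04-01T10:01:40 198.51.100.23 445 tcp MS08-067
"""

# Constructed prefix -> ISP table standing in for a whois/ASN lookup.
SAMPLE_ISPS = {
    "192.0.2.0/24": "ExampleNet-A",
    "198.51.100.0/24": "ExampleNet-B",
}

EPOCH = datetime(1970, 1, 1)  # naive reference point; avoids local-timezone surprises


def parse_log(text):
    """One dict per attack record; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, proto, vuln = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "port": int(port), "proto": proto, "vuln": vuln})
    return records


def attacks_per(records, field):
    """Attacks per source IP, port, protocol or vulnerability (any record field)."""
    return Counter(r[field] for r in records)


def attacks_per_block(records, prefix_len=24):
    """Attacks per CIDR block; strict=False masks the host bits off each source."""
    return Counter(str(ip_network(f"{r['src']}/{prefix_len}", strict=False))
                   for r in records)


def attacks_per_isp(records, prefix_to_isp):
    """Attacks per ISP by longest-prefix match against a prefix table."""
    nets = sorted(((ip_network(p), isp) for p, isp in prefix_to_isp.items()),
                  key=lambda n: n[0].prefixlen, reverse=True)
    counts = Counter()
    for r in records:
        addr = ip_address(r["src"])
        counts[next((isp for net, isp in nets if addr in net), "unknown")] += 1
    return counts


def attacks_per_window(records, seconds=60):
    """Attacks per fixed window of N seconds, keyed by the window's start time."""
    counts = Counter()
    for r in records:
        offset = int((r["ts"] - EPOCH).total_seconds())
        start = EPOCH + timedelta(seconds=offset - offset % seconds)
        counts[start.isoformat()] += 1
    return counts


def report(text=SAMPLE_LOG, prefix_to_isp=SAMPLE_ISPS):
    """All metrics from the list in one dict of Counters."""
    records = parse_log(text)
    return {
        "per_source": attacks_per(records, "src"),
        "per_block": attacks_per_block(records),
        "per_isp": attacks_per_isp(records, prefix_to_isp),
        "per_port": attacks_per(records, "port"),
        "per_proto": attacks_per(records, "proto"),
        "per_vuln": attacks_per(records, "vuln"),
        "per_minute": attacks_per_window(records, 60),
    }


if __name__ == "__main__":
    for name, counts in report().items():
        print(name, dict(counts.most_common()))
```

Sources that fall outside the prefix table are counted under "unknown" rather than dropped, so the per-ISP totals always add up to the per-source totals; that is the first sanity check to run before graphing anything.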

However, the above statistical analysis has been done to death.  What hasn't received as much research effort are the botnet channels in use once one of these attacks succeeds.  That's not to say there has been no research - the folks over at SRI do a good job of publishing some of this data - but judging by the lack of movement of the C&C servers, there are clearly not enough eyes looking at the data.

Looking at the first set of data from my honeynet, you can see two distinct botnets.  In the screenshot below, you can see the botnet channels detected by one of our devices monitoring a small number of IPs in an ISP's darkspace (address space with no legitimate hosts, so anything that arrives there is unsolicited).  Each line represents a separate attack.  For readability's sake, the \r (0x0D) is replaced by :: and the \n (0x0A) by ~~.

[Screenshot: Honeynet - botnet channels detected, one attack per line]

At first glance both of these appear to be a variation of the famous Rbot toolkit.  (As an aside, all the vendors call it Rbot, but if you look at the bot source code, it's really rBot)
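As an added example (not the honeynet's own tooling), here is how the C&C rendezvous can be pulled out of a captured bot session in the format described above: the raw bytes are rendered with :: and ~~ for display, and the IRC server, nick, channel, key and topic are extracted.  The session below is constructed: the nick, channel, key and topic are placeholders in the style of an rBot-family join, the server name uses the reserved .invalid TLD, the destination IP is a documentation address, and only the port (TCP/3921) is taken from the post.  The bot-nick regex is a heuristic assumption, not a signature.

```python
"""Extract the IRC C&C rendezvous from a captured bot session.

Added example, not the honeynet's own tooling. SAMPLE_SESSION is constructed;
only the port 3921 comes from the post.
"""
import re

# Constructed capture. In a real honeynet these bytes come from the bot's
# outbound connection after the exploit against the honeypot succeeds.
SAMPLE_SESSION = {
    "dst": "192.0.2.10",   # documentation address standing in for the C&C IP
    "dport": 3921,
    "client": (b"NICK [USA|XP|012345]\r\n"
               b"USER xp 0 0 :xp\r\n"
               b"JOIN #examplechan examplekey\r\n"),
    "server": (b":irc.example.invalid 001 [USA|XP|012345] :Welcome\r\n"
               b":irc.example.invalid 332 [USA|XP|012345] #examplechan :constructed topic text\r\n"),
}

# RFC 1459 message shape: optional ":prefix", a command word or 3-digit numeric, params.
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$")

# Heuristic (an assumption, not a vendor signature): rBot-style nicks often look
# like [COUNTRY|OS|digits]. Tune this against your own captures.
BOT_NICK = re.compile(r"^\[[A-Za-z]{2,3}\|[^|\]]+\|\d+\]$")


def render_payload(raw):
    """One-line rendering with CR shown as '::' and LF as '~~', as in the post."""
    return raw.decode("latin-1").replace("\r", "::").replace("\n", "~~")


def parse_irc_lines(raw):
    """Yield (prefix, COMMAND, params) for each CRLF-terminated IRC line."""
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line:
            continue
        m = IRC_LINE.match(line.decode("latin-1"))
        if m:
            yield m.group("prefix"), m.group("cmd").upper(), m.group("params") or ""


def trailing(params):
    """The ':'-prefixed trailing parameter (e.g. topic text), or '' if absent."""
    return params.split(":", 1)[1] if ":" in params else ""


def extract_cnc(session):
    """Pull server:port, nick, joined channels (+keys) and topics the bot received."""
    info = {"server": f"{session['dst']}:{session['dport']}", "nick": None,
            "bot_like_nick": False, "channels": [], "topics": []}
    for _, cmd, params in parse_irc_lines(session["client"]):
        if cmd == "NICK":
            info["nick"] = params.split()[0]
            info["bot_like_nick"] = bool(BOT_NICK.match(info["nick"]))
        elif cmd == "JOIN":
            parts = params.split()
            info["channels"].append((parts[0], parts[1] if len(parts) > 1 else None))
    for _, cmd, params in parse_irc_lines(session["server"]):
        # 332 is RPL_TOPIC, sent on join; IRC bots commonly take their standing
        # orders from the channel topic, so it is worth recording.
        if cmd in ("TOPIC", "332"):
            info["topics"].append(trailing(params))
    return info


if __name__ == "__main__":
    print(render_payload(SAMPLE_SESSION["client"]))
    print(extract_cnc(SAMPLE_SESSION))
```

The channel key is kept because it is what lets a researcher (or the abuse desk) verify the channel is still live; the topic is kept because it usually carries the bot's current orders.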

Looking at the first botnet we see two domains - as.aswend.com and fr.aswend.com running a C&C IRC server on TCP/3921.  Let's see where/how they're hosted (I'll spare you the output from 'dig' this time around)   

fr.aswend.com - 76.76.19.32 - CaroNet Managed Hosting - North Carolina, USA - abuse@carohosting.com

as.aswend.com - 91.192.36.142 - CJ2 Hosting - Groningen, The Netherlands - noc@cj2.nl

As noted previously, most botnets now use professional hosting services to run their Command and Control servers.  Previously a C&C server would actually be run on one of the hacked bots that happened to be reachable from the Internet without a firewall in the way, but this proved unstable for obvious reasons: that host could be cleaned, shut down or change address at any time.

The next clear botnet from above is the group of www.topgameland.com, mail.tiktikz.com, www.genesisstore.sk and mail.fucuzzy.com, all running their C&C on TCP/80.

www.topgameland.com - 209.205.196.2, 209.205.196.3, 209.205.196.12 (.12 is down)

www.genesisstore.sk - 209.205.196.2, 209.205.196.3, 209.205.196.12

mail.tiktikz.com - 209.205.196.2, 209.205.196.3

mail.fucuzzy.com - 209.205.196.2, 209.205.196.3

All of these IPs are hosted in San Diego by Pacnet, although the company appears to be run out of Mexico; the email address listed in the whois record is ip@pacnet.com.mx.  Again, these are bought-and-paid-for servers used solely to host these C&Cs; they are not hacked machines.
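The grouping above rests on the four hostnames sharing front-end IPs.  As an added example (not FireEye's tooling), the following clusters domains by overlapping resolutions and reports, per cluster, the IPs every member shares and the netblocks to send abuse mail about.  The resolution table is taken from the lookups listed in this post; in practice it would be filled from dig output or passive DNS.

```python
"""Group C&C domains by shared hosting (any IP in common) and report what
each group shares.

Added example, not FireEye's tooling. RESOLUTIONS holds the lookups listed
in the post; fill it from dig/passive DNS in practice.
"""
from collections import defaultdict
from ipaddress import ip_network

RESOLUTIONS = {
    "fr.aswend.com": ["76.76.19.32"],
    "as.aswend.com": ["91.192.36.142"],
    "www.topgameland.com": ["209.205.196.2", "209.205.196.3", "209.205.196.12"],
    "www.genesisstore.sk": ["209.205.196.2", "209.205.196.3", "209.205.196.12"],
    "mail.tiktikz.com": ["209.205.196.2", "209.205.196.3"],
    "mail.fucuzzy.com": ["209.205.196.2", "209.205.196.3"],
}


def cluster_by_shared_ip(resolutions):
    """Union-find over domains: two domains land in one cluster if any IP overlaps.

    Returns clusters as sorted lists, largest cluster first.
    """
    parent = {d: d for d in resolutions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the trees shallow
            x = parent[x]
        return x

    ip_to_domains = defaultdict(list)
    for domain, ips in resolutions.items():
        for ip in ips:
            ip_to_domains[ip].append(domain)
    for domains in ip_to_domains.values():
        root = find(domains[0])
        for other in domains[1:]:
            parent[find(other)] = root
    clusters = defaultdict(set)
    for domain in resolutions:
        clusters[find(domain)].add(domain)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c[0]))


def common_ips(cluster, resolutions):
    """IPs that every domain in the cluster resolves to (the shared front ends)."""
    return sorted(set.intersection(*(set(resolutions[d]) for d in cluster)))


def cluster_netblocks(cluster, resolutions, prefix_len=24):
    """The /prefix_len blocks a cluster lives in, i.e. whose abuse desk to notify."""
    return sorted({str(ip_network(f"{ip}/{prefix_len}", strict=False))
                   for d in cluster for ip in resolutions[d]})


if __name__ == "__main__":
    for cluster in cluster_by_shared_ip(RESOLUTIONS):
        print(cluster, common_ips(cluster, RESOLUTIONS),
              cluster_netblocks(cluster, RESOLUTIONS))
```

Note the caveat this makes visible: the two aswend.com hosts do not share an IP, so IP overlap alone leaves them in separate clusters.  What ties them together is the bot traffic itself (the same bot joining both on TCP/3921), so shared hosting is a confirming pivot for the TCP/80 group, not a substitute for looking at the channel data.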

As I mentioned, after I confirmed the C&C servers were still up, I sent notifications for the C&C servers in this post.

If you're interested, the guys over at The Shadowserver Foundation have a great reference page for setting up your own honeypot.

To break up the text, there will be another post following this one with more of the top botnet servers.

Alex Lanstein @ FireEye Malware Intelligence Lab
Questions/Comments to research@fireeye.com