While analyzing some of the attacks we see on the Wordfence Web Application Firewall, we discovered code that an attacker was trying to upload which turned out to be part of a botnet. In case you're not in the information security space, a botnet is a network of "bot" or "zombie" machines that is controlled from a central command and control (C&C) server.
In the case of this botnet, it was controlled via a chat service called IRC, or Internet Relay Chat. IRC is a popular way of controlling botnets because all the "bot" or zombie machines can connect to the chat server and join a channel to receive broadcasts. This allows the botnet owner to simply sign into the chat server and broadcast commands to all the zombies, which they all run at the same time.
The code below shows a typical hack attempt where the attacker is trying to inject their botnet code into a targeted WordPress site. Wordfence blocks this attack and any attack that includes this botnet code.
Once a WordPress site is compromised with this attack, the infected server connects to an IRC chat server, ready to receive commands and do the botnet owner's bidding.
The owner might use those zombie WordPress sites to attack more sites. Or he might use them to launch a distributed denial of service or DDoS attack on someone, overwhelming them with traffic. He could also simply deface all the sites in his botnet with SEO spam.
The hashed password is shown next to LND-Bloodman's username above. We've blurred the encoded command and control server IP address. The content length is over 25K, so this is a reasonably long script.
The Wordfence team decided to analyze the botnet code and try to identify who was running the botnet.
Going After the Command and Control Servers
During our analysis of the malicious code, we found five IP addresses of IRC command and control servers (C&C servers) for this botnet. Two of them were down. Three were still up.
We created modified zombie code to connect to the C&C servers and do further analysis. Our code was designed to save all files it was commanded to download. It would also log all commands sent to it and not actually do anything malicious.
The botnet owner's nickname/handle appears to be Bloodman.
One of the things we were hoping to get by doing this is Bloodman's password that he uses to control his botnet. He had built his botnet zombie code so that whenever he sent a command to the zombies via the C&C server, it included a password.
The zombies would hash that password, compare the hash to what is stored in the code and, if it matches, would know it's Bloodman sending the command and would run the command.
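The passive observation described above (a modified client that logs every command without executing any) and the password-hash check the zombies perform can be illustrated together. The following is an added example and is not Wordfence's monitoring code or the botnet's own code: it parses raw IRC protocol lines from a constructed capture, records every channel command, and flags which ones carry a password whose digest matches a stored hash. The post does not name the hash algorithm, only that the digest is 32 hex characters, so treating it as MD5 is an assumption, as is the assumption that the password is the first token of each command. The stored digest, nicknames' hosts and channel text below are constructed placeholders, not the real botnet's values.

```python
"""Passive IRC command logger for analysing a captured C&C channel.

Added example, not Wordfence's or the botnet's code. Nothing here
executes a command; it only parses, logs and classifies them.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder: md5("password"). The real botnet's hash and
# password from the post are deliberately not reproduced here.
STORED_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"

# IRC prefix: ":nick!user@host " or ":servername "
PREFIX_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!(?P<user>[^@\s]+)@(?P<host>\S+))?\s+"
)


@dataclass
class IrcMessage:
    nick: Optional[str]
    host: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


def parse_irc_line(line: str) -> IrcMessage:
    """Split one raw IRC line into prefix, command, params and trailing text."""
    line = line.rstrip("\r\n")
    nick = host = None
    m = PREFIX_RE.match(line)
    if m:
        nick, host = m.group("nick"), m.group("host")
        line = line[m.end():]
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    command = parts[0].upper() if parts else ""
    return IrcMessage(nick, host, command, parts[1:], trailing)


def is_operator_command(text: str, stored_hash: str = STORED_HASH) -> bool:
    """Assumption: the password is the first token of a command and the
    zombies compare its MD5 digest with the digest stored in their code."""
    stripped = text.strip()
    if not stripped:
        return False
    token = stripped.split(maxsplit=1)[0]
    return hashlib.md5(token.encode("utf-8")).hexdigest() == stored_hash


def observe(lines):
    """Walk captured lines: answer PINGs (only so a live session would stay
    connected), log every PRIVMSG/NOTICE, and never execute anything."""
    log, replies = [], []
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg.command == "PING":
            replies.append("PONG :" + (msg.trailing or ""))
        elif msg.command in ("PRIVMSG", "NOTICE") and msg.trailing is not None:
            log.append({
                "from": msg.nick,
                "host": msg.host,
                "target": msg.params[0] if msg.params else None,
                "text": msg.trailing,
                "operator": is_operator_command(msg.trailing),
            })
    return log, replies


# Constructed capture; hosts are documentation-range addresses.
SAMPLE_CAPTURE = [
    "PING :irc.example.invalid",
    ":LND-Bloodman!op@203.0.113.7 PRIVMSG #1x33x7 :password !uptime",
    ":visitor!u@198.51.100.9 PRIVMSG #1x33x7 :hello there",
    ":LND-Bloodman!op@203.0.113.7 PRIVMSG #1x33x7 :wrongpass !die",
]

if __name__ == "__main__":
    entries, pongs = observe(SAMPLE_CAPTURE)
    for e in entries:
        print(("OPERATOR " if e["operator"] else "         ") + f"{e['from']} -> {e['target']}: {e['text']}")
```

Only commands whose first token hashes to the stored digest are marked as operator-authenticated; everything else is kept in the log as ordinary channel traffic, which is what a passive analysis client wants.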
The hash we found in the code, as you can see in the above image, is:
2cbd62e679d89acf7f1bfc14be08b045
Googling this hash shows that the malware with this password has been seen before. A blogger saw an attack containing this hashย in September last year.
The oldest Google resultย mentioning this hash is from December 2012 and is a request to crackย the hashย and turn it into the password which is still unsuccessful. This indicates with a high degree of certainty that Bloodmanย has been active and using this password since December 2012.
If one can reverse this hash, you can simply sign into any IRC server that Bloodmanย is using and have immediate control of hisย botnet.
We connected to all three of his C&C servers and, after watching and waiting for about 48 hours, we hit the jackpot. He signed in and sent a command to the botnet. We captured his password. The first part of it is:
1x33x7.0wnz-your.************
We've intentionally starred out the rest of the password (which is long) to prevent anyone else from taking control of these botnets.
This would have allowed us to take control of his botnet if we had wanted to. It turns out Bloodman also refers to himself as 1x33x7.
At this point we connected to one of the botnet servers:
We've blurred out any IP addresses or identifying information. The server is named to look like some kind of FBI honeypot. Considering it's actively hacking WordPress sites, we're guessing it's a joke on the hacker's part.
Joining the channel #1x33x7 where all the bots hang out shows us the following when we ask for a list of users:
There are 31 infected machines shown excluding the three users. And there is also LND-Bloodman hanging out in the channel.
The format of the nicknames shows some information about the compromised system including what web server software itโs running.
Running IRC's "whois" command on a few of the zombies shows that some of them are FreeBSD Unix boxes. Others are running Windows Server 2012 or Windows 8; both identify as "Windows NT 6.2 Build 9200."
Running "whois" on the two Bloodman accounts gave us two IP addresses and a possible email address with a first name.
At this point we have enough information to go "active", take control of the botnet and shut it down. The botnet has enough functionality for us to first delete any infected code and then kill the processes running on the remote machines, thereby destroying the part of the botnet that is connected to this command and control server.
We chose not to shut down the botnet for two reasons:
Firstly, the Computer Fraud and Abuse Act does not allow us to hack the hackers. So even though we had passively connected to this hacker's command and control system, going active and changing the system could land us in some hot water with the FBI. We would rather observe and report, because that is all the law allows unless you work for the military or a military agency in the United States.
Secondly, we were concerned that we may not have all the information and we may actually do harm by trying to disinfect remote machines.
We don't think that shutting down a single C&C server, or even all three C&C servers and their respective bots, would do much good. Bloodman would simply regroup and reinfect new sites with new C&C servers.
Attribution: Who is doing this?
To try to determine who controls this botnet, we started with both usernames that appear in the source code: Bloodman and 1x33x7. One of those usernames pointed us to a Twitter account. The Twitter account contains a German slogan, "I am root", and various images of what is probably the botnet owner's face.
The Twitter account links to a YouNow profile which is a live video broadcasting service โ it uses the same username.
The YouNow profile linked to a YouTube account that uses the second username, which contains plenty of identifying information and a video of the botnet controller bragging about his botnet. He speaks German, likes to play with fireworks, and we know what car he drives and have images of various German roads.
In addition to the open source intelligence above, we mined public data leaks and found a user profile on a hacker website that includes one of the usernames and the IP address the user last signed in from. That IP address is in Germany and belongs to Deutsche Telekom. Providing this to the authorities would probably reveal his full identity from ISP logs.
Conclusion
This is a small botnet with under 100 infected machines when you combine all the C&C servers together. This individual is launching under 2000 attacks per week. While they are inconvenient and consume resources, they are all blocked by the Wordfence Firewall.
We are working with net block owners to let them know about machines, particularly C&C servers that are on their network and are likely compromised.
We think that discussing the tactics, techniques and procedures of attackers, both small and large, helps us all better understand what we are protecting our WordPress sites against and how to do a better job.
The post Hacking a WordPress Botnet appeared first on Wordfence.