Hunting Botnets with ZMap

Ricky “HeadlessZeke” Lawshae

The internet is a big place, and malware is a big problem. However, with the rise in new internet-scale scanning technologies like ZMap, we have an opportunity to make things a lot more manageable. I have been working on a pet project lately that attempts to do just that, and I wanted to take a moment to share some of the initial findings I have made.

A more active approach

Up to this point, most efforts to quantify botnet infections have been largely passive – monitoring “sensors” for botnet traffic as it passes by, counting hits on IDS devices, extrapolating size estimates from sample sets, etc. I thought it would be interesting to try a more active approach. Why not use ZMap to reach out directly to hosts and have them tell you right then whether or not they are infected? There are a few things you need in order to accomplish this. First, you need to write a payload that, when sent to an infected host, will elicit a recognizable response, so that you will know when you have found one. Second, you need a lot of bandwidth in order to scan the entire IPv4 address space in a reasonable amount of time. With my current setup, it takes about three hours per scan, but your mileage may vary. Lastly, you need ZMap, or something similar, to send your payload out into the world. I like ZMap because it is open source, is easily extensible, and does most of what I need with little configuration.

Zero Access by the Numbers

As my initial proof-of-concept target, I chose the Zero Access malware. It is a P2P-style botnet where all infected hosts can communicate with each other, which suited my needs quite nicely. The P2P network is divided into “super-peers” which are internet-facing infected hosts, and normal “peers” which are not accessible except through the “super-peers” they are connected to. It has been in the news a lot lately with recent take-down attempts by both Microsoft and Symantec and is still quite prevalent and active. The payload that I composed mimicked a command that Zero Access infected hosts send to each other to request an updated list of their “peers”. Since the “super-peers” are the machines that can be reached from the internet, those were what I would be trying to find. The scan I performed for this took place on December 4, 2013 and took 15 hours to complete (3 hours for each of the 5 ports that Zero Access is known to listen for commands on). The results I got, after removing false positives, broke down like this:

Port      Number of Infected Hosts
16461     239
16464     3503
16465     1285
16470     2192
16471     4230

Total Unique Hosts    10500

The reason that the total number of infected hosts found is less than the sum of the individual ports is that some machines were listening on multiple ports. The infected hosts were spread across 114 countries, with the vast majority located in the United States:

[graph1.png: Distribution of Infected Hosts by Country]
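The scan procedure from “A more active approach” (a probe payload, enough bandwidth, and ZMap to send it) together with the bookkeeping behind the table above (per-port counts versus the smaller unique-host total, then a country breakdown), as an added example in Python that is not code from the original post. It assumes a ZMap build with the udp probe module and the flags -M, -p, --probe-args=file:, -B, -f and -o; the payload file path is a placeholder because the post does not publish the probe bytes; the CSV rows and the IP-to-country mapping are constructed for the example, and false positives are assumed to have been removed already, as the post does before counting.

```python
"""Per-port ZMap scans for the Zero Access super-peer ports, plus result tallying.

Added example, not code from the original post. Assumptions (not stated on the
page): a ZMap build with the udp probe module; the probe payload already written
to PAYLOAD_FILE (the post does not publish its bytes, so the path is a
placeholder); false positives already filtered out of the CSV before counting.
"""
import csv
import io
import subprocess
from collections import Counter

# The five ports the post says Zero Access listens for commands on.
ZEROACCESS_PORTS = (16461, 16464, 16465, 16470, 16471)

PAYLOAD_FILE = "/path/to/zeroaccess_probe.bin"  # placeholder (see module docstring)
BANDWIDTH = "10M"                                # ZMap -B send-rate cap; tune to your link


def zmap_command(port, payload_file=PAYLOAD_FILE, bandwidth=BANDWIDTH):
    """Build the argv for one port, mirroring the post's one-scan-per-port approach."""
    return [
        "zmap",
        "-M", "udp",                              # udp probe module
        "-p", str(port),                          # target port for this run
        "--probe-args", f"file:{payload_file}",   # payload bytes sent in every probe
        "-B", bandwidth,
        "-f", "saddr,sport",                      # CSV columns: responder IP, source port
        "-o", f"zeroaccess_{port}.csv",
    ]


def run_all_scans(ports=ZEROACCESS_PORTS):
    """Run the five scans back to back (about 3 h each in the post's setup)."""
    for port in ports:
        subprocess.run(zmap_command(port), check=True)


def parse_hits(csv_text):
    """Return the set of (ip, port) pairs from ZMap CSV text.

    A set collapses repeated rows for the same host and port; answers that came
    back from a source port outside the Zero Access list are dropped as stray.
    """
    hits = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        port = int(row["sport"])
        if port in ZEROACCESS_PORTS:
            hits.add((row["saddr"], port))
    return hits


def per_port_counts(hits):
    """Infected hosts per port, the figure the post tabulates for each scan."""
    return Counter(port for _, port in hits)


def unique_hosts(hits):
    """Distinct hosts: smaller than the per-port sum whenever a host listens on several ports."""
    return {ip for ip, _ in hits}


def country_distribution(hosts, country_of):
    """(count, percent) per country; country_of maps IP -> country (GeoIP/whois in a real run)."""
    counts = Counter(country_of.get(ip, "unknown") for ip in hosts)
    return {c: (n, round(100.0 * n / len(hosts), 1)) for c, n in counts.items()}


# Constructed sample output (documentation-range addresses), merged from several per-port runs.
SAMPLE_CSV = """saddr,sport
198.51.100.7,16464
198.51.100.7,16471
203.0.113.42,16465
203.0.113.42,16470
203.0.113.42,16471
192.0.2.9,16461
192.0.2.200,16464
192.0.2.200,16464
192.0.2.250,53
"""

# Constructed IP -> country mapping for the sample rows.
SAMPLE_COUNTRY = {
    "198.51.100.7": "US", "203.0.113.42": "US", "192.0.2.9": "RO", "192.0.2.200": "IN",
}

if __name__ == "__main__":
    hits = parse_hits(SAMPLE_CSV)
    print("per port:", dict(per_port_counts(hits)))   # 7 listeners across 5 ports
    print("unique hosts:", len(unique_hosts(hits)))   # 4 distinct hosts
    print("by country:", country_distribution(unique_hosts(hits), SAMPLE_COUNTRY))
```

Running the module on the constructed sample gives seven (host, port) listeners but only four distinct hosts, the same effect as the post's 11449 per-port total against 10500 unique hosts; run_all_scans is the only piece that needs a real ZMap and a real payload.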

This distribution lines up pretty well with each country's share of overall IPv4 address ownership, with the exceptions of India and Romania, which were slightly higher than expected, and China, which was much lower, accounting for only 0.1% of the infected hosts found, possibly due to that country’s firewall restrictions. Sorting the IP addresses by ISP also yielded no big surprises. The ISPs with the biggest share of infected hosts were based in the countries that also had the biggest share of infected hosts, though the ordering within the top 10 most affected was interesting, with Comcast holding the dubious honor of first place by a fairly large margin:

[graph2.png: Top 10 Most Affected Internet Service Providers]

In the end, what I took from this little experiment is that this can be a very effective approach to measuring and tracking certain types of malware, and that it has the potential to be even more effective at finding C&C servers.

Next Steps

Now that the initial growing pains of this project are behind me, there are several avenues I would like to pursue. First, continuing to scan for Zero Access peers will provide us with a good picture of the botnet over time. We will be able to see whether the infection rate is growing or dying down, watch the spread to different countries, and measure the effectiveness of future take-down efforts. Second, once I have written more probes for other types of malware, a regular schedule of scans can be put into action, giving us the ability to provide monthly or possibly even weekly updates on multiple botnets. And of course, I would like to focus on directly hunting down C&C servers, as I feel that may be where the real value of this project lies. Overall, it seems like this type of approach may help us be more proactive about the malware problem, and I’ll be sure to keep everyone posted.

Comments
TrevorP | 01-12-2014 12:40 PM

Fascinating article

As most hosts (using IPv4) are NAT'ed behind their ISP, I suppose you can only really get the ISP to take the next step and inform the IP address owner that they are infected?

Would IPv6 help?

HeadlessZeke | 01-13-2014 03:25 PM

Thanks for the question!

Since this project is still really in its infancy, we haven't decided what the best course of action would be as far as what to do about infected/malicious hosts that we find, though a couple of good ideas have been floated around.

And as for IPv6, while that would definitely solve the NAT'ing problem, it has two big problems of its own. The first is adoption. While IPv6 support is getting pretty good now and the number of devices using it is growing, it's nowhere near universal enough to give us any improvement over the numbers we're getting now. The second problem is time. If it takes hours or even minutes to scan the entire IPv4 address space, we would all be long gone before a single IPv6 scan finished. Of course, this is a very naive estimate, and I don't think we would need to hit *every* address, but still.

Anyways, keep the ideas coming!

martin schmitt | 03-10-2014 02:28 AM

It would be great if this information would be fed into the ThreatLinQ World Map. Is this planned, or would it be possible?

HeadlessZeke | 03-12-2014 07:16 AM

That's a good idea! I'll look into it.

Franz Gleichmann | 04-28-2014 06:10 AM

hi,

i spontaneously had an idea to scan ipv6-networks (and ipv4-networks more efficiently).

as you previously stated, not every address has to be scanned.

the question is: how do we get those that need to be scanned?

my thought: an "anti-bot-net" of volunteers who provide a portion of their processing power and bandwidth to the cause of fighting botnets - they simply send known ip-addresses to a scanning host (known addresses could be addresses the volunteers may have connected to themselves or they simply captured somewhere)

yes, that would obviously be a big (huge (gigantic)) privacy problem, but that could be resolved by simply anonymously forwarding the IP over a random number of peers before feeding it to the "scanning host" - therefore, no one would know where the IP came from (except probably someone listening on the last mile, but if there's a sniffer there, he'd know the IP anyway)

so we'd have a constant stream of IPs that are known to be online from a decentralised source that could be decentrally scanned and the resulting data (what IPs are infected) then pushed to a central information hub.

i bet the whole thing has several flaws, but i just wanted to share my idea with you, possibly just as a food for thought.

anyway, great idea with your initial scan. keep it up :)

About the Author
Steve Povolny manages the Digital Vaccine team at HP TippingPoint. The team is composed of security researchers and filter/signature develo...
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.