Interfree.it Botnet Activities

Interfree.it is an Internet Service provider how give to his users a free email and a free web site hosting space. Interfree.it is also providing a free sub domain for each created account (ex : http://yourname.interfree.it).

Since the start of our Honey Net in Feb. 2009 we have directly observe that some malware scripts where located on Interfree.it and participate actively to a bonnet construction and propagation.

Interfree.it server, how is hosting the major botnet script, has the IP 213.158.72.68. Since Feb. 2009 to end Jun 2010, Interfree.it botnet is composed of few different malware hosters, has generate 2 807 events and 169 attackers have call the botnet files located on the hosters servers.

Italy, US and Russia are the countries how are the most participating to the botnet activity in term of events. Italia and US are the countries how are hosting part of the botnet since more than 100 days. Interfree.it botnet could be considered as a small botnet.

May 2010 was the more active month in term of events, May 2010 the month with the most distinct attackers and March 2010 the month with the most detected hosters.

Since April 2010 we can see that the activity of the botnet is increasing.

Interesting point the FileAve.com, the Kortech.cn and the Interfree.it Botnet are linked together between some few hosters. Just check the available Afterglow visualization of the interaction between the two botnets.

I have generate some stats and graphs, with all the associated raw datas how are available here.

Kortech.cn Botnet Activities

Kortech.cn is a Chinese website, located in Shangai China.

Since the start of our HoneyNet in Feb. 2009 we have directly observe that one “Tier RFI” where located on Kortech.cn and participate actively to a bonnet propagation.

Kortech.cn server, how is hosting the major botnet script, has the IP 218.5.74.92. Since Feb. 2009 to end Jun 2010, FileAve.com botnet is composed of 39 different malware hosters, has generate 8 134 events and 353 attackers have call the botnet files located on the hosters servers.

China, Germany, Colombia and South Korea are the countries how are the most participating to the botnet activity in term of events. China, South Korea, Germany and US are the countries how are hosting part of the botnet since more than 100 days.

March 2010 was the more active month in term of events, April 2009 the month with the most distinct attackers and March 2010 the month with the most detected hosters. Since December 2009 we can see that the activity of the botnet is increasing.

Interesting point the FileAve.com Botnet and the Kortech.cn Botnet are linked together between some few hosters. Just check the available Afterglow visualization of the interaction between the two botnets.

I have generate some stats and graphs, with all the associated raw datas how are available here.

FileAve.com Botnet Activities

FileAve.com is a free file hosting with no download limits, the maximum available storage per account is 50 Mb. FileAve.com is also providing a free subdomain for each created account (ex : http://yourname.fileave.com). FileAve.com is owned and operated by Ripside Interactive, a premiere web host since 1999.

Since the start of our HoneyNet in Feb. 2009 we have directly observe that some malware scripts where located on FileAve.com and participate actively to a bonnet construction and propagation. FileAve.com as a free file and subdomain hoster is composed of actually around 80 suspicious web sites (site:fileave.com ext:txt intent:rfi).

FileAve.com server, how is hosting all the botnet scripts, has the 64.62.181.43 IP. Since Feb. 2009 to end Jun 2010, FileAve.com botnet is composed of 75 differents malware hosters, has generate 10 349 events, and 642 attackers have call the botnet files located on the hosters servers.

South Korea, US and Colombia are the countries how are the most participating to the botnet activities in term of events. Turkey, France, Thailand and China are the country how are hosting part of the botnet since more than 100 days.

March 2010 was the more active month in term of events, Jun 2010 the month with the most distinct attackers and April 2010 the month with the most detected hosters.

Since Feb. 2010 we can see that the activity of the botnet is increasing, cause of the mutation of all classic RFI scanners to multi functions scanners.

I have generate some stats and graphs, with all the associated raw datas how are available here.
Dedicace to lbhuston

ByroeNet / Casper Bot Search – e107 RCE scanner

Emerging Threats has provide, the 9 July, new Snort signatures (2011175 and 2011176) related to emerging attack attempts. These two signatures are categorized into the USER AGENTS recognition category, and identified as Remote File Inclusion scanners (see the discussion on ET mailing-list). The detection is done on “Casper Bot Search” and “MaMa CaSpEr” strings in the User-Agent part of HTTP header.

Directly in production these rules have fire tonnes of alerts, more than usual, something interesting was happening. I decided then to investigate more about theses alerts and checked all the ET mailing list conversations. Mike Cox has provide the source code of the scanner, the 8 July and directly when I saw it, tilt !

As I saw and says since many months the traditional RFI scanners are mutating constantly to include more and more functions and attack vectors (RFI, LFI, XML-RPC, RCE, targeted applications exploits).

This new scanner is only an evolution of the BaMbY multi functions scanner dated from 28/05/2010. Now the scanner is named “ByroeNet” and released the 17/06/2010. The ByroeNet scanner was first seen on Internet the 17/06/2010 on t7.fileave.com/e107.txt, so directly exploited just after his creation.

The major modification of the BaMbY fork is the integration of a scanning and exploiting module for e107 CMS. The !e107 (cmde107 – e107scan) scanner module, with support of dorks, is trying to exploit the 24 May 2010 e107 RCE released exploit. But between his traditional RFI scanner module and dorks, the scanner could also exploit the 31 May 2010 e107 RFI released exploit.

ByroeNet scanner is defining different hard coded user agents how are modifiable :

For sub cmdxml : my $userAgent = LWP::UserAgent->new(agent => ‘perl post’);

For sub cmde107 : $access->agent(“Mozilla/5.0”);

For sub e107scan : $ua->agent(‘Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)’);

For sub xmlcek : my $userAgent = LWP::UserAgent->new(agent => ‘perl post’);

For sub xmlxspread : my $userAgent = LWP::UserAgent->new(agent => ‘perl post’);

For sub lfiexploit : my $agent = “”;

For sub cmdlfi : my $hie = “j13mbut /dev/stdout\”); ?>j13mbut”; $browser->agent(“$hie”);

After investigating our Honey Net HTTP logs, from 15 Jun to 12 July, I find these different user agents how are targeting e107 CMS.

You can find the default ByroeNet hardcoded user agents :

  • Mozilla/5.0
  • Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u)
  • perl post

But also Casper customized user agents :

And some new others customized user agents :

As you can see the user agents are only reflecting the “Crew” or “Team” how is using the “ByroeNet” scanner.

To have more interesting stats, we can see which user agent was the more prolific and the first seen.

[TABLE=13]

Casper Bot Search is really the more prolific user agent, but the others user agents must also be considered.

For conclusion, the mutation of traditional RFI scanner is clearly demonstrated, and I don’t think that such ET rules are really effective, cause each “Crew” or “Team” is dedicating they attacks by customising the user agents (same as a graffiti tagger). Emerging Threats rules shouldn’t not focus on user agents but more on attack vectors, cause user agents are to volatile.