Monday, 19 January 2015

Discovering and remediating an active but disused botnet

On a network I help manage, we kept getting malicious DNS alerts for “luna1.pw” on an appliance we had installed. Due to the way the network was configured, we were able to see the name request coming in but no traffic activity. This was unusual: the appliance was configured to monitor all traffic, so why was it not picking up anything beyond the DNS request it was reporting? Why didn’t the supposed malware connect? Resolving the domain led to an answer:



This explains why the alerts were only coming up as DNS and not capturing any traffic to the domain. The question now is: who owns it?



So the domain no longer exists. This made it even more unusual: why would malware be connecting to a non-existent domain? Had the domain lapsed? Had the botnet been shut down? As it turns out, it had: the specific malware using this domain also used other domains, and those were shut down.
Since the domain was no longer in anyone’s possession and I was seeing attempts to reach it, I decided that the best course of action was to acquire the domain so its DNS could be controlled, and to satisfy my curiosity about whether the malware was still active. The domain was purchased and I immediately pointed it at a server I had in a data centre operated by a friend of mine.



Using ‘tcptrack’, I was able to see that a number of machines were still looking for this domain. They were all attempting to connect to my machine on port 2009. Now we can just use ‘nc’ to listen on that port and see what is being requested.


Quite the password for the IRC server this botnet was once controlled by.

I then compiled a simple IRCd and watched as they all connected.


Immediately I had hundreds of machines ready to do my bidding if I so chose. I let it sit for a bit and at its peak I had about 325 machines. All of them identified themselves with their OS, country and a random code. Here are some statistics on where the machines were located:

  • Argentina, 5.00%
  • Brazil, 0.45%
  • Chile, 5.91%
  • Colombia, 1.36%
  • Malta, 0.45%
  • Mexico, 73.18%
  • Peru, 2.73%
  • Spain, 14.55%
  • Venezuela, 1.36%
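As an added example (not the author’s setup), here is a minimal Python sinkhole that does what the ‘nc’ step and the per-country tally above do in one place: it accepts the bots’ connections on port 2009, records the PASS/NICK login lines without ever answering them, and computes country percentages. The nick layout “OS|CC|code” is an assumption; the post only says the nicks carried OS, country and a random code.

```python
import re
import socketserver
from collections import Counter

# Assumed nick layout "OS|CC|code": the post only says the bots identified
# themselves with OS, country and a random code, so the separator is a guess.
NICK_RE = re.compile(r"^NICK\s+(?P<os>[A-Za-z0-9]+)\|(?P<cc>[A-Z]{2})\|(?P<code>\w+)")


def parse_login(data: bytes) -> dict:
    """Extract PASS and NICK from the lines a bot sends right after connecting.
    IRC clients send PASS/NICK/USER unprompted, so one recv() usually has them."""
    info = {}
    for line in data.decode("latin-1", "replace").splitlines():
        if line.startswith("PASS "):
            info["password"] = line[5:].strip()
        m = NICK_RE.match(line)
        if m:
            info.update(os=m["os"], country=m["cc"], code=m["code"])
    return info


def tally_countries(logins) -> dict:
    """Percentage of bots per country code, like the statistics in the post."""
    counts = Counter(l["country"] for l in logins if "country" in l)
    total = sum(counts.values()) or 1
    return {cc: round(100 * n / total, 2) for cc, n in counts.items()}


class SinkholeHandler(socketserver.BaseRequestHandler):
    """Accept the bot, read its login banner, record it, hang up.
    Nothing is ever sent back, so no bot gets a command channel."""
    logins = []  # shared across connections; fine for a demo

    def handle(self):
        self.request.settimeout(5)
        try:
            data = self.request.recv(1024)
        except OSError:  # timeout or reset: still record the source
            data = b""
        info = parse_login(data)
        info["src"] = self.client_address[0]
        self.logins.append(info)
        print("sinkhole:", info)


def run_sinkhole(port=2009):
    """Listen on the port the bots were hitting (2009 in the post)."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), SinkholeHandler) as srv:
        srv.serve_forever()
```

Call `run_sinkhole()` on the host the domain points at, then `tally_countries(SinkholeHandler.logins)` after a while to get the same kind of breakdown as the list above.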

Once satisfied with the reconnaissance, I pointed the domain at an internal server, located the infected machine on our network, and had it remediated as usual.

An abuse complaint did, however, come in while I was investigating the issue, so although the domain had fallen out of use, someone was still monitoring it. The domain has since been pointed at the ShadowServer guys so they can remediate any machines that are still remaining.

1 comment:

  1. For the countries listed, it seems a Spanish botnet. Do you know where they are attacking?
