Botconf Author Listing

Fodcha is a new DDoS botnet family targeted Linux IoT devices. After it was firstly detected in January 2022, 4 versions of 250+ samples have been observed by us, from which over 140 C&C domains were extracted. Most of the C&C servers have been successfully contacted by our command tracking system, with over 39K unique victims detected from the 114M received attacking commands.

The data we collected includes various interesting information such as botnet scales, operations exploits, and attack methods. Detailed studies have been carried on the collected data in terms of C&C communications, attack methods, and victims. Attempts of estimating the botnet scales were also done by analyzing real attacking traffic from Fodcha. By reading an accidentally obtained copy of Fodcha C&C panel source, we even had the chance to investigate how the botmasters managed their botnets and sold their attacking service to others. We think the analysis we did would help to better detect and mitigate similar threats in the future.

Mirai was soon open-sourced after overwhelming several high-profile targets including Krebsonsecurity, OVH, and DYN in Autumn 2016, which leads to a proliferation of Mirai variants in the past 2 years. For better fight against Mirai botnets, effective variant classification schemes are very necessary. Currently, Mirai variants are usually classified with their branch names (e.g., JOSHO, OWARI, MASUTA) which come from a command line of “/bin/busybox ” found in the Mirai sample. While the default name is “MIRAI”, the was usually replaced with an author interested one (e.g., MASUTA, SATORI, SORA) in later variants.
However, we think branch-based classification scheme is too coarse-grained to reveal: 1) the variances in single variant of different stages, and 2) the connections among different branches. In this talk, we would like to present our classification schemes concluded from 32K+ collected samples and 1,000+ extracted CNCs. Our schemes are mainly based on the data of configurations, supported attack methods, and credential dictionaries, which are all extracted from the samples. For example, we successfully classify Mirai samples into 106 variants based on the combination of supported attack methods. We also successfully connected multiple branches based on the keys used in configuration encryption. To summarize, the content of this talk is as follows:
1)We will demonstrate the idea of automatically extracting configurations, supported attack methods, and credential dictionaries from samples for classification purpose.
2)We will propose a fingerprint technique to recognize Mirai attack methods (e.g., syn_flood, http_flood) with information extracted from samples without reverse engineering work.
3)We will introduce a set of classification schemes based on the extracted data, and will investigate popular Mirai branches with proposed schemes.

It’s worth mentioning that since the used data is processor-independent (e.g., x86, x64, ARM, MIPS, SPARC, PowerPC), our schemes can classify the same variant’s samples even if they are for different CPU architectures.

DDoS botnet tracking can be used to watch botnet assisted attacks in real time together with the details including the botnet families, C&C servers, attack types, and attack parameters. Such information helps us to learn current DDoS attacks and improve existing detection and mitigation solutions. To achieve better tracking, we need to figure out: 1) what coverages the tracked attacks have among the real ones; 2) how many active DDoS bot families are still out of our telescope.
To answer those 2 questions, both the real attacks and a method to correlate them with the used botnet families (or attacking tools) are necessary. Our studies show that DDoS bots differ from each other not only in their C&C protocols, but also, in most cases, in their packet generating algorithms (PGA for short) which are used by the bots to generate the enormous number of attacking packets according to the received commands. Therefore, it’s possible to boil the observed attacks down to the bot families by analyzing their PGA’s.
In this presentation, I would talk about how to use honeypots to collect the real DDoS attacks with spoofed source IP’s. The method to break down PGA, as well as the techniques to profile PGA from the collected attacking packets, would be introduced. In the final part, I would present some real examples we have found.