To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following was written by a member of shadowserver at nal's request
and posted by me so he could stay anonymous. Anyway, here's some
information about witlog.

Kyle

- ---------------------------------------
WITLOG - Botnet Report
"An Old Dog with New Tricks"

Introduction:
The botnet affectionately known as "WITLOG" to those who monitored,
tracked and have thus far shut down core parts of its infrastructure
twice is something of an anomaly in today's botnets.  It doesn't use a
sophisticated or new worm to propagate.  In fact it uses old code which
is freely available on the Internet to download and play with.  It also
didn't use any real form of encryption to hide or obfuscate its actions.
The operator of the botnet was generally a friendly individual who
would talk and let you watch what he was up to.  Overall I'd say that
this wasn't so much an education in sophisticated botnet techniques as
much as it was an education in just how poorly managed some large
hosting companies are, and that, since this is a pervasive element of
the Internet at large, SRS is inherently broken.

Background:
I first became aware of WITLOG not long after having installed Nepenthes
to do some malware research.  The WITLOG botnet intrigued me because it
used a distribution system that, in a perfect world, should have been
incredibly easy to shut down.  While the worm spread, it relied on a
Round Robin DNS entry to download backdoors and other code via HTTP.
The backdoor would then rely on another Round Robin DNS entry to connect
to a small IRC network that ranged between 3 and 5 servers.  The actual
hosts that the names resolved to resided across the globe.

Tracking & Reporting:
It was obvious to me from the beginning that the weakest point in the
WITLOG infrastructure was its reliance on DNS resolution.  So while
reporting the actual hosts used for HTTP distribution and IRC server
hosting was part of the equation it was not the primary focus of my
efforts.

From the onset I concentrated on hosting companies and hacked servers
which were being used to serve backdoor (botnet) and adware code to
infected machines which were located in the United States -- and, after
quickly determining that witlog.com was used solely for a botnet, on
getting the registrar to remove the domain.

The Infrastructure:

[iPowerWeb - Primary malware hosting servers used by WITLOG during its
first iteration]

A complete displeasure to work with.  This hosting company boasts a huge
customer base, offers up pictures of the President of the company posing
for PR shots with the Mayor of Phoenix, and "Support: 24 hours a day, 7 days
a week, 365 days a year".  Let me spell this out for you... B U L L S H
I T.  I have yet to come in contact with a more unresponsive and
downright abrasive hosting company in my life.  Not only were they
completely unwilling to put me in contact with anyone in their NOC or
anyone with any technical experience - but they would close tickets as
"resolved" when they had made no contact with me whatsoever.

I suppose it should come as no surprise, considering it was later
determined that the WITLOG operator had rooted some dozen or so of their
boxes.  So to any iPowerWeb customers out there - best of luck.

After over a month they did eventually manage to shut the WITLOG
operator out of their network, according to the WITLOG operator himself.

[OZnic.de - Hacked SRS - First used for WITLOG.com]

This company also proved to be completely unresponsive to requests for
information, suggestions regarding their situation, and requests for
contact to discuss the situation.  I have to hypothesize at this point,
because I don't know what happened internally...  But after reporting
the situation to the BSI and Global Village GmbH OZnic.de did manage to
kick the WITLOG operator off of their name servers.

The WITLOG operator had obviously planned for this to happen at some
point as he already had another SRS lined up in Italy to take over
duties.  He changed the domain from witlog.com to witlog.net and was
back in business at full force.

[tuonome.it - Hacked SRS - First used for WITLOG.net]

Also completely unresponsive, but then, what public company wants the
world to know that their registry key has probably been stolen?
Eventually, thanks in no small part I'm sure to the efforts of a local
.IT security expert I found on the Internet, we got the right officials
in place to apply pressure to tuonome.it.  And that was that.

For now WITLOG appears to be done.  The IRC backend will eventually die
off, provided that the WITLOG operator doesn't fire up new code using
another hacked SRS.  He claims to have several SRSes which are rooted (a few of
which are in the United States) - but he claims he is saving them for
something else.

[korea]
Not much to say here.  I know some have had success getting hacked
servers taken off the network in Korea.  I had no such
luck.  Completely unresponsive.

The last known operating addresses for HTTP distribution were in Korea
and are:

Non-authoritative answer:
Name:   http.down.love.witlog.net
Address: 222.237.76.96
Name:   http.down.love.witlog.net
Address: 222.237.76.91

The IRC servers really don't need to be publicized as the owners of the
networks have been notified several times over, and it is still pretty
well populated with hacked machines.

Best of luck to all the other hunters out there.  And thanks to everyone
involved in applying the pressure needed to bring this one to a close.

Anonymous.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2-ecc0.1.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEKFF2VFIipMnXxfYRAq1gAJ9i5Mw2EkMeXXe9TalJcObK+jukjwCfVzuL
8rPyVWbfr+HoOJw/FlcTgzE=
=jjpK
-----END PGP SIGNATURE-----
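The report above hinges on one observation: the worm and its backdoor both find their infrastructure through Round Robin DNS names, so the defender's job is to keep resolving those names and report whatever hosts appear behind them. As an added example (not part of the original report, and not Shadowserver's or the author's tooling), the Python below parses the answer section of nslookup output like the block quoted above and keeps a first-seen/last-seen table per (name, address) pair across repeated lookups, flagging addresses that newly appear or drop out between snapshots. The first snapshot reuses the two addresses quoted in the report; the resolver header line, the second snapshot, and the 192.0.2.x addresses (TEST-NET placeholders) are constructed for the example.

```python
"""Track the A records behind a round-robin botnet name across repeated nslookup runs.

Added example: parses nslookup's answer section, then diffs successive snapshots so
that new distribution hosts can be reported as they rotate in and confirmed ones can
be marked as gone once a hoster finally pulls the plug.
"""
from dataclasses import dataclass, field

ANSWER_MARKER = "Non-authoritative answer:"


def parse_nslookup(output: str) -> dict[str, set[str]]:
    """Return {name: {address, ...}} from the answer section of nslookup output.

    Only lines after the 'Non-authoritative answer:' marker are considered, so the
    resolver's own 'Server:/Address: x.x.x.x#53' header is never mistaken for an
    answer.  Each 'Address:' line is attributed to the most recent 'Name:' line,
    which is how nslookup prints a round-robin name with several A records.
    """
    records: dict[str, set[str]] = {}
    in_answer = False
    name = None
    for raw in output.splitlines():
        line = raw.strip()
        if line == ANSWER_MARKER:
            in_answer = True
            continue
        if not in_answer or not line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Name":
            name = value
        elif key == "Address" and name and "#" not in value:
            records.setdefault(name, set()).add(value)
    return records


@dataclass
class RoundRobinTracker:
    """Remembers every (name, address) pair ever seen, with first/last snapshot index."""

    history: dict[tuple[str, str], tuple[int, int]] = field(default_factory=dict)
    previous: set[tuple[str, str]] = field(default_factory=set)

    def observe(self, snapshot: int, records: dict[str, set[str]]) -> dict[str, set[tuple[str, str]]]:
        """Record one lookup and return the pairs that appeared or vanished since the last one."""
        current = {(n, a) for n, addrs in records.items() for a in addrs}
        changes = {"new": current - self.previous, "gone": self.previous - current}
        for pair in current:
            first, _ = self.history.get(pair, (snapshot, snapshot))
            self.history[pair] = (first, snapshot)
        self.previous = current
        return changes

    def report(self) -> list[str]:
        """One line per address, suitable for pasting into an abuse report."""
        return [
            f"{name} -> {addr} (snapshots {first}..{last})"
            for (name, addr), (first, last) in sorted(self.history.items())
        ]


# Snapshot 1: the two Korean hosts quoted in the report.  The Server/Address header
# is constructed (192.0.2.53 is a TEST-NET placeholder) to show that it is skipped.
SNAPSHOT_1 = """\
Server:         192.0.2.53
Address:        192.0.2.53#53

Non-authoritative answer:
Name:   http.down.love.witlog.net
Address: 222.237.76.96
Name:   http.down.love.witlog.net
Address: 222.237.76.91
"""

# Snapshot 2: constructed.  .91 has been pulled and a placeholder host has rotated in.
SNAPSHOT_2 = """\
Non-authoritative answer:
Name:   http.down.love.witlog.net
Address: 222.237.76.96
Name:   http.down.love.witlog.net
Address: 192.0.2.10
"""


def demo() -> tuple[dict, dict, list[str]]:
    """Run both snapshots through the tracker and return the diffs and the final report."""
    tracker = RoundRobinTracker()
    first = tracker.observe(1, parse_nslookup(SNAPSHOT_1))
    second = tracker.observe(2, parse_nslookup(SNAPSHOT_2))
    return first, second, tracker.report()


if __name__ == "__main__":
    first, second, lines = demo()
    print("new in snapshot 2:", sorted(second["new"]))
    print("gone in snapshot 2:", sorted(second["gone"]))
    print("\n".join(lines))
```

In practice the snapshots would come from running nslookup (or a resolver library) on a schedule against each name the malware embeds, and the "gone" set is the signal that a hosting company or registrar actually acted; a pair that keeps resurfacing after a reported takedown is the one to escalate.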
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
