Botnet - The Real Zombie Apocalypse 

Friday, March 19, 2021, 01:36 AM - Tech and Security
Posted by Norbert
Zombie Botnet
“Most people don't believe something can happen until it already has. That's not stupidity or weakness, that's just human nature.”
― Max Brooks, World War Z: An Oral History of the Zombie War


I run this website from a local server and I think I can say with some authority that the internet is flooded with portscans and bulk exploit attacks every second of every day. So much so, that if the internet were a radio signal, they would be the "white noise" in the background. Before I even had a placeholder page up during development the log file on this server was showing large blocks of spammy attempts to get into phpmyadmin, apache config, and a host of other generic "exploits" that haven't been effective since 2004. I could show you a log just from today (but I won't), from this little nothing blog, of hundreds of hits from botnets all running exploits from over a decade ago for hardware that largely doesn't exist anymore. With this level of saturation, chances are you have been portscanned at least once today. There are millions of "zombie" devices that have been silently compromised and added to underground "armies" like the ones CINS tracks, from PCs to phones to smart fridges and TVs. If it has an OS of any kind and any level of networking capability, that unpatched device can and eventually will be compromised and added to a botnet and no one will ever know until it's called into action.

How often do you update the firmware on your TV or some brands of adjustable bed? Probably never. Your network-connected printer, your LED smart-light controller, or that old home media server you've had for years now? I'm guessing the same. They are vulnerable, if not already part of a botnet. Any vulnerability identified and unannounced may never get patched, and even if it is, hardly anyone is downloading and applying that patch. One day, someone's going to pick up the puppet strings and unleash one of these zombie hordes in an institutional attack... and beds, fridges, TVs, home security systems, cameras, CPAP machines, smartwatches, dog collars and everything else imaginable will answer the call. The damage a targeted distributed denial-of-service (DDoS) attack from these botnets could do would be staggering.

The majority of these botnet scans and probes come from Chinese, Eastern European, and Russian IP addresses which is all the more concerning. Either they're owned by these nations, or these nations have been a target because of lagging IT infrastructure, a general lack of technical knowledge in poor and rural communities, and aging hardware with a complete lack of modern encryption that is no longer supported by the manufacturer. Any new vulnerabilities found in old hardware by industrious hackers will be forever exploitable until every model of that Thing on the internet is taken offline. In many poorer nations, this will take decades or longer and these botnets may exist in these places, quite literally, for half a century probing the world for new devices they can assimilate. They may never combine and out themselves with an obvious attack because it would be wasteful for one of these entities to expend their collected devices, their armies, in this way.

Instead, they sit quietly in your living room, listening. Scooping up little bits of data. Names, places, perhaps a credit card, a birthday or the name of a bank... Your TV could be watching you as much as you're watching it, and statistically, it probably is. It may even be clicking on website ads in the background as part of a "click farm", sending ad revenue to its controller.


IoT, or the Internet of Things


As u/bawdyanarchist on this reddit post points out, it's estimated that 20% of the hashrate of the Monero network could be botnets. As Monero is easily mineable on just a CPU, most older hardware can still run the algorithm so even if your ancient but connected device has no way of spying, it can still mine and make completely anonymous and untraceable cryptocurrency for its controller. The only way you'd ever know your home devices were mining cryptocurrency is if they begin running unreasonably hot or your electricity bill skyrockets, and since Monero mining intensity can be controlled, none of these outward red flags would ever be noticed.

The Attacks


The most common attack on the internet looks like this in a web server log:
50.84.252.74 - - [08/Mar/2021:13:40:26 -0500] "GET /HNAP1/ HTTP/1.1" 404 588 "http://www.norbert-the-great.com/" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"

It's looking for a misconfiguration in a D-Link router, described here, that was patched 11 YEARS ago. That's how old these botnets are, and how long they've hidden in the dark corners of the internet, spreading silently through the multitudes of devices that make up the "Internet of Things". The original controller may not even be alive anymore, but they still run... We've patched the attack routines they try to execute, but we've obviously failed to prevent the means by which the attacks are propagated and how new bots are added to these networks. I block the incoming IPs as I can and trust outside collective blocking lists to aid me, but it's a losing battle.

Here are a few more examples. Note that each is only three attempts long because my server bans bad requests after three in a short period of time; some of these attacks would otherwise continue for 10 lines or more.

61.147.67.88 - - [25/Feb/2021:21:31:38 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec HTTP/1.1" 404 588 "" "ZmEu"
61.147.67.88 - - [25/Feb/2021:21:31:38 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 588 "" "ZmEu"
61.147.67.88 - - [25/Feb/2021:21:31:39 -0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 588 "" "ZmEu"
This is clearly either from some scanning software named "ZmEu" or that's the name of the botnet or group running it. Since it originates out of Romania, the name ZmEu would seem appropriate for such an entity: the "ZmEu" figures prominently in many Romanian folk tales as the manifestation of the destructive forces of greed and selfishness. This script, however, first identifies itself (why?) to the server and then proceeds to spam every known phpmyadmin setup location hoping that a site admin didn't delete the setup files. Perhaps not as intimidating as its namesake.

211.115.195.15 - - [28/Feb/2021:10:43:25 -0400] "GET /user/soapCaller.bs HTTP/1.1" 404 588 "" "Morfeus Fucking Scanner"
The name of this scanner is pretty obvious, and it's looking for a file called soapCaller.bs. This article from State of Security explains this exploit, and it was written 12 YEARS ago.

"The scans check for “soapCaller.bs” and then “/user/soapCaller.bs”. Returning a 200 result code (The HTTP 200 OK success status response code indicates that the request has succeeded.) did not bring any additional traffic or attacks from the original source within 96 hours of the initial scans. In fact, returning the 200 did not seem to cause any change in behavior of the scans or any additional attacks from any source. Likely, this means that vulnerable hosts are being cataloged for later mass exploitation."

140.118.110.85 - - [26/Feb/2021:17:22:23 -0400] "GET /phpTest/zologize/axa.php HTTP/1.1" 404 588 "" ""
140.118.110.85 - - [26/Feb/2021:17:22:24 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 588 "" ""
140.118.110.85 - - [26/Feb/2021:17:22:24 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 588 "" ""
I call this one the "Zologize" attack and it's just another phpmyadmin probe. There are so many of these that I could list 30 or more attacks that repeat all day, every day and when you stare at server logs for enough years, you start to recognize patterns in these attacks. Like when a certain IP address range suddenly stops attacking you, and another range begins at that exact moment. Then in 6 months, the first range swaps back in with a modified attack. There is even a modern botnet called "ZHtrap" that sets up a honeypot listening for these attacks, knowing they're coming from already vulnerable and infected machines. It then "steals" these bots from their original, older, botnet by re-infecting them and then employs them in destructive DDoS attacks.
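The pattern-spotting described above can be automated. The script below is an added example written for this post, not the blog's own ban script: it parses the combined-format log lines quoted above, flags the known probe paths and scanner user-agents from those lines, and applies the same rule the post describes, banning a source IP after three bad (4xx) requests inside a short window. The probe-path and user-agent lists are assumptions drawn only from the log lines on this page, and the window length is a constructed default.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the log lines quoted in the post, copied verbatim.
SAMPLE_LOG = """
50.84.252.74 - - [08/Mar/2021:13:40:26 -0500] "GET /HNAP1/ HTTP/1.1" 404 588 "http://www.norbert-the-great.com/" "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
61.147.67.88 - - [25/Feb/2021:21:31:38 -0400] "GET /w00tw00t.at.blackhats.romanian.anti-sec HTTP/1.1" 404 588 "" "ZmEu"
61.147.67.88 - - [25/Feb/2021:21:31:38 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 588 "" "ZmEu"
61.147.67.88 - - [25/Feb/2021:21:31:39 -0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 588 "" "ZmEu"
211.115.195.15 - - [28/Feb/2021:10:43:25 -0400] "GET /user/soapCaller.bs HTTP/1.1" 404 588 "" "Morfeus Fucking Scanner"
140.118.110.85 - - [26/Feb/2021:17:22:23 -0400] "GET /phpTest/zologize/axa.php HTTP/1.1" 404 588 "" ""
140.118.110.85 - - [26/Feb/2021:17:22:24 -0400] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 588 "" ""
140.118.110.85 - - [26/Feb/2021:17:22:24 -0400] "GET /pma/scripts/setup.php HTTP/1.1" 404 588 "" ""
"""

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed signatures, taken only from the probes quoted in the post (lower-cased).
PROBE_PATHS = ("/hnap1/", "/w00tw00t", "/setup.php", "/soapcaller.bs", "/zologize/")
SCANNER_AGENTS = ("zmeu", "morfeus")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return a reason string if the request matches a known probe, else None."""
    path = entry["path"].lower()
    agent = entry["agent"].lower()
    for p in PROBE_PATHS:
        if p in path:
            return f"probe path {p}"
    for a in SCANNER_AGENTS:
        if a in agent:
            return f"scanner user-agent {a}"
    return None


def probe_report(lines):
    """Map each source IP to the list of probe reasons it triggered."""
    report = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            report[entry["ip"]].append(reason)
    return dict(report)


def ban_candidates(lines, threshold=3, window_seconds=60):
    """Apply the post's rule: ban an IP after `threshold` 4xx responses within
    `window_seconds` (constructed default). Returns {ip: time of the banning hit}."""
    recent = defaultdict(list)  # ip -> timestamps of recent bad requests
    banned = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["ip"] in banned:
            continue
        if not 400 <= entry["status"] < 500:
            continue
        hits = recent[entry["ip"]]
        hits.append(entry["time"])
        # Slide the window: forget hits older than window_seconds.
        while hits and (entry["time"] - hits[0]).total_seconds() > window_seconds:
            hits.pop(0)
        if len(hits) >= threshold:
            banned[entry["ip"]] = entry["time"]
    return banned


if __name__ == "__main__":
    lines = [l for l in SAMPLE_LOG.splitlines() if l.strip()]
    for ip, reasons in probe_report(lines).items():
        print(ip, "->", "; ".join(reasons))
    for ip, when in ban_candidates(lines).items():
        print("BAN", ip, "at", when.isoformat())
```

On the quoted lines the ZmEu and Zologize sources cross the three-strike threshold and are listed for banning, while the single HNAP1 and soapCaller.bs hits are only reported as probes. Feeding this the output of a real ban tool's allow-list, or raising the threshold for IPs you recognise, keeps a one-off mistyped URL from locking out a legitimate visitor.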

The majority of these botnets, though, sit silent and waiting. As the "feeler" bots slowly get outed and blocked by the IT community, they activate more from reserve in groups of 100 or so to continue probing for more devices to add. It's very borg-like, and highly effective. No one wants to talk about it, openly, because there's nothing we can do as of right now. How would we even begin to execute a worldwide updating or patching of all outdated technology going back to the 80s? We're not supposed to discuss it, but it's a serious topic behind many closed doors.

As of this writing, "Purple Fox" malware infections have increased 600% to 90,000 in just the past year. This is the fastest growing botnet today and has researchers understandably worried. This TechCrunch article describes how this worm, first detected in 2018, silently invades and secures modern Windows machines. As a set-it-and-forget-it worm, no active attacks from the actual botnet need to happen at all anymore, and no one knows what its purpose is yet. Amit Serper from security firm Guardicore says, “We assume that this is laying the groundwork for something in the future.”
