Botnets are Go …

If you run a Web server, you will see that botnets are a particular problem. Within the Web logs, you will often see continual scanning from botnets, and it can be expensive to employ anti-bot technology. Anti-bot defences can also, sometimes, lead to false positives, such as when multiple valid requests from a number of sites at the same time look like botnet activity. These valid requests could then be blocked for their IP address (or at least blocked for a hold-down period).

Along with this, there are good bots, such as the Google bot, so you often want to be selective about the bots you allow. But, overall, bots typically consume a good deal of bandwidth and CPU time, and they are there either to “steal” data or to harvest credentials (which could then be used at some time in the future).

Popular ones on my site are the PHP and WordPress bots:

2022-06-19 01:17:39 10.0.0.106 GET /wp-includes/ID3/license.txt - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 89
2022-06-19 01:17:39 10.0.0.106 GET /feed/ - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 109
2022-06-19 01:17:39 10.0.0.106 GET /xmlrpc.php rsd 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 124
2022-06-19 01:17:39 10.0.0.106 GET /blog/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 129
2022-06-19 01:17:39 10.0.0.106 GET /web/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 88
2022-06-19 01:17:39 10.0.0.106 GET /wordpress/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 88
2022-06-19 01:17:39 10.0.0.106 GET /wp/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 89
2022-06-19 01:17:41 10.0.0.106 GET /2020/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 88
2022-06-19 01:17:41 10.0.0.106 GET /2019/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 95
2022-06-19 01:17:41 10.0.0.106 GET /2021/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 92
2022-06-19 01:17:41 10.0.0.106 GET /shop/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 94
2022-06-19 01:17:41 10.0.0.106 GET /wp1/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 88
2022-06-19 01:17:42 10.0.0.106 GET /test/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 90
2022-06-19 01:17:42 10.0.0.106 GET /site/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 89
2022-06-19 01:17:43 10.0.0.106 GET /cms/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/95.0.4638.69+Safari/537.36 - 404 0 0 88

As we can see, this bot is scanning for manifest files, which contain a good deal of information about the setup of applications. Unfortunately for the bot, I don’t run WordPress or PHP, and thus the HTTP response code is always 404 (file not found). But this doesn’t bother the botnet, as it just blindly goes about its business, probing for ways in.
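To turn the pattern in the log above into a detection, here is an added example (my own code, not from the original post) that parses lines in the same W3C layout and flags any single client IP that collects 404s on several distinct WordPress probe paths within a short window; the log lines, paths and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C-style lines laid out like the post's sample (date time s-ip
# method uri query port user c-ip user-agent referer status substatus win32 time-taken);
# one client probes WordPress paths, another just browses.
SAMPLE_LOG = """\
2022-06-19 01:17:39 10.0.0.106 GET /wp-includes/ID3/license.txt - 443 - 172.71.102.42 Mozilla/5.0 - 404 0 0 89
2022-06-19 01:17:39 10.0.0.106 GET /xmlrpc.php rsd 443 - 172.71.102.42 Mozilla/5.0 - 404 0 0 124
2022-06-19 01:17:41 10.0.0.106 GET /blog/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0 - 404 0 0 129
2022-06-19 01:17:41 10.0.0.106 GET /shop/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0 - 404 0 0 94
2022-06-19 01:17:43 10.0.0.106 GET /cms/wp-includes/wlwmanifest.xml - 443 - 172.71.102.42 Mozilla/5.0 - 404 0 0 88
2022-06-19 01:18:02 10.0.0.106 GET /index.html - 443 - 198.51.100.9 Mozilla/5.0 - 200 0 0 12
2022-06-19 01:18:05 10.0.0.106 GET /missing.css - 443 - 198.51.100.9 Mozilla/5.0 - 404 0 0 10
"""

# Paths from the log above that only make sense on a WordPress/PHP install.
CMS_PROBE = re.compile(r"wp-includes/|wlwmanifest\.xml$|xmlrpc\.php$")

def parse_line(line):
    """Split one W3C line into the fields the detector needs, or None."""
    f = line.split()
    if len(f) < 15 or f[0].startswith("#"):
        return None
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "uri": f[4], "client": f[8], "status": int(f[11])}

def find_cms_scanners(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {client_ip: sorted probed URIs} for every client that received
    404s on at least `threshold` distinct CMS probe paths within `window`.
    Counting per client IP keeps unrelated sites that happen to hit the server
    at the same moment from being lumped together as one 'bot'."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404 and CMS_PROBE.search(rec["uri"]):
            hits[rec["client"]].append((rec["ts"], rec["uri"]))
    scanners = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):      # sliding window from each hit
            burst = {uri for ts, uri in events[i:] if ts - start <= window}
            if len(burst) >= threshold:
                scanners[ip] = sorted(burst)
                break
    return scanners
```

Feed it a real W3C log (minus the `#Fields` header, which `parse_line` skips) and tune `threshold` and `window` to your own traffic before acting on the output.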

A bit of Pan-chan

But now there is a more serious threat in the form of a peer-to-peer botnet and SSH worm that is affecting Linux servers, aka Panchan, named after its author (Pan-chan). The bot has been analysed and reverse engineered by researchers at Akamai. It is written in Golang and uses the language's inherent concurrency to spread and to install malware, typically crypto miners, on targets. Overall, Golang is a useful language for malware writers, as it allows native code to be produced for a range of systems, and it integrates with many common system calls.

A key focus for Panchan is detection avoidance: it drops its crypto miners (XMRig and nbhash) into a memory-mapped file and then tries to detect whether these files are being monitored. If so, it kills the processes.

The bot is fairly simple in its construction and communicates with other peers in plaintext on TCP port 1919. A sample is:

Reference [here]

Within its code it performs a very simple SSH dictionary attack and, if successful, tries to harvest SSH keys. For its dictionary attack, it uses simple names to generate the username and password, such as “ubuntu”, “root”, “user”, “debian” and “pi”. For SSH key harvesting, the bot reads ~/.ssh/id_rsa to discover private SSH keys and ~/.ssh/known_hosts to discover hosts that it can connect to.
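Since the worm's key harvesting depends on an unencrypted ~/.ssh/id_rsa and a known_hosts file that names hosts in the clear, here is an added example (my own code, not from the post or the Akamai analysis) that checks whether a private key is passphrase-protected and which known_hosts entries are stored unhashed; the key headers and known_hosts contents are constructed samples, not real keys.

```python
import base64
import struct

def openssh_key_is_encrypted(key_text):
    """True if a private key file is passphrase-protected: either a modern
    openssh-key-v1 container whose cipher is not 'none', or a legacy PEM key
    carrying a 'Proc-Type: 4,ENCRYPTED' header."""
    lines = [l.strip() for l in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-wrapped private key")
    if "OPENSSH PRIVATE KEY" not in lines[0]:
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)
    blob = base64.b64decode("".join(lines[1:-1]))
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(magic)
    (n,) = struct.unpack(">I", blob[off:off + 4])   # length-prefixed cipher name
    return blob[off + 4:off + 4 + n] != b"none"

def known_hosts_unhashed_entries(text):
    """Host fields stored in the clear (hashed entries start with '|1|'), which
    is exactly the list a known_hosts harvester would obtain."""
    exposed = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):   # e.g. @cert-authority marker
            fields = fields[1:]
        if not fields or fields[0].startswith("#") or fields[0].startswith("|1|"):
            continue
        exposed.append(fields[0])
    return exposed

# Constructed samples (not real keys): only the openssh-key-v1 header that the
# checker inspects, plus a known_hosts file mixing hashed and plain entries.
def fake_openssh_key(cipher):
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(body).decode() + "\n"
            "-----END OPENSSH PRIVATE KEY-----\n")

UNENCRYPTED_KEY = fake_openssh_key(b"none")
ENCRYPTED_KEY = fake_openssh_key(b"aes256-ctr")
KNOWN_HOSTS = """\
|1|c29tZXNhbHQ=|c29tZWhhc2g= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA
build01.example.internal,10.10.1.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA
# comment line
@cert-authority *.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAA
"""
```

Point the two functions at the contents of the real ~/.ssh/id_rsa and ~/.ssh/known_hosts; OpenSSH writes new known_hosts entries hashed when HashKnownHosts is set to yes in ssh_config, and ssh-keygen -H rewrites the existing file.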

It also has a “god mode”, where a special key opens up an administration panel. This panel is written in Japanese, and this, along with other signs (such as its targets being mainly in Asia), perhaps hints at the geo-location of the writer:

Reference [here]

Within Golang, the code is compiled into a binary, which often then integrates many functions from libraries. In the case of Panchan, the binary contained over 3,700 functions. Akamai used Golang's pclntab structure [here] to map the function pointers to their names, and thus recovered the names of the functions used.

Conclusions

The malware is not that sophisticated, and it can easily be avoided by detecting traffic on TCP port 1919 and by having strong passwords on SSH. It seems that its initial targets have been in weakly defended networks, such as in the education and telecommunications sectors.