It’s very rare that we researchers get
a chance to explore the inner workings of a botnet command and control
server. Detailed insight into the botnet server or command component
can give us valuable information about the motives of the botnet and
possibly the bad guys behind it. But granting access to these command
and control servers often depends on the will of the hosting providers.
So what happened in this case?
Recently, while I was casually
monitoring logs from our MAX network to find out the current geo locations for Pushdo CnCs, I got these results for the last 30 days.
SOFTLAYER TECHNOLOGIES INC, USA
LIMESTONE NETWORKS INC, USA
THEPLANET.COM INTERNET SERVICES INC, USA
Seeing SoftLayer in the above ISP list was something which made me
quite excited. SoftLayer has a good history of dealing with abuse
requests so I knew that taking these servers offline would not be a big
deal. But this time I was hoping for something more. Keeping in mind
the good relationship between FireEye and SoftLayer, we requested that
they grant us access to one of the CnCs. Nick Hale from the SoftLayer
abuse department responded very quickly based on evidence provided by
FireEye, and made a decision to give us access to this notorious server
for a limited time before shutting down all the cnc servers. Before we
get into the details of what was discovered, I’d like to take a moment
to thank SoftLayer, and especially Nick Hale, who offered full
cooperation on the matter. More actions like this from victimized ISPs
will definitely keep the bad guys on their toes.
Apart from all this, an interesting thing we noticed was that the
C&C servers hosted at other providers were also down the next day.
This is probably a combination of the providers shutting them down or
the bad guys abandoning the servers (as a result of the C&C
shutdown at Softlayer). As of Jan 18, 2010. All of the US servers
mentioned above are shutdown. Only two servers located in ‘Netherlands’
are still up and running at the time of writing this article.
These are the live servers:
WHOIS for 126.96.36.199 is like this:
inetnum: 188.8.131.52 – 184.108.40.206
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
remarks: Please send email to “firstname.lastname@example.org” for complaints
remarks: regarding portscans, DoS attacks and spam.
remarks: assignment LEASEWEB 20080723
status: ASSIGNED PA
source: RIPE # Filtered
Back to the real story. Infiltrating Pushdo was not something to do
simply for the sake of fun. There was some serious motivation behind
Motive # 1
Grab the server component and all related files. This information was essential to understand this botnet’s internals.
Motive # 2
Try to investigate who are the guys behind Pushdo, including their
origin and business model. According to Soflayer records these server
were based out of Germany (Berlin). Softlayer provided us with further
details such as company and name of registered owner. A quick search on
Google for those did not reveal anything meaningful. It’s not a
surprise since these guys normally use stolen credit cards for
purchasing such servers, leaving no clue behind.
What I found inside Pushdo’s CnC? What was running as a CnC server?
Did I get any clues abut the guys behind? I would like to discuss all
this in my next article. Stay tuned..
This post originally appeared on the FireEye Malware Intelligence Lab blog.