Hacking Book | Free Online Hacking Learning

Venustech ADLab and Telecom Yundi track the big black sparrow of the BillGates botnet

Posted by bassolino at 2020-03-18
Recently, while analysing the criminal economy around botnets, Venustech ADLab and Telecom Yundi found a large number of "black sparrow" attacks (one hacker preying on another by hiding a backdoor in the bot he supplies, so that every host the downstream hacker compromises also answers to him) inside the BillGates botnet, one of the most widespread and heavily infected botnets on Linux/Unix servers.

In its earlier analysis of the "Death" botnet, ADLab found a three-tier structure of hackers attacking hackers, was the first to propose the concept of the "black sparrow" attack, and published a long in-depth report, "Black sparrow attack: uncovering the ultimate controller behind the Death botnet".

That report showed that the ultimate controller held more than 1,000 sub-botnets in total, and traced the identities of the three tiers of hackers (big black sparrow, black sparrow and mantis).

BillGates is one of the four largest botnet families in China (the other three being boer_family, remote trojan.nethief and yoddos_family). It has carried out many large-scale DDoS attacks with traffic exceeding 100 Gbps.

The bot originally spread on Linux/Unix platforms and was later modified to infect Windows as well. On Linux/Unix it also supports kernel-mode DDoS attacks.

One of the most important features of the BillGates bot is its black sparrow attack interface: a large number of hackers use it to prey on the hackers downstream of them.

While analysing the BillGates botnet we also found another interesting variant of the black sparrow attack, which we call "stealing the beam and swapping the pillar" (a covert substitution): a new black sparrow uses technical means to replace the original black sparrow.

From the bot samples we collected we located the original bot generator (builder) that produced them. Every bot the builder generates carries the original black sparrow's C&C. Some hackers noticed this and used memory patching to replace it: because the builder is wrapped in a virtual-machine protection shell, a memory patch applied to the running builder is a convenient way to overwrite the original black sparrow's C&C with the patcher's own. The patched builder is then sold to yet another group of hackers, who unknowingly infect hosts on the patcher's behalf.
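The substitution described above, and the check that exposes it, as an added example that is not ADLab's tooling or the BillGates builder's real code. It assumes a hypothetical bot image in which C&C endpoints are stored as NUL-terminated "host:port" strings in fixed-width fields (the real BillGates config layout is not given on this page); the host names, offsets and the sample image are constructed. A memory patch of a packed builder cannot move anything around, so the patch must overwrite the field in place and keep its width, which is what `patch_cnc` enforces. Running `find_cnc_candidates` over a generated bot and comparing the result with the endpoint the buyer configured is the check that reveals the second, hidden C&C.

```python
import re

# Hypothetical fixed-width config field (assumption, not the real BillGates layout)
FIELD_WIDTH = 64

# Anything that looks like a NUL-terminated "host:port" string inside the image
CNC_RE = re.compile(rb"(?P<host>[A-Za-z0-9.-]{1,253}):(?P<port>\d{1,5})\x00")


def _field(endpoint: str) -> bytes:
    """Encode one endpoint into a fixed-width, NUL-padded field."""
    raw = endpoint.encode()
    if len(raw) >= FIELD_WIDTH:
        raise ValueError("endpoint does not fit the field")
    return raw.ljust(FIELD_WIDTH, b"\x00")


def build_template(buyer_cnc: str, hidden_cnc: str) -> bytes:
    """Constructed stand-in for a builder-generated bot image: a few code bytes,
    the buyer's C&C field, and the original black sparrow's hidden C&C field."""
    return (
        b"\x7fELF" + b"\x90" * 32      # constructed header/code bytes
        + _field(buyer_cnc)            # what the buyer thinks is the only C&C
        + b"\x00" * 16                 # unrelated padding
        + _field(hidden_cnc)           # the black sparrow's backdoor C&C
        + b"\xcc" * 8
    )


def find_cnc_candidates(image: bytes):
    """Return every (offset, host, port) that looks like an embedded C&C endpoint."""
    found = []
    for m in CNC_RE.finditer(image):
        port = int(m.group("port"))
        if 0 < port < 65536:
            found.append((m.start(), m.group("host").decode(), port))
    return found


def hidden_endpoints(image: bytes, declared):
    """Endpoints in the image other than the one the operator declared: these are the backdoor."""
    return [(h, p) for _, h, p in find_cnc_candidates(image) if (h, p) != declared]


def patch_cnc(image: bytes, old: str, new: str) -> bytes:
    """In-place substitution that preserves the field width, as a memory patch must:
    nothing after the field may shift, so the new value is NUL-padded to FIELD_WIDTH."""
    old_raw = old.encode() + b"\x00"
    new_raw = new.encode() + b"\x00"
    off = image.find(old_raw)
    if off < 0:
        raise ValueError("old C&C not found in image")
    if len(new_raw) > FIELD_WIDTH:
        raise ValueError("new C&C does not fit the field")
    return image[:off] + new_raw.ljust(FIELD_WIDTH, b"\x00") + image[off + FIELD_WIDTH:]


if __name__ == "__main__":
    # Constructed names; port 6001 is the C&C port named later in the article.
    tmpl = build_template("cnc.buyer.example:6001", "original.sparrow.example:6001")
    print("original builder output:", find_cnc_candidates(tmpl))
    swapped = patch_cnc(tmpl, "original.sparrow.example:6001", "new.sparrow.example:6002")
    print("after covert substitution:", find_cnc_candidates(swapped))
    print("backdoor seen by the buyer:", hidden_endpoints(swapped, ("cnc.buyer.example", 6001)))
```

The same scan applied to any generated sample shows whether the builder added an endpoint the operator never configured; a patched builder simply changes which upstream endpoint appears there, it does not remove it.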

A detailed analysis report will be released on the ADLab WeChat official account (v_adlab) and on the official website adlab.venustech.com.cn.

Because the original black sparrow (the one that was replaced) lives in the template file of the BillGates bot, we traced and analysed it and found that it controls at least 166 mantis botnets. Using the domestic sampling data provided by Telecom Yundi, we analysed the following:

Telecom Yundi's sampling data was obtained by sampling and monitoring TCP connections to the C&C's current resolved address, 144.48.172.147, on the C&C port 6001.

Statistics on the sampled traffic show more than 8,000 infected server hosts in China. Note that this is not the total number of hosts under BillGates control, only the number of servers infected through one of the many BillGates black sparrows.
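How a count like the one above is derived from sampled connection records, as an added example that is not Telecom Yundi's monitoring system. The C&C address and port are the ones named in the text; the flow records and the prefix-to-province map are constructed for illustration (a real deployment would use the carrier's own allocation data). Repeated check-ins from one host are counted once, and connections to the same IP on other ports or to other destinations are ignored, so the result is the number of distinct infected hosts that the sample happened to catch, a lower bound rather than a total.

```python
import ipaddress
from collections import Counter

CNC_IP = "144.48.172.147"   # current resolved address of the C&C (from the article)
CNC_PORT = 6001             # C&C port (from the article)

# Constructed sampled connection records: "src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
10.11.1.5 144.48.172.147 6001
10.11.1.5 144.48.172.147 6001
10.11.2.9 144.48.172.147 6001
10.22.0.3 144.48.172.147 6001
10.22.0.3 144.48.172.147 80
10.33.7.7 144.48.172.147 6001
10.44.1.1 203.0.113.9 6001
10.33.7.8 144.48.172.147 6001
""".splitlines()

# Constructed, hypothetical mapping of address ranges to provinces
PREFIX_TO_PROVINCE = {
    "10.11.0.0/16": "Beijing",
    "10.22.0.0/16": "Zhejiang",
    "10.33.0.0/16": "Guangdong",
}
NETWORKS = [(ipaddress.ip_network(p), prov) for p, prov in PREFIX_TO_PROVINCE.items()]


def parse_flow(line: str):
    """Split one record into (src_ip, dst_ip, dst_port)."""
    src, dst, port = line.split()
    return src, dst, int(port)


def infected_hosts(lines, cnc_ip: str = CNC_IP, cnc_port: int = CNC_PORT) -> set:
    """Distinct source hosts seen connecting to the C&C endpoint."""
    hosts = set()
    for line in lines:
        src, dst, port = parse_flow(line)
        if dst == cnc_ip and port == cnc_port:
            hosts.add(src)
    return hosts


def province_of(ip: str) -> str:
    """Longest-prefix lookup would be needed for overlapping ranges; the constructed map has none."""
    addr = ipaddress.ip_address(ip)
    for net, prov in NETWORKS:
        if addr in net:
            return prov
    return "unknown"


def by_province(hosts) -> Counter:
    """Infected-host count per province, the input for a distribution map."""
    return Counter(province_of(h) for h in hosts)


if __name__ == "__main__":
    hosts = infected_hosts(SAMPLE_FLOWS)
    print(len(hosts), "distinct infected hosts in the sample")
    for prov, n in by_province(hosts).most_common():
        print(f"{prov}: {n}")
```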

Finally, from the provinces in which these infected machines are located, we plotted the following infection distribution map:

(Map data provided by Telecom Yundi.)

As the figure shows, the zombie servers controlled by this black sparrow are concentrated in Beijing, Zhejiang, Henan and Guangdong. Apart from Qinghai and Taiwan, where no infections were detected, every other province showed some degree of infection.

Venustech ADLab's in-depth report describes in detail the discovery of the black sparrow and of the original black sparrow, and how the covert substitution is implemented technically. It closes with a profile of the original black sparrow and its downstream mantis.

Our tracking of the mantis shows that it is the same person as the black sparrow named Yanke in the "Death" botnet.

So the hacker known as Yanke uses at least two bot programs, the BillGates bot and the "Death" bot, as weapons for building botnets.

In the two botnets the hacker plays two different roles. In the "Death" botnet he is the black sparrow who planted a backdoor in the mantis's tools, while being backdoored himself by the big black sparrow. In the BillGates botnet he is the mantis, unaware that his own attack weapon carries a backdoor. We therefore update the hacker's profile card as follows:

The original black sparrow took measures to protect its own privacy. From the resolution history of its C&C and the sample information associated with the servers it used, we made a simple profile and finally traced out the following hacker card:

Our long-term analysis of the BillGates bot shows that almost all BillGates samples carry this type of backdoor. Although many security teams have analysed the BillGates bot in technical depth, they have overlooked this powerful black sparrow.

The analysis report focuses on disclosing one kind of black sparrow phenomenon in the BillGates botnet and analyses the black sparrow's attack methods in detail.

Of course, there are countless such black sparrows in the BillGates family. They use ordinary hackers' attack resources to grow their own pool of compromised hosts for profit. This efficient "black eats black" attack has become popular among hackers, making the hacker industry chain more complex and chaotic.

END