How to take control of a dozen Russian botnets by mistake

Hi everyone,

Before we start, I would like to use a bit of my modest notoriety to share a small poem I wrote especially for the occasion:

Roses are red
Violets are blue
I’m not responsible
if the Russian Mafia comes to you!

That being said, we can finally start!

#1 The context

[IP ADDRESS] - - [07/Apr/2019:18:01:28 +0100] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Admin" 200 173 "-" "-"

Like any good article, this one starts with a strange line. As we can see, the request field is quite different from the classic ones:

[IP_ADDRESS] - - [07/Apr/2019:18:01:28 +0100] "/index.html" 200 18 "-" "-"

This difference can essentially mean two things: either the request is malformed, or it is an attack. In fact the request is not HTTP at all. The first bytes are a TPKT header (\x03\x00 followed by a length of 0x002f = 47 bytes), \xE0 is an X.224 Connection Request, and "Cookie: mstshash=Admin" is the routing cookie an RDP client sends with the username it intends to log in as. In other words, somebody sent the opening packet of an RDP handshake to a web server port, and the web server logged it as if it were a request line (Apache stops reading the line at the first CRLF, which is why the captured bytes are shorter than the 47 announced in the header).

The web server is managed by a friend. He asked my opinion about it because he was quite intrigued by the response code "200" at the end, which means the request was successful.

The thing is, if the request had been malformed, it would not have contained well-formed characters, precisely because it is malformed. It was clear to me that this was an attack. Probably a mass attack, but still an attack.
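To make that diagnosis reproducible, here is an added example (not code from the original article) that undoes Apache's \xNN escaping of the request field, checks whether the recovered bytes form a TPKT-framed X.224 Connection Request, and pulls out the mstshash cookie. The log lines it runs over are constructed: the first mirrors the probe quoted above with a documentation-range IP (203.0.113.5) standing in for the censored address, the second is a normal HTTP request, and the third is a TLS ClientHello sent to a plaintext port, so the decoder also shows what it does not flag.

```python
import re

# Constructed sample access log (combined log format). The first line mirrors the
# probe from the article; the IPs are documentation-range placeholders.
SAMPLE_LOG = r'''203.0.113.5 - - [07/Apr/2019:18:01:28 +0100] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Admin" 200 173 "-" "-"
198.51.100.7 - - [07/Apr/2019:18:02:10 +0100] "GET /index.html HTTP/1.1" 200 18 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Apr/2019:18:03:44 +0100] "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" 400 226 "-" "-"
'''

# client ip, ident, user, [timestamp], "request" (with escaped quotes/backslashes), status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3})')

# Apache writes non-printable request bytes as \xNN and escapes a few others.
_SIMPLE_ESCAPES = {"n": 0x0A, "r": 0x0D, "t": 0x09, '"': 0x22, "\\": 0x5C}


def unescape_apache(field: str) -> bytes:
    """Turn an escaped Apache request field back into the raw bytes it received."""
    out = bytearray()
    i = 0
    while i < len(field):
        c = field[i]
        if c == "\\" and i + 1 < len(field):
            nxt = field[i + 1]
            if nxt == "x" and i + 3 < len(field):
                try:
                    out.append(int(field[i + 2:i + 4], 16))
                    i += 4
                    continue
                except ValueError:
                    pass
            if nxt in _SIMPLE_ESCAPES:
                out.append(_SIMPLE_ESCAPES[nxt])
                i += 2
                continue
        out.extend(c.encode("latin-1", "replace"))
        i += 1
    return bytes(out)


def parse_x224_cr(raw: bytes):
    """Decode a TPKT-framed X.224 Connection Request (the first packet of an RDP
    connection). Returns the declared length and routing cookie, or None if the
    bytes are something else."""
    if len(raw) < 11 or raw[0] != 0x03 or raw[1] != 0x00:
        return None                       # not TPKT version 3
    tpkt_len = int.from_bytes(raw[2:4], "big")
    li, code = raw[4], raw[5]
    if code & 0xF0 != 0xE0:               # CR TPDU; the low nibble is the credit field
        return None
    if tpkt_len != li + 5:                # LI counts the bytes after itself, TPKT adds 4
        return None
    # Fixed CR header: LI, code, dst-ref(2), src-ref(2), class option(1); then variable part.
    payload = raw[11:]
    cookie = None
    prefix = b"Cookie: mstshash="
    if payload.startswith(prefix):
        end = payload.find(b"\r\n")       # the logger cuts the line at CRLF, so end may be -1
        cookie = payload[len(prefix):end if end != -1 else len(payload)].decode("ascii", "replace")
    return {"tpkt_len": tpkt_len, "cookie": cookie, "truncated": len(raw) < tpkt_len}


def find_rdp_probes(log_text: str):
    """Return (ip, timestamp, cookie, status) for every log line that is really an
    RDP connection request rather than an HTTP request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, request, status = m.groups()
        info = parse_x224_cr(unescape_apache(request))
        if info:
            hits.append((ip, when, info["cookie"], int(status)))
    return hits


if __name__ == "__main__":
    for ip, when, cookie, status in find_rdp_probes(SAMPLE_LOG):
        print(f"{ip} sent an RDP connection request at {when} (cookie={cookie!r}, server answered {status})")
```

The cookie is the name the scanner intends to log in with, so a burst of such lines with different cookies from one IP is an RDP credential-guessing tool that has not checked which port it is talking to. Note that the check on the declared length is what separates a real X.224 header from random binary that merely begins with 0x03 0x00.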

#2 A bit of information gathering

I started by searching for information about the attacker's IP address, because it was basically all we had at this stage. For some reason this mysterious address was located in Russia 🤠 🇷🇺

Nevertheless, it was not reported on public abuse IP lists, and when we queried the IP over HTTP the server proudly displayed an IIS 8 default website:

It must be said, the default IIS 8 website looks great 🤠

Just out of curiosity I ran a light port scan to see which services were running. This would give me a rough idea of the server's role.

Here is the result of the scan:

Starting at 2019-04-08 20:49 UTC
Nmap scan report for [IP_ADDRESS]
Host is up (0.019s latency).
Not shown: 989 closed ports
PORT     STATE    SERVICE       VERSION
135/tcp  open     msrpc?
139/tcp  filtered netbios-ssn
445/tcp  open     microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1025/tcp open     tcpwrapped
1026/tcp open     LSA-or-nterm?
1027/tcp open     msrpc         Microsoft Windows RPC
1028/tcp open     unknown
1029/tcp open     ms-lsa?
1030/tcp open     iad1?
1031/tcp open     unknown
1034/tcp open     zincite-a?
3389/tcp open     ms-wbt-server Microsoft Terminal Service
Service Info: OSs: Windows Server 2008 R2 - 2012, Windows; CPE: cpe:/o:microsoft:windows

#3 The “Hack Back”

In the vocabulary of cyber warfare there is a term that comes up quite often and was popularized by the Active Cyber Defense Certainty Act, a bill introduced in the US Congress. Among other things, this bill would allow the victim of a cyber attack to take certain "active defense" measures against the attacker's systems, in other words to perform a "Hack Back".

But what does this word mean concretely?

In fact it's easy as pie: it is when the victim successfully turns the attack back on its author (who is usually caught completely off guard at that moment). For the attacker's morale, a Hack Back is as devastating as it is unexpected.

A quick demonstration of what a Hack Back is 🤠

Why am I talking about Hack Back? Back to the results of the scan: there is a significant number of active services on this server, including one that wreaked havoc within a company in a previous article (here).

You may have guessed it if you follow me, I'm talking about:

445/tcp  open     microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

This is SMB (Server Message Block), the Windows file and printer sharing protocol, which listens on port 445 by default. Samba is the Unix implementation of the same protocol; on this box it is the native Windows service. For instance, it's thanks to SMB that we can do this:

One Ring to rule them all, One Ring to find them,
One Ring to bring them all and in the darkness bind them 💍

Unfortunately, since the Shadow Brokers leak in 2017, the SMBv1 implementation in Windows has also been known to be seriously vulnerable (the flaws fixed by the MS17-010 patch). For example, with the exploit named "EternalBlue", we can crash a Windows machine running an unpatched SMBv1:

I didn't miss this good old BSOD 🤠

Another, more useful example is the "EternalRomance" exploit, which allows an attacker to take control of a computer whose SMBv1 has not been patched.

You know, sometimes in movies there is that moment with a freeze frame and a voice-over saying something like: "It was at this moment that everything f*cked up!" Well, here we are: it was at this precise moment that everything f*cked up!

I was just going to run one last scan before reporting the IP. Absolutely truthful fact: I mistyped the script path and inadvertently launched the EternalRomance exploit, which ended with this result:

Wait what ?!

For those who may not be familiar with Metasploit, the EternalRomance attack gave me access to the Administrator's session. I was quite surprised; honestly, I did not expect to break into a Russian hacker's command and control server!

It must be said that, even if I was terribly excited, I was also a little bit scared, because I had entered the wolf's lair.

To get more comfortable, I took a "screenshot" with the command of the same name:

Oh! So that's what it looks like behind the scenes? 😮

As can be seen in the screenshot, the host is likely being used as a command and control centre (C&C) for several botnets. This hypothesis could also explain the number of open ports found by the previous port scan.

If we assume that a controller listens on each open port, this server would be running a total of 9 botnets (listening on ports 80, 1025, 1026, 1027, 1028, 1029, 1030, 1031 and 1034). The fact that most of the listening ports follow one another is unusual enough to be worth highlighting. A word of caution, though: Windows RPC services are also commonly bound to consecutive ports starting at 1025, and nmap itself labels several of these as msrpc or LSA (the trailing "?" marks a guess from its port table rather than a fingerprinted service), so consecutive open ports alone do not prove nine separate C&C listeners. Checking which process is bound to each port on the host (netstat -ano) would settle it.

Anyway, at this point we had enough control over the server to shut down all the botnets once and for all. Indeed, the malicious software used by the Russian hacker has a feature that completely removes an infected host from the botnet. Applied to every infected host, it would have resulted in the simple and permanent dismantling of all the botnets controlled by this server.

My friend and I simply chose not to do it.

Your reaction at that moment 🤠

Indeed, turning off 9 botnets, given the sheer variety of botnets on the Internet, would be like taking a glass of water out of the ocean. Besides, the hacker could always rebuild other botnets elsewhere.

And then, even if the act could seem praiseworthy at first glance, there is this little detail that makes it reprehensible: the Computer Fraud and Abuse Act.

Since we are not empowered by the state to respond, the best thing to do was simply to report the incident to the appropriate authorities.

However, it should be noted that, even though we reported the incident 4 months ago, the server is still up and operational (hence the redaction of the IP addresses, to discourage any Shadow Brokers wannabes).

At least the server is now indexed by Shodan.

Conclusion

I may be repeating myself, but I find it really damaging that the legal process is so burdensome. If some legal provision could be enacted to legalise an *ethical* Hack Back, rather than the "pretextual" one of the Active Cyber Defense bill, I honestly think it would be a considerable step forward for our hyper-connected societies, where violations of our privacy are all too common, which makes the job of law enforcement agencies even harder.

Seriously, just imagine a world where the bad hackers would no longer be predators but prey. Imagine a world where spreading chaos and desolation across information systems, just because it is stylish to do so, is no longer stylish. Imagine a world where xXdathackerXx would no longer attack Darbix62's Internet connection on Minecraft just because, and I quote, "Yea I'm a real ononymous, yesterday I hacked my middle school website so stfu", said the person who had simply overloaded his own connection.

I dream of a world like this! Anyway, until that world becomes reality, you can still share the article if you liked it; it's pretty important. You can also follow me on Twitter so you don't miss anything!

In the meantime, stay well, be kind to your domestic plankton and see you soon!