hunting botnet attacks and reporting to the host

I like to demystify things for people who aren’t completely tech savvy, hopefully using words that are human readable, although anything having to do with information security (infosec) is going to read a bit geeky. To that end, this is an attempt at a human readable example of the tracking down of an ip address that was attacking our network today. Let’s start with THE FACT that your network admin CAN give you visual open source tools. This is important if you want accountability and awareness. Like this:

Most networks (hopefully) have endpoints that include firewalls and extensive logging And frequently the logs are redundant for verification purposes. Usually the virewalls using tools like OSSEC to help decipher what is going on. We run multiple tools for network monitoring, but my “go to” is ElasticStack (also called an ELK stack) because the whole team can visualize things in Kibana and bring it to our attention if we happen to take 5 minutes off for lunch.

Looking at the wazuh plugin tab in Kibana I noticed an increase in rule id : 31303 which is a Critical NGINX error.

The log file includes this snippet:

Graph of OSSEC Network Security Alerts Over Time
A visual graph from OSSEC visualized by an ElasticStack

When we drill down into the logs in Kibana it parses things out to be a little easier to read. This matters because we need the detail to report the bad ip address.

FROM THE LOGS: SSL_do_handshake() failed (SSL: error:1417D18C:SSL routines:tls_process_client_hello:version too low) while SSL handshaking

So who is the bad guy? Who owns this IP address? Arin.net answers that for us either with the owner or by pointing you to a different registrar that can tell you the owner. In my situation is was a US based IP address 23.100.232.233

Straight up, most of us in InfoSec actually prefer using the command line because we can filter the data faster that way. If you can't "see" it in a report in my experience it rarely happens. Still, a typical command would be something like this if I wanted to help out my SEO manager prioritize which 404 pages to fix first:
grep '404' /log/file/path/nginx/access.log | sed 's/, /,/g' | awk {'print $7'} | sort | uniq -c | sort -n -r | head -100

Now back to our story of finding the botnet hitting our endpoints. Mr. 23.100.232.233

We go to arin.net. The ARIN URL is: https://search.arin.net/rdap/?query=23.100.232.233 which shows the owner and further delegates.

It goes on to show that the owner is Microsoft.

Source Registry: ARIN
Kind: Org
Full Name: Microsoft Corporation
Handle:
MSFT
Address: One Microsoft Way Redmond WA 98052 United States


And it continues:
To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:* https://cert.microsoft.com.

Perfect! They are telling us exactly how to report the problem to Microsoft. Now we want to be a bit more helpful so let’s try to figure out what it is in more detail. There are many tools, just google “ip address reputation” and you will get something.

We have the data from the logs so let’s try to find out what the attack is. Google for other options, but I picked this one today:

https://www.abuseat.org/lookup.cgi?ip=23.100.232.233

RESULTS OF LOOKUP
23.100.232.233 is listed
This IP address was detected and listed 4146 times in the past 28 days, and 137 times in the past 24 hours. The most recent detection was at Fri May 31 17:35:00 2019 UTC +/- 5 minutes
This IP is infected (or NATting for a computer that is infected) with an botnet that is emitting email spam. The infection is probably necurs.

necurs is also known as: WinNT/Necurs.A, Mal/Necurs-A (Sophos), RTKT_NECURS.SMA (Trend Micro), Trojan.Hosts.5268 (Dr.Web), Trojan.Win32.Genome.aglua (Kaspersky), Trojan.WinNT.Necurs (Ikarus), Win32/SpamTool.Tedroo.AS (ESET)... etc...

Microsoft told us exactly how to report it, so we can go to: https://cert.microsoft.com and enter all of our data with confidence. And they are far more likely to take action having the exact data, logs, and type of attack in detail.

For those of us managing large and numerous websites that are constantly under attack, we have seen a HUGE increase in attacks over the last 10 years.

Y’all, we really are in a cyberware, and while the Navy gets Ships, the Airforce gets Planes, The Army gets the tools they need. But in the US, most of the cyber warfare defense is literally left up to private companies and private individuals who are not part of any organized force nor provided assets to fight the war. Kind of scary, huh?