When Spambots Attack — Each Other!
So, you’ve read plenty about when botnets attack. You’ve also seen plenty about when spambots attack, though it’s usually only in the form of spam email flooding in the course of spambot offspring performing the functions for which their creator intended. There’s even been plenty of press about when Botnets Battle Over Turf, attacking each other. So, let’s delve into one example of why that is, and take a terse look at one such set of attacks.
Over the past two days we’ve seen a reasonably large number of attacks in ATLAS that exhibit a common target set, and appear to be traceable to bot on bot attacks, or more interestingly, attacks targeting competitive bot building infrastructure. Based on the data, one might surmise that some of the Storm bot herding folk appear to be perturbed with their MPack brethren automating uninstalls of competitive root kits on compromised assets, in particular that of wincom32.sys (employed by the Storm Worm). I nice explanation of the host-level attributes of these rootkits as it relates to this post is available from the Symantec folks here.
According to Symantec, Trojan.Srizbi, after compromising a host and doing a few nifty things, attempts to connect to URLs on abr.srizhopa.biz or bu.srizhopa.biz in order to download a zip file that contains configuration files to send spam. Given this, if you’re a bot herder and MPack activity as of late has been depressing your bot herds, you might look at this and say, “Hrmm.. You know, if I were to take those srizhopa.biz hosts offline, I might just be able to buy myself some time to tighten things up from an operations perspective, and perhaps even come up with a longer-term plan to counter MPack’s unwarranted virulence”.
So, what next… Well, easy enough, let’s just lookup the IP addresses of abr.srizhopa.biz and bu.srizhopa.biz and have our bots attack them. So, what’d some of this attack traffic look like? Let’s have a gander..
Note: When I first looked at this both these hostnames were mapped to a single IP address, 22.214.171.124, the other targets were correlated via looking at attack flows directed at more than one target.
Over the past 48 hours we saw 85 discrete attacks directed towards three IP addresses that appeared in some way associated with these spambot wars. Attack counts and targets are as follows:
Attacks Target IP Address
All of these attacks were ICMP Ping Floods (40-byte ICMP Echo request packets). The maximum packet per second (pps) from any of these attacks was 91.09 Kpps, the maximum bits per second (bps) from any of these attacks was 43.73 Mbps. Summing the totals of the max_pps and max_bps from each of the attacks in order to quantify their effective scale yields an aggregate max_bps of 1.194 Gbps, and max_pps of 2.484 Mpps. That’s more than enough attack traffic to cause pain for most targets, with a likely result of negative impact to some innocent bystanders as well (aka. collateral damage).
These attacks don’t appear to be spoofed as they exhibit relatively fixed source address sets. They could be easily mitigated by filtering on ICMP Echo Request packets towards the targets, but given the number of attacking sources and the scale of the attacks, such filtering policy would likely need to be implemented well upstream from the targets themselves. In addition, source-based filters are likely implausible in most hardware today, given the large base of unique attack sources observed across the aggregate attack set. So, dropping all ICMP Echo Requests (if possible) towards the targets is the most likely mitigation technique, but could have negative side effects of breaking Ping-based diagnostics tools. The attacks would perhaps be a bit more effective if they weren’t scoped to 40-byte packets, though larger packets would allow for additional attack flow discrimination, enabling more granularity on the mitigation front.
Of course, given that these are bots attacking malware distribution sites, I suspect the miscreants involved on the receiving end of this particular incident aren’t overly keen about talking to their ISPs regarding possible subscription to DDoS mitigation services.
When correlating target data I saw another 15 attacks towards 126.96.36.199 from January 29-30, 2007. These were ICMP Ping flooding attacks as well, and quite likely related to a similar feud.
If you’re wondering, that domain that was hosting the malware distribution sites, srizhopa.biz, is registered to a one “johhnie walker” of “19 avenue drive, New York, 02002”, with, as you may guessed, bogus phone numbers, zip codes, etc..
The good news is that the existence of the srizhopa.biz domain seems to have disappeared completely from DNS over the past day or so, which for the attackers is even more effective than flooding them with attack traffic. For the target, they’ve likely just moved on.
So there you have it, another edition of spamwars and THEIR impact on OUR assets.