Botnets can be quite annoying – used most of the time nowadays by criminals looking for a quick buck.
Comment botnets pushing drugs, clothes, boots and get-rich-quick schemes used to be common. Lately, money laundering bots are appearing.
Anyway, that’s the story of the day:
A very interesting botnet was creating users on a website I manage, and those users were using credit cards to fund their accounts and buy content from other people.
Let me call this botnet “PRIVAX”, because it uses proxy websites from a company named PRIVAX, which runs in particular “hidemya**” (sorry for the A word).
Another particularity of this botnet (and I believe it’s a trademark of web proxies such as PRIVAX) is that lighttpd is running on its servers, and a simple curl call to the IP (with a few seconds of delay) can detect the web server.
A WHOIS on the IPs gives the following information:
inetnum: 5.62.8.0 - 5.62.11.255
netname: UK-PRIVAX-20120608
descr: Privax LTD
descr: London
And in some cases it gives no information whatsoever: just servers from RAPIDSWITCH (a big ISP in the UK), NTL UK, Virgin, etc. But all of them run lighttpd.
Therefore a connection to port 80 on the IP and a nice little GET / detects the botnet, or someone genuinely trying to hide themselves (up to no good…).
Another characteristic of the bot is that it registers using hotmail.com addresses (so it can validate every registration easily, in an automated manner).
Anyway, to show some logs:
# telnet 5.62.9.181 80
Trying 5.62.9.181...
Connected to 5.62.9.181 (5.62.9.181).
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 OK
Content-Type: text/html
Accept-Ranges: bytes
ETag: "547550089"
Last-Modified: Wed, 05 Feb 2014 14:38:02 GMT
Content-Length: 0
Connection: close
Date: Mon, 01 Dec 2014 17:56:39 GMT
Server: lighttpd/1.4.31
There it is!
So my script is now complete, and it actually bans these people from registering on my client’s website and moving money from one hand to another.
My product manager wanted to add SMS verification, but let’s be honest: thanks to Twilio (twilio.com), this is actually very easy to bypass, and one can create as many phone numbers as they want.
So, in summary, nothing is more important than good old KYC (Know Your Customer), sending a code by real mail to the postal address given at registration.
This takes time and money, but if, like my client, your activity has to be very safe, you need to take these steps.
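The check the post describes (connect to port 80, send GET /, look at the Server header, and note the hotmail.com address), written as a small registration-screening routine. This is an added example, not the author’s script; the function names and the risk-flag labels are my own, and the sample response is the telnet session above re-typed as raw bytes so the parsing can be exercised offline.

```python
import socket
from typing import Optional

# Constructed sample: the response quoted in the post, as a probe would receive it.
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Accept-Ranges: bytes\r\n"
    "ETag: \"547550089\"\r\n"
    "Last-Modified: Wed, 05 Feb 2014 14:38:02 GMT\r\n"
    "Content-Length: 0\r\n"
    "Connection: close\r\n"
    "Date: Mon, 01 Dec 2014 17:56:39 GMT\r\n"
    "Server: lighttpd/1.4.31\r\n"
    "\r\n"
)

def server_header(raw: str) -> Optional[str]:
    """Return the value of the Server header of a raw HTTP response, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def probe_port80(ip: str, timeout: float = 5.0) -> Optional[str]:
    """Send GET / to ip:80 like the telnet session; None if closed or no answer in time."""
    try:
        with socket.create_connection((ip, 80), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + ip.encode() + b"\r\n\r\n")
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks).decode("latin-1")
    except OSError:                               # refused, unreachable, timed out
        return None

def registration_flags(email: str, response: Optional[str]) -> list:
    """Risk flags for one signup: the post's two signals, to be combined with other checks."""
    flags = []
    srv = server_header(response) if response else None
    if srv and srv.lower().startswith("lighttpd"):
        flags.append("lighttpd_on_port80")
    if email.lower().rsplit("@", 1)[-1] == "hotmail.com":
        flags.append("hotmail_address")
    return flags
```

In production you would call `registration_flags(email, probe_port80(client_ip))` at signup time and decide on the combination of flags, since a hotmail.com address on its own is obviously not evidence of anything.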