Our Investigation team carried out an infiltration operation against an IRC botnet and reported it to CERT Vietnam to help take it down.
In order to gather valuable information about the IRC botnet's activity, we joined its Command and Control channel where we met the botmaster who was responsible for running the entire network of compromised systems. We also used this infiltration opportunity to learn the botmaster’s motives and the possible purpose of the IRC botnet.
What follows is a story of how we managed to detect an attempt to infect one of our systems, and how our curiosity led us to an unlikely interview with the botmaster of a rare, dying breed of a botnet.
Here’s how it all happened.
About this investigation
To conduct this investigation, our researcher infiltrated an IRC botnet that we captured in one of our honeypots. By conversing with the botmaster, the researcher attempted to find out what the IRC botnet is being used for, as well as whether the cybercriminals who were controlling it were involved in other activities.
After interviewing the botmaster, the researcher reported the botnet to CERT, so they could close down the command and control server of the botnet.
How we found the IRC botnet
Infiltrating a cybercriminal operation can provide valuable data about different types of malicious activities, including DDoS attacks, malware distribution, and more. That’s why our researchers use multiple cyberattack detection strategies and are always on the lookout for possible interception and infiltration opportunities.
This September, one such opportunity presented itself to one of our researchers.
Our honeypot setup
In cybersecurity terms, a honeypot is a decoy service or system that poses as a target for malicious actors. When targeted by a threat actor, the honeypot system uses their intrusion attempt to gain valuable information about the attacker.
In order to capture malware and monitor cyberattacks across the internet in real-time, we run multiple honeypot systems that are contained in isolated execution environments, otherwise known as containers. One of the honeypot systems that we run in a container is a Cowrie honeypot, which is designed to detect and log brute force attacks as well as shell interactions (attempts by a threat actor to create a malicious communications tunnel between them and the compromised machine) that are carried out by an attacker or an attacker’s script.
Initial detection: Someone is trying to infect us
In late September, we noticed an attempt to download a malicious file on one of the machines connected to our Cowrie honeypot:
The malicious file contained a Perl script that was designed to infect the host machine and allow the attacker to execute remote commands on the system.
We investigated the file and determined that the malicious program used by the attackers was likely created back in 2012 by the w0rmer Security Team, a now seemingly defunct hacker team that was linked to the infamous hacktivist group Anonymous.
While investigating the script, we learned that this malicious program is used to recruit the host machine into an IRC botnet. This really piqued our interest, because IRC botnets, while relatively widespread in the past, are considered a rarity in 2020. They’re relatively easy to take down and there are far larger botnets powered by newer technologies such as the Internet of Things (IoT).
A vintage botnet, rarely seen in the wild
By further analyzing the code, we observed that the malicious program was able to carry out DDoS attacks over UDP, TCP, HTTP, and other protocols and to execute commands that all pointed towards the program being used for distributed denial of service (DDoS) campaigns:
We could also identify the IP address and port number of the botnet’s Command and Control server, as well as the botmaster’s nicknames and the IRC channel that was used to control the bots.
This led us to believe that we have just encountered an IRC botnet – an old, dying breed of botnets rarely encountered in this age of massive networks of infected IoT devices.
Internet Relay Chat (IRC) networks use simple, low bandwidth communication methods. This makes them suitable for hosting centralized servers that can be used to remotely control massive collections of infected machines (called ‘zombies’ or ‘bots’). These collections of infected bots controlled over IRC channels are called IRC botnets and are still used by cybercriminals to spread malware and carry out small-scale DDoS attacks.
Reconnaissance: Joining the botmaster’s IRC channel
With the acquired information in hand, we jumped at the opportunity to carry out reconnaissance. We wanted to find out as much as we could about this vintage botnet and the cybercriminals behind it. Once we had collected enough data to bring the botnet down, we would report everything we discovered to the appropriate authorities.
Our researcher began reconnaissance by connecting to the IRC server address found in the malicious file to see whether the botnet server was still active.
Excited by this discovery, the researcher joined the IRC channel that was used for communication between the bots and the botmaster. What they found was a functioning IRC botnet with no less than 137 compromised systems. Most of the zombies were named “lol-XXXX” and were currently connected to the botnet’s Command and Control center, with 241 bots being the maximum number for this particular botnet:
This meant that the IRC botnet was not very significant in scale, and could in all likelihood only be used to carry out minor DDoS attacks or commit other, relatively small-scale malicious acts.
As we continued to observe the botnet over the next several days, the number of bots kept fluctuating. It was, however, decreasing over time.
The interview: Striking a conversation with the botmaster
Before taking action against the IRC botnet, we wanted to ascertain the botmaster’s motives: why were they operating this botnet? Did they run any other criminal operations as well?
Also, we needed to know what exactly the botnet was being used for. To get these answers, our researcher (BLUE) initiated a conversation with the botmaster (RED) on the IRC channel.
After a brief back-and-forth, the botmaster invited the researcher to move to Discord, presumably thinking that the researcher was a fellow cybercriminal.
As soon as the researcher entered the botmaster’s Discord channel, they noticed that it was populated by four users who were previously informed that our researcher had entered the botnet IRC server.
Not only that, but the botmaster also apparently already knew that their malicious activity was captured on a honeypot, since honeypots are widely used to detect such botnets.
Soon after, the botmaster expressed frustration with people (they used a far less charitable term) frequently stumbling upon their IRC server. They went on to state that they usually dealt with such intruders by carrying out DDoS attacks against them.
Testing, backdoors, and money
After a bit of relatively inconsequential chat, the researcher began to gently interrogate the botmaster about the purpose of the IRC botnet. The botmaster provided several answers, claiming to use the network for DDoS attacks, as well as “testing,” “backdoors,” and “money.”
While we can only speculate as to the true purpose of this relatively small and very old-school IRC botnet, the botmaster was likely using it to conduct malware tests or experiment with planting and executing various exploits on compromised systems.
An infamous cybercriminal and an aspiring YouTuber?
As the interview went on, the botmaster’s ego appeared to be growing bigger with each subsequent question. Late into the conversation, they claimed to have operated a botnet that spanned a whopping 100,000 (!) IoT devices, a very large botnet by today’s standards. With a botnet this big, they would be able to carry out large-scale DDoS attacks and launch massive spam campaigns.
And the bragging didn’t stop there. The botmaster then went on to claim to be the criminal mastermind behind the infamous DynDNS attack, the massive cyberattack that brought down countless websites across the US and Europe, including the likes of Twitter, Reddit, Netflix, CNN, and many others back in 2016.
This kind of shameless bravado is particularly common among cybercriminals. Needless to say, the botmaster did not provide any proof for their claim when asked to do so.
When asked about their current activities, the botmaster claimed to be accumulating networks of compromised devices and selling them off for $3000 to other cybercriminals.
This time, the botmaster even provided proof in the form of a promotional video. Upon further investigation, the researcher discovered more videos on the botmaster’s YouTube channel, featuring multiple ads of botnets for sale.
According to the botmaster, these botnets vary from 100 Gbps to 300 Gbps. Gigabits per second (Gbps) is used to measure a botnet’s size and memory or bandwidth capacity – the bigger the bandwidth, the bigger the DDoS attacks the botnet can carry out. The botnets advertised by the cybercriminal would have enough bandwidth to launch medium-scale targeted DDoS attacks that could cripple various online services.
Finally, the botmaster claimed that they had 7,000 compromised IoT devices/bots in their current botnet, and that the IRC botnet found by the researcher was only used for testing.
An abrupt ending
As far as conversations with cybercriminals go, this one was going quite well, and it was then that we decided to try our luck and ask the botmaster for an official interview that we would conduct anonymously. This would allow us to dig deeper into the botmaster’s motives and perhaps gain more valuable insights into their other operations.
Unfortunately, as soon as our researcher revealed his professional identity and made his request, the botmaster promptly declined and went radio silent.
Our only option from that point on was to report the IRC botnet to CERT in Vietnam, where the Command and Control server of the botnet was apparently located. We informed CERT Vietnam about the botnet on October 26, and the country's computer emergency response team is currently working to shut down the botmaster's Command and Control server.