TL-BOTS/RESEARCH.md

Researching Botnets

There is a vast number of botnets featured in this repo, and an even larger number not catalogued here. This document should shed some light on what is featured in this collection and what you can do with this information.

What is in this repo?

This information is subject to change, but is generally what was initially collected when this repo was created.

TL.BOTNET

These are botnets that may be merged with TL-TROJAN at a later date. There is a variety of Trojans and other malware with a distinct botnet component.

TL.EXPLOIT_SCAN

This is a collection of exploits and vulnerability scanners used by botnet maintainers.

Scanners generate lists of vulnerable IPs by checking whether or not a host exhibits the characteristics of a vulnerable device. In some cases a scanner may also perform the initial loading of a payload (e.g. downloading a script) or some other tactic to gain an initial foothold, but this is not always the case.

Exploits are the scripts that are actually run against a list of devices. They are usually Python scripts, and they either scan at random looking for a vulnerable IP or process a list of IPs generated by a scanner and attempt to exploit them. Exploit scripts sometimes contain a number of coding errors, and these errors are a dead giveaway for anyone inspecting the scope of a single botnet.

TL.IRC

This is a collection of IRC-based botnets. This type of botnet relies on an IRC server for command and control. They are less common now than they once were, largely because more modern C2 options are available. Many early QBOT variants were IRC-based, and you may notice similarities between their code and that of other botnets.

TL.JS

This is a collection of Node.js-based botnets. Their command and control architecture is written in Node.js.

TL.LISTS

This information is available upon request.

TL.MIRAI

This is a collection of nearly every Mirai variant available up to May 2019. There may be additional variants out there, but given the sample size, there are enough individual samples for a reasonable analysis.

Each variant is sorted by name, and within each folder, there may be different versions of a given variant.

Some variants contain custom versions of exploits, with elements such as user agents, bot names, or other details that can aid in fingerprinting a given version.

TL.MISC

This collection contains sub-collections that don't quite fit into any of the other categories. There are miscellaneous bots, tools, clients/servers, configs, and other ephemera that may be useful for research but don't stand out enough on their own.

There is also a BIN.Archive folder in TL.MISC that contains some sample binaries from various bot campaigns in 2019 for research purposes.

TL.P2P

This collection contains some earlier versions of QBot malware that don't quite fit into the QBot category. They may be more unique forks, or contain elements from a completely different class of botnet. The variants here are typically much older, as P2P refers to the method of self-replication, a term that was later superseded by the slang "self-rep". They may be treated as QBot-like for research purposes, but they are not deployed as often in the wild because they rely on older self-replication methods such as simple Telnet brute-forcing.

TL.QBOT

This collection contains many variants of the QBot family of malware, dating all the way from 2014, when the first iterations appeared under the Lizkebab/Torlus names, up until today. The source is largely unchanged, but given the ease of setup and the "stability" of the source, this family of bots will likely be around in some form for a while.

TL.TOOLS

This collection contains various tools and resources that have been included with many botnet source releases.

Additional Information

In QBOT_HISTORY.md, we briefly touched on the history of a major family of botnets that was originally popularized when it was deployed by LizardSquad and other groups to perform some well-known DDoS attacks around 2014/2015.

Botnets in TL.BOTNET are less of a historical resource and more an exhibition of the diversity of modern botnets. Many of the families included, such as ZeuS, have to keep finding new vectors through which to propagate. The source code for these is much more complex than that of the IoT botnet families, and it targets consumer operating systems rather than embedded ones.

Informing the Present

There are many ways to use the source code in this repo to understand the state of botnets today. A multitude of tools and services exist for analyzing malware and how it spreads.

Using Greynoise

GreyNoise has built a system that listens for traffic across the internet and records it so that researchers, corporations, and others can understand the background noise of the internet and determine what they should be paying attention to. Using GreyNoise, we can take what we have learned from these botnet sources, tools, and exploits, and track what is still active in the wild.

With botnets, much of what we can see depends primarily on how the bots attempt to self-replicate, or on how malicious actors scan to determine whether or not a given system is exploitable.

GreyNoise has tagged a lot of malicious outgoing traffic based on the various exploits used by the malware contained in this repo. Taking a look at their cheatsheet, you can see that there are many ways to explore the dataset and look up where certain types of malware may be operating from.

Inhale

Inhale is a tool written by @netspooky that was used to aggregate and classify the majority of the files you see in this repo. It uses a number of static analysis techniques to enumerate data from a given file and stores that information for further analysis. You can find out more information about using it here.