Hunting Botnet (Mirai, etc.) Control Servers by using ZoomEye

by Heige of KnownSec 404 Team 03/09/2019

The notorious Mirai botnet has been built up through many IoT device vulnerabilities since 2016. Since the Mirai source code was released, it has also spawned many similar botnets, many of which are active on the Internet exploiting vulnerabilities in new IoT devices. These botnets are considered to be behind many DDoS attacks.

As a well-known cyberspace search engine, ZoomEye has been paying attention to threat information about these malicious attacks. Just last month, ZoomEye announced a cooperation with NewSky Security and Bad Packets Report on IoT malicious threat intelligence.

As is well known, such data is mainly obtained passively through honeypots. Observing that there are some common traits among the control servers used to host this malware for download, we can actively capture these botnets' control servers through cyberspace search engines and crawler systems.

Next, I will show you how to search these control servers through ZoomEye.

1. The web server root directory has no home page file configured, so the server exposes a directory listing.

title:"Index of" +bins
https://www.zoomeye.org/searchResult?q=title%3A%22Index%20of%22%20%2Bbins

title:"Index of" +bins.sh
https://www.zoomeye.org/searchResult?q=title%3A%22Index%20of%22%20%2Bbins.sh

2. Anonymous access to an FTP server.

Many botnet control servers make their payloads available for download via anonymous FTP. This conclusion is supported by information published by many researchers, such as https://twitter.com/0xrb .

ZoomEye has nearly 300,000 FTP servers providing anonymous access: https://www.zoomeye.org/searchResult?q=%22Anonymous%20user%20logged%20in%22

Then we search for botnet control servers by searching for .sh files provided by anonymous FTP servers: https://www.zoomeye.org/searchResult?q=%22Anonymous%20user%20logged%20in%22%20%2Bsh

3. Using ZoomEye's BotnetC2Scan results

For servers with a default home page file in the web server root directory, we don't see the directory and file information, so method 1 can't be used.

(Figure: default home page)

Of course, we noticed that some specific second-level directory names (like /bins/) on these servers can still be listed even though the root directory cannot, or that specific file names (like /bins.sh) exist in the root directory. Based on these characteristics we have developed a specific scanner: BotnetC2Scan

BotnetC2Scan now works very well, and its results can be searched through ZoomEye: https://www.zoomeye.org/searchResult?q=BotnetC2Scan
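The three traits described above (a root directory listing exposing bins/ or bins.sh, anonymous FTP serving .sh files, and a default home page hiding a browsable /bins/ directory or a /bins.sh file) can be turned into simple classification rules run over crawled records. The following Python is an added example written for this article; it is not BotnetC2Scan, not ZoomEye's code, and it talks to no network. It also shows how the post's query strings are percent-encoded into the ZoomEye search links shown above. All hosts, page bodies, FTP banners and listings in it are constructed samples.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import quote

ZOOMEYE_SEARCH = "https://www.zoomeye.org/searchResult?q="

# The ZoomEye queries used in the post, kept as plain strings so the
# encoding step below is explicit.
QUERIES = {
    "open-listing": 'title:"Index of" +bins',
    "open-listing-sh": 'title:"Index of" +bins.sh',
    "anon-ftp-sh": '"Anonymous user logged in" +sh',
}

def zoomeye_search_url(query: str) -> str:
    """Percent-encode a query into a ZoomEye search link (':', ' ', '"', '+' all escaped)."""
    return ZOOMEYE_SEARCH + quote(query, safe="")

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)
# Names the post singles out: a bins/ directory or a bins.sh dropper script.
BINS_RE = re.compile(r"^bins(?:/|\.sh)$", re.IGNORECASE)

def page_title(html: str) -> str:
    m = TITLE_RE.search(html)
    return m.group(1).strip() if m else ""

def is_directory_listing(html: str) -> bool:
    return "index of" in page_title(html).lower()

def listing_entries(html: str) -> List[str]:
    """Entry names from an Apache/nginx autoindex page; skip sort links and parent-dir links."""
    return [h for h in HREF_RE.findall(html)
            if not h.startswith(("?", "/", "../", "#"))]

def http_open_listing_hit(html: str) -> bool:
    """Method 1: root directory listing that exposes bins/ or bins.sh."""
    return is_directory_listing(html) and any(BINS_RE.match(e) for e in listing_entries(html))

def anon_ftp_hit(banner: str, listing: List[str]) -> bool:
    """Method 2: anonymous FTP login succeeded and the listing carries shell scripts."""
    return "anonymous user logged in" in banner.lower() and any(
        name.lower().endswith(".sh") for name in listing)

Responses = Dict[str, Tuple[int, str]]  # path -> (HTTP status, body), standing in for fetches

def hidden_bins_hit(responses: Responses) -> bool:
    """Method 3 (the BotnetC2Scan idea): the root serves a default page, so no
    listing is visible, but /bins/ is browsable or /bins.sh exists."""
    root_status, root_html = responses.get("/", (0, ""))
    if root_status != 200 or is_directory_listing(root_html):
        return False  # no default page at root: method 1 already covers this host
    bins_status, bins_html = responses.get("/bins/", (0, ""))
    sh_status, sh_body = responses.get("/bins.sh", (0, ""))
    # A 200 on /bins.sh only counts if the body is not an HTML soft-404 page.
    return (bins_status == 200 and is_directory_listing(bins_html)) or (
        sh_status == 200 and "<html" not in sh_body.lower())

def classify(record: dict) -> List[str]:
    """Apply all three heuristics to one constructed crawl record."""
    hits = []
    if record.get("kind") == "http":
        if http_open_listing_hit(record["responses"].get("/", (0, ""))[1]):
            hits.append("open-listing")
        if hidden_bins_hit(record["responses"]):
            hits.append("hidden-bins")
    elif record.get("kind") == "ftp":
        if anon_ftp_hit(record["banner"], record["listing"]):
            hits.append("anon-ftp-sh")
    return hits

# Constructed sample records (not real hosts and not real ZoomEye data).
LISTING_ROOT = ('<html><head><title>Index of /</title></head><body>'
                '<a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a> '
                '<a href="bins/">bins/</a> <a href="bins.sh">bins.sh</a></body></html>')
LISTING_BINS = ('<html><head><title>Index of /bins/</title></head><body>'
                '<a href="../">../</a> <a href="x86">x86</a> <a href="mips">mips</a></body></html>')
DEFAULT_PAGE = '<html><head><title>Welcome to nginx!</title></head><body>It works.</body></html>'
DOCS_LISTING = ('<html><head><title>Index of /</title></head><body>'
                '<a href="docs/">docs/</a> <a href="README.txt">README.txt</a></body></html>')

SAMPLES = {
    "host-a": {"kind": "http", "responses": {"/": (200, LISTING_ROOT)}},
    "host-b": {"kind": "ftp", "banner": "230 Anonymous user logged in", "listing": ["bins.sh", "x86"]},
    "host-c": {"kind": "http", "responses": {"/": (200, DEFAULT_PAGE),
                                             "/bins/": (200, LISTING_BINS),
                                             "/bins.sh": (404, DEFAULT_PAGE)}},
    "host-d": {"kind": "http", "responses": {"/": (200, DOCS_LISTING)}},  # benign open listing
}

def classify_all(samples=SAMPLES) -> Dict[str, List[str]]:
    return {host: classify(rec) for host, rec in samples.items()}

if __name__ == "__main__":
    for name, q in QUERIES.items():
        print(name, zoomeye_search_url(q))
    for host, hits in classify_all().items():
        print(host, hits or "no indicator")
```

The benign record host-d is there on purpose: an open directory listing alone is a misconfiguration, not an indicator, and only the bins/ and bins.sh names from the post turn it into a hit. Any real pipeline would feed these functions from its own crawl results and then pass the hits to an analyst for confirmation before tagging.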

We have noticed that many of the targets found by the above methods have already been tagged with "Malware", mostly derived from the data provided by NewSky Security. Well done! Of course, some are not yet covered, and we will tag those with "Malware" as well. I have to mention that these targets change very fast and are likely to be shut down soon, so the results depend on how often the search engine crawls and rescans the data.

At the end of the article, I want to thank all of our Knownsec 404 Team members, especially Lul, Suig and Hedx of the ZoomEye team.

If you have any questions about ZoomEye, please contact me: https://twitter.com/80vul