Thursday, October 2, 2014

World War Zero Access — When Zombie botnets come alive

To kick off cyber security awareness month and, of course, the Halloween month, today we discuss how to bring botnet zombies (or zombots, as we sometimes call them) back from the dead, and why you should care.

Botnets have become big business in criminal circles, and a scourge on the Internet. At any given moment there are many botnets active, controlling millions of unwilling computers to send spam, steal personal information, or whatever someone paying the botnet controllers wants them to do.

The industry, naturally, has taken measures against these botnets. Some of them are controlled by command-and-control servers who are continuously updated at certain algorithm-generated domains; hijacking these domains effectively stops the malware from receiving new commands.

More recent botnets, such as Zeus Gameover, are more decentralized and implement their own peer-to-peer protocols to make taking them down harder. The usual approach there is to sinkhole the peers, i.e., to inject numerous bogus peers to the botnet until they overtake the real ones. This is a half-measure at best, and botnets are quickly adapting to resist this sort of attack.

Fighting botnets is hard work.

The end result is that, unless the threat is removed directly from the infected machines, the malware will linger possibly indefinitely there. This can have several consequences, one of which is posthumous reactivation even after the original owners are gone.

Case study: Zero Access

Take the Zero Access malware, for example. This was originally a kernel-level rootkit that infected machines, and acts as a delivery framework for other malicious payloads. Its communication protocol was peer-to-peer, with a backup C&C server, on a few TCP ports, with two layers of communication:

 - 'getL', 'retL', 'newL' commands, which manage the dispersion of new infected nodes;
 - 'getF', which downloads a module which executes an actual malicious payload. Files are signed using a 512-bit RSA key.

Sometime around 2012, Zero Access upgraded their protocol: they switched to UDP, and switched packet encryption from RC4 with a hardcoded key to a custom 'cipher':

    void encrypt(unsigned char * msg, size_t msg_size) {
      uint32_t k = 0x66747032;
      for(size_t i = 0; i < msg_size; i += 4) {
        store32_le(msg + i, load32_le(msg + i) ^ k);
        k = rotate_left(k, 1);

This later version of Zero Access also upgraded the RSA key to sign payloads to 1024 bits. Besides that, the protocol didn't change much, beyond some basic IP filtering to prevent sinkholing.

A 2013 survey  by Christian-Rossow et al found around 50,000 Zero Access 1 nodes stilll around; other more recent crawls by Peter Kleissner show that this number has remained somewhat stable. Indeed, there are still many Zero Access 1 bots floating around, which have not upgraded to version 2 for one reason or another. Hijacking these nodes to do one's bidding is one RSA-512 key away:

-----END PUBLIC KEY-----
Is this a problem? Not at all. The first 512-bit key was factored 15 years ago by a team at CWI. It did take many machines and months of work. In the ensuing decade, however, this task became incredibly easier. Today, with tools like GGNFS, msieve, or CADO-NFS, you can factor keys of this size (and higher) in just a couple of days on a beefy machine. And we did. For all intents and purposes, every remaining old Zero Access node is controllable by anyone who has a spare machine to do this.

To show we did in fact factor the key, here is a Base64-encoded RSA-PSS signature for the message 'Braaaaaaaaaains!':

You can verify the signature with the following Python script:

    from Crypto.Signature import PKCS1_PSS
    from Crypto.Hash import SHA
    from Crypto.PublicKey import RSA

    pub = '''-----BEGIN PUBLIC KEY----- 
    -----END PUBLIC KEY-----'''
    pk  = RSA.importKey(pub)
    verifier =

    msg = 'Braaaaaaaaaains!'
    sig = '''HnwaZghZhtiPJ+OHbTnNDAVcg/yvciDdmBi+SRoKwWXV4k

    print verifier.verify(, sig)

What does this imply? An organization infected with a dead botnet's malware can be specifically targeted, by combining botnet crawling with WHOIS information. The malware could then be taken over for information extraction. Keep in mind that botnets are not solely after monetary profit, by way of credit card info. They often are rented to the highest bidder, and can be used for corporate espionage, spam, or as a delivery platform for more advanced intrusions.

This is less farfetched than you think. Among the many Snowden revelations of the last year, one of them was that the NSA has been busy taking over botnets for their own purposes, going as high as 140,000 hijacked peers.
It is safe to assume that they are not the only organization doing this. Until the infections themselves are killed by their respective organizations, this is a latent risk.

Crypto is hard

The buck does not stop here. Malware has routinely used cryptography in its operation for a while, be it C&C communication, encrypting files for ransom, or to authenticate payloads. Like every other software, however, malware also regularly gets it wrong, with hilarious effects:

The point here is that malware authors make cryptographic mistakes just like any other developer, and this can often translate to direct control of the infected machine by entities other than the author. In other words, even if the original authors are taken down, even if the original command and control servers disappear, so long as the malware is still present, in a dormant state, it is still a significant risk to the whole ecosystem.

But wait, there's more. The most common algorithm and key length in all the malware we have analyzed is 1024-bit RSA. This was once impregnable, like RSA-512 before it, but 1024-bit keys have already reached end-of-life status and are gradually becoming factorable, if they are not already (by well-funded agencies).

Arjen Lenstra estimated, back in 2009, that RSA-1024 was probably secure against community efforts (that is, relatively underfunded) until around 2014. A few years from now, we may see many of these botnetseven if abandoned by thenbecome alive again by the first attacker to factor those keys.
Yes, master...I will do your bidding


Botnets have always been quick to adapt to new landscapes, and are increasingly harder to fully take down as a result of the industry's attempts to do just that. Some of the more advanced malware today is not far from being an APT. In fact, some malware is APT. Therefore it is very dangerous to dismiss infections, even from allegedly inactive botnets, as low-risk. Most of them are equipped with information-stealing capabilities, and can fall into the wrong hands, even after the original owners are gone.

How can you know if your organization is plagued by malware or zombots? One way is by listening in to our breach intelligence feed, Vantage, which continuously monitors the Internet for common botnet activity, among other threats.

So be careful, because the next time you hear trick or treat, it might be a new zombie horde knocking at your ports! Happy Halloween Month ;)