Shulou (Shulou.com), Network Security, 05/31 report (page updated 2025-02-24)
This article explains what MyKings is. The analysis below comes from 360 Netlab (the 360 Network Security Research Institute, referred to as 360 Netlab hereafter).
MyKings is a composite botnet made up of multiple sub-botnets. Since late April 2017 it has been actively scanning port 1433 and other ports across the Internet; after breaking into a victim host it delivers malicious code for several different purposes, including DDoS, proxy, RAT and miner payloads. 360 Netlab named it MyKings, partly after the botnet's main domain, *.mykings[.]pw.
MyKings is not a new botnet. Several analyses of its components predate 360 Netlab's (see the related section), but before this disclosure none of them assembled the complete picture, and no effective action had been taken to curb its spread.
On May 23, 2017, 360 Netlab first contacted the Sina security team, and the two sides then carried out several rounds of joint action. The Sina security team shut down the check-in URLs used by MyKings and provided the relevant access logs to 360 Netlab. The joint action has effectively curbed the spread of the botnet, and 360 Netlab hopes it clears the way for further joint operations. The check-in URLs that were shut down are as follows:
Figure 1
MyKings itself is modular and its composition is very complex. This post is an overview; the detailed technical analysis is in the two PDF documents at the end of the article.
The infection range and epidemic degree of MyKings
Counting the source IPs that accessed the shut-down URLs at the end of May 2017, there were 1,183,911 unique source IPs across 198 countries and regions. Four countries and regions contributed more than 100,000 source IPs each: Russia, India, Brazil and China.
Figure 2
Figure 3
In terms of domain popularity, the most popular domain is up.f4321y.com:
- Its DNS request volume exceeds 2.5M per day.
- Its popularity rank peaked at 79,753 and currently sits between 80,000 and 90,000.
Figure 4
The composition of MyKings
MyKings is a hybrid of multiple sub-botnets; its simplified structure is shown in the following figures.
Figure 5
Figure 6
As the two figures above show:
After the scanner (msinfo.exe) breaks into a victim host, the attacker automatically attempts to download malicious code. The IP portion of the download URL is encoded in an attacker-controlled blog page.
The IP encoded in the blog page points to the dropper (ups.rar) and is a configuration item the attacker can adjust dynamically in the cloud; some of these blog pages were shut down by the joint action described above.
The dropper server hosts the malicious code and its corresponding startup scripts, which the attacker can likewise adjust dynamically in the cloud.
360 Netlab observed that the downloaded malicious code consisted of Mirai, proxy, RAT and miner samples.
With this structure clarified, 360 Netlab divides MyKings into several sub-botnets and marks the characteristics of each as follows:
Figure 7
The building relationships between the sub-botnets are shown in the following table:
Figure 8
From the two tables above, 360 Netlab draws the following conclusions:
botnet.-1/1/2/3/4 each have their own independent upstream control and only need botnet.0's support during construction; once built, each operates independently of the others.
botnet.0 underpins the construction of most of the other sub-botnets. Since 360 Netlab sees no other malicious behaviour anywhere in botnet.0's code, it tends to regard botnet.0 as a network dedicated to distributing malicious code.
The distributor of botnet.1.proxy is botnet.-1 rather than botnet.0, which is an exception. That distribution lasted only briefly in the early period, however, and the main distribution of malicious code is still done by botnet.0.
MyKings.botnet.0.spreader
botnet.0 occupies the core position: apart from spreading the other botnets it shows no other malicious behaviour, concentrating on scanning, accumulating resources and building the other botnets. It has the following characteristics:
Large-scale server infrastructure
Actively improved infection code and capabilities
A well-defined programming interface for onboarding subsequent botnets
Infrastructure capabilities of botnet.0
botnet.0 is able to mobilise 2,400+ host IPs to launch a scan within a few hours. Assuming each host IP costs 30 yuan (about $5), botnet.0 invested more than 70,000 yuan (about $12,000) in one go.
Backed by this server infrastructure, botnet.0 currently contributes a major share of all port 1433 scanning on the Internet. According to 360 Netlab's scanmon system (scan.netlab.360.com), scanning of port 1433 peaked at 30-40M events per day and is currently stable at about 1.5M per day, which puts it roughly on a par with port 23 (Mirai/Hajime).
The 2,400+ host IPs mobilised in that single wave break down as follows:
123.207.0.0/16: 1,150 IPs
122.114.0.0/16: 1,255 IPs
360 Netlab detected that these hosts launched the scan together at around 08:00:00 on April 25, 2017. The port 1433 scanning visible on scan.netlab.360.com at that time is shown below.
Figure 9
A huge surge in port 1433 scanning is visible from 08:00 that morning: before the surge there were about 5M scan events per day, and it suddenly jumped to 30-40M per day.
Ranking these active IPs by /24 segment, 99 of the top 100 /24 segments came from the two /16 blocks above. Given that the behaviour of these IP ranges is consistent and the time window is concentrated, 360 Netlab assigns these IP addresses to MyKings' resource pool.
Figure 10
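The /24 ranking check described above, as an added example that is not part of the 360 Netlab write-up: it collapses scan-source IPs to /24 segments, ranks the segments by event count, and measures how many of the top 100 lie inside the two /16 blocks named in the text. The scan events are constructed sample data, not scanmon output; only the two block prefixes are taken from the page.

```python
import ipaddress
import random
from collections import Counter

# The two /16 blocks the text attributes to botnet.0's one-off scan wave.
MYKINGS_BLOCKS = (ipaddress.ip_network("123.207.0.0/16"),
                  ipaddress.ip_network("122.114.0.0/16"))


def build_sample_events(seed=1433, n_wave=2400, n_background=200):
    """Constructed port-1433 scan events (source IPs only), not real scanmon data:
    a burst from the two /16 blocks plus scattered background scanners."""
    rng = random.Random(seed)
    events = []
    for _ in range(n_wave):
        blk = rng.choice(MYKINGS_BLOCKS)
        events.append(str(blk[rng.randrange(1, blk.num_addresses - 1)]))
    for _ in range(n_background):
        events.append("%d.%d.%d.%d" % (rng.randrange(1, 224), rng.randrange(256),
                                       rng.randrange(256), rng.randrange(1, 255)))
    return events


def slash24(ip):
    """Collapse a source IP to its /24 segment."""
    return ipaddress.ip_network(ip + "/24", strict=False)


def rank_slash24(events, top_n=100):
    """Rank /24 segments by number of scan events, most active first."""
    counts = Counter(slash24(ip) for ip in events)
    return counts.most_common(top_n)


def in_blocks(net, blocks=MYKINGS_BLOCKS):
    """True if the /24 lies inside one of the suspected resource-pool blocks."""
    return any(net.subnet_of(blk) for blk in blocks)


def fraction_in_blocks(ranked, blocks=MYKINGS_BLOCKS):
    """Share of the ranked /24s that fall inside the blocks (the text reports 99/100)."""
    if not ranked:
        return 0.0
    return sum(1 for net, _ in ranked if in_blocks(net, blocks)) / len(ranked)


def distinct_sources_per_block(events, blocks=MYKINGS_BLOCKS):
    """Distinct scanning IPs inside each block (the text's 1,150 / 1,255 figures)."""
    per_block = {str(blk): set() for blk in blocks}
    for ip in events:
        addr = ipaddress.ip_address(ip)
        for blk in blocks:
            if addr in blk:
                per_block[str(blk)].add(addr)
    return {k: len(v) for k, v in per_block.items()}


if __name__ == "__main__":
    ev = build_sample_events()
    top = rank_slash24(ev)
    print("top-100 /24s inside the two /16 blocks: %.0f%%" % (100 * fraction_in_blocks(top)))
    print(distinct_sources_per_block(ev))
```

Run against real flow or honeypot logs, `rank_slash24` is the view scanmon gives; a top-100 list dominated by two prefixes, appearing in one time window, is the signal the text uses to assign the addresses to one operator's pool.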
Scanning and penetration capabilities of botnet.0
botnet.0's scanning is launched by its msinfo.exe process. The process pulls the wpd.dat configuration file from the cloud, launches scans according to that cloud configuration, and has steadily improved its scanning capability from version to version.
The ports and services scanned are:
- 1433 MSSQL
- 3306 MySQL
- 135 WMI
- 22 SSH
- 445 SMB/IPC
- 23 Telnet (Mirai botnet)
- 80 Web (CCTV devices)
- 3389 RDP (Windows Remote Desktop)
Scan target IP addresses: the generation mechanism keeps getting more complex
- In earlier versions msinfo.exe had only two sources of target IPs: those obtained from the cloud configuration file wpd.dat, and those generated randomly on the local host relative to its own public egress IP.
- The latest sample adds a more complex local random generation algorithm and skips a set of reserved address ranges.
Scanning method: evolved continuously until Masscan was integrated
- Earlier versions support TCP connect and TCP SYN scanning, corresponding to two scanning modules implemented in the trojan.
- In earlier versions of msinfo.exe both modules were hand-written: the TCP connect module used the CUT_WSClient class from the Ultimate TCP/IP library, and the TCP SYN module used raw-socket DLLs and built packets by hand.
- In the latest sample the well-known Internet-wide port scanner Masscan is integrated into the TCP SYN module, with the target configured as 0.0.0.0/0 to launch a high-speed scan of the entire Internet.
Scan payloads
- The weak-password dictionaries are rich: nearly 100 entries each for Telnet and MSSQL Server.
- After gaining access to a service, the payloads for further intrusion are also substantial; the SQL used to exploit MSSQL Server runs to nearly a thousand lines when formatted.
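An added illustration of the two target-generation modes described above, written for this page and not taken from msinfo.exe: an egress-relative mode that picks random hosts inside the scanner's own prefix, and a whole-Internet mode that draws uniformly random IPv4 addresses, both rejecting IANA special-purpose ranges. The reserved-range list, the prefix length and the function names are the example's own assumptions; the page does not describe the real algorithm.

```python
import ipaddress
import random

# Special-purpose IPv4 ranges a whole-Internet scanner would skip (this list is the
# example's own assumption; the page only says reserved segments are avoided).
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]


def is_scannable(ip):
    """True for a routable unicast IPv4 address outside every reserved range."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and not any(addr in net for net in RESERVED)


def random_global_targets(count, seed=None):
    """Whole-Internet mode: uniform random 32-bit addresses, rejecting reserved space."""
    rng = random.Random(seed)
    out = []
    while len(out) < count:
        cand = ipaddress.IPv4Address(rng.getrandbits(32))
        if is_scannable(cand):
            out.append(cand)
    return out


def neighbour_targets(egress_ip, count, prefix_len=16, seed=None):
    """Egress-relative mode: random hosts in the scanner's own /prefix_len
    (the prefix length is an assumption; the page does not say how wide it is)."""
    net = ipaddress.ip_network(f"{egress_ip}/{prefix_len}", strict=False)
    # A scanner sitting entirely inside reserved space would loop forever; refuse instead.
    if any(net.subnet_of(r) for r in RESERVED):
        raise ValueError(f"{net} lies entirely in reserved space; nothing to scan")
    rng = random.Random(seed)
    out = []
    while len(out) < count:
        cand = net[rng.randrange(1, net.num_addresses - 1)]
        if is_scannable(cand):
            out.append(cand)
    return out


def reserved_hit_rate(targets):
    """Share of a target list inside reserved space: a scanner that filters these
    ranges shows 0.0, while a naive random scanner lands in them noticeably often."""
    if not targets:
        return 0.0
    return sum(1 for t in targets if not is_scannable(t)) / len(targets)


if __name__ == "__main__":
    print(random_global_targets(5, seed=1)[:5])
    print(neighbour_targets("203.0.114.5", 5, seed=1))
```

For a defender, `reserved_hit_rate` is the useful direction: targets observed at a darknet or honeypot that never touch reserved or bogon space point to a scanner that filters them, which is one of the version differences the text describes.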
Onboarding interface that botnet.0 provides to subsequent botnets
The interface botnet.0 offers to subsequent botnets is simple and clear: from another botnet's point of view, it only needs to configure the download address of its installer and the script to run after the installer is downloaded, following the interface's requirements, and the installer will be downloaded and executed. All the technical details of the scanning and deployment phase are handled by botnet.0 and need no attention at all.
This interface consists of:
Flexible cloud configuration file: wpd.dat, the cloud configuration used by msinfo.exe (the core trojan of botnet.0.spreader), is an encrypted XML document. It specifies the C2 address from which to download the Mirai sample after Telnet is broken, the network service ports to scan, the passwords to try against each port, the commands to run when a network service is compromised, and the target IP ranges to scan. All of these can be changed flexibly to suit the needs of a subsequent botnet.
Modular programming architecture of msinfo.exe: an attack module for a new network service is created by defining a Task_Crack_XXX subclass that inherits from the base class Task_Crack and implements a set of functions for connecting, cracking, executing commands and so on. Each Crack module corresponds to a network service port defined in the wpd.dat configuration file, so the cracking function can be swapped flexibly for different services.
Other auxiliary cloud configuration files: ups.exe, another auxiliary trojan used alongside msinfo.exe in botnet.0.spreader, involves further cloud configuration files such as update.txt, ver.txt, my1.html, test.html, kill.html and clr.txt. These can also be configured flexibly, making it easy for the attacker to control which samples are downloaded and which commands are executed in the next stage.
Other sub-botnets promoted
Other botnets promoted by botnet.0 include:
Botnet.-1.mirai
Botnet.1.proxy
Botnet.2.rat
Botnet.3.miner
Botnet.4.rat
360 Netlab uses the serial number to record the order in which each sub-botnet was first discovered, and the suffix to identify its purpose.
Botnet.-1.mirai
cnc.f321y.com (123.51.208.155) is a Mirai C2; its common origin with MyKings was demonstrated in Kaspersky's earlier article.
The earliest attack command that 360 Netlab traced back from this C2 was issued on 2016-12-20.
Figure 11
2016-12-20 20:36  123.51.208.155:23 | http_flood | 118.193.139.184:54321
Notably, the victim IP in that command, 118.193.139.184, had also hosted several C2 domains controlled by MyKings (passive DNS records: first seen, domain, last seen, IP):
2016-04-01 15:55:56  pc.kill1234.com  2016-12-27 19:14:42  118.193.139.184
2016-04-24 13:07:50  xq.kill1234.com  2016-12-27 19:02:22  118.193.139.184
Botnet.1.proxy
Botnet.1.proxy is a proxy network. It is not built directly by botnet.0.spreader but indirectly through botnet.-1.mirai. 360 Netlab observed this building process taking place between 2017-05-05 and 2017-05-17.
Figure 12
botnet.0.spreader delivers a special set of Mirai samples to establish botnet.-1.mirai.
Besides running Mirai's own behaviour, botnet.-1.mirai also downloads a series of do.arm samples.
Once a do.arm sample is running, it sets up a SOCKS proxy locally and sends the randomly generated password back to 211.23.167.180.
At this point botnet.1.proxy, with 211.23.167.180 as its core, is established.
To confirm that this proxy network is actually used, 360 Netlab simulated a bot and supplied a password to the botnet.1.proxy C2. The C2 then sent a test request to the simulated bot, asking it to fetch the www.baidu.com web page through the proxy.
Figure 13
As the figure shows, botnet.1.proxy performed the following actions:
Supplied a username, fixed as admin
Supplied a password: the randomly generated password that the simulated bot had provided to the C2 beforehand (masked here to reduce the exposure of 360 Netlab's working IP)
Requested access to http://www.baidu.com
After receiving the response page, the C2 went silent and did not contact the 360 Netlab-controlled bot again
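The proxy exchange above, as an added example that is not part of the original report. It assumes the do.arm proxy is a SOCKS5 proxy using RFC 1929 username/password authentication (the page says only "socks proxy" with a fixed username and a random password), and models both sides in memory: the bot side generates the password and validates the C2's login and CONNECT request, and the C2 side builds the greeting, authentication and CONNECT messages for www.baidu.com. The password format and all function and class names are the example's own; no network connection is made.

```python
import secrets
import struct

SOCKS_VER = 0x05
METHOD_USERPASS = 0x02      # RFC 1929 username/password sub-negotiation
METHOD_NONE_OK = 0xFF
ATYP_DOMAIN = 0x03
CMD_CONNECT = 0x01
REP_OK, REP_NOT_ALLOWED, REP_BAD_ATYP = 0x00, 0x02, 0x08


def new_proxy_credentials(username="admin", nbytes=8):
    """Bot side: fixed username, fresh random password (the format is an assumption)."""
    return username, secrets.token_hex(nbytes)


# ---- C2 (client) side: the bytes the controller sends to the bot's proxy ----
def client_greeting():
    return bytes([SOCKS_VER, 1, METHOD_USERPASS])            # VER NMETHODS METHODS


def client_auth(username, password):
    u, p = username.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p  # VER ULEN UNAME PLEN PASSWD


def client_connect(host, port):
    h = host.encode()                                         # VER CMD RSV ATYP LEN HOST PORT
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(h)]) + h + struct.pack("!H", port)


# ---- bot (server) side: validates what the C2 sends ----
class BotSocksServer:
    def __init__(self, username, password):
        self._user = username.encode()
        self._pass = password.encode()
        self.authenticated = False
        self.requested = None  # (host, port) of the last accepted CONNECT

    def on_greeting(self, data):
        if len(data) < 2 or data[0] != SOCKS_VER or METHOD_USERPASS not in data[2:2 + data[1]]:
            return bytes([SOCKS_VER, METHOD_NONE_OK])        # no acceptable method
        return bytes([SOCKS_VER, METHOD_USERPASS])

    def on_auth(self, data):
        if len(data) < 3 or data[0] != 0x01:
            return bytes([0x01, 0x01])
        ulen = data[1]
        user = data[2:2 + ulen]
        plen = data[2 + ulen] if len(data) > 2 + ulen else 0
        pw = data[3 + ulen:3 + ulen + plen]
        # Constant-time comparison so the random password cannot be guessed byte by byte.
        ok = secrets.compare_digest(user, self._user) and secrets.compare_digest(pw, self._pass)
        self.authenticated = ok
        return bytes([0x01, 0x00 if ok else 0x01])

    def on_connect(self, data):
        # Refuse anything before a successful login (reply 0x02: not allowed by ruleset).
        if not self.authenticated or len(data) < 5 or data[0] != SOCKS_VER or data[1] != CMD_CONNECT:
            return bytes([SOCKS_VER, REP_NOT_ALLOWED, 0x00, 0x01]) + bytes(6)
        if data[3] != ATYP_DOMAIN:
            return bytes([SOCKS_VER, REP_BAD_ATYP, 0x00, 0x01]) + bytes(6)
        hlen = data[4]
        host = data[5:5 + hlen].decode()
        port = struct.unpack("!H", data[5 + hlen:7 + hlen])[0]
        self.requested = (host, port)
        # Success; BND.ADDR/BND.PORT stay 0.0.0.0:0 because no real socket is opened here.
        return bytes([SOCKS_VER, REP_OK, 0x00, 0x01]) + bytes(6)


def run_exchange(c2_password=None, target=("www.baidu.com", 80)):
    """Drive both sides in memory; return the (label, request, reply) transcript and the
    accepted target, or None if the C2's login was rejected."""
    user, real_pw = new_proxy_credentials()
    bot = BotSocksServer(user, real_pw)
    pw = real_pw if c2_password is None else c2_password    # None: C2 knows the reported password
    steps = (("greeting", client_greeting(), bot.on_greeting),
             ("auth", client_auth(user, pw), bot.on_auth),
             ("connect", client_connect(*target), bot.on_connect))
    transcript = [(label, msg, handler(msg)) for label, msg, handler in steps]
    return transcript, bot.requested


if __name__ == "__main__":
    for label, msg, reply in run_exchange()[0]:
        print(f"{label:8s} C2 -> bot {msg.hex()}   bot -> C2 {reply.hex()}")
```

The transcript is the byte pattern a network sensor would see between 211.23.167.180 and an infected device: a three-byte greeting, a short RFC 1929 login with the literal username `admin`, then a CONNECT carrying the domain name in clear text.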
Botnet.2.rat, a RAT botnet
Botnet.2.rat has been disclosed in Cyphort's documentation; the summary is:
Built directly by botnet.0.spreader.
Delivered sample SHA256: e6fc79a24d40aea81afdc7886a05f008385661a518422b22873d34496c3fb36b
The sample contains the C2 pc.5b6b7b.info
This is consistent with 360 Netlab's observations.
Botnet.3.miner, a mining botnet
The characteristics of botnet.3.miner observed by 360 Netlab include:
Mining pool: pool.minexmr.com:5555
Wallet IDs:
1. 47Tscy1QuJn1fxHiBRjWFtgHmvqkW71YZCQL33LeunfH4rsGEHx5UGTPdfXNJtMMATMz8bmaykGVuDFGWP3KyufBSdzBb2 -> total paid: 2,000+ XMR
2. 45bbP2muiJHD8Fd5tZyPAfC2RsajyEcsRVVMZ7Tm5qJjdTMprexz6yQ5DVQ1BbmjkMYm9nMid2QSbiGLvvfau7At5V18FzQtel -> total paid: 6,000+ XMR
Pool password: x
This mining botnet is mentioned in Huorong Lab's documentation, but no feature details are given there, so it cannot be determined whether botnet.0 has distributed only this one mining network.
Botnet.4.rat, another RAT botnet
Botnet.4.rat has not been exposed by other security vendors. Its summary is:
Download link: http://104.37.245.82:8888/nb.dat
The sample contains the C2 nb.ruisgood.ru
Recent situation
Scanning traffic for port 1433 has declined significantly since January 17, 2018. According to 360 Netlab's tracking of this botnet, 67.229.144.218, one of the main C2s supporting it, went out of service. Then, in the early hours of January 23, 2018, 360 Netlab found a new C2 IP online: 67.229.99.82.
In addition, 360 Netlab found that the group is also updating other infrastructure behind the botnet:
New sample-download FTP server ftp://ftp.ftp0118.info/, credentials test:1433
New sample and cloud configuration server down.down0116.info
A new Sina blog account and 3 new Sina blog posts
Between January 17 and January 21, 2018 there was a clear trough in port 1433 scanning traffic, which 360 Netlab suspects is directly related to these infrastructure changes:
Figure 14