360 Netlab Blog - Network Security Research Lab at 360
  • Botnet
  • DNSMon
  • DDoS
  • PassiveDNS
  • Mirai
  • DTA


A collection of 111 posts

Old Botnets never Die, and DDG REFUSE to Fade Away

DDG is a mining botnet that specializes in exploiting SSH, Redis database and OrientDB database servers. We first caught it on October 25, 2017. At that time DDG used version numbers 2020 and 2021, and we noticed that the botnet had two internally reserved domain names that had not been
  • JiaYu
Jul 12, 2018 3 min read
HNS

HNS Botnet Recent Activities

Author: Rootkiter, yegenshen. HNS (Hide and Seek) is an IoT botnet originally discovered by BitDefender in January this year. In that report, the researchers pointed out that HNS used CVE-2016-10401 and other vulnerabilities to propagate malicious code and steal user information. HNS communicates through a P2P mechanism, which is
  • RootKiter
Jul 6, 2018 3 min read
Satori

Botnets never Die, Satori REFUSES to Fade Away

Two days ago, on 2018-06-14, we noticed that an updated Satori botnet began a network-wide scan looking for uc-httpd 1.0.0 devices, most likely targeting the XiongMai uc-httpd 1.0.0 vulnerability (CVE-2018-10088). The scanning activity led to a surge in scan traffic on ports 80
  • RootKiter
Jun 15, 2018 5 min read
English

GPON Exploit in the Wild (IV) - TheMoon Botnet Joins in with a 0day(?)

This article was co-authored by Hui Wang, Rootkiter and Yegenshen. It looks like this GPON party will never end. We just found that the TheMoon botnet has joined the party. TheMoon has been discussed in our previous article, in Chinese. Its activity can be seen as early as 2014, and
  • Hui Wang
May 21, 2018 2 min read
GPON

GPON Exploit in the Wild (III) - Mettle, Hajime, Mirai, Omni, Imgay

This article was co-authored by Hui Wang, LIU Ya, Rootkiter and Yegenshen. In our previous articles I and II of this series, we mentioned that since the disclosure of the GPON vulnerabilities (CVE-2018-10561, CVE-2018-10562), at least five botnet families have been actively exploiting them to build their bot
  • Hui Wang
May 21, 2018 8 min read
Satori

GPON Exploit in the Wild (II) - Satori Botnet

This article was co-authored by Rootkiter, Yegenshen, and Hui Wang. In our previous article, we mentioned that since the GPON vulnerabilities (CVE-2018-10561, CVE-2018-10562) were announced, at least five botnet families (mettle, muhstik, mirai, hajime, satori) have actively exploited them to build their zombie armies in just 10 days. We
  • RootKiter
May 17, 2018 7 min read
muhstik

GPON Exploit in the Wild (I) - Muhstik Botnet Among Others

On May 1st, VPN Mentor disclosed two vulnerabilities in GPON home routers. Since then, at least 5 botnet families have been actively exploiting them to build their zombie corps, including mettle, muhstik, mirai, hajime and satori. It is the first time we have seen so many botnets competing for
  • Genshen Ye
May 10, 2018 7 min read
Botnet

Botnet Muhstik is Actively Exploiting Drupal CVE-2018-7600 in a Worm Style

On March 28, 2018, Drupal released a patch for CVE-2018-7600. Drupal is an open-source content management system written in PHP, widely used to serve websites. The vulnerability exists in multiple Drupal versions and may be exploited by an attacker to take full control of the target.
  • Genshen Ye
Apr 20, 2018 11 min read
Hajime

Quick summary about the Port 8291 scan

Summary: This 8291 scan event is caused by a Hajime botnet variant. Compared to the old Hajime, this one adds two new features: 1. it checks port 8291 to determine whether the target is a MikroTik device; 2. it uses the 'Chimay Red' stack clash remote code execution vulnerability to infect and
  • RootKiter
Mar 28, 2018 2 min read
Mining

A Case Study: How One Big Player Could Impact the Coinhive Business in China

"Who is Stealing My Power" is a series of articles on the topic of web mining that we observed from our DNSMon system. As we mentioned in parts one, two, and three of this series, the players in the market can be mainly divided into mining sites and content/
  • Zhang Zaifeng
Mar 9, 2018 3 min read
DDoSMon

Memcache UDP Reflection Amplification Attack II: The Targets, the Sources and Breakdowns

In less than ten days, the Memcache DDoS attack has come out of nowhere and captured a lot of attention within the security community. When we look at the news, we see all sorts of reports but can hardly get a good idea of what the real situation is, for example the
  • YANG XU
Mar 8, 2018 4 min read
DDoS

Memcache DDoS: A Little Bit More

This blog is a joint effort of 360 0kee Team, 360 CERT, and 360 Netlab. Memcache UDP Reflection Amplification DDoS (hereinafter referred to as Memcache DRDoS) has attracted quite some attention from the security community this week. We are not going to repeat the publicly known facts; this blog will only
  • kenshin
Mar 1, 2018 3 min read
Mining

Who is Stealing My Power III: An Adnetwork Company Case Study

We recently noticed that one ad network provider started to perform in-browser Coinhive cryptojacking when users visit websites that use its ad network service. As early as mid-2017, this ad network provider had been using DGA (domain generation algorithm) techniques to generate seemingly random domains to bypass
  • Zhang Zaifeng
Feb 24, 2018 6 min read
Browser Mining

The List of Top Alexa Websites With Web-Mining Code Embedded on Their Homepage

In our previous blog, we mentioned that over 0.2% of websites have web mining code embedded in their homepage: 241 (0.24%) out of the Alexa Top 100,000 websites, and 629 (0.21%) out of the Alexa Top 300,000 websites. After some discussion, we figured it makes sense to release
  • YANG XU
Feb 8, 2018 1 min read
Mining

Who is Stealing My Power: Web Mining Domains Measurement via DNSMon

At 360Netlab, we are continuously analyzing DNS traffic. Based on this, we have established a DNSMon detection system that analyzes various anomalies and correlations in DNS traffic. We reported a few web mining sites such as openload.co in a previous article. After that, we tried to use DNSMon to further
  • YANG XU
Feb 7, 2018 4 min read
Android

ADB.Miner: More Information

This blog is a joint effort of 360 Beaconlab, 360 CERT, 360 MobileSafe, 360Netlab and 360 Threat Intelligence Center. Overview: About 48 hours ago, we reported the Android worm ADB.miner in our previous blog. This malware replicates itself across Android devices by utilizing exposed ADB debugging interfaces.
  • RootKiter
Feb 6, 2018 4 min read
Botnet Featured

Early Warning: ADB.Miner A Mining Botnet Utilizing Android ADB Is Now Rapidly Spreading

Author: Hui Wang, RootKiter, twitter/360Netlab. About 24 hours ago, around 2018-02-03 15:00 (GMT+8), a set of malicious code began to spread rapidly. Here are some quick facts: * Timeline: the earliest infection can be traced back to January 31, and the current worm-like infection was
  • Hui Wang
Feb 4, 2018 3 min read

DDG: A Mining Botnet Aiming at Database Servers

Starting on 2017-10-25, we noticed a large-scale ongoing scan targeting OrientDB databases. Further analysis found that this is a long-running botnet whose main goal is to mine the Monero cryptocurrency. We named it DDG.Mining.Botnet after its core function module, DDG. Currently we are able to
  • JiaYu
Feb 1, 2018 11 min read
Botnet

Art of Steal: Satori Variant is Robbing ETH BitCoin by Replacing Wallet Address

The security community moved very fast to take action and sinkhole the Satori botnet C2 after our December 5 blog. The spread of this new botnet has been temporarily halted, but the threat remains. Starting from 2018-01-08 10:42:06 GMT+8, we noticed that one Satori's
  • RootKiter
Jan 17, 2018 5 min read
Mining

Openload.co and Other Popular Alexa Sites Are Abusing Client Browsers to Mine Cryptocurrency

As of December 24, 2017, we noticed a group of Alexa top websites abusing client browsers' computing power for cryptocurrency mining. The JavaScript code is based on CoinHive, with tricks to completely bypass CoinHive's own infrastructure and so avoid CoinHive's commission fee. A total of
  • Zhang Zaifeng
Dec 29, 2017 4 min read
IoT Botnet

Warning: Satori, a Mirai Branch, Is Spreading in Worm Style on Ports 37215 and 52869

Author: 360 Netlab. [Update History] - At 2017-12-05 18:56:40 UTC, 2 hours after our blog went live, we observed the C2 sending a kill-scan command to the bots, which explains why scan activity on the two ports started to drop on a global scale. - The
  • Li Fengpei
Dec 5, 2017 4 min read
IoT Botnet

Early Warning: A New Mirai Variant is Spreading Quickly on Port 23 and 2323

[Updates on 2017-11-28] * Both C2s have now been sinkholed by the security community. * admin/CentryL1nk is a typo for admin/CenturyL1nk. About 60 hours ago, starting 2017-11-22 11:00, we noticed big upticks in port 2323 and 23 scan traffic, with almost 100k unique scanner IPs coming from Argentina. After investigation,
  • Li Fengpei
Nov 24, 2017 4 min read
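The early-warning posts listed above (the Satori scans on ports 37215, 52869 and 80, the Hajime variant probing 8291, and this Mirai variant on 23 and 2323) all start from the same signal: a sudden jump in the number of distinct source IPs hitting one destination port, compared with what that port normally sees. The Python below is an added example and is not code from 360 Netlab or from any post on this page; it runs that check over constructed honeypot-style log lines. The sample records, the two time windows and the ratio/minimum thresholds are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample records, not 360 Netlab honeypot data. One record per
# line: "<epoch> <src_ip> <dst_port>". The baseline window holds a trickle of
# sources on ports 23 and 80; the later window holds a surge of distinct
# sources on 23 and 2323 (the pattern the early-warning posts describe),
# while port 80 stays flat. The last line is deliberately malformed.
SAMPLE_LOG = "\n".join(
    [f"1511000000 10.0.{i}.1 23" for i in range(5)]
    + [f"1511000000 10.1.{i}.1 80" for i in range(20)]
    + [f"1511300000 10.2.0.{i} 23" for i in range(120)]
    + [f"1511300000 10.3.0.{i} 2323" for i in range(90)]
    + [f"1511300000 10.4.{i}.1 80" for i in range(22)]
    + ["garbage line that does not parse"]
)

# Assumed windows, as [start, end) in epoch seconds.
BASELINE_WINDOW = (1510900000, 1511100000)
CURRENT_WINDOW = (1511200000, 1511400000)


def parse_lines(text):
    """Yield (epoch, src_ip, dst_port) tuples; silently skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield int(parts[0]), parts[1], int(parts[2])
        except ValueError:
            continue


def unique_sources_per_port(records, window):
    """Map dst_port -> set of distinct source IPs observed inside the window."""
    start, end = window
    seen = defaultdict(set)
    for ts, src, port in records:
        if start <= ts < end:
            seen[port].add(src)
    return seen


def detect_surges(text, baseline=BASELINE_WINDOW, current=CURRENT_WINDOW,
                  ratio=5.0, min_sources=50):
    """Return {dst_port: (baseline_sources, current_sources)} for every port
    whose distinct-scanner count in `current` is at least `min_sources` and
    at least `ratio` times the count in `baseline`. A port unseen in the
    baseline is treated as having one source, so a brand-new port still
    alerts once it clears `min_sources`. Counting distinct sources rather
    than packets keeps one noisy host from triggering the alert."""
    records = list(parse_lines(text))
    base = unique_sources_per_port(records, baseline)
    cur = unique_sources_per_port(records, current)
    alerts = {}
    for port, sources in cur.items():
        n_base = len(base.get(port, ()))
        n_cur = len(sources)
        if n_cur >= min_sources and n_cur >= ratio * max(n_base, 1):
            alerts[port] = (n_base, n_cur)
    return alerts


if __name__ == "__main__":
    for port, (before, now) in sorted(detect_surges(SAMPLE_LOG).items()):
        print(f"port {port}: {before} -> {now} distinct scanning sources")
```

On the constructed input, ports 23 and 2323 are reported and port 80 is not. In practice the baseline should be several days wide and the current window an hour or less, so that a worm-style outbreak of the kind described here shows up within the first hours rather than after the fact.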
DDoSMon

CLDAP is Now the No.3 Reflection Amplified DDoS Attack Vector, Surpassing SSDP and CharGen

Author: Xu Yang, kenshin. With our DDoSMon, we are able to perform continuous, near-real-time monitoring of global DDoS attacks. For quite a long time, DNS, NTP, CharGen and SSDP have been the most frequently abused services in DDoS reflection amplification attacks, ranking 1st, 2nd, 3rd and
  • kenshin
Nov 1, 2017 3 min read
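The two Memcache DRDoS posts above and this CLDAP ranking post rest on the same measurement: telling reflected, amplified UDP responses apart from ordinary traffic, then counting distinct reflectors per victim and per vector so the vectors can be ranked against each other. The Python below is an added example, not DDoSMon or any other 360 Netlab code; it applies that logic to constructed flow records. The reflector table uses the services' standard UDP ports (these numbers are not given on the page), and the sample flows, victim addresses and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Standard UDP ports of the reflection vectors these posts rank. The port
# numbers are the services' well-known assignments, not values from the page.
REFLECTOR_PORTS = {
    53: "dns", 123: "ntp", 19: "chargen", 1900: "ssdp",
    389: "cldap", 11211: "memcache",
}

# Constructed flow records, not DDoSMon data. One flow per line:
# "<proto> <src_ip> <src_port> <dst_ip> <dst_port> <packets> <bytes>"
# Two reflection floods converge on 198.51.100.7: replies from 40 open
# memcached servers and from 30 CLDAP servers, each answering a spoofed
# request that named the victim as the client. 198.51.100.9 only receives
# ordinary small DNS answers, and the TCP line must be ignored because the
# reflection vectors discussed here are all UDP.
SAMPLE_FLOWS = "\n".join(
    [f"udp 203.0.113.{i} 11211 198.51.100.7 {40000 + i} 100 140000" for i in range(1, 41)]
    + [f"udp 192.0.2.{i} 389 198.51.100.7 {50000 + i} 50 150000" for i in range(1, 31)]
    + [f"udp 192.0.2.{i} 53 198.51.100.9 {60000 + i} 1 90" for i in range(1, 6)]
    + ["tcp 192.0.2.200 11211 198.51.100.7 4444 20 2000"]
)


def parse_flows(text):
    """Yield one dict per well-formed flow line; skip anything malformed."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:
            continue
        try:
            yield {"proto": f[0].lower(), "src": f[1], "sport": int(f[2]),
                   "dst": f[3], "dport": int(f[4]),
                   "pkts": int(f[5]), "bytes": int(f[6])}
        except ValueError:
            continue


def find_reflection_victims(text, min_reflectors=10, min_avg_bytes=500):
    """Return {victim_ip: {vector: (distinct_reflectors, total_bytes)}}.

    A flow counts toward a vector when it is UDP, its *source* port is one of
    the reflector services, and its average packet size is large enough to be
    an amplified response rather than an ordinary lookup reply. A victim is
    reported for a vector once at least `min_reflectors` distinct reflector
    IPs have sent such responses to it."""
    per_victim = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for r in parse_flows(text):
        vector = REFLECTOR_PORTS.get(r["sport"])
        if r["proto"] != "udp" or vector is None or r["pkts"] == 0:
            continue
        if r["bytes"] / r["pkts"] < min_avg_bytes:
            continue  # small replies: normal service traffic, not amplification
        bucket = per_victim[r["dst"]][vector]
        bucket[0].add(r["src"])
        bucket[1] += r["bytes"]
    alerts = {}
    for victim, vectors in per_victim.items():
        for vector, (reflectors, total) in vectors.items():
            if len(reflectors) >= min_reflectors:
                alerts.setdefault(victim, {})[vector] = (len(reflectors), total)
    return alerts


def rank_vectors(alerts):
    """Order vectors by total reflected bytes across all victims, largest
    first, the way the post ranks DNS, NTP, CharGen, SSDP and CLDAP."""
    totals = defaultdict(int)
    for vectors in alerts.values():
        for vector, (_, total) in vectors.items():
            totals[vector] += total
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    found = find_reflection_victims(SAMPLE_FLOWS)
    for victim, vectors in found.items():
        for vector, (n, total) in vectors.items():
            print(f"{victim}: {vector} from {n} reflectors, {total} bytes")
    print(rank_vectors(found))
```

The source-port test is what separates a reflection flood from a direct one: the victim never sent the requests, so what it receives is a stream of service responses from many unrelated hosts. The average-size filter keeps normal DNS or NTP answers out of the count; real responses that clear it by a wide margin (memcached and CLDAP both do) are exactly the vectors worth ranking highest.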
IoT Botnet

IoT_reaper: A Few Updates

Here is a quick follow-up post to our initial blog. IoT_reaper Sample History: The historical delivery of the IoT_reaper samples we observed through our honeypot is as follows. It is noticeable that most malicious IoT_reaper samples are located at the following URL: * Downloading URL:
  • Genshen Ye
Oct 25, 2017 4 min read
IoT Botnet

IoT_reaper: A Rapidly Spreading New IoT Botnet

On 2017-09-13 at 01:02:13, we caught a new malicious sample targeting IoT devices. Since then, this new IoT botnet family has continued to update and has begun to harvest vulnerable IoT devices at a rapid pace. The bot borrowed some code from the famous Mirai botnet, but it
  • Genshen Ye
Oct 20, 2017 4 min read
360 Netlab Blog - Network Security Research Lab at 360 © 2025