360 Netlab Blog - Network Security Research Lab at 360

A collection of 38 posts
Botnet

BCMPUPnP_Hunter: A 100k Botnet Turns Home Routers to Email Spammers

This article was co-authored by Hui Wang and RootKiter. Since September 2018, 360Netlab Scanmon has detected multiple scan spikes on TCP port 5431; each time, the system logged more than 100k scan sources, a pretty large number compared with most other botnets we have covered before. The interaction between the
  • Hui Wang, Nov 7, 2018, 8 min read
GhostDNS

70+ different types of home routers(all together 100,000+) are being hijacked by GhostDNS

Note: We have informed the various ISPs on the IoC list, and OVH, Oracle, Google and Microsoft have taken down the related IPs; some others are working on it (Thanks!). Background introduction: DNSchanger is not something new and was quite active years ago [1]; we occasionally encountered one every once in
  • Genshen Ye, Sep 29, 2018, 21 min read
adbminer

Fbot, A Satori Related Botnet Using Block-chain DNS System

Since 2018-09-13 11:30 UTC, a new botnet (we call it Fbot) popped up on our radar and really caught our attention. There are 3 interesting aspects about this new botnet: * First, so far the only purpose of this botnet looks to be just going after and removing another botnet
  • Hui Wang, Sep 14, 2018, 5 min read
XMR CryptoCurrency

A New Mining Botnet Blends Its C2s into ngrok Service

Overview: These days, it feels like new mining malware is popping up almost daily, and we have pretty much stopped blogging about the regular ones so we don't flood our readers' feed. With that being said, one did catch our attention recently. This botnet hides its C2s (Downloader and Reporter
  • Hui Wang, Sep 12, 2018, 5 min read
Botnet

Malicious Campaign luoxk Is Actively Exploiting CVE-2018-2893

Authors: Zhang Zaifeng, yegenshen, RootKiter, JiaYu. On July 18, in an officially released routine patch update, Oracle fixed CVE-2018-2893, an Oracle WebLogic Server remote code execution vulnerability. Three days later, at 2018-07-21 11:24:31 GMT+8, we noticed that a malicious campaign that we have been tracking for a
  • Zhang Zaifeng, Jul 23, 2018, 3 min read
HNS

HNS Botnet Recent Activities

Authors: Rootkiter, yegenshen. HNS (Hide and Seek) is an IoT botnet originally discovered by BitDefender in January this year. In that report, the researchers pointed out that HNS used CVE-2016-10401 and other vulnerabilities to propagate malicious code and steal user information. HNS communicates through a P2P mechanism, which is
  • RootKiter, Jul 6, 2018, 3 min read
Satori

Botnets never Die, Satori REFUSES to Fade Away

Two days ago, on 2018-06-14, we noticed that an updated Satori botnet began to perform a network-wide scan looking for uc-httpd 1.0.0 devices, most likely for the XiongMai uc-httpd 1.0.0 vulnerability (CVE-2018-10088). The scanning activities led to a surge in scanning traffic on ports 80
  • RootKiter, Jun 15, 2018, 5 min read
English

GPON Exploit in the Wild (IV) - TheMoon Botnet Join in with a 0day(?)

This article was co-authored by Hui Wang, Rootkiter and Yegenshen. It looks like this GPON party will never end. We just found that TheMoon botnet has joined the party. TheMoon botnet was discussed in our previous article, in Chinese. Its activity can be seen as early as 2014, and
  • Hui Wang, May 21, 2018, 2 min read
GPON

GPON Exploit in the Wild (III) - Mettle, Hajime, Mirai, Omni, Imgay

This article was co-authored by Hui Wang, LIU Ya, Rootkiter and Yegenshen. In our previous articles I and II of this series, we mentioned that since the exposure of the GPON vulnerabilities (CVE-2018-10561, CVE-2018-10562), there have been at least five botnet families actively exploiting this vulnerability to build their bot
  • Hui Wang, May 21, 2018, 8 min read
Satori

GPON Exploit in the Wild (II) - Satori Botnet

This article was co-authored by Rootkiter, Yegenshen, and Hui Wang. In our previous article, we mentioned that since this GPON vulnerability (CVE-2018-10561, CVE-2018-10562) was announced, at least five botnet families (mettle, muhstik, mirai, hajime, satori) have been actively exploiting the vulnerability to build their zombie army in just 10 days. We
  • RootKiter, May 17, 2018, 7 min read
muhstik

GPON Exploit in the Wild (I) - Muhstik Botnet Among Others

On May 1st, VPN Mentor disclosed two vulnerabilities against GPON home routers. Since then, at least 5 botnet families have been actively exploiting the vulnerability to build their zombie corps, including mettle, muhstik, mirai, hajime and satori. It is the first time we have seen so many botnets competing for
  • Genshen Ye, May 10, 2018, 7 min read
Botnet

Botnet Muhstik is Actively Exploiting Drupal CVE-2018-7600 in a Worm Style

On March 28, 2018, Drupal released a patch for CVE-2018-7600. Drupal is an open-source content management system written in PHP, quite popular on many sites that provide web services. This vulnerability exists in multiple Drupal versions and may be exploited by an attacker to take full control of the target.
  • Genshen Ye, Apr 20, 2018, 11 min read
Hajime

Quick summary about the Port 8291 scan

Summary: This 8291 scan event is caused by a Hajime botnet variant. Compared to the old Hajime, this one adds two new features: 1. Check port 8291 to determine if the target is a MikroTik device 2. Use the 'Chimay Red' Stack Clash remote code execution vulnerability to infect and
  • RootKiter, Mar 28, 2018, 2 min read
Mining

A Case Study: How One Big Player Could Impact the Cohive Business in China

"Who is Stealing My Power" is a series of articles on the topic of web mining that we observed from our DNSMon system. As we mentioned in parts one, two, and three of this series, the players in the market can be mainly divided into mining sites and content/
  • Zhang Zaifeng, Mar 9, 2018, 3 min read
DDoSMon

Memcache UDP Reflection Amplification Attack II: The Targets, the Sources and Breakdowns

In less than ten days, the Memcache DDoS attack has come out of nowhere and really captured a lot of attention within the security community. When we look at the news, we see all sorts of reports but can hardly get a good idea of what the real situation is; for example, the
  • YANG XU, Mar 8, 2018, 4 min read
DDoS

Memcache DDoS: A Little Bit More

This blog is a joint effort of 360 0kee Team, 360 CERT, and 360 Netlab. Memcache UDP Reflection Amplification DDoS (hereinafter referred to as Memcache DRDoS) has attracted quite some attention from the security community this week. We are not going to repeat the publicly known facts, and this blog will only
  • kenshin, Mar 1, 2018, 3 min read
Mining

Who is Stealing My Power III: An Adnetwork Company Case Study

We recently noticed that one of the ad network providers started to perform in-browser Coinhive cryptojacking when users visit websites that use this provider's ad network service. As early as mid-2017, this ad network provider has been using DGA (domain generation algorithm) technology to generate seemingly random domains to bypass
  • Zhang Zaifeng, Feb 24, 2018, 6 min read
Browser Mining

The List of Top Alexa Websites With Web-Mining Code Embedded on Their Homepage

In our previous blog, we mentioned that over 0.2% of websites have web mining code embedded in their homepage: 241 (0.24%) of the Alexa Top 100,000 websites, and 629 (0.21%) of the Alexa Top 300,000 websites. After some discussion, we figured it makes sense to release
  • YANG XU, Feb 8, 2018, 1 min read
Mining

Who is Stealing My Power: Web Mining Domains Measurement via DNSMon

At 360Netlab, we are continuously analyzing DNS traffic. Based on this, we have established a DNSMon detection system that analyzes various anomalies and correlations in DNS traffic. We reported a few web mining sites such as openload.co in a previous article. After that, we tried to use DNSMon to further
  • YANG XU, Feb 7, 2018, 4 min read
Android

ADB.Miner: More Information

This blog is a joint effort of 360 Beaconlab, 360 CERT, 360 MobileSafe, 360Netlab and 360 Threat Intelligence Center. Overview: About 48 hours ago, we reported an Android worm, ADB.miner, in our previous blog. This malware replicates itself over Android devices by utilizing the open ADB debugging interface.
  • RootKiter, Feb 6, 2018, 4 min read
Botnet Featured

Early Warning: ADB.Miner A Mining Botnet Utilizing Android ADB Is Now Rapidly Spreading

Authors: Hui Wang, RootKiter, twitter/360Netlab. About 24 hours ago, around 2018-02-03 15:00 (GMT+8), a set of malicious code began to spread rapidly; here are some quick facts: * Timeline: the earliest infection can be traced back to January 31, and the current worm-like infection was
  • Hui Wang, Feb 4, 2018, 3 min read
Botnet

Art of Steal: Satori Variant is Robbing ETH BitCoin by Replacing Wallet Address

The security community moved very fast to take action and sinkhole the Satori botnet C2 after our December 5 blog. The spread of this new botnet has been temporarily halted, but the threat still remains. Starting from 2018-01-08 10:42:06 GMT+8, we noticed that one Satori's
  • RootKiter, Jan 17, 2018, 5 min read
Mining

Openload.co and Other Popular Alexa Sites Are Abusing Client Browsers to Mine Cryptocurrency

As of December 24, 2017, we noticed a group of Alexa top websites abusing client browsers' computing power for cryptocurrency mining. The JavaScript code is based on CoinHive, with tricks to completely circumvent CoinHive's own operations and avoid CoinHive's commission fee. A total of
  • Zhang Zaifeng, Dec 29, 2017, 4 min read
IoT Botnet

Warning: Satori, a Mirai Branch Is Spreading in Worm Style on Port 37215 and 52869

Author: 360 Netlab. [Update History] - At 2017-12-05 18:56:40 UTC, 2 hours after our blog went live, we observed the C2 sending a kill-scan command to the bots, which explains why the scan activities on the two ports started to drop on a global scale. - The
  • Li Fengpei, Dec 5, 2017, 4 min read
IoT Botnet

Early Warning: A New Mirai Variant is Spreading Quickly on Port 23 and 2323

[Updates on 2017-11-28] * Both C2s have now been sinkholed by the security community. * admin/CentryL1nk is a typo for admin/CenturyL1nk. About 60 hours ago, since 2017-11-22 11:00, we noticed big upticks in port 2323 and 23 scan traffic, with almost 100k unique scanner IPs coming from Argentina. After investigation,
  • Li Fengpei, Nov 24, 2017, 4 min read