Botnet is still active because of complex legal procedures

Aug 25, 2016 01:45 GMT  ·  By

A German man is most likely behind a series of compromised WordPress websites that are linked together into a botnet and controlled with the help of a hidden IRC channel.

It's currently unknown how these sites are being compromised. According to WordFence, a vendor of security products for WordPress, the hacker adds a PHP file of around 25,000 lines of code to every website he manages to gain access to.

This file is a bot client which connects to an IRC (Internet Relay Chat) server and listens to instructions posted in the main chat. Whenever the botnet's owner logs in and gives out a command, all infected websites execute it.

While WordFence has not elaborated on the bot client's technical capabilities, such botnets can be used to launch DDoS attacks, brute-force attacks, insert SEO spam on the compromised websites, or send spam email from the underlying compromised servers.

A four-year-old mystery resolved

The 25,000-line bot client file contained configuration details such as the IRC server's IP address, port, and channel name (#1x33x7). Because the botnet's control panel was simply an IRC chat room, researchers were able to connect to it freely and take a look at what was inside.

After gaining access to the IRC channel, WordFence researchers managed to crack a long-lasting mystery: the botnet's password.

```php
var $admins = array
(
    'LND-Bloodman' => '2cbd62e679d89acf7f1bfc14be08b045'
    // pass = "lol_dont_try_cracking_12char+_:P"
    // passes are MD5 format, you can also have multiple admins
);
```
This particular botnet was secured with a hashed password string, 2cbd62e679d89acf7f1bfc14be08b045, against which the bot client authenticated each command the botnet owner posted in the main IRC chat room.
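The configuration values quoted above are static indicators a site owner can scan for. The following added example (not WordFence's tool or the article's code) walks a WordPress directory and flags PHP files that contain any of the indicators named in the article, or that are unusually large for a theme or plugin file; the sample tree it builds is constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Indicators taken from the article: the admin password hash, the IRC channel
# name and the two operator nicknames found in the bot client's source.
INDICATORS = [
    "2cbd62e679d89acf7f1bfc14be08b045",
    "#1x33x7",
    "LND-Bloodman",
    "da-real-LND",
]
# The bot client was ~25,000 lines; legitimate plugin/theme files rarely get
# near this size. Threshold is an assumption for the example.
LARGE_FILE_LINES = 20000


def scan_php_files(root):
    """Return {relative_path: [reasons]} for PHP files under root that look suspicious."""
    findings = {}
    root = Path(root)
    for path in root.rglob("*.php"):
        text = path.read_text(errors="replace")
        reasons = [f"indicator: {ioc}" for ioc in INDICATORS if ioc in text]
        if text.count("\n") >= LARGE_FILE_LINES:
            reasons.append("unusually large PHP file")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo():
    """Build a constructed sample tree: one clean file, one file carrying the bot's admin config."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content").mkdir()
    (root / "wp-content" / "index.php").write_text("<?php // Silence is golden.\n")
    # Constructed sample mimicking the configuration block quoted in the article.
    bot_config = (
        "<?php\nvar $admins = array(\n"
        "  'LND-Bloodman' => '2cbd62e679d89acf7f1bfc14be08b045'\n);\n"
    )
    (root / "wp-content" / "suspicious.php").write_text(bot_config)
    return scan_php_files(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", ", ".join(reasons))
```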

Webmasters who noticed their websites had been hacked often asked for help in cracking this password, but to no avail. A Google search reveals such requests as early as December 2012, meaning the crook's botnet has been around for almost four years.

Because researchers had access to the main IRC window, they saw the crook issue commands and authenticate with the cleartext version of the password: 1x33x7.0wnz-your.************[REDACTED].

Hunting down the botnet's operator

In this same chat room, researchers found a list of infected websites, listed as the chat room's users, with usernames that encoded technical details about each compromised platform.

The list of hacked sites included everything from Apache servers on FreeBSD to rarer cases of Windows Server 2012 or Windows 8.

In the user list, they also found two accounts belonging to the botnet's master: LND-Bloodman and da-real-LND.

IRC chat rooms allow participants to run basic "whois" commands that reveal details about other users. Running a whois query for the crook's accounts showed two IP addresses and a possible email address containing the crook's first name.

Botnet operator is based in Germany

The IP address was from Germany. The Bloodman account and the IRC channel's name, 1x33x7, which the attacker also used as an alternative username, pointed investigators to various social media accounts on Twitter, YouTube, and YouNow. These accounts confirmed that the crook is a German-speaking man.

Further incriminating evidence was found on his YouTube channel, where he published a video in which he bragged about his botnet. This video linked his real-life persona with the usernames used in the source code of the botnet's client file.

With the botnet's password in hand and his real identity established, WordFence could now take down his botnet and report his criminal activity to German authorities.

In the comments section of its blog, a WordFence spokesperson said the company had not notified authorities about the botnet, mainly because doing so would be too time-consuming for the company.

Furthermore, the Computer Fraud and Abuse Act (CFAA) prevents the company from taking down the botnet without consent from authorities, so at the time of writing, the botnet is still active.

[Photo gallery, 2 images: "Whois info on the crook's accounts"; "The crook's IRC channel"]