Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:37 PM
Connect Directly

LulzSec Went After Qakbot, Mariposa Bots

Meanwhile, Anonymous offering bot-herding, other hacker training for its recruits via IRC, security expert says

Had the now-defunct LulzSec hacking group had its demands met earlier this month for getting botnet intelligence from startup Unveillance, it could have wrested control of a portion of the infamous Qakbot's command-and-control infrastructure that's under the purview of the security firm.

The bots Unveillance had sinkholed are Qakbot-infected machines as well as some Mariposa-infected machines, which could have been a treasure trove of botnet firepower for the hacking group, security experts say. Qakbot is a Trojan that spreads like a worm, and its goal is to steal financial accounts and ultimately help siphon money. The botnet has been spotted on the rise, most recently infecting 1,500 Massachusetts state PCs and possibly exposing personal information of some 250,000 state residents.

Karim Hijazi, CEO and president at Unveillance, which uses sinkhole servers to pose as botnet servers that capture communique from orphaned bots, says his firm controls a large portion of the Qakbot botnet's command-and-control infrastructure via its sinkhole servers. "I believe [LulzSec] wanted it for use for a variety of reasons," Hijazi says. "Fraud, information-stealing, reverse-proxy, [etc.]."

In addition, Unveillance sinkholed some Mariposa bots, which LulzSec was also interested in obtaining. Although law enforcement controls the Mariposa command-and-control servers themselves, there are still plenty of machines worldwide infected with the bot malware. "We still see over 4 million events/communications from infected machines part of Mariposa per hour and over 100,000 unique IP addresses an hour," Hijazi says.

LulzSec wanted Mariposa for DDoS purposes, says Pedro Bustamante, senior research adviser for Panda Security. "It’s important to note that even if LulzSec [was able] to completely hack Unveillance and take over their systems, this will not have an impact on LulzSec getting access to the Mariposa botnet," Bustamante says. "The reason is that the DNS records for the Mariposa command-and-control servers are under the control of law enforcement, and are only being redirected to Unveillance for sinkholing purposes ... we can change the DNS records for the main C&C domains and point them somewhere else as to minimize the impact" of any theft of those existing Mariposa bots, he says.

Clues to LulzSec's botnet intentions began to surface last month, when Unveillance discovered some unusual traffic patterns around its network. On May 25, Hijazi noticed something funny was going on with his email account as well. "An email I saw on my phone was showing as already-read on my computer," even though he had not opened the message yet, he recalls.

Minutes later, he witnessed an email in his inbox go from "unread" to "read" and then back to "unread" again. "That was a really compelling event," he says. Between that and the unusual traffic trying to get past Unveillance's firewalls, something was definitely going amiss: "It was lockdown time," he says.

In the wee hours of the morning, Hijazi received an email with his Infragard password in the subject line, and a message asking if he wanted "to talk," and signed "Love, Friends." He gathered his team at 4:30 a.m., and they began brainstorming and shoring up security.

It wasn't until later in an online chat with the hackers that Hijazi learned what the attackers really wanted: "They ... [were] saying, 'We want your botnet information' or they would 'dox' us," he says. Among their demands was Qakbot information and its sinkholes: "They wanted [me] to convey ownership of the domain for DDoS'ing. They wanted command and control of those DDoS botnets," Hijazi says.

When Hijazi refused, they demanded money, but he replied that his firm was a start-up and didn't have any money. "On Friday, they dumped my emails online, and InfraGard was taken down," he says.

While Anonymous -- from which LulzSec originally spun off -- has been best known for using "crowdsource" distributed denial-of-service (DDoS) attacks using the Low Orbit Ion Cannon (LOIC) tool, the group also has relied on established botnets to take down websites it targets.

Meanwhile, Hijazi says the AntiSec operation headed by Anonymous is hosting a new hacker training school via an IRC chat room for new recruits. "New information about their 'new' AntiSecPro hacker training school shows intent to use the ZeuS source code to train new recruits [bot-herders] how to compile and deploy a ZeuS botnet," Hijazi says.

Aside from the Zeus training and offering source code for Zeus, the "#school4lulz" training includes language injection via HTTP, IDS evasion, SQL injection techniques, botnet C&C protocol selection, takeover mitigation, social engineering skills, war-driving, and how to find an individual's personal information online, Unveillance says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd