Anything you do on the internet leaves the traces. It is stored in system logs, application logs, browser history.
This applies to any individual as well as for the other machines, even the bots from botnets.
I have investigated the network behavior of certain group of bots, belonging to one botnet. They left the traces in the system logs.I generated the graph from the network log data, modified the target IP addresses so I could publish it without disclosing the actual network sensors location.
I used the open source intrusion detection system called Snort, to assign the signature to each attack. The most significant advantage of using the Social Network Analysis approach is that it is possible to analyse not only individual occurrences of malicious actors, but also to sum them up to gain more context.
This helps to learn answers to elementary questions, like:
– What IP’s are the most dangerous and should be blocked?
– What systems should be considered as suspicious?
– What systems should be investigated further, reported to their owners for abuse?
– What is the nature of malicious activities performed by set of systems, correlated in time and also by the attack signatures?
Just by quick look on the picture, it is possible to see on the right big light group of offenders, scanning for MSSQL databases on port 1433:
The other groups of attacks are a bit more obvious on picture below. We can see already that the threat actors can be grouped based on the similarity of the use of certain set of signatures, suggesting there is some form of coordination in the attack like in case of Command and Control of bot nets.
Introductory image of this post shows as big resolution as the tool allowed, to see various trends in attacks performed by this group of zombie systems. If zoomed in, it gives quite clear information about the trending network attacks. These are not targeting for any particular individual or organisation, yet.
Instead, these are basically the mass scanners, who are attempting to seek vulnerable systems. These scans are usually automated with use of the botnet and both this infrastructure and results of these scans are subject of interest in dark web markets.
Vulnerable systems are then compromised and used to spread the botnet, mine crypto coins or contribute by any other way to the intentions of the botnet administrators.
So, why is the MSSQL scanning one of the most prevalent signatures?
There is roughly around 16 000 MSSQL databases, accessible from the internet, according to the Shodan. Most of these holds usernames, passwords, credit card details, sensitive data in general.
The second most prevalent scanning was for the SSH service. Run usually on Unix – based systems, this service is most of the time the tool for the remote administration of the target system. By breaking in, the attackers could gain a lot of profit.
Scanners in this study are not much smart, although they usually already implemented target scanning randomization and honeypot detection to make the detection more difficult to spot.
I selected the single most offensive system from the data set as a node with the most ongoing edges. Meaning the system with numerous attacking signatures detected by the IDS. Next step is to check the scope of its damage, see which systems might be compromised.
Now that we know what are we looking for, we can aim for the specific IP, getting all detected activity, relating with this host on the network:
MATCH p=(ip:IP)-[r:FLOW_SNORT*]->() WHERE ip.ip=”85.255.xx.xx” RETURN p
CYPHER query above generates list 4 thousands of possible compromised systems, out of several milion possible systems in the database.