A few months ago we started tracking a botnet (arbitrarily named LazyAlienBikers) whose origins we did not know and whose malware was undetected. Later on it would come to be associated with MEvade malware. What’s interesting about this particular botnet, and how has it evolved?
Through analysis of our various Big Data systems [*pauses for groans*, but what else would you call a collection of massive data sets that allows us to discover advanced threats without having to see the malware first] we were able to identify the important details – parse out the related C&C infrastructure, identify traffic patterns, cluster component-related indicators, scope the victims, map out additional infrastructure, follow the herd as the threat evolved, etc. On occasion we even stumbled across related binaries…
After building a sufficiently confident case that our customers wouldn’t want any piece of this action, we started flagging compromised devices for our customers, raising awareness, blocking these communications where customers wanted us to, and doing further escalation and follow-up. That was it for a while: we continued to watch the threat evolve, worked on attribution and kept protecting our customers. Finally, at long last, other people started taking notice, especially once the bots began their fateful march onto the Tor network. This was certainly not the first botnet we’d seen use Tor, but the size of this one was impossible to miss.
To me, the most interesting aspect of this operation is how the evolution backfired.
Background
Size:
Initially we estimated LazyAlienBikers to control several million infected nodes (between 1.4 million and 5 million). The wide range is due to a vast array of confounding variables, including systematic bias from the sampling methodology:
– differing infection rates amongst fixed broadband versus mobile versus non-broadband subscribers
– …amongst North America versus Africa versus Asia
– …IP churn rate and device-to-IP ratios
– …callback frequency from one variant/component to the next
– …etc.
More recently, the switch to Tor and the overwhelming deviation in the Tor Project’s user metrics seem to corroborate the range and suggest that the actual number is toward the higher end. (Those metrics are estimated from directory requests rather than from unique devices, so they corroborate the order of magnitude rather than give an exact head count.)
Behavior:
LazyAlienBikers is present in over 80% of enterprise networks we monitor. The behavior of the infection varies significantly from one asset to the next and from environment to environment.
For example:
% of infected enterprises – Behavior
20% – Malware infections failing to establish a connection to the control server (at least while in the monitored environment)
44% – Connected to the C&C server, but essentially dormant, doing little more than periodic updates
22% – Active infection, identifying paths, with small amounts of successful data exfiltration
14% – Active infection, with vast quantities of data exfiltration
NOTES: Some customers took immediate corrective action or had Damballa Failsafe blocking enabled. While 14% of customers had significant data exfiltration, only select devices within those customers were observed exfiltrating significant data.
Timeline:
We started tracking the botnet this year, but given its size there is evidence to suggest it started further back. It has evolved over time in terms of the C&C infrastructure, the protocol and, of course, the malware used. Some significant recent dates in the evolution:
• June 28: Microsoft first distinguished MEvade from other malware families. Sample coverage was still sparse, but MS deserves credit for being the first (and subsequently most consistent) amongst AV scanners to provide any distinctive coverage at all.
• July 11: The LazyAlienBikers (LAB) threat actor changes domain usage tactics to focus more on dynamic DNS providers such as Afraid, No-IP, and ChangeIP. These hostnames serve multiple functions, such as carrying SSH connections over standard HTTP(S) ports and dropping new malware binaries.
• August 19: Ramps up Tor usage.
• September 6: AV industry at large is talking about it, thanks to Fox-IT, Trend, and others…
• September 9: Many samples still seem to go undetected by major AV vendors, including, sadly, some of the oldest samples. Those that are detected are often caught only by the most aggressive heuristics and/or cloud reputation (which isn’t a bad thing in and of itself, but it means not all of their enterprise configurations and environments are covered).
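The July 11 entry describes two network traits that are cheap to hunt for regardless of whether AV catches the binary: SSH sessions carried over ports 80/443, and callbacks to hostnames under dynamic DNS providers. The following Python triage filter is an added example and is not Damballa’s code or tooling. The session records are constructed, and the dynamic DNS zone list is a short illustrative assumption (the real providers operate far more zones, and the lists change over time).

```python
"""
Added example (not from the original post): flag sessions that show either of
the two traits attributed to the July 11 shift in tactics:
  1. an SSH identification banner on a standard web port, and
  2. a destination hostname under a dynamic DNS provider zone.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASSUMPTION: a small, illustrative subset of zones run by the three providers
# the post names. A production rule needs the providers' full zone lists.
DYNDNS_ZONES = (
    "afraid.org", "mooo.com",                               # Afraid (FreeDNS)
    "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org",     # No-IP
    "changeip.com", "dynamic-dns.net",                      # ChangeIP
)

# Ports on which an SSH banner is unexpected and worth a second look.
WEB_PORTS = {80, 443, 8080}


@dataclass
class Session:
    ts: str            # timestamp (ISO 8601, constructed)
    dst_host: str      # destination hostname (from DNS/SNI/Host, constructed)
    dst_port: int
    payload_head: bytes  # first bytes on the wire after the TCP handshake


def is_ssh_banner(head: bytes) -> bool:
    """RFC 4253 identification string: 'SSH-2.0-...' ('SSH-1.99-' for compat).
    A TLS session on 443 starts with a 0x16 record byte instead, so the two
    are trivially distinguishable from the first bytes."""
    return head.startswith(b"SSH-2.0-") or head.startswith(b"SSH-1.99-")


def dyndns_zone(host: str) -> Optional[str]:
    """Return the matching dynamic DNS zone, or None. Matches on label
    boundaries so 'hopto.org.example.com' does not match 'hopto.org'."""
    host = host.lower().rstrip(".")
    for zone in DYNDNS_ZONES:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def classify(s: Session) -> List[str]:
    """Return the list of findings for one session (empty when benign)."""
    findings = []
    if s.dst_port in WEB_PORTS and is_ssh_banner(s.payload_head):
        findings.append(f"ssh-on-web-port:{s.dst_port}")
    zone = dyndns_zone(s.dst_host)
    if zone:
        findings.append(f"dyndns-callback:{zone}")
    return findings


def scan(sessions: List[Session]) -> List[Tuple[str, str, List[str]]]:
    """Return (timestamp, host, findings) for every session with a finding."""
    hits = []
    for s in sessions:
        f = classify(s)
        if f:
            hits.append((s.ts, s.dst_host, f))
    return hits


# Constructed sample sessions; hostnames are placeholders, not real C&C.
SAMPLE_SESSIONS = [
    Session("2013-07-12T03:14:05Z", "www.example.com", 443,
            b"\x16\x03\x01\x02\x00\x01"),            # TLS ClientHello: benign
    Session("2013-07-12T03:14:09Z", "node17.mooo.com", 443,
            b"SSH-2.0-OpenSSH_6.2"),                 # SSH over 443 to dyndns
    Session("2013-07-12T03:15:40Z", "upd.example.no-ip.org", 80,
            b"GET /dl/bin HTTP/1.1\r\n"),            # binary fetch from dyndns
    Session("2013-07-12T03:16:02Z", "git.example.com", 22,
            b"SSH-2.0-OpenSSH_6.2"),                 # SSH on 22: normal
    Session("2013-07-12T03:17:11Z", "mail.example.com", 8080,
            b"SSH-1.99-dropbear_2012.55"),           # SSH on an alt web port
]

if __name__ == "__main__":
    for ts, host, findings in scan(SAMPLE_SESSIONS):
        print(ts, host, ", ".join(findings))
```

Both signals are leads for triage rather than proof of compromise: some environments deliberately run SSH over 443 to get through egress filters, and dynamic DNS has plenty of legitimate users, which is why the post describes flagging devices and blocking only where customers asked for it.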
So there’s the background. This was a pretty substantial botnet to be so ignored for so long, the hallmark of a successful threat actor. So what changed? Why did a botnet nobody else seemed to notice for a very long time suddenly take front page? Essentially, they were too good.
To learn about the motivation and network behavior, read the full article from Damballa.
For more information on LazyAlienBikers/MEvade, visit
Mark Gilbert, Security Researcher Damballa