How do I categorize IPs into Botnets?

Step 0-Get Attack Patterns

LongTail uses the clock times ssh login attempts occur, along
with the source and destination IP addresses to group ssh
login attempts into “Attack Patterns”. After these attack
patterns are created, a word count of the attack pattern
and an MD5 checksum of the attack pattern are created.

While LongTail uses MD5 checksums, and stores the information
required in several files, this demonstration uses
two-letter checksums for ease of understanding, and bundles
all of the information into a single line in a table.

Table 0 shows the (hypothetical) results of
aggregating ssh login attempts into attack patterns.

Table 0
Checksum  IP Address  Number of Lines in Attack Pattern  Botnet Name
AZ        Address-0   15
BZ        Address-1   10
CQ        Address-2   15
QW        Address-3   15
IO        Address-4   11
LL        Address-5   75
AZ        Address-6   15
BZ        Address-7   10
AZ        Address-8   15
BZ        Address-9   10
BZ        Address-0   10
PQ        Address-0    3
PZ        Address-10   1

Step 1-Eliminate “Small” Attack Patterns

While there are several types of attacks possible, it is easiest
to eliminate IP addresses that use single ssh login
attempts. For instance, multiple botnets try “root:root”
and “root:123456” as account and password pairs. Under
the methodology LongTail currently uses it is impossible
to categorize those botnets together. LongTail currently
eliminates any attack patterns that contain 3 or fewer attempts.
LongTail is also currently unable to categorize botnets
that use a large period of time between single ssh login attempts
(also known as “Slow Scan” attacks).

Table 1 shows the results after eliminating those
attack patterns.

Table 1
Checksum  IP Address  Number of Lines in Attack Pattern  Botnet Name
AZ        Address-0   15
BZ        Address-1   10
CQ        Address-2   15
QW        Address-3   15
IO        Address-4   11
LL        Address-5   75
AZ        Address-6   15
BZ        Address-7   10
AZ        Address-8   15
BZ        Address-9   10
BZ        Address-0   10

Step 2-Sort Attack Patterns by Checksum

The next step is to sort the data by checksum. Table 2
shows that there are 6 different checksums
in 10 lines of data (AZ, BZ, CQ, IO, LL, and QW).

Table 2 shows the sorted data.

Table 2
Checksum  IP Address  Number of Lines in Attack Pattern  Botnet Name
AZ        Address-0   15
AZ        Address-6   15
AZ        Address-8   15
BZ        Address-9   10
BZ        Address-0   10
BZ        Address-7   10
BZ        Address-1   10
CQ        Address-2   15
IO        Address-4   11
LL        Address-5   75
QW        Address-3   15

Step 3-Name Botnets That Are Using Identical Attack Patterns

Table 3 shows that IP addresses using attacks with the checksum of AZ are now part of Botnet 1,
and that IP addresses using attacks with the checksum of BZ are now part of Botnet 2.

Table 3
Checksum  IP Address  Number of Lines in Attack Pattern  Botnet Name
AZ        Address-0   15                                 Botnet 1
AZ        Address-6   15                                 Botnet 1
AZ        Address-8   15                                 Botnet 1
BZ        Address-9   10                                 Botnet 2
BZ        Address-0   10                                 Botnet 2
BZ        Address-7   10                                 Botnet 2
BZ        Address-1   10                                 Botnet 2
CQ        Address-2   15                                 Not able to be classified
IO        Address-4   11                                 Not able to be classified
LL        Address-5   75                                 Not able to be classified
QW        Address-3   15                                 Not able to be classified

Step 4-Determine If There Are Different Botnets With Identical Source Addresses In Common

Table 4 shows that the two botnets share an identical source IP
address (Address-0 appears in both Botnet 1 and Botnet 2).

Table 4
Checksum  IP Address  Number of Lines in Attack Pattern  Botnet Name
AZ        Address-0   15                                 Botnet 1
AZ        Address-6   15                                 Botnet 1
AZ        Address-8   15                                 Botnet 1
BZ        Address-9   10                                 Botnet 2
BZ        Address-0   10                                 Botnet 2
BZ        Address-7   10                                 Botnet 2
BZ        Address-1   10                                 Botnet 2
CQ        Address-2   15                                 Not able to be classified
IO        Address-4   11                                 Not able to be classified
LL        Address-5   75                                 Not able to be classified
QW        Address-3   15                                 Not able to be classified

Step 5-Combine Botnets With Identical Source Addresses In Common

Table 5 shows that Botnet 1 and Botnet 2 have now been merged into a
single botnet (called Botnet 1). LongTail combines them by folding
the second botnet into the first botnet.

Table 5
Checksum  IP Address  Number of Lines in Attack Pattern  Botnet Name
AZ        Address-0   15                                 Botnet 1
AZ        Address-6   15                                 Botnet 1
AZ        Address-8   15                                 Botnet 1
BZ        Address-9   10                                 Botnet 1
BZ        Address-0   10                                 Botnet 1
BZ        Address-7   10                                 Botnet 1
BZ        Address-1   10                                 Botnet 1
CQ        Address-2   15                                 Not able to be classified
IO        Address-4   11                                 Not able to be classified
LL        Address-5   75                                 Not able to be classified
QW        Address-3   15                                 Not able to be classified

Step 6-Repeat Step 4 Until No More Botnets Are Combined
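The following Python script is an added example that is not LongTail's own code; it walks Steps 1 through 6 over the constructed data of Table 0 (two-letter stand-ins for LongTail's MD5 checksums). Two assumptions are made where the text leaves the rule implicit: a checksum seen from only one source IP is left "Not able to be classified", as in Table 3, and when two botnets share a source IP the higher-numbered botnet is folded into the lower-numbered one, as in Table 5. The merge loop is written for the general case, so chains of botnets (A shares an IP with B, B shares one with C) collapse into one botnet after repeated passes, which is what Step 6 asks for.

```python
from collections import defaultdict

# Constructed data mirroring Table 0: (checksum, source IP, lines in attack pattern).
# LongTail itself stores an MD5 checksum of each attack pattern; two letters stand in here.
TABLE_0 = [
    ("AZ", "Address-0", 15), ("BZ", "Address-1", 10), ("CQ", "Address-2", 15),
    ("QW", "Address-3", 15), ("IO", "Address-4", 11), ("LL", "Address-5", 75),
    ("AZ", "Address-6", 15), ("BZ", "Address-7", 10), ("AZ", "Address-8", 15),
    ("BZ", "Address-9", 10), ("BZ", "Address-0", 10), ("PQ", "Address-0", 3),
    ("PZ", "Address-10", 1),
]

UNCLASSIFIED = "Not able to be classified"
MIN_LINES = 4  # Step 1: patterns with 3 or fewer attempts are eliminated


def drop_small_patterns(rows, min_lines=MIN_LINES):
    """Step 1: eliminate attack patterns with fewer than min_lines login attempts."""
    return [r for r in rows if r[2] >= min_lines]


def name_botnets(rows):
    """Steps 2-3: group by checksum (sorted) and number each checksum that was
    seen from two or more source IPs. Assumption: a checksum seen from a single
    IP gets no botnet name (Table 3 leaves CQ, IO, LL and QW unclassified)."""
    ips_by_checksum = defaultdict(set)
    for checksum, ip, _ in rows:
        ips_by_checksum[checksum].add(ip)
    botnet_of = {}
    next_id = 1
    for checksum in sorted(ips_by_checksum):
        if len(ips_by_checksum[checksum]) >= 2:
            botnet_of[checksum] = next_id
            next_id += 1
    return botnet_of, ips_by_checksum


def merge_shared_sources(botnet_of, ips_by_checksum):
    """Steps 4-6: while any source IP belongs to more than one botnet, fold the
    higher-numbered botnets into the lowest-numbered one, then rebuild the index
    and look again until a full pass merges nothing. Returns the mapping and the
    number of passes made."""
    passes = 0
    merged = True
    while merged:
        merged = False
        passes += 1
        botnets_by_ip = defaultdict(set)
        for checksum, botnet in botnet_of.items():
            for ip in ips_by_checksum[checksum]:
                botnets_by_ip[ip].add(botnet)
        for ip, botnets in botnets_by_ip.items():
            if len(botnets) > 1:
                keep = min(botnets)  # Table 5: the second botnet joins the first
                for checksum, botnet in botnet_of.items():
                    if botnet in botnets:
                        botnet_of[checksum] = keep
                merged = True
                break  # Step 6: rebuild the IP index and repeat
    return botnet_of, passes


def classify(rows):
    """Run Steps 1-6 and return rows in checksum order, each with its botnet label."""
    kept = drop_small_patterns(rows)
    botnet_of, ips_by_checksum = name_botnets(kept)
    botnet_of, _ = merge_shared_sources(botnet_of, ips_by_checksum)
    labelled = []
    for checksum, ip, lines in sorted(kept, key=lambda r: r[0]):
        label = f"Botnet {botnet_of[checksum]}" if checksum in botnet_of else UNCLASSIFIED
        labelled.append((checksum, ip, lines, label))
    return labelled


if __name__ == "__main__":
    for row in classify(TABLE_0):
        print("%-3s %-11s %3d  %s" % row)
```

Running the script prints Table 5: the two PQ/PZ rows are dropped in Step 1, AZ and BZ become Botnet 1 and Botnet 2 in Step 3, Address-0 ties them together in Step 4, and the second pass of the merge loop finds nothing left to combine.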

What’s The Difference Between a Botnet and a Botnet Fragment?

As far as LongTail’s software is concerned, they are the same thing.
In reality, any botnet found that only has a few IP addresses is probably
(but not provably so) part of a larger botnet. As a practical matter,
though, botnet fragments have a tendency to eventually use the same
attack pattern as a larger botnet and are then merged into the larger
botnet. Some of the botnet fragments may never be merged into a larger
botnet if for some reason they go offline (for example, they are detected and deleted
by the person who is responsible for the IP address that the botnet
was using).

What the heck is “wubao” and “jiamima” in ssh Brute Force Attacks?

According to my sources in Hong Kong,

> wubao = 誤報, means something wrongly reported
> jiamima = 加密碼, can mean ‘add password’ or ‘encryption code’

Nonetheless, these two passwords are the first ones tried from sshPsycho when they start attacking a server.

I think that this shows that sshPsycho doesn’t have a centralized server to record which IP addresses they already have taken control of.

>>>>>>Ericw