Jaku: Analysis of a botnet

In May 2016, the Special Investigations team at Forcepoint revealed the existence of a botnet campaign that is unique in targeting a very small number of individuals while in tandem, herding thousands of victims into general groups.

The discovery, known as Jaku, offers vital insight into the workings and characteristics of a botnet, as well as specific understanding of a targeted attack that differs from the scattergun approach of broader botnet activities. It also sheds light onto why the victims of botnets are targeted, and how their usage of pirated or counterfeit software and movies leaves them vulnerable to attack.

What is Jaku?

Botnets are resilient, redundant and highly pervasive attack methods. They are repeatedly deployed by major threat actors, such as organised crime, by sponsored attackers acting as proxies and by rogue states via their agencies. In the case of Jaku, this resilience is strengthened by herding thousands of victims into becoming botnet members. But unusually in the case of Jaku, in parallel, a targeted operation is executed on a very small number of unique individuals. These individuals include members of International Non-Governmental Organisations (NGOs), Engineering Companies, Academics, Scientists and Government Employees.

The operators prepared smaller botnets. These, potentially being grown to just the right size to form a resilient infrastructure. This means that should one botnet drop, there are six or seven more, ready to ensure the remainder of the campaign can continue to operate, strengthening its resilience and effectiveness. The figure of 19,000 is a conservative estimate of the number of victims at any one time.

The discovery process

As a research team we gather and analyse industry data on a regular basis. We do this because we want to provide protection for our customers based on discoveries across the industry. The Jaku discovery came in part from reading an earlier Dark Hotel report put out from Kaspersky. By integrating our initial analysis with other sources, a set of IPs and domains were investigated, some of which ran web servers. A handful contained a file called ‘near.jpg’.

What caught our attention was that one of the near.jpg files was 451 MB in size. A sizeable image to be served by a small web server. The initial discovery was really that simple –looking into an images directory and seeing an unusually large .jpg file within it.

We investigated the server further. We discovered that the file was not a JPEG image file at all. In reality, it was an SQLite database. Within the database there were a couple of interesting tables named ‘child’ and ‘history’. Through this we were able to track every victim’s Unique Identifier, their public IP address and their personal information that had been gathered by the malware, as well as the last time that information had been beaconed back to the command and control centre.

Within this information we found the use of numerous foreign languages including Japanese and Korean. None of us being naturally gifted at Asian languages, automated translation from Japanese and Korean into English eventually led to some fairly bizarre animated pornography and a significant amount of copyright theft in the form of videos and cracked software. More worryingly, there were passport and visa images as well as many other documents potentially containing personal information. We were basically able to see what the bad guys had been able to gather from the victim machines.

Where this began to get tricky was we discovered there were actually several command and control centres, rather than just one, but we could track where these were coming from – namely Thailand, Malaysia, Brunei and Singapore.

Deeper discoveries

The more we investigated, the more we realised this was no normal botnet. This lead to the discovery of a server that contained a large PNG file, which turned out to be an encrypted payload buried within something that actually did look like an image file. This file contained malware that surprisingly specifically checked for Bitdefender anti-virus. Critically, the malware had modified RC4 encryption code that one of our team was able to reverse engineer and decrypt. Someone had clearly forgotten rule number one of writing your own crypto which is: Don’t write your own crypto, someone will crack it.

We then discovered that the threat actors behind Jaku were also using secure file deletion techniques that uses an algorithm very similar to the Department of Defense (DoD) erase pattern. It took us some time to track down exactly what the algorithm was but discovered it was the Secure File Shredder, originally written by John Underhill, but written in C rather than C+. The code even had the same errors as Underhill’s original, which told us there was a trend towards code reuse.

We also discovered something that we have never seen before, with the attackers using an open source library called UDT as a covert challenge, as well as using DNS. Outside of the supercomputing world this is a very unusual piece of code, which was likely used to provide command and control communication while remaining stealthy and resilient.

Finally, while proofreading a draft of the report late one night we discovered the boundary of a HTTP POST request which, when we searched it online, brought up just four hits on the whole of the Internet. We found a ++ header file file that led us to source code, with Korean comments, taken from a Korean blog site written in Korean in 2011 – which meant that we could say, with some certainty, that whoever wrote this was a native Korean speaker.

Who are the victims?

We saw a strange, unexplainable variants in the geographic distribution of botnet victims, but could pinpoint that they were being targeted both geographically and linguistically. We don’t know specifically how, as data came in from all over the world, but the fact that there were no victims all across Russia, other than a scattering in Moscow, suggests this could be a language-focused attack.

We also found that the number of corporate victims was low and the attackers were allowed much less dwell time within corporate systems, than non-corporate systems. Less than 1% of computers affected were a member of a Microsoft Windows domain, and the vast majority of victims appear to be people using unlicensed versions of software and cracked versions of Codex used to watch illegally downloaded movies. Indeed, more than half of the victims’ computers were running counterfeit copies of Microsoft Windows.

Within the results we only found two Forcepoint customers. One was a large manufacturing firm that only had two laptop users who, when they worked on the road or at home, did not connect to their corporate VPN. This meant their Forcepoint protection was not enforced and as a result the entire company’s infrastructure was exposed. The second customer was an international civil engineering company that went through a merger and acquisition a few months previously and the organisation they had subsumed brought existing problems with it when they conjoined the networks.

Dedicated effort

Finding, tracking and shutting down attack modes and methodologies with such capabilities can be a formidable task, which no single organisation can do alone. It requires the close collaboration and intelligence-sharing activities of both private organisations and government agencies and we have worked closely with the likes of the Korean, Japanese, Canadian, Dutch and UK CERTs as well as Europol, Interpol and the UK NCA on the Jaku investigation.

The Jaku discovery has taught us that there are thousands of computers sitting, waiting unwittingly to perform DDOS attacks, spear phishing attacks and spam campaigns. On a smaller scale, some of these victims are within the corporate space and their compromises prove that it only takes one or two weak links to bring down an entire organisation’s security defences.

The people infected by the Jaku botnet did so because they did not care about their personal hardware or using cracked versions of Windows software and Codex for videos, and probably were not using any anti-virus software or firewall. However, within that we discovered a surgical level of precision targeting and have contacted the right agencies to help those victims.

The level of effort that the people controlling these botnets went to, from using three forms of covert command and control to the reuse of codes, clearly indicates that they see great value in what they are doing. But a baffling element of this investigation is why the attackers would publish their C2 databases to the general public and still leave it there two weeks after our report has been made public.

There are unanswered challenges in the Jaku investigation, such as figuring out why certain locations have been targeted with certain linguistics by the attackers, and we are keen for this to be a call to action for people to help us. We’re not here to hide this data, other than any sensitive personal information we discovered, but we want to answer any outstanding questions around these findings. So if anyone feels they can help, we’d encourage them to come forward. After all – Intelligence is a process and one which needs collaboration to be truly successful.