Wednesday, February 10, 2016

ZBTrap: a Virtual Appliance for Botnet Detection

I have created a Virtualbox VM named "ZBTrap" (shortened from ZomBie Trap), which can be used to detect spam-sending computers by greylisting. Anyone can download and configure this VM, and then start detecting malware-infected computers themselves.

ZBTrap is licensed under Creative Commons Attribution-ShareAlike 4.0 International License.

Warning: Even though this appliance seems to work correctly when I create and test it, I cannot guarantee it will work for you. Use at your own risk.

Prerequisite: ZBTrap's operation is based on greylisting, so one or more heavily spammed domains with no active mail accounts are necessary for it to work. All incoming mail will be discarded, so don't use this for any domain which you intend to receive mail.

Built-in accounts/password:

root/cbf7b598 (root account)
zbtrap/8ad49a99

"zbtrap" is the account used for retrieving the IP list of suspected zombie computers and the associated spam mail headers.

Here is how to set up your own ZBTrap:

  • Download the "ZBTrap" virtual appliance (download link here). That file is almost 600MB, so be patient.
  • The appliance is in OVA format. Import it (File/Import Appliance...) into your Virtualbox manager.
  • Configure the network settings of your ZBTrap so that it is able to accept incoming SMTP connections. There are many ways to achieve this. When I tested it at home, I configured my ZBTrap to be "bridged" within my Virtualbox, so that it gets its own IP address. Then I set up my gateway to forward TCP port 25 (SMTP) of its external IP to my ZBTrap.
  • Start your ZBTrap VM. For each domain you use to detect botnets, you have to add one line to /usr/exim/grey_domains as the root user (here I assume that the domain to be added is "spammeddomain3.com"):

    echo spammeddomain3.com >> /usr/exim/grey_domains

    Likewise, one line has to be appended to /usr/exim/domain_aliases, too:

    echo "*@spammeddomain3.com: greyhole" >> /usr/exim/domain_aliases

  • Point the MX of your mail domain(s) to your ZBTrap, and it should be the sole MX for those domains. In my case described above, I created a domain name mapping to the public IP of my gateway, then used that for the MX.
  • Start the SMTP daemon with the root account by issuing this command:

    /usr/exim/bin/exim -bd


Now your ZBTrap is ready to collect malware-infected computers' IP addresses.

The VM's timezone is currently set to UTC, which is important when you want to generate the IP list of the malware-infected computers for the previous day. Follow the procedure below to get the information you want.

  • If you want the IP list for a certain day, issue the following commands the next day as the zbtrap user.

    cd;
    /bin/sh ~/bin/get_expired_entries.sh > ~/expired_list.txt


    The file "expired_list.txt" contains the md5 string, the message acceptance time as a UNIX epoch timestamp and the source IP of the expired messages (blocked by greylisting) from the previous day, one message per line. If you are only interested in the botnets' IPs, the 3rd column is what you want.
  • If you want to report these suspected bots to someone who can check and clean them, you will need the mail header. I have recorded the header data in the mail server's mainlog file, located under /var/spool/exim/log. At 00:00 UTC, the log rotation script renames the old mainlog to mainlog.01, which is our input data. Issue the following commands to match the expired_list's md5 strings to the corresponding mail headers from mainlog.01, and print them out.

    cd;
    < /var/spool/exim/log/mainlog.01 awk -v expired_list=expired_list.txt -f bin/generate_daily_logs_gl.awk > ~/conn_log.txt


    To view the mail headers from IP xxx.yyy.zzz.www, issue the following commands (the -F makes grep treat the dots in the address literally instead of as regex wildcards).

    cd;
    < ~/conn_log.txt grep -F xxx.yyy.zzz.www | awk -f bin/show_mail_header.awk
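
The steps above rely on two joins: picking the expired entries that fall on one UTC day, and matching an IP's md5 strings back to the logged headers. The script below is an added example (not ZBTrap's own get_expired_entries.sh, generate_daily_logs_gl.awk or show_mail_header.awk) that performs both joins on constructed data so the flow can be tried without the VM. The three-column layout of expired_list.txt follows the description in this post; the log line layout, the md5 values, the timestamps and the IPs (taken from the RFC 5737 documentation ranges) are all made up for the example.

```shell
#!/bin/sh
# Added example, not part of ZBTrap: reproduces the post-processing steps on
# constructed data. expired_list.txt uses the columns described in the post
# (md5, accept time as UNIX epoch, source IP). The log line format below is
# an assumption for this example, not Exim's or the VM's real mainlog format.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed expired_list.txt. 1455062400 is 2016-02-10 00:00:00 UTC, so
# rows 1-3 belong to 2016-02-09 and row 4 to 2016-02-10.
cat > "$WORK/expired_list.txt" <<'EOF'
1d7f0c2a9b3e4f5a6c7d8e9f00112233 1454980000 203.0.113.10
2e8a1d3b0c4f5a6b7c8d9e0f11223344 1455000000 198.51.100.25
3f9b2e4c1d5a6b7c8d9e0f1122334455 1455050000 203.0.113.10
4a0c3f5d2e6b7c8d9e0f112233445566 1455070000 192.0.2.77
EOF

# Constructed mainlog.01 with header data keyed by the same md5 strings
# (assumed layout), plus one unrelated line to show the join skips it.
cat > "$WORK/mainlog.01" <<'EOF'
2016-02-09 01:06:40 1d7f0c2a9b3e4f5a6c7d8e9f00112233 H=[203.0.113.10] From: "Promo" <promo@example.net> Subject: Cheap offer
2016-02-09 06:40:00 2e8a1d3b0c4f5a6b7c8d9e0f11223344 H=[198.51.100.25] From: <x@example.org> Subject: Re: invoice
2016-02-09 20:33:20 3f9b2e4c1d5a6b7c8d9e0f1122334455 H=[203.0.113.10] From: "Promo" <promo@example.net> Subject: Last chance
2016-02-09 23:59:59 Start queue run: pid=1234
2016-02-10 02:06:40 4a0c3f5d2e6b7c8d9e0f112233445566 H=[192.0.2.77] From: <y@example.com> Subject: hello
EOF

# Unique source IPs whose accept time falls on the same UTC day as $1
# (any epoch value inside the wanted day). Because the VM clock is UTC, a
# day boundary is simply a multiple of 86400 and no timezone math is needed.
bots_for_day() {
    awk -v t="$1" 'int($2 / 86400) == int(t / 86400) { print $3 }' \
        "$WORK/expired_list.txt" | sort -u
}

# All log lines for messages that the given IP sent: collect that IP's md5
# strings from expired_list.txt, then pull the log lines carrying them.
# -F treats the md5s as fixed strings; -w keeps an id from matching inside
# a longer token.
headers_for_ip() {
    awk -v ip="$1" '$3 == ip { print $1 }' "$WORK/expired_list.txt" > "$WORK/ids"
    [ -s "$WORK/ids" ] || return 0      # unknown IP: nothing to show
    grep -F -w -f "$WORK/ids" "$WORK/mainlog.01" || true
}

# Stand-alone run: bots seen on 2016-02-09, then one IP's headers.
bots_for_day 1454976000
headers_for_ip 203.0.113.10
```

The day filter is the part that depends on the VM running in UTC: if the clock were in a local zone, messages accepted near midnight would land in the wrong day's list and no longer line up with the 00:00 UTC log rotation.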


If you encounter any difficulties when using ZBTrap, please post your problem here. I will do my best to answer them.

2 comments:

  1. Will my server be deleted from your DB when the spam from IP stops? That was my Proxy with no password failure

    1. No. I don't see the need to change my suspected bot list, which was only a state of the Internet in the past.