Chapter Five: Disclosure, takedown, and dead like a zombie

The SANS Internet Storm Center is a group of cyber security professionals who volunteer their time, monitor security logs, and publish information to the Internet community. On August 4, Johannes Ullrich published this post discussing the noisy Linksys router scanning of the QuantumFilament (QF) group. It is important to note that the security bug used by QF to break in was disclosed in February 2014, and that anyone can download a copy of some source code over the Internet and try to break in using the same security vulnerability. The QF operations of 2015 may, or may not, be conducted by the same people who distributed the Moon worm in 2014.

But software is more distinctive. I knew Johannes was talking about the group I was tracking because his post mentioned the same iptables firewall rules I found in the .nttpd loader binary. Johannes also identified one of the IP addresses, 109.206.177.16, as being an active facilitator in the activity. Further, Johannes reported this address to the responsible administrators, who “shut down the affected server shortly after being notified”.

My logs indicate the IP address 109.206.177.16 was online and facilitating QF operations until August 4 at 12:17 UTC. Interestingly, this IP briefly made a zombie appearance and was active for 19 minutes the next day, from 11:02 to 11:21 UTC on August 5.

QuantumFilament was not done with this hosting company, Serverel, quite yet. A second IP address, 109.206.186.250, was in the group of five IP addresses programmed into the .nttpd version 14 binary, which was first submitted to VirusTotal in April. This strongly suggests the QF cyber operators have had access to servers at Serverel since April. Beginning at 09:15 UTC on August 6, this second IP, 109.206.186.250, began to facilitate QF cyber operations, both sending out command and control packets via UDP and fulfilling download requests for additional QF tools over TCP. I made the Internet Storm Center aware of this, and QF cyber operations from 109.206.186.250 ceased at 10:27 UTC on August 10.

In the next post, I will explore the pros and cons of publishing information about ongoing hacking and cyber operations.
