Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology01 OverviewRecently, the domestic AI large model DeepSeek has been subjected to large-scale cyber attacks, resulting in multiple service interruptions. This has attracted attention from the domestic security industry. According to a monitoring report from Qihoo 360’s XLab, it was found that the zombie networks RapperBot and HailBot launched DDoS attacks against DeepSeek. To more effectively assess the risks and support the prevention of related attacks, Antiy CERT extracted the zombie trojan samples used by these two zombie networks from the “Cyber Brain” platform sample library for further analysis.02 Sample Analysis

2.1 The Origins of RapperBot and HailBot — Mirai

Both RapperBot and HailBot are products of the source code leak of the Mirai botnet. The Mirai botnet was first discovered in 2016 and quickly attracted widespread attention. Its name comes from the Japanese word for “future.” Unlike traditional botnets that primarily target Windows systems, Mirai infects and controls network cameras, home routers, and other IoT devices to build a botnet system. In 2016, it came to light due to the “DYN incident,” and the three authors of Mirai, Paras Jha, Josiah White, and Dalton Norman, are all Americans. The three operated a company called Protraf Solutions LLC, which claimed to provide DDoS attack protection but actually used the botnet to launch DDoS attacks for extortion and profit. In 2018, they were sentenced to five years of probation, 2,500 hours of community service, and ordered to pay $127,000 in restitution, and to voluntarily forfeit any cryptocurrency obtained during the criminal period.

Mirai specifically targets IoT devices for automated penetration, such as routers, network cameras, and digital video recorders (DVRs), which often fall outside the security operation perspective or are home devices, commonly having issues like unchanged default passwords or simple passwords, and outdated firmware versions. Through password cracking and vulnerability exploitation, Mirai gains access to these devices and uploads malicious code to run on them, turning them into controlled zombie nodes. A notable feature of this botnet is its modular design and self-updating capability, allowing it to quickly adapt to changing security environments and add new attack methods. Once infected, devices will automatically execute scanning tasks and attempt to spread the malware to other devices, thereby building large botnet clusters.

On September 30, 2016, the source code of the Mirai botnet was publicly leaked on GitHub. Attackers have customized and modified the source code, resulting in multiple variant families, including RapperBot and HailBot. The modification methods include but are not limited to replacing the control domain name (to evade security vendor bans), disguising login authentication mechanisms (to mimic legitimate device traffic), and obfuscating communication protocol fields (such as modifying the structure of the heartbeat packet to bypass detection rules). Due to the high reusability of the source code, global black market groups can build “same-source heterogeneous” botnet clusters at low cost—these variants may present differences in surface functionality, but their core infection logic, C2 command structure, and attack modules are inherited from the original Mirai architecture, making it difficult to trace the associations of the controlling organizations behind them.

2.2 RapperBot Botnet

RapperBot is a botnet developed based on the Mirai source code, with multiple versions capable of running on different architecture processors such as ARM, MIPS, SPARC, and x86. It was named “RapperBot” because an early sample contained a link to a rap video.

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Figure 2-1 RapperBot early sample containing a link to a rap video

The string in the code “follow me on instant gram @2tallforfood, pause it. Fuck Bosco.” translates to “Find me on Instagram @2tallforfood, pause it. Fuck Bosco,” where @2tallforfood is an account of a singer on the YouTube channel ALL URBAN CENTRAL, which has only two videos before 2021: @2TallForFood – Diamonds Is Lit (Official Video) and @2tallforfood – I Am Da Bag (Official Video). The song “Fuckbosco” is another title by this singer, who is relatively obscure, with video views not exceeding 500 at the time of this report.

The YouTube channel ALL URBAN CENTRAL was established in 2014 as an American music entertainment channel, primarily featuring music rap and hip hop, as well as celebrity news. It has about 3 million subscribers, and most of its videos are under 6 minutes, with a total view count exceeding 2 billion. It generates revenue through subscriptions and ranks around 4000 in the music category in the US.

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Figure 2-2 Video linked in the early sample of RapperBot

2.2.1 Sample Tags

Table 2-1 RapperBot early version sample tags

Virus Name

Trojan/Linux.Mirai[Backdoor]

MD5

9E331675D780AF4585857B1F95B40CBB

Processor Architecture

i386

File Size

66.47 KB (68068 bytes)

File Format

ELF

Digital Signature

None

Packing Type

None

VT First Upload Time

2022-06-17 08:10:19

VT Detection Result

38/64

Table 2-2 RapperBot new variant sample tags

Virus Name

Trojan/Linux.Mirai[Backdoor]

MD5

BEC7596CFB1225900673398ABB24FFA8

Processor Architecture

i386

File Size

80.47 KB (82400 bytes)

File Format

ELF

Digital Signature

None

Packing Type

None

VT First Upload Time

2024-07-02 02:21:30

VT Detection Result

37/63

Note:Due to the strong preprocessing capabilities of Antiy’s AVL SDK antivirus engine, it can detect transformed derivative samples with fewer high-quality rules. As of the writing of this article, the detection results for RapperBot samples are all Mirai, hence this note.

2.2.2 Propagation Methods

2.2.2.1 SSH Brute Force

Some variants of the RapperBot botnet family propagate through SSH brute force. In early samples, the credential list was hardcoded in the file, while later variants changed to obtaining the credential list from the C2 server. After successfully brute-forcing the SSH server, RapperBot executes shell commands to replace the ~/.ssh/authorized_keys file on that server, thus maintaining remote access to the victim server.

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Figure 2-3 Part of the SSH brute force credential list hardcoded in the file

2.2.2.2 Telnet Default Password Probing

Some RapperBot botnet variants probe devices using default Telnet passwords, with target device keywords, default usernames, and passwords hardcoded in the file.

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Figure 2-4 Telnet username/password table hardcoded in the sample file

From the hardcoded information attempted for brute force in related samples, it can be seen that the targets of these RapperBot variants are mostly common network devices and IoT devices.

Table 2-3 RapperBot built-in user probing login services, usernames, passwords, and possible associated devices(The table content is based on DeepSeek’s organized output and has been manually revised, hence this note)

Service/Module

Username

Password

Possible Associated Services/Brands/Device Types

tc login

dnsekakf2$$

“” (empty)

DASAN customized network devices

tc login

dnsekakf2$$

dnsekakf2$$

DASAN customized network devices

tc login

user

1234

DASAN customized network devices

tc login

admin

TeleCom_1234

China Telecom customized devices

tc login

admin

TJ2100Npassword

Tejas Networks TJ2100N optical modem or gateway

tc login

admin

admin

Various mainstream network devices

tc login

&unk_19130

1234

Possible IoT devices such as cameras

soc1

default

Default

Various industrial products and software

soc1

default

password

Various industrial products and software

TAG

default

password

Suspected IoT devices

PXICPU

default

password

Some industrial embedded controllers devices

TX25

default

password

Suspected wireless devices

PK

admin_404A03Tel

zyad5001

ZyXEL (合勤) routers

PK

admin_404A03Tel

Centurylink

ZyXEL (合勤) routers

PK

admin_404A03Tel

QwestM0dem

ZyXEL (合勤) routers

PK

admin

Centurylink

ZyXEL (合勤) routers

PK

admin

QwestM0dem

ZyXEL (合勤) routers

PK

admin

zyad5001

ZyXEL (合勤) routers

abloom

nobody

“” (empty)

Abloom brand IoT devices

abloom

admin

Abloom

Abloom brand IoT devices

abloom

root

Abloom

Abloom brand IoT devices

SAP

nobody

“” (empty)

SAP testing environment or IoT devices

SAP

admin

Admin

SAP NetWeaver application server

RG-

ftp

Video

Network video recorders (NVR) or IP cameras

buildroot login

default

Default

Various embedded Linux systems

mico

root

“” (empty)

Embedded systems

2.2.3 Behavior Analysis

The early versions of RapperBot support fewer types of DoS attack methods, including TCP STOMP attacks and UDP flood attacks. The new variants of RapperBot support similar commands to the early samples but can execute a wider variety of DoS attacks.Table 2-4 Comparison of command functions between early versions and new variants

Command Code

RapperBot Early Version Functions

RapperBot New Variant Functions

1

Maintain connection status

Online packet

2

Stop DoS attack and terminate

Response packet

3

Execute DoS attack

Heartbeat packet

4

Stop DoS attack

Execute DoS attack

5

None

Stop DoS attack and terminate

6

None

Close C2 connection

When attackers conduct DoS attacks, they execute the corresponding functional functions by selecting pre-set sequence numbers to carry out specific DoS attacks. This indicates that the commands supported by RapperBot samples primarily focus on initiating DoS attacks, and throughout its development from early to present, the developers have gradually improved RapperBot’s DoS attack capabilities to support large-scale DDoS attack activities.Table 2-5 RapperBot new variants support various DoS attacks

Attack Command

DoS Attack Type

Attack Description

0

UDP flood attack

Consumes the victim’s network bandwidth by sending a large number of UDP packets.

1

UDP packet forgery

Attackers send a large number of forged UDP packets to the target server, tricking the server into responding and consuming the victim’s network bandwidth.

2

GRE-IP flood attack

Consumes the victim’s network bandwidth by sending a large number of GRE protocol data encapsulated with IP network packets.

3

GRE-Eth flood attack

Consumes the victim’s network bandwidth by sending a large number of GRE protocol data encapsulated with Eth network packets.

4

SYN flood attack

By sending a large number of SYN packets, the server creates a large number of half-connection requests, consuming system memory and CPU resources.

5

ACK flood attack

Consumes the victim’s network bandwidth by sending ACK packets with random source ports, destination ports, and data.

6

ACK-PSH flood attack

Establishes a connection with the server by sending ACK responses with PSH flags, sending a large number of requests to consume the victim’s network bandwidth.

7

TCP flood attack

Consumes the victim’s network bandwidth by sending a large number of TCP packets.

8

HTTP flood attack

Attackers send a large number of HTTP messages to the target server, consuming the victim’s network bandwidth and server resources.

2.3 HailBot Botnet

HailBot is a botnet developed based on the Mirai source code, capable of running on different architecture processors such as ARM, x86, x64, and MIPS. It is named HailBot because it outputs “hail china mainland” to the console during runtime.

2.3.1 Sample Tags

Table 2-6 HailBot early version sample tags

Virus Name

Trojan/Linux.Mirai[Backdoor]

MD5

C4526600A90D4E1EC581D1D905AA6593

Processor Architecture

x64

File Size

68.6 KB (70,295 bytes)

File Format

BinExecute/Linux.ELF[:X64]

Digital Signature

None

Packing Type

None

VT First Upload Time

2024-02-23 06:43:16

VT Detection Result

41/66

Table 2-7 HailBot new variant sample tags

Virus Name

Trojan/Linux.Mirai[Backdoor]

MD5

2DFE4015D6269311DB6073085FD73D1B

Processor Architecture

ARM

File Size

74.7 KB (76,572 bytes)

File Format

BinExecute/Linux.ELF[:ARM]

Digital Signature

None

Packing Type

None

VT First Upload Time

2024-09-23 18:35:26

VT Detection Result

42/63

Note:Due to the strong preprocessing capabilities of Antiy’s AVL SDK antivirus engine, it can detect transformed derivative samples with fewer high-quality rules. As of the writing of this article, the detection results for HailBot samples are all Mirai, hence this note.

2.3.2 Behavior Analysis

HailBot outputs “hail china mainland” to the console during runtime, which clearly has the intent to frame China, and its expression is obviously inconsistent with Chinese language logic.Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Figure 2-5 HailBot outputs specific strings to the console

When Mirai series zombie programs go online, they send online data packets to the C2 server. The original online data packet of Mirai is four bytes long, with the content |00 00 00 01|, while HailBot modifies it to eight bytes |31 73 13 93 04 83 32 01|, allowing the C2 server to recognize that its traffic comes from HailBot, while also evading detection by security scanning mechanisms that use the original online packet.

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Figure 2-6 HailBot sends eight specific bytes when connecting to C2

HailBot spreads by exploiting vulnerabilities, including the long-used CVE-2017-17215 vulnerability, which exists in the UPnP (Universal Plug and Play) service of specific versions of routers. Attackers can exploit this vulnerability by sending specially crafted HTTP requests to execute arbitrary code on the device.Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Figure 2-7 HailBot vulnerability exploitation payload

The early versions of HailBot have three TCP attack methods and one UDP attack method, while the latest version has upgraded to five TCP attack methods and three UDP attack methods, providing attackers with more options and combinations for attacks, thus posing a greater threat.

Table 2-8 Old version HailBot commands

Command Number

Function

Impact

0

TCP flood attack

Consumes the victim’s network bandwidth by sending a large number of TCP requests of 500 to 900 bytes.

1

UDP flood attack

Consumes the victim’s network bandwidth by sending a large number of UDP requests.

2

GRE IP flood attack

Consumes the victim’s network bandwidth by sending a large number of GRE protocol data encapsulated with IP network packets.

3

SYN flood attack

By sending a large number of SYN packets, the server creates a large number of half-connection requests, consuming system memory and CPU resources.

Table 2-9 New version HailBot commands

Command Number

Function

Impact

0

TCP flood attack

Creates connections and sends a large number of TCP requests of 500 to 900 bytes, consuming the victim’s network bandwidth.

1

SSDP flood attack

Utilizes the Simple Service Discovery Protocol (SSDP) to send a large number of “discovery message” requests, causing the victim to respond and consuming the victim’s memory and CPU resources.

2

GRE IP flood attack

Consumes the victim’s network bandwidth by sending a large number of GRE protocol data encapsulated with IP network packets.

3

SYN flood attack

By sending a large number of SYN packets, the server creates a large number of half-connection requests, consuming system memory and CPU resources.

4

UDP flood attack (512 bytes)

Sends a large number of 512-byte UDP requests, consuming the victim’s network bandwidth.

5

UDP flood attack (1024 bytes)

Sends a large number of 1024-byte UDP requests, consuming the victim’s network bandwidth.

6

TCP STOMP flood attack

Creates connections and sends a large number of 768-byte data packets, consuming the victim’s network bandwidth.

7

TCP ACK flood attack

Consumes the victim’s network bandwidth by sending ACK packets with random source ports, destination ports, and data.

In addition, HailBot has also changed its encryption methods. In early versions, HailBot used a simple XOR algorithm to encrypt strings such as C2 addresses and attack payloads, with the XOR bytes being constants hardcoded in the program.

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Figure 2-8 Early version HailBot encryption algorithm

In subsequent versions, HailBot switched to the chacha20 stream cipher encryption algorithm for string encryption, increasing the strength of string encryption and reducing static characteristics of strings, making them harder to detect and analyze.Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Figure 2-9 HailBot chacha20 round operation code

03 Summary

In summary, the attack modes of HailBot and RapperBot primarily rely on the massive zombie nodes (botnet clusters) they control, continuously consuming the target host’s bandwidth resources, TCP connection pool capacity, and CPU power required for connection processing by sending forged request data packets at high frequency. This attack method, while belonging to the traditional DDoS (Distributed Denial of Service) category, remains one of the core threats to internet infrastructure today. The fundamental contradiction lies in the fact that the defender’s resources naturally have limits (such as computing performance and network throughput), while the attacker can continuously expand the scale of the botnet at almost zero marginal cost through automated scanning and malicious code injection, creating an asymmetry of resources between the attacker and defender.

After the global explosion of DeepSeek, it experienced exponential growth in user numbers, API call volumes, and concurrent requests in a short period, causing the underlying infrastructure to remain in a high-load critical state. Against this backdrop, the addition of large-scale DDoS attacks (such as massive text generation requests launched through botnets) directly triggered a surge in service response delays, API rate limiting, and even cluster overload crashes, severely impacting user experience and business continuity.

For internet resource service providers, methods to prevent DDoS attacks are relatively mature and require a deep integration of resource investment and routine security operations, necessitating cooperation among service providers, infrastructure providers, and regulatory agencies. This includes deploying more resilient distributed, multi-region, multi-link service architectures, using load balancer devices and strategies, enhancing bandwidth and hardware facilities, and improving system throughput capacity; as well as improving security monitoring, traffic cleaning, and dynamically adjusting relevant security policies.

For the security operations of government and enterprise institutions, strengthening protection to prevent devices from becoming zombie nodes is also a contribution to curbing the spread of botnets. Timely detection and handling of infected nodes is a very important task. From the analysis in this article, the basic security governance of terminals and IoT devices is key, including changing default passwords, controlling access policies for network devices and IoT device management ports, and timely firmware patch upgrades. On the endpoint and cloud side, it is necessary to deploy security products with effective protection capabilities, such as antivirus, EDR, CWPP, etc., to build a solid security foundation.

For regulatory agencies, DDoS governance involves a large amount of resource coordination, especially international governance collaboration, which further increases the difficulty of governance. There is a need to improve stronger technical resources and system capabilities at the national security and public safety levels.

While improving basic protection and security governance, we also need to further focus on researching the risk evolution of new technologies. The development of new technologies is always bound to the dynamic evolution of security threats in three ways: bringing new threats, promoting the escalation of traditional threats, and becoming targets of attacks themselves. Generative artificial intelligence and large model technologies are no exception, as they have driven the automation level of traditional attack techniques, rapidly matured deep forgery attack techniques, and themselves have become high-value targets.

Compared to traditional web services (such as CGI dynamic pages or search engines), the computational power consumption of generative AI in a single interaction is significantly higher, and the open API interfaces are easily abused by attackers as computational resource black holes. The business characteristics and risk scenarios of large model platforms present significant particularities, which require us to be more vigilant about computational resource attack risks. To support high-concurrency inference requests and long-context interactions, platforms need to deploy large-scale GPU clusters and real-time scheduling systems. Attackers can design low-traffic, high-impact precision attack chains targeting these computationally intensive, low-latency-sensitive characteristics, such as maliciously constructing model parameter queries (e.g., triggering high-dimensional tensor calculations), where a single request can consume several times the GPU resources of a conventional task; context injection attacks, by embedding specific prompt words to force the model to execute recursive parsing, leading to CPU/memory resource exhaustion. The cost-effectiveness ratio of such attacks far exceeds that of traditional DDoS (which can paralyze services without massive botnets) and is easier to bypass traffic threshold-based protection strategies.

At the same time, we also need to further pay attention to the data security risks of big data platforms: due to the intertwining storage of multi-tenant data involved in large model training and inference processes, residual tuning parameters, etc., sensitive information leakage (such as user privacy data leaking through model output side channels) may occur. During the data labeling process, files containing malicious code that are not cleaned may lead to virus infection spread in the labeling engineer’s work environment and data platform, system performance degradation, and even data being ransomed or stolen. It is necessary to consider strengthening the virus cleaning of data files to be labeled, enhancing fine-grained isolation control capabilities and security detection and protection capabilities, thereby enhancing the threat resistance capabilities of large model platforms.

Therefore, the security construction of large model platforms needs to achieve dual-track progress: on one hand, improve the security of the underlying infrastructure: strengthen defense, monitoring, resource isolation, and other mechanisms at the levels of cloud hosts, container clusters, APIs, etc., effectively defending against penetration and invasion risks, supplemented by elastic scaling and real-time circuit-breaking mechanisms to resist resource exhaustion attacks; on the other hand, improve security capabilities from architecture, design, business logic, and coding optimization levels, including but not limited to: building a deep defense system at the model interaction layer through prompt injection detection, sandboxing of inference processes, data lineage tracking, etc. Embed security capabilities deeply into the technical architecture and business flow.

History has proven that the security gains in responding to new technology risks often come from the new technology itself. Historically, the internet has greatly enhanced the accessibility of attacks, becoming a breeding ground for large-scale attack events; but it has also improved the agility of security operations. Cloud computing platforms have introduced overall disruptive risks but have also brought greater resource elasticity and unified efficient security governance. Artificial intelligence technology is also rapidly changing the capabilities and landscape of cybersecurity. Antiy itself is an active practitioner in the cybersecurity industry embracing large model technology. Our LanDi threat analysis vertical large model focuses on binary sample analysis feature engineering scenarios, breaking through token context limitations, and has already been able to run in CPU scenarios. Antiy’s computer virus classification encyclopedia is also the result of our automated operations leveraging our feature engineering and knowledge system. In areas where we are not proficient, we have also actively embraced excellent domestic large models; for the writing of this report, we used DeepSeek as an assistant.

From the launch of “Black Myth: Wukong” to the explosive popularity of DeepSeek, China’s information technology is continuously creating new legends. At the same time, it is accompanied by a succession of cyber attacks. Overcoming these risks validates the invincibility and great prospects of new things. As a long-term provider of common security capabilities for the internet industry system, Antiy, as a national team of private enterprises, is willing to provide more common security genes for strategic emerging industries, safeguarding great new things.

04 IOC

MD5

71B4C3FE502E6C6D5EF5E420D52D2729

C4526600A90D4E1EC581D1D905AA6593

6C6D1CCCE5946F0AA68F9E0C438C1E21

B1E0B2C046D4CB7F0A0DD87054A17AC4

6B8A9D6335D056E20DCD794B265074E3

AB2C4A13D1FE946003FFCB7DDEC064D0

9E331675D780AF4585857B1F95B40CBB

EFA786F2B6F0F267F717145FAF48A95B

EF9EBF4D5A1A44D0DB92DE06D3DCE7A1

BEC7596CFB1225900673398ABB24FFA8

References[1] Qihoo 360. Zombie networks enter the scene, targeting DeepSeek network attacks upgrade [R/OL]. (2025-01-30)

https://mp.weixin.qq.com/s/NM-zCyA4m5WJeAjPwUmYYg

[2] Antonakakis M, April T, Bailey M, et al. Understanding the Mirai Botnet [R/OL]. (2017-08-16)https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/antonakakis[3] Wikipedia. DDoS attacks on Dyn [R/OL]. (2016) https://en.wikipedia.org/wiki/DDoS_attacks_on_Dyn[4] Antiy. Computer Virus Encyclopedia Mirai corresponding entry [R/OL]. (2016)https://www.virusview.net/malware/Trojan/Linux/Mirai[5] Antiy. Antiy Chasing Shadow Team analyzes new propagation methods of Mirai variants [R/OL]. (2016-12-19)https://www.antiy.cn/research/notice&report/research_report/608.html

[6] Diamonds Is Lit (Official Video)

https://www.youtube.com/watch?v=fPu9hTClNWQ

[7] Fuckbosco

https://soundcloud.com/xxdannyflandersxx/fuckbosco2-a-danny-flanders-special-release

[8] Antiy. 2024 AI technology empowers cybersecurity application testing: Antiy vertical large model shows initial results in malware detection scenarios [R/OL]. (2024-09-23)

https://www.antiy.cn/About/news/20240923.htmlOriginal link: https://mp.weixin.qq.com/s/NvlVuA5urPG_r6attAiXsAAnalysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Follow the public account for more information

For membership application, please reply “individual member” or “unit member” in the public account

Welcome to follow the media matrix of the China Command and Control Society

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Official website of the China Command and Control Society

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Official WeChat account of the China Command and Control Society

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Official website of the Journal of Command and Control

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Official website of the International Unmanned Systems Conference

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Official website of the China Command and Control Conference

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

National Military Simulation Competition

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

National Aerial Intelligent Game Competition

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Sohu Account

Analysis of Zombie Network Samples Attacking DeepSeek by Antiy Technology

Yidian Account

Leave a Comment