Black Energy18 - Russian botnet package analysis

Agenda
Background
What’s In The Package?
Building The Backdoor
Infection Analysis
Command and Control System Architecture
Botnet Communication
Attacks Analysis
Defensive Measures
Conclusions
Demo

Background
A little bit of background…
Web-based distributed denial of service (DDoS) botnet
Probably developed by one or more Russian hackers
Version 1.8 seems to be the most recent
Has been hosted in Malaysia and Russia and actively used against Russian targets
Communication is entirely based on HTTP
The command and control (C&C) system is based on PHP language and Mysql database
Version 1.7 was sold for 40 USD in Russian hacker forums
Version 1.8 has been downloaded from download.xakepok.org after visiting affiliate links

What’s in the package?
The package format…
The package comes in a rar archive (blackenergy18.rar).
Package listings
Bot files:
builder.exe builds two versions of the same backdoor (encrypted and unencrypted)
crypt.exe is required by builder.exe to encrypt the backdoor
cadt.dll is required by crypt.exe to encrypt the backdoor

What’s in the package?
The C&C files:
db.sql is the Mysql database structure of the C&C system
www directory contains all PHP scripts used by the C&C
index.php is the main C&C web interface page.
stat.php – core HTTP communication engine of the botnet. It receives and send responses.
flags folder contains flag icons used to identify bot country
config.php is the C&C interface config file.
common.php – common php functions used by the C&C components
cmdhelp.html – command listings and help syntax in Russian language
Net folder contains GeoIP.php application used to associate bot IP to a country

Building the backdoor
Builder.exe creates two backdoor executables.
Some interesting options:

Building the backdoor
Output results…
The _bot.exe is created within the same folder where builder.exe is located.
_bot.exe is the decrypted backdoor version.
crypted__bot.exe is the encrypted/packed version (according to some AV, the packer is “Stalin”).
Both executables are fully functional.
crypter.exe is automatically invoked by builder.exe and packs _bot.exe with Stalin. This is used to defeat AV detection and reverse engineering.
The backdoor decrypted file size is 23040 bytes
The backdoor encrypted/packed file size is 12871 bytes

Infection Analysis
Infection scenario…
Black Energy backdoor does not exploit any vulnerability in the OS system.
The victim needs to execute the malware in order to be infected.
The infection is typically triggered by the victim downloading and executing the backdoor from fake online games web sites.

Infection Analysis - Methodology
Before proceeding to the analysis of the backdoor, let’s spend some words about the methodology
Dynamic and Static analysis:
To properly analyse the infection, the backdoor need to be tested in a controlled environment
In this way, it is possible to “detect” changes that affect the controlled environment
Dynamic Analysis involves deploying multiple sensors into the environment to detect changes caused by the backdoor activity
Static Analysis involves use of reverse engineering tools to control the code execution of the backdoor
It is recommended to use both methods when analysing any malware.
Dynamic analysis tend to produce “false positives” as many factors are analysed at the same time. Some of them may not be related to the backdoor activity. For this reason, the analyst should always confirm the results with static analysis and vice versa.

Infection Analysis – Dynamic/Static Analysis
Dynamic Analysis Overview
Scope: Analysis of local system interaction using multiple tools
Any changes to the following components must be detected:
Windows Register
File System
Memory/Processes
Network Traffic
Static Analysis Overview
Scope: Full deep analysis of the disassembly code of the backdoor executable
A deep analysis of the PE structure and disassembly code to understand how the backdoor interact with Register, Windows API, Windows DLLs and what functions are called, what operations are performed, what packer is used.

Dynamic Analysis – Tools
The environment and the monitor tools in the dynamic analysis:
VMware image of WinXP with SP2 – this is the controlled environment where the infection has been analysed
VMware image of Ubuntu running LAMP environment to host the C&C system
Regmon.exe – tool used to monitor any changes on the Windows Register
Filemon.exe – any file system activities is recorded by this tool
Diskmon.exe – any disk activity is recorded by this tool
SysInternals Process Explorer – like windows task manager tool + additional features
Rapier (Rapid Assessment & Potential Incident Examination Report) is a framework that makes use of multiple tools to audit the entire OS
Wireshark and tcpdump – network analyser and sniffer

Dynamic Analysis – Windows Register
Tool: regmon.exe
Two Windows Register keys have been created and one modified.
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesmsupdate]
[HKEY_LOCAL_MACHINESYSTEMControlSet001Servicesmsupdate]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesAFDParameters]

Dynamic Analysis – File System
Tools: Rapier with WinAudit and Chksum, filemon.exe
A new file called mssrv32.exe is created in C:WindowsSystem32
File size is 12780 bytes.
Other files added with the infection:
4c380647cca89aacd29ed5f7430b2151 _BOT.EXE-160375AD.pf
Filemon.exe is used to list all files activities in the system.

Dynamic Analysis – File System
The following file system activities are related to the creation of mssrv32.exe:
Note that the mssrv32.exe is the same size of _bot.exe .

Dynamic Analysis – Network/Processes
Tools: Tcpview, Rapier + Network Module + GDIProcs, WinAudit
Tcpview output:
A process without name is identified by Tcpview. It starts a TCP connection with source port 1035 to destination port 80. 192.168.0.34 is the C&C master server in this instance.
The properties of the process shows a connection between the botnet and svchost.exe.

Rapier with Network Netstat result: (192.168.1.1 is the C&C server)
Rapier with Network module result:
Rapier network module runs different scans. All the information gathered allows to identify the PID associated to the process, the source/destination port, the protocol and the executable associated.
These results are confirmed by the GDI Procs scan analysis as well:

WinAudit Result:
Note that there is no information associated to Process Description and Process Manufacturer

Static Analysis – Reversing malware
The environment and the monitor tools in the static analysis:
VMware image of WinXP with SP2 – this is the controlled environment where the infection has been analysed
VMware image of Ubuntu running LAMP environment to host the C&C system
Ollydbg – Freeware Windows Debugger – this has been used with builder.exe, crypt.exe, _bot.exe, crypted__bot.exe, cdat.dll files
IDA Pro – Commercial Windows Debugger – this has been used with _bot.exe file
PEID – PE Tool analyser – this has been used with builder.exe, crypt.exe, _bot.exe, crypted__bot.exe, cdat.dll files

Before analysing the disassembly code, information about the PE structure, imports and exports should be analysed
Let’s dump basic headers and imports/export entries in the malware executable.
Export table only contains a reference to start function which is the OEP (Original Execution Point).
Imports are mainly related to the following APIs and DLLs:

Some interesting functions imported:

Backdoor Installation
When the program is first launched, it runs some checks to see whether it has already been installed, and if not it installs itself.
This is done by calling GetModuleFileName to obtain the primary executable’s file name
If nothing is found, it copies itself to C:WINDOWSSYSTEM32mssrv32.exe

The backdoor cannot delete the executable while it is running. The program had to launch a new instance, terminate the first one, and delete the original file from this new instance.
The backdoor proceeds to create a mutex called {F3532CE1-0832-11B1-920A-25000A276A73}. The purpose of this mutex is to make sure no other instances of the program are already running; the program terminates if the mutex already exists. This mechanism ensures that the program doesn’t try to infect the same host twice.

During the installation, the backdoor interacts with the Windows Register. The following is an example of registry creation to establish the backdoor as a system service that will be run at each system boot:
The following registry value is added to disable Windows raw socket security checks (this enable the backdoor to launch network DDoS):

After creating mssrv32.exe, it create a svchost.exe process. In then delete _bot.exe.

Botnet communication
Then it starts to communicate with the server through POST request.

Crypted__bot.exe – some words about to defeat the protector used by Black Energy
Some AV identify the packer as “Stalin” but no information is available about this packer.
Crypt.exe creates an executable file which contains the encrypted backdoor at section 13112000 .
At VA 131110A1 there is a call to the function 131111B9. This function includes multiple sub functions which perform bitwise operations to decrypt the backdoor into memory.
The decrypted backdoor is then copied in clear text byte per byte to the memory address 00320000. Size of the memory allocated for the backdoor decrypted is 6000 bytes.
The memory can then be dumped to an executable file with ollydump plug-in or the OEP can be changed. It is then needed to use tool like ImpRec to rebuild the Import/Exports table of the dumped file. LordPE can then be used to optimise the code.

Finding the OEP of the backdoor decrypted…
Crypted _bot.exe is stored at 13112000 Crypted_.131111b9 decrypts _bot.exe to 00320000 Note that the different size: 6000 and 3000

C&C System Architecture
Command and Control System architecture requires:
Mysql Server
Any web server supporting PHP and PHP-Mysql
The C&C is ideal for vulnerable LAMP environments
Mysql Database Overview – the database is composed by three tables:
Files – id, url, dnum, dtotal, country
Opt – name, value
Stat – id, build_id, files, ip, last, country, country_full
Files table is associated to the downloader function. The URL variable contains the URL from which the backdoor can fetch and launch another executable. Not clear how this function works.
It might be used for “updating” the botnet. A cross reference field is also present in the stat table (files).

The Opt Table store the commands list:
attack_mode – a numerical value for the type of attack (default, drop by socket, drop by timeout)
cmd – the command to send to the bot
http_freq – how many requests per second to send in HTTP GET flood mode
http_threads – how many program threads to create for the HTTP flood
icmp_freq – how many ICMP packets to send in an ICMP attack mode
icmp_size – how large of ICMP packets to send in ICMP attack mode
max_sessions – for ‘drop by timeout’
spoof_ip – Boolean, used in raw packet flooding attacks
syn_freq – how frequently to send packets during a TCP SYN flood
tcpudp_freq – how often to send TCP or UDP traffic
tcp_size – how large the TCP packets should be
udp_size – how large the UDP packets should be
ufreq – how long (in minutes) to wait before checking for another command

This is the opt table after a flood http localhost command sent to the bot:

The Stat table contains all the statistics of the botnet:
ID is built from the system’s SMB hostname and the System Volume ID from the C: drive of the infected machine
build_id is the string value set by builder.exe (can be changed at the building time)
Files is a reference to the files table.
Last is a time value in the format of time() and measures the bot heartbeat
Country and country_full are used by the web interface to display the relative country flag of the bot

C&C system web interface (index.php)
From here, commands can be sent and stat can be accessed.

Sending the commands to the zombie…
The command entered through the web interface (index.php) is saved into the database (table opt).
The bot performs regular POST requests to http://c&cserver/stat.php or whatever URL value set at the building time. These requests are performed in order to receive commands from the master server. If the zombie is not able to connect to the master server, it will then automatically execute the command specified at the building time (by default -> wait). Wait set a counter after which the zombie will retry to connect to the master server.

stat.php is responsible to retrieve commands from the database and then output them in base64 format.

Commands Available:
Refresh Rate – change the refresh rate
Flood – Network DDoS attacks
icmp - a basic ICMP ping flood
syn - a basic TCP SYN flood
udp - a basic UDP traffic flood
http - an HTTP GET request flooder.
data - a basic binary packet flooder
dns – a DNS request flooder
Wait – the bot process is put to sleep for x seconds and then re-perform the POST request to receive new commands.
Stop – stop any attack currently running.
Die – this deletes the backdoor on the infected machine

Commands Syntax:
flood http 192.168.1.1 index.htm
flood icmp 192.168.2.2 index.php
flood syn 192.168.3.2
Multiple Commands can be specified using semicolon:
dns; icmp; http; syn; 192.168.1.1#15#xHOST
Normally, DDoS options are passed in the command syntax as well:
'10;2000;10;0;0;30;100;3;20;1000;2000#wait#10#xHOST’
In order: ICMP frequency, ICMP packet size, SYN frequency, spoof IP or not (Boolean value), the attack mode, the maximum number of HTTP sessions, the HTTP connection frequency, the number of HTTP threads, the TCP and UDP frequency, the UDP size, TCP packet size and the bot id.

Botnet Communication
Botnet communication from a network perspective:
Tools: tcpdump and wireshark.
HTTP POST request from bot:
Note that the bot id and build_id are passed in the POST request. These are needed by the master to identify the bot.
HTTP Response from Master Server:
Command -> 10;2000;10;0;0;30;100;3;20;1000;2000#stop#1#

DDoS Attacks Overview
DDoS Attacks with flood command overview
Flood udp – this attack involves sending malformed UDP packets. Source and destination port are random.
Flood ICMP – this attack send IP ICMP Request to the target with a payload of 1480 bytes (this value can be changed arbitrarily)

DDoS Attacks Overview
Flood HTTP – this involves GET requests to the specified URL on the command syntax.
Flood Data – this send UDP malformed packet with invalid length. Payload size varies for each packet and random data is appended in the payload. Source and destination port are random for each packet.

Defenses and Countermeasures
AV Detection – both _bot.exe and crypted__bot.exe have been analysed. Some AV still fail to identify black energy backdoor. Some AV identify the backdoor as a downloader instead.
The service that has been used is provided by virustotal.com
_bot.exe results available here: http://www.virustotal.com/analisis/c88ba95b30d2fe50bc612ab73b922fc2
Crypted_bot.exe results available here:
http://www.virustotal.com/analisis/12cc7b4378f7ce90963232423590068b

_bot.exe results: Detected by 23/32 AVs (71.88%)

Crypted__bot.exe results: Detected by 17/32 AV (53.12%)

Backdoor Variants:
Three different backdoor variants have been identified. The variants differentiate by the POST data sent to the C&C master server.
First variant: The first uses a simple two-part data string to communicate with the web server, presenting the bot host ID and the build ID using two different variables
Second variant: uses only one variable, ‘data’, to submit this information, and separates these two values with a colon (‘:’)
Third variant: the same values (bot ID and build_ID) + SOCKS/HTTP proxy address.

Conclusions
Black energy botnet package is not difficult to obtain
C&C system is trivial to install and can be easily installed in any compromised LAMP environment
C&C system is easy to use and manage (script-kiddies style)
Some AV still do not detect the Black Energy backdoor although it is there since mid 2007.
Black Energy Version 1.7 has been released in summer 2007. Version 1.8 has been released in November. Probably a new version will come out soon.
Main difference between version 1.7 and version 1.8 is the web interface and the downloader feature.
It is unclear today what could be the next variants or versions of the Black energy botnet package. The current information available suggest that Black Energy botnet next version will be easier to use and will include additional features.

Demo
Time for a Demo! 
Demo in VMware environments
Only 2 hosts:
C&C master server – Ubuntu 6.10 + LAMP – 192.168.1.1
Bot Machine: WinXP with SP2 – 192.168.1.2

References
Websites
Reversing Engineering Malware - http://www.zeltser.com/reverse-malware-paper/
The Science of Malware Analysis - http://www.osix.net/modules/article/?id=760
BlackEnergy DDoS Bot - http://www.castlecops.com/p1020284-Black_Energy_DDoS_bot.html
BlackEnergy DDoS Bot Download File: http://download.xakepok.org/4108126?ints_code=tGdsXA%2FvQR5Rmvk%2BzFVXFHKaGn%2Ffu2aI
Fake gamings sites spawns dangerous Trojan - http://sunbeltblog.blogspot.com/2007/11/fake-gaming-site-spawns-dangerous.html
BlackEnergy DDoS Bot – HTTP based - http://www.offensivecomputing.net/?q=node/557

References
Books/WhitePapers
Black Energy DDoS Bot Analysis - http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf
Wiley – Reversing – The Secrets of Reverse Engineering - 2005

Black Energy18 - Russian botnet package analysis

by Roberto Suggi Liverani

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 1

Statistics

Black Energy18 - Russian botnet package analysis Presentation Transcript