Black Energy18 - Russian botnet package analysis

From the infection phase to the command and control functionality, this talk is a 360-degree analysis of a recent Russian botnet distribution package. Distinctive features of this botnet are that all communication runs over HTTP and that the command and control system is built on PHP and MySQL.

1. Black Energy 1.8 – Russian web-based botnet package analysis
   Presented by Roberto Suggi Liverani (© 2008)

2. Agenda
   - Background
   - What's In The Package?
   - Building The Backdoor
   - Infection Analysis
   - Command and Control System Architecture
   - Botnet Communication
   - Attacks Analysis
   - Defensive Measures
   - Conclusions
   - Demo

3. Background
   - A little bit of background…
     - Web-based distributed denial of service (DDoS) botnet
     - Probably developed by one or more Russian hackers
     - Version 1.8 seems to be the most recent
     - Has been hosted in Malaysia and Russia and actively used against Russian targets
     - Communication is entirely based on HTTP
     - The command and control (C&C) system is based on the PHP language and a MySQL database
     - Version 1.7 was sold for 40 USD in Russian hacker forums
     - Version 1.8 has been downloaded after visiting affiliate links

4. What's in the package?
   - The package format…
     - The package comes in a rar archive (blackenergy18.rar).
   - Package listings
   - Bot files:
     - builder.exe builds two versions of the same backdoor (encrypted and unencrypted)
     - crypt.exe is required by builder.exe to encrypt the backdoor
     - cadt.dll is required by crypt.exe to encrypt the backdoor

5. What's in the package?
   - The C&C files:
     - db.sql is the MySQL database structure of the C&C system
     - the www directory contains all PHP scripts used by the C&C
     - index.php is the main C&C web interface page
     - stat.php is the core HTTP communication engine of the botnet: it receives the bots' requests and sends the responses
     - the flags folder contains the flag icons used to identify a bot's country
     - config.php is the C&C interface config file
     - common.php holds the common PHP functions used by the C&C components
     - cmdhelp.html lists the commands and their syntax, in Russian
     - the Net folder contains GeoIP.php, used to associate a bot's IP address with a country

6. Building the backdoor
   - builder.exe creates two backdoor executables.
   - Some interesting options:

7. Building the backdoor
   - Output results…
     - _bot.exe is created in the same folder where builder.exe is located.
     - _bot.exe is the decrypted backdoor version.
     - crypted__bot.exe is the encrypted/packed version (according to some AV, the packer is "Stalin").
     - Both executables are fully functional.
     - crypter.exe is automatically invoked by builder.exe and packs _bot.exe with Stalin. This is used to defeat AV detection and reverse engineering.
     - The decrypted backdoor file size is 23040 bytes.
     - The encrypted/packed backdoor file size is 12871 bytes.
8. Infection Analysis
   - Infection scenario…
     - The Black Energy backdoor does not exploit any vulnerability in the operating system.
     - The victim needs to execute the malware in order to be infected.
     - The infection is typically triggered by the victim downloading and executing the backdoor from fake online games web sites.

9. Infection Analysis – Methodology
   - Before proceeding to the analysis of the backdoor, a few words about the methodology.
   - Dynamic and static analysis:
     - To properly analyse the infection, the backdoor needs to be run in a controlled environment.
     - In this way it is possible to "detect" the changes that affect the controlled environment.
     - Dynamic analysis involves deploying multiple sensors into the environment to detect the changes caused by the backdoor's activity.
     - Static analysis involves using reverse engineering tools to control the code execution of the backdoor.
     - It is recommended to use both methods when analysing any malware.
     - Dynamic analysis tends to produce "false positives", as many factors are analysed at the same time and some of them may not be related to the backdoor's activity. For this reason the analyst should always confirm the results with static analysis, and vice versa.

10. Infection Analysis – Dynamic/Static Analysis
   - Dynamic analysis overview
     - Scope: analysis of the local system interaction using multiple tools
     - Any changes to the following components must be detected:
       - Windows Registry
       - File system
       - Memory/processes
       - Network traffic
   - Static analysis overview
     - Scope: full deep analysis of the disassembled code of the backdoor executable
     - A deep analysis of the PE structure and of the disassembly to understand how the backdoor interacts with the Registry, the Windows API and the Windows DLLs: which functions are called, which operations are performed and which packer is used.

11. Dynamic Analysis – Tools
   - The environment and the monitoring tools used in the dynamic analysis:
     - VMware image of WinXP with SP2 – the controlled environment where the infection has been analysed
     - VMware image of Ubuntu running a LAMP environment to host the C&C system
     - Regmon.exe – tool used to monitor any changes to the Windows Registry
     - Filemon.exe – any file system activity is recorded by this tool
     - Diskmon.exe – any disk activity is recorded by this tool
     - SysInternals Process Explorer – like the Windows Task Manager, with additional features
     - Rapier (Rapid Assessment & Potential Incident Examination Report) – a framework that makes use of multiple tools to audit the entire OS
     - Wireshark and tcpdump – network analyser and sniffer

12. Dynamic Analysis – Windows Registry
   - Tool: regmon.exe
   - Two Windows Registry keys have been created and one modified:
     - [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msupdate]
     - [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msupdate]
     - [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]

13. Dynamic Analysis – File System
   - Tools: Rapier with WinAudit and Chksum, filemon.exe
   - A new file called mssrv32.exe is created in C:\Windows\System32
   - File size is 12780 bytes.
   - Other files added with the infection: 4c380647cca89aacd29ed5f7430b2151
   - Filemon.exe is used to list all file activity in the system.

14. Dynamic Analysis – File System
   - The following file system activities are related to the creation of mssrv32.exe:
   - Note that mssrv32.exe is the same size as _bot.exe.

15. Dynamic Analysis – Network/Processes
   - Tools: Tcpview, Rapier + Network Module + GDIProcs, WinAudit
   - Tcpview output:
   - A process without a name is identified by Tcpview. It starts a TCP connection from source port 1035 to destination port 80; the destination address is the C&C master server in this instance.
   - The properties of the process show a connection between the bot and svchost.exe.

16. Dynamic Analysis – Network/Processes
   - Rapier Network Netstat result (the address shown is the C&C server):
   - Rapier Network module result:
   - The Rapier network module runs different scans. All the information gathered allows the analyst to identify the PID associated with the process, the source/destination port, the protocol and the associated executable.
   - These results are confirmed by the GDI Procs scan analysis as well:

17. Dynamic Analysis – Network/Processes
   - WinAudit result:
   - Note that there is no information associated with Process Description and Process Manufacturer.
18. Static Analysis – Reversing malware
   - The environment and the tools used in the static analysis:
     - VMware image of WinXP with SP2 – the controlled environment where the infection has been analysed
     - VMware image of Ubuntu running a LAMP environment to host the C&C system
     - OllyDbg – freeware Windows debugger – used with the builder.exe, crypt.exe, _bot.exe, crypted__bot.exe and cdat.dll files
     - IDA Pro – commercial Windows debugger – used with the _bot.exe file
     - PEiD – PE analyser – used with the builder.exe, crypt.exe, _bot.exe, crypted__bot.exe and cdat.dll files

19. Static Analysis – Reversing malware
   - Before analysing the disassembled code, information about the PE structure, imports and exports should be examined.
   - Let's dump the basic headers and the import/export entries of the malware executable.
     - The export table only contains a reference to the start function, which is the OEP (original entry point).
     - Imports are mainly related to the following APIs and DLLs:

20. Static Analysis – Reversing malware
   - Some interesting imported functions:

21. Static Analysis – Reversing malware
   - Backdoor installation
     - When the program is first launched, it runs some checks to see whether it has already been installed, and if not it installs itself.
     - This is done by calling GetModuleFileName to obtain the primary executable's file name.
     - If nothing is found, it copies itself to C:\WINDOWS\SYSTEM32\mssrv32.exe

22. Static Analysis – Reversing malware
   - The backdoor cannot delete its executable while it is running. The program has to launch a new instance, terminate the first one, and delete the original file from the new instance.
   - The backdoor proceeds to create a mutex called {F3532CE1-0832-11B1-920A-25000A276A73}. The purpose of this mutex is to make sure no other instance of the program is already running; the program terminates if the mutex already exists. This mechanism ensures that the program doesn't try to infect the same host twice.

23. Static Analysis – Reversing malware
   - During the installation, the backdoor interacts with the Windows Registry. The following is an example of registry key creation to establish the backdoor as a system service that is run at each system boot:
   - The following registry value is added to disable the Windows raw socket security checks (this enables the backdoor to launch network DDoS attacks):

24. Static Analysis – Reversing malware
   - After creating mssrv32.exe, it creates a svchost.exe process and then deletes _bot.exe.

25. Static Analysis – Reversing malware
   - Botnet communication
   - It then starts to communicate with the server through POST requests.

26. Static Analysis – Reversing malware
   - crypted__bot.exe – some words about defeating the protector used by Black Energy
   - Some AV identify the packer as "Stalin", but no information is available about this packer.
   - crypt.exe creates an executable file which contains the encrypted backdoor at section 13112000.
   - At VA 131110A1 there is a call to the function at 131111B9. This function includes multiple sub-functions which perform bitwise operations to decrypt the backdoor into memory.
   - The decrypted backdoor is then copied in clear text, byte by byte, to the memory address 00320000. The size of the memory allocated for the decrypted backdoor is 6000 bytes.
   - The memory can then be dumped to an executable file with the OllyDump plug-in, or the OEP can be changed. A tool like ImpREC is then needed to rebuild the import/export table of the dumped file. LordPE can then be used to optimise the code.

27. Static Analysis – Reversing malware
   - Finding the OEP of the decrypted backdoor…
   - Crypted _bot.exe is stored at 13112000
   - Crypted_.131111b9 decrypts _bot.exe to 00320000
   - Note the different sizes: 6000 and 3000
28. C&C System Architecture
   - The command and control system architecture requires:
     - MySQL server
     - Any web server supporting PHP and PHP-MySQL
     - The C&C is ideal for vulnerable LAMP environments
   - MySQL database overview – the database is composed of three tables:
     - files – id, url, dnum, dtotal, country
     - opt – name, value
     - stat – id, build_id, files, ip, last, country, country_full
   - The files table is associated with the downloader function. The url column contains the URL from which the backdoor can fetch and launch another executable. It is not clear how this function works.
   - It might be used for "updating" the botnet. A cross-reference field (files) is also present in the stat table.

29. C&C System Architecture
   - The opt table holds the command and the attack options:
     - attack_mode – a numerical value for the type of attack (default, drop by socket, drop by timeout)
     - cmd – the command to send to the bot
     - http_freq – how many requests per second to send in HTTP GET flood mode
     - http_threads – how many program threads to create for the HTTP flood
     - icmp_freq – how many ICMP packets to send in ICMP attack mode
     - icmp_size – how large the ICMP packets sent in ICMP attack mode are
     - max_sessions – for 'drop by timeout'
     - spoof_ip – Boolean, used in raw packet flooding attacks
     - syn_freq – how frequently to send packets during a TCP SYN flood
     - tcpudp_freq – how often to send TCP or UDP traffic
     - tcp_size – how large the TCP packets should be
     - udp_size – how large the UDP packets should be
     - ufreq – how long (in minutes) to wait before checking for another command

30. C&C System Architecture
   - This is the opt table after a "flood http localhost" command has been sent to the bot:

31. C&C System Architecture
   - The stat table contains all the statistics of the botnet:
   - id is built from the system's SMB hostname and the System Volume ID of the C: drive of the infected machine
   - build_id is the string value set by builder.exe (it can be changed at build time)
   - files is a reference to the files table
   - last is a time value in the format of time() and measures the bot heartbeat
   - country and country_full are used by the web interface to display the country flag of the bot

32. C&C System Architecture
   - C&C system web interface (index.php)
   - From here, commands can be sent and the statistics can be accessed.

33. C&C System Architecture
   - Sending the commands to the zombie…
   - The command entered through the web interface (index.php) is saved into the database (table opt).
   - The bot performs regular POST requests to http://c&cserver/stat.php, or whatever URL value was set at build time. These requests are performed in order to receive commands from the master server. If the zombie is not able to connect to the master server, it automatically executes the command specified at build time (by default, wait). wait sets a counter after which the zombie retries connecting to the master server.

34. C&C System Architecture
   - stat.php is responsible for retrieving the commands from the database and outputting them base64-encoded.

35. C&C System Architecture
   - Commands available:
     - Refresh rate – change the refresh rate
     - Flood – network DDoS attacks
       - icmp – a basic ICMP ping flood
       - syn – a basic TCP SYN flood
       - udp – a basic UDP traffic flood
       - http – an HTTP GET request flooder
       - data – a basic binary packet flooder
       - dns – a DNS request flooder
     - Wait – the bot process is put to sleep for x seconds and then re-performs the POST request to receive new commands
     - Stop – stop any attack currently running
     - Die – this deletes the backdoor on the infected machine

36. C&C System Architecture
   - Command syntax:
     - flood http index.htm
     - flood icmp index.php
     - flood syn
   - Multiple commands can be specified using semicolons:
     - dns; icmp; http; syn;
   - Normally, the DDoS options are passed in the command string as well:
     - '10;2000;10;0;0;30;100;3;20;1000;2000#wait#10#xHOST'
     - In order: ICMP frequency, ICMP packet size, SYN frequency, spoof IP or not (Boolean value), the attack mode, the maximum number of HTTP sessions, the HTTP connection frequency, the number of HTTP threads, the TCP and UDP frequency, the UDP size, the TCP packet size, and the bot id.

37. Botnet Communication
   - Botnet communication from a network perspective:
   - Tools: tcpdump and Wireshark.
   - HTTP POST request from the bot:
   - Note that the bot id and build_id are passed in the POST request. These are needed by the master to identify the bot.
   - HTTP response from the master server:
   - Command -> 10;2000;10;0;0;30;100;3;20;1000;2000#stop#1#
38. DDoS Attacks Overview
   - Overview of the DDoS attacks launched with the flood command
   - Flood udp – this attack involves sending malformed UDP packets. Source and destination ports are random.
   - Flood icmp – this attack sends ICMP echo requests to the target with a payload of 1480 bytes (this value can be changed arbitrarily)

39. DDoS Attacks Overview
   - Flood http – this involves GET requests to the URL specified in the command syntax.
   - Flood data – this sends malformed UDP packets with an invalid length. The payload size varies for each packet and random data is appended to the payload. Source and destination ports are random for each packet.

40. Defenses and Countermeasures
   - AV detection – both _bot.exe and crypted__bot.exe have been analysed. Some AV still fail to identify the Black Energy backdoor; some AV identify the backdoor as a downloader instead.
   - The scanning service that has been used is provided by
   - _bot.exe results available here:
   - crypted__bot.exe results available here:

41. Defenses and Countermeasures
   - _bot.exe results: detected by 23/32 AVs (71.88%)

42. Defenses and Countermeasures
   - crypted__bot.exe results: detected by 17/32 AVs (53.12%)

43. Defenses and Countermeasures
   - Backdoor variants:
   - Three different backdoor variants have been identified. The variants differ in the POST data sent to the C&C master server.
     - First variant: uses a simple two-part data string to communicate with the web server, presenting the bot host ID and the build ID in two different variables
     - Second variant: uses only one variable, 'data', to submit this information, and separates the two values with a colon (':')
     - Third variant: the same values (bot ID and build_id) plus a SOCKS/HTTP proxy address
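A defender-side parser for the check-in and command formats described on slides 36, 37 and 43, added here as an example that is not part of the original talk or of the botnet package: it classifies the bot's POST body into the three variants, base64-decodes a stat.php response and names its eleven numeric fields with the opt-table names from slide 29, so that reassembled HTTP bodies from a capture can be triaged. The separator in front of the third variant's proxy address, and the reading of the third '#' field as the ufreq option, are assumptions.

```python
import base64
import re
from urllib.parse import parse_qs

# Order of the eleven numeric fields in a command string (slide 36), mapped to
# the option names of the opt table (slide 29).
OPT_FIELDS = (
    "icmp_freq", "icmp_size", "syn_freq", "spoof_ip", "attack_mode",
    "max_sessions", "http_freq", "http_threads", "tcpudp_freq",
    "udp_size", "tcp_size",
)

# Decoded response layout: eleven ';'-separated integers, then
# '#<command>#<number>#<bot id>'; slide 37 shows an empty bot id after 'stop'.
_CMD_RE = re.compile(
    r"^(?P<opts>(?:\d+;){10}\d+)#(?P<cmd>[^#]*)#(?P<freq>\d+)#(?P<bot>[^#]*)$"
)

def parse_post_body(body):
    """Classify a bot POST body into one of the three variants from slide 43;
    returns (variant, bot_id, build_id, proxy) or None if none matches."""
    params = parse_qs(body, keep_blank_values=True)
    if "id" in params and "build_id" in params:
        return ("two-variable", params["id"][0], params["build_id"][0], None)
    if "data" in params:
        parts = params["data"][0].split(":")
        if len(parts) == 2:
            return ("data-colon", parts[0], parts[1], None)
        if len(parts) > 2:
            # Assumption: the third variant appends the proxy address after a
            # further ':'; the talk names the field but not its separator.
            return ("data-with-proxy", parts[0], parts[1], ":".join(parts[2:]))
    return None

def parse_command(response_body):
    """Base64-decode a stat.php response and name its fields; returns a dict,
    or None when the body is not a BlackEnergy command string."""
    try:
        decoded = base64.b64decode(response_body.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    m = _CMD_RE.match(decoded.strip())
    if not m:
        return None
    opts = dict(zip(OPT_FIELDS, (int(v) for v in m.group("opts").split(";"))))
    opts["spoof_ip"] = bool(opts["spoof_ip"])
    return {
        "options": opts,
        "cmd": m.group("cmd"),          # 'stop', 'wait', 'flood http <url>', ...
        "ufreq": int(m.group("freq")),  # assumption: this field is the opt 'ufreq'
        "bot_id": m.group("bot"),
    }

def inspect_exchange(request_body, response_body):
    """Summarise one reassembled HTTP exchange; [] means nothing was recognised."""
    findings = []
    checkin = parse_post_body(request_body)
    if checkin:
        variant, bot_id, build_id, proxy = checkin
        findings.append(f"bot check-in ({variant}): id={bot_id} build_id={build_id}"
                        + (f" proxy={proxy}" if proxy else ""))
    command = parse_command(response_body)
    if command:
        findings.append(f"C&C command '{command['cmd']}' for bot '{command['bot_id']}', "
                        f"refresh={command['ufreq']}, spoof_ip={command['options']['spoof_ip']}")
    return findings

# Constructed sample exchange (not captured traffic): a first-variant check-in
# and the 'stop' response shown on slide 37.
SAMPLE_REQUEST_BODY = "id=WORKSTATION_1A2B3C4D&build_id=demo"
SAMPLE_RESPONSE_BODY = base64.b64encode(
    b"10;2000;10;0;0;30;100;3;20;1000;2000#stop#1#").decode("ascii")
```

Running inspect_exchange over the request and response bodies of every POST to a stat.php-like URL in a capture gives one line per recognised check-in and one per decoded command; bodies that do not match the layout produce no finding.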
44. Conclusions
   - The Black Energy botnet package is not difficult to obtain.
   - The C&C system is trivial to install and can easily be installed in any compromised LAMP environment.
   - The C&C system is easy to use and manage (script-kiddie style).
   - Some AV still do not detect the Black Energy backdoor, although it has been around since mid 2007.
   - Black Energy version 1.7 was released in summer 2007. Version 1.8 was released in November. Probably a new version will come out soon.
   - The main differences between version 1.7 and version 1.8 are the web interface and the downloader feature.
   - It is unclear today what the next variants or versions of the Black Energy botnet package will be. The information currently available suggests that the next version will be easier to use and will include additional features.

45. Demo
   - Time for a demo!
   - Demo in VMware environments
   - Only 2 hosts:
     - C&C master server – Ubuntu 6.10 + LAMP
     - Bot machine: WinXP with SP2

46. Questions? © 2007 [email_address]