The 'Madness' threat analysis report details a sophisticated denial-of-service bot targeting Windows machines, showcasing its advanced capabilities in layer 7 DDoS attacks. It outlines various attack methods, including both low-level and high-level HTTP floods, and highlights the bot's ability to bypass common security measures such as cookie handling and complex JavaScript challenges, particularly those from Cloudflare. The report emphasizes the need for proactive bot defenses to mitigate these evolving threats effectively.

1. THREAT ANALYSIS REPORT
MADNESS
1
THREAT ANALYSIS REPORT
MADNESS
Avi Shulman

2. THREAT ANALYSIS REPORT
MADNESS
2
Contents
Contents............................................................................................................................................................2
Intro ..................................................................................................................................................................3
C&C Communication.........................................................................................................................................3
Persistency Comes First................................................................................................................................3
Time To Call Home........................................................................................................................................4
C&C PANEL....................................................................................................................................................4
DDoS Functionality ...........................................................................................................................................5
HTTP Floods ..................................................................................................................................................5
“Low-Level” WinSock Floods ........................................................................................................................6
“High-Level” WinInet Floods ........................................................................................................................7
“Anti-Cookie” Module ..................................................................................................................................7
“CloudFlare” Bypass .....................................................................................................................................8
The “Hold” Flood ..........................................................................................................................................9
Network Floods.............................................................................................................................................9
Other Functionality...........................................................................................................................................9
Mitigation .......................................................................................................................................................10
Summary.........................................................................................................................................................10
About F5 .........................................................................................................................................................11

3. THREAT ANALYSIS REPORT
MADNESS
3
Intro
“Madness” is a Denial of Service bot targeting Windows machines. While it constantly evolves its capabilities, it certainly
represents the progress attackers made in Layer 7 DDoS expertise.
The bot author proudly states that “Madness” is the superior successor and an actual hybrid of the notorious DDoS
malware families “BlackEnergy”, “gbot”, “DirtJumper”, “Darkness Optima”, “iBot” and “w3Bot”.
While there were several publications covering the infection aspects of this bot, little was said about its Denial of Service
functionality. This report will cover it in detail and compare its different DDoS techniques.
C&C Communication
Persistency Comes First
“Madness” uses quite standard persistency techniques, though they keep improving in every version of the bot. First, it
copies itself to a new path (“%APP_DATA%<UID>svchost.exe”) and revokes current running user access rights to
prevent the user from deleting the file.
It executes temporary files named “per”, “perper”, “perperper” and “perperperper” to grant itself permissions to change
“autorun” registry keys and also other keys in order to evade the UAC and Windows Firewall checks. It also creates a
mutex named “GH5K-GKL8-CPP4-DE24” in order to prevent multiple infections. After that, the bot executes a “persistency
thread” that will constantly check for its added registry keys and if removed will add them again.

4. THREAT ANALYSIS REPORT
MADNESS
4
Time To Call Home
The Command and Control server address is obfuscated in the bot’s configuration using a very simple technique. It
replaces the following characters
^j
@H
*d
and then performs base64 decoding. The following encoded string
YXBvS0FMaXBsaXM9*WVib2toaG@0*@R0*@Rwc@A6O^ovLy8vLy8xMTEwM*AuLi4wM*AuLi4wM*AuLi4yM^IvLy9tbW1@YWFkZGRubm5lZWVzc3MvLy9paWl
ubm5kZGRlZWV4e@guLi5wc@BoaG@wc@AwM*A5OTk4O*@mZmY2N^ZiYm^o
will eventually be decoded to:
apoKALiplis=uebokhhhttttttppp::://////111000...000...000...222///mmmaaadddnnneeesss///iiinnndddeeexxx...ppphhhppp000999888fff666bbbh
After stripping the hard-coded prefix and suffix and joining the characters we’ll get the correct C&C address.
Its phone-home architecture is based on polling the C&C server. Once a minute it sends a probe to its operator with
information on the infected machine (OS and level of privileges) and the number of attack payloads successfully sent,
while the C&C will respond with the current attacking command (base64 encoded).
C&C PANEL
Simply browsing the control panel URL will result in the following error message (saying in Russian that the site is not
available):

5. THREAT ANALYSIS REPORT
MADNESS
5
Analyzing the PHP code shows that the panel reacts differently if it is not provided with the same parameters that the bot
does when sending its phone-home request.
The control panel shows the available commands, their format and statistics on infected machines. The botnet master is
able to send a command both to a specific bot and to the whole botnet. We can notice many DDoS commands that are
named “dd<X>”, while the prefix probably stands for “DDoS”.
DDoS Functionality
As the DDoS market becomes more competitive, noticeable are the efforts that the “Madness” author makes to
differentiate his product and have a richer “portfolio”. Madness DDoS capabilities consist of network floods, such as UDP
and ICMP, however more interesting is its vast diversity of HTTP (Layer 7) floods.
All the floods support up to 10 different URLs which might be used to attack different servers or different URLs on the
same server.
HTTP Floods
We can separate “Madness” HTTP floods into two groups: those using "low-level" Windows libraries, and those using
more "high-level" Windows libraries.
Going "low-level" lets the attacker make the flood much faster, and gives him the flexibility in constructing the HTTP
request from head to toe to bypass many DDoS protections. The added value of using "high-level" HTTP libraries is that
they automatically handle all HTTP protocol aspects such as request construction, managing TCP connections, caching,
cookies and redirections.

6. THREAT ANALYSIS REPORT
MADNESS
6
“Low-Level” WinSock Floods
“DD1” Flood (GET Flood) - This DDoS attacking command uses Windows Sockets API (“WinSock”), a “low-level”
network communication library (that uses sockets). It might handle layer 3 (IP headers) and layer 4 (TCP headers and
TCP handshake) automatically, however it is the author’s responsibility to implement the layer 7 protocol, such as
constructing the HTTP request and managing cookies.
So why use this API then? Why make things harder?
Using “WinSock” removes the processing overhead of “high level” HTTP libraries resulting in a larger request rate. Also,
the attacker has the ability to control each element of the HTTP request. Specifically, “Madness” has control of the “Cookie”
and “Referer” headers. Many simple DDoS protections rely on these headers.
In a possible scenario the attacker recognizes that a certain victim website is handing a Cookie as a simple anti-bot
protection that might be reused from different IP addresses. He then browses the website with his browser, gathers the
Cookie and simply passes this Cookie as a parameter of the attack to the whole botnet.
However, while trying to be sophisticated, the attacker implements several inconsistencies. One of them is sending
requests containing the “keep-alive” header, which is usually used during HTTP floods as an amplification factor, to reuse
the same TCP connection and thus avoid the overhead of setting up a connection for each request. It seems like the bot
writer uses this header as well, however after opening a socket and sending a request he closes the socket virtually
making the “keep-alive” mechanism ineffective.
“DD2” Flood (POST Flood) – This technique is based on the “WinSock” API as well, however using the POST method
might make it more powerful. Compared to GET requests where the server just needs to retrieve a certain resource, the
POST action might result in a more “expensive” processing, such as querying the database, which might longer consume
the server’s working thread, thus making other requests wait, finally resulting in a DoS attack.
The C&C panel allows the attacker to control the data being sent in the POST payload by typing the following command:
dd2=http://10.0.0.2***cookies$$$referal@@@login=user&password=pass
where the POST body (“login=user&password=pass”) follows the 3 “at” signs.

7. THREAT ANALYSIS REPORT
MADNESS
7
“High-Level” WinInet Floods
Similarly to the “low-level” HTTP floods, there are the “high-level” alternatives - “DD3” (GET Flood) and “DD4” (POST
flood) flood methods.
Those attacks are based on the “WinInet” Windows library which is a wrapper for “WinSock” to handle the HTTP protocol.
The added value of using "high-level" HTTP libraries is that they might handle all HTTP protocol aspects such as request
elements construction, managing TCP connections, caching, cookies and redirections.
Those attacks are relatively slow in comparison to the previous attacks. However, using the “Keep-Alive” will be actually
useful as the library handles the TCP connections.
Awkwardly, the bot author didn’t implement support for Cookie handling in those attacks. The reason might be a
“marketing” decision, as there is another GET flood named “DC1” which dedicated for Cookie handling.
“Anti-Cookie” Module
The “DC1” command is a GET flood based on the “WinSock” library (same as “DD1”), though it has a dedicated ability
to parse Cookies from server’s response and attach them to its following requests.
The bot is able to parse Cookies issued by several methods. The most common way for the server to set a cookie is via
a “Set-Cookie” response header. Thus, “Madness” will look for this header and extract all the set cookies.
A Cookie might be set using JavaScript as well via the “document.cookie” property. This technique is also used by many
anti-bot solutions to challenge the client whether it is a real browser having JavaScript running capabilities.
The bot will look for the “document.cookie=” pattern in the response and extract the Cookies.
During the analysis, we have noticed another interesting technique related to Cookie challenges. The bot will look for
the strings "Cookie", "realauth=<value>" and "location" in the response and set the appropriate cookie as a legitimate
browser will do after executing the JavaScript.

8. THREAT ANALYSIS REPORT
MADNESS
8
Apparently, this technique is targeting a well-known Russian web-hosting service which uses a weakly obfuscated
JavaScript code to set the challenge Cookie, making it possible for “Madness” to easily bypass the solution without
having a JavaScript engine.
“CloudFlare” Bypass
“Madness” has a dedicated technique to target more complex JavaScript challenges, specifically targeting “CloudFlare”,
a popular DDoS protection service. The challenge is a JavaScript code which makes a certain calculation and sends
back the result. If the result is correct, the server will issue an “authorization Cookie” and all the following requests
containing that cookie will be considered legitimate. Bots not having a JavaScript engine should fail this test.
In the past, “CloudFlare” issued a pretty simple script, with a hardcoded calculation and without any obfuscation, making
it possible to be bypassed by parsing the response using a similar technique as the previous “anti-cookie”. However,
when the challenge evolved and was heavily obfuscated, it literally became more challenging for DDoS bots.
Instead of trying to parse the response or simulate a browser, the “Madness” author chose to use a real browser to be
able to bypass even the most heavily obfuscated scripts.
Using another “high-level” Windows library called “Urlmon”, it introduced the “DD7” attack. While this same library is
also used by the “Internet Explorer” core, all cookies that were obtained by “Internet Explorer” will be automatically
appended to every request made by this library, specifically by calling the “URLDownloadToFile” function from
“Urlmon.dll”.
Once attack starts, the attacker issues the “cfa” (apparently “Cloud Flare Attack”) command from the C&C.
cfa=http://10.0.0.2/index.php
The victim machine then runs “Internet Explorer” in a minimized window, browses the targeted website, performs the
JavaScript challenge calculation, as it is a legitimate browser, and gets the “authorization Cookie”. Once the cookie is
saved in the browser, the attacker executes the “DD7” flood (or it is already running), while this Cookie will be
automatically appended to each attacking request.
Although, the minimized window is seen in the Windows task bar, it could not be manually maximized.

9. THREAT ANALYSIS REPORT
MADNESS
9
The “Hold” Flood
While analyzing the threat, we have also noticed another “GET” flood variation, which may be referred as a "HOLD" flood.
It sends a “GET” request containing only the “Host” header, sleeps for 0.1 seconds and only then completes the request
by sending "rn".
This attack was probably created to perform less “aggressive” HTTP flood by lowering the request rate. Again, this
attack seems awkward, as it missing popular HTTP headers, such as “user-agent” and does not inherit any of the
capabilities (supporting POST method, Cookies, Referer or challenge bypass techniques) from the other HTTP floods.
Network Floods
While “Madness” focus is definitely on the HTTP floods it also supports simple ICMP and UDP floods using the
“WinSock” API.
For UDP flood, the attacker has the control on the data to be sent over the UDP packets.
Here is an example of an ICMP flood using “WinSock”:
Here is an example of a UDP flood using “WinSock”:
Other Functionality
There are also other common malware functionalities as well:
 exe – download a given file and execute it on the infected machine.
 wtf – idle command, do nothing.
 cmd - execute a cmd command.
 def – kill the bot but don’t uninstall it.
 upd (version 1.22 and above) – update the bot.

10. THREAT ANALYSIS REPORT
MADNESS
10
Mitigation
Although “Madness” uses only 10 threads in all of its attacks, each thread aggressively sends the maximum possible
number of requests/packets making the attacking IP easily spotted by TPS based or Stress (Latency) based detection.
Once detected, the mitigation might be either by using request blocking, “client-side integrity defense” or CAPTCHA.
The “Heavy URL Protection” will provide better detection for “Madness” POST floods (“DD2” and “DD4”) once the
attacker identified and targeted heavy lifting pages.
Broader mitigation strategy which includes “proactive bot defense”, by leveraging JavaScript to test clients whether they
are real browsers, will block all the “low” and “high” level HTTP attacks just when the attack starts. The bot would not be
able to pass the tests as it is not able to execute JavaScript or statically parse the JavaScript test and provide the correct
response, even using the “Anti-Cookie” module.
Although the “cfa” module (“CloudFlare” bypass technique) has the capability to run a real browser and apparently pass
the proactive defense tests, it is not enough to perform it a single time as the proactive defense challenges the client every
period of time making it virtually ineffective. Moreover, having the proactive defense test pass is not enough as the bot
will be marked as suspicious due to its high volume of requests or due to an increase in server’s stress.
Summary
As layer 7 DDoS attacks are being effective, “Madness” provides different flavors of GET/POST floods with a high level
of flexibility while integrating more advanced capabilities to bypass security solutions. We expect this bot to be seen more
in the wild with upgraded capabilities.
One of the lessons we learn from this analysis while protecting our servers is that it is not enough to rely on clients simply
answering the challenge, as complex as it might be. It also requires a proactive bot defense which has more integrity
checks and implements more sophisticated logic around those challenges, as well as other detection and prevention
means, such as blocking requests based on TPS or Server’s stress, CAPTCHA, and more sophisticated anomaly
detection methods.

11. THREAT ANALYSIS REPORT
MADNESS
11
About F5
F5’s market-leading security solutions help you seamlessly scale cloud, data center, and software-defined networking
(SDN) deployments—so you can securely deliver applications to anyone, anywhere, at any time. An application-centric
design, unique placement in the network, intelligent services delivery, and unparalleled visibility reduce risk across your
entire application ecosystem.
The world’s largest businesses, service providers, government entities, and consumer brands rely on F5 to stay ahead
of security, cloud, and mobility trends. Learn more at f5.com.

12. THREAT ANALYSIS REPORT
MADNESS