MS08-067 Used to Drop DDoS Bots

By: Jose

Earlier today we were informed about a bot that we’ve seen before, KernelBot, being dropped by an exploit tool for MS08-067. The exploit code is “67.exe”, and the bot itself is “6767.exe”. KernelBot is a Chinese origin DDoS bot run by someone we think uses the handle IceKernel; he even names his project KernelBot: d:WorksKernelBots_Up28ServerReleaseServer.pdb. We first became aware of this bot during the CNN.Com attacks earlier this year; some researchers we were working with brought it to our attention. Since then we’ve been watching this guy’s activities and seen a handful of DDoS targets, but most of them are Baidu. It’s nice to see most of the AV vendors have finally caught up and added detection.

If you want to stop this one, you should block all web access to the domain ushealthmart.com. It’s using a few hosts under that domain name to spread and send out configurations.

We are still not seeing significant exploit activity around the CVE-2008-4250 vulnerability, which is a bit unexpected given the number of PoC codes available.

KernelBot can send ICMP, TCP SYN, UDP, and even HTTP flood attacks, among others. It communicates with a server to retrieve a file, usually named “cmd.txt”, which is a large INI file describing attacks and next actions. The bot itself doesn’t have any mechanisms to spread, so the exploit code is used to cajole victims into downloading it. A command stanza might look like this:

[DDOS_TcpFlood]
IsTcpFlood=0
CmdID=6
TcpFloodDNS=www.1698woool.com
TcpFloodPort=80
IsSendPacket=0
ThreadCount=6
IsTimer=1
Timer=40

You can see a complete example of the configuration file at this translated forums page.
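As an added example (not part of the original post), a small triage parser for a captured cmd.txt: it walks the DDOS_* stanzas using the key pattern visible in the quoted TcpFlood block and reports which targets are actually enabled. The UdpFlood stanza and its hostname are constructed and assume the same Is<Attack> / <Attack>DNS / <Attack>Port naming as the TcpFlood one.

```python
import configparser
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: TcpFlood is the stanza quoted above; UdpFlood is invented
# here assuming the same Is<Attack> / <Attack>DNS / <Attack>Port key pattern.
SAMPLE_CMD_TXT = """\
[DDOS_TcpFlood]
IsTcpFlood=0
CmdID=6
TcpFloodDNS=www.1698woool.com
TcpFloodPort=80
IsSendPacket=0
ThreadCount=6
IsTimer=1
Timer=40

[DDOS_UdpFlood]
IsUdpFlood=1
CmdID=7
UdpFloodDNS=udp-target.example
UdpFloodPort=53
"""
@dataclass
class Task:
    section: str
    enabled: bool         # Is<Attack>=1 means the stanza is live
    cmd_id: int
    target: str
    port: int
    timer: Optional[int]  # run time in seconds; None unless IsTimer=1

def parse_cmd_txt(text: str) -> List[Task]:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as the bot writes it
    cp.read_string(text)
    tasks = []
    for name in cp.sections():
        if not name.startswith("DDOS_"):
            continue
        sec, attack = cp[name], name[len("DDOS_"):]
        timer = int(sec.get("Timer", "0")) if sec.get("IsTimer", "0") == "1" else None
        tasks.append(Task(name, sec.get("Is" + attack, "0") == "1", int(sec.get("CmdID", "0")),
                          sec.get(attack + "DNS", ""), int(sec.get(attack + "Port", "0")), timer))
    return tasks

def active_targets(text: str) -> List[Tuple[str, int]]:
    # Only enabled stanzas matter for blocking or victim notification; the rest are stale.
    return sorted({(t.target, t.port) for t in parse_cmd_txt(text) if t.enabled})
```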

HTTP headers for this guy should be pretty easy to fingerprint when you compare them to legit HTTP headers:

GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
If-Modified-Since: Sun, 26 Jun 2005 15:43:05 GMT
If-None-Match: "60794-12b3-e4169440"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Host: %s
Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Range: bytes=1-1
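Added example, not from the original post: a checker that scores a raw request against the static values in the template above (the hardcoded ETag and date, the one-byte Range, zh-cn, the fixed User-Agent). Both sample requests and the hostnames in them are constructed; the threshold is a suggested starting point, not a value from the post.

```python
from typing import Dict, List, Tuple

# Fixed values from the request template quoted above. A real browser fills
# If-None-Match / If-Modified-Since from what the server last returned; the bot
# hardcodes them and adds Range: bytes=1-1, which is why they fingerprint well.
STATIC_MARKERS = {
    "if-none-match": '"60794-12b3-e4169440"',
    "if-modified-since": "Sun, 26 Jun 2005 15:43:05 GMT",
    "range": "bytes=1-1",
    "accept-language": "zh-cn",
    "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; "
                  ".NET CLR 1.1.4322; .NET CLR 1.0.3705)",
}
# Constructed samples: the template with %s filled in, and a plausible legitimate
# MSIE 6 request from a zh-cn user (which shares two of the markers).
BOT_REQUEST = (
    "GET /cmd.txt HTTP/1.1\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"
    "Accept-Language: zh-cn\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "If-Modified-Since: Sun, 26 Jun 2005 15:43:05 GMT\r\n"
    'If-None-Match: "60794-12b3-e4169440"\r\n'
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; "
    ".NET CLR 1.1.4322; .NET CLR 1.0.3705)\r\n"
    "Host: c2.example\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n"
    "Cache-Control: no-cache\r\nRange: bytes=1-1\r\n\r\n"
)
BROWSER_REQUEST = (
    "GET /index.html HTTP/1.1\r\nAccept: text/html, */*\r\nAccept-Language: zh-cn\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; "
    ".NET CLR 1.1.4322; .NET CLR 1.0.3705)\r\n"
    'If-None-Match: "3a1f-9c2-4b8e7d10"\r\nHost: www.example\r\n\r\n'
)

def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (request line, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: Dict[str, str] = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers

def kernelbot_markers(raw: str) -> List[str]:
    _, h = parse_request(raw)
    return [k for k, v in STATIC_MARKERS.items() if h.get(k) == v]

def is_kernelbot(raw: str, threshold: int = 3) -> bool:
    # zh-cn plus an MSIE 6 UA is common on legitimate clients; the hardcoded
    # validators or the one-byte Range are what push a request over the line.
    return len(kernelbot_markers(raw)) >= threshold
```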

Finally, as a “thumb in the eye” of every infected user, the bot does the cheap way of disabling AV updates: it writes out a hosts file entry with everyone pointed at localhost. Not terribly complex.

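Added example (not from the post): a check for the hosts-file trick described above, flagging every name mapped to loopback that is not a legitimate local alias. The sample hosts excerpt is constructed from a few of the vendor names the bot writes plus some ordinary entries; the five-name threshold is a suggestion, not a value from the post.

```python
import re
from typing import List

LOOPBACK = {"127.0.0.1", "::1"}
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed excerpt in the shape the post describes (a few of the names it
# lists plus normal entries); not a capture from an infected host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.360Safe.com
127.0.0.1       update.rising.com.cn  security.symantec.com
127.0.0.1       up.duba.net
127.0.0.1       cn.mcafee.com
::1             localhost
192.168.1.10    fileserver.corp.example   # legitimate internal mapping
"""

def sinkholed_names(hosts_text: str) -> List[str]:
    """Hostnames mapped to loopback that are not legitimate local names."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = re.split(r"\s+", line)  # one address, one or more names
        if addr not in LOOPBACK:
            continue
        for n in names:
            n = n.lower()
            if n not in LEGIT_LOCAL and not n.endswith(".localhost"):
                found.append(n)
    return found

def looks_like_av_blackhole(hosts_text: str, min_names: int = 5) -> bool:
    # One stray loopback entry can be an admin's ad block; dozens of vendor
    # names pointed at 127.0.0.1 is the pattern the bot leaves behind.
    return len(sinkholed_names(hosts_text)) >= min_names
```

On a Windows host the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; the list returned is also what you would restore update access by removing.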

Comments

  1. What is IceKernel? I googled a lot of pages but couldn’t find it.