Analysis of Chcod, another DDoS Trojan

By: jedwards

We have done some analysis on the Chcod malware family, also known as Ogran, which has been showing up in our sandboxes since at least August 2009.  Like the Yoyoddos and Avzhan trojans, this family is also controlled predominantly from Chinese IP space and appears to be used almost exclusively as a DDoS agent.

Malcode Properties

The Chcod malware is distributed in the form of a very small unpacked executable; we have observed its size vary from 9,728 to 20,480 bytes, with specimens most frequently weighing in at approximately 12.5 KB.  Here are the MD5 hashes of some representative samples:

9ec5dbc58ff6f2811596540ada704def
876718d10b42b053df1df4fb0a69f789
32291e232247e9004e520d0e638f565d
e10cf3881ce04f0cde4091c3dad78fe8

Samples are typically hosted on Chinese servers, although we have observed at least one instance of Chcod being distributed from Thai IP space.  Here are some of the (defanged) URLs that have distributed Chcod malware:

hxxp://61.147.120.135:81/zhaomingyang520.exe
hxxp://www.huoyx.com/7758.exe
hxxp://nc3comcn.vip137.2hezu.net/choujin/svchost.exe

Note that all three of these URLs live on CHINANET hosts, none of which are still serving the malware at this time.

Installation

Upon initial execution, Chcod will typically copy itself into the victim’s C:\Windows directory using a name that, more often than not, sticks out like a sore thumb; the operators of Chcod appear to make very little effort at blending into their infected hosts.  Representative examples of installation names we have observed include:

C:\WINDOWS\QQ.exe
C:\WINDOWS\vx.exe
C:\WINDOWS\dfgc.exe
C:\WINDOWS\d.exe
C:\WINDOWS\zhaomingyang520.exe

Most variants of Chcod will set themselves up to be Windows Services that are automatically started upon system reboot.  Again, Chcod doesn’t make the slightest attempt to be stealthy when choosing a service name; representative examples include:

hytyju234567890
vsdxqq
dsff
txqqc
Aeeu01234567890

The display names Chcod uses for its installed service have often been even worse, such as this one:

Ati External Event UtilityKillOrKillOrPassKillOrKillOrPassKillOr

We have also observed at least one Chcod sample (MD5 876718d10b42b053df1df4fb0a69f789) that did not even bother to install itself as a service.

Communication Protocols

The Chcod bots phone home to their CnC servers by sending a small 56-byte block of structured data over a basic TCP socket; this message contains only the name of the victim computer (as returned by the gethostname() API) as well as a possibly truncated copy of the host name of the CnC to which it is sending the message.

We document the format of the communication protocol in the form of an equivalent C struct as follows:

// Trojan.Chcod bot-to-CnC message structure (56 bytes, little-endian, no padding)
struct {
 WORD    wMagicNumber;     // Always 0x0100
 char    szCnCName[14];    // NULL-terminated CnC hostname, truncated as needed, otherwise
                           //   NULL-extended
 char    szVictimName[32]; // From gethostname(), NULL-terminated and extended
 WORD    wWindowsVersion;  // Encoded as: 3 (Vista), 2 (XP), 1 (WinME), 0 (Win98),
                           //   or 4 (Server 2003 x64)
 WORD    wPhysicalMemory;  // As returned by dwTotalPhys component of GlobalMemoryStatus()
                           //   and converted to MB
 WORD    wUnknown;         // Varies; we've seen 0xb808, 0x5014, 0x1450, and 0xa00f
 WORD    wZero;            // Always 0x0000
};

We do not currently know the meaning of the 16-bit value we refer to as wUnknown above, although it appears to be stored as a constant within the executable.

Here is a representative example, sent to a CnC hosted at bon19820609.3322.org, from an infected host named VICTIM:

$0000   01 00 62 6F 6E 31 39 38 32 30 36 30 39 2E 33 00   ..bon19820609.3.
$0010   76 69 63 74 69 6D 00 00 00 00 00 00 00 00 00 00   victim..........
$0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
$0030   02 00 FF 00 B8 0B 00 00                           ........

One might wonder why the bot sends the CnC’s own host name back to its CnC.  Presumably it is so that the operators of Chcod can support a crude form of “virtual hosting” in which multiple distinct Chcod botnets are controlled from a single CnC: each botnet is controlled via a separate CnC host name, and each of these host names can resolve to the same IP address on which the CnC server socket listens on a single port.  By including its controlling host name in the bot-to-CnC message, the bot lets the CnC server determine, in theory, which botnet it belongs to and respond accordingly.
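As an added example (not code from the original analysis), here is a small Python decoder for the 56-byte phone-home message, applied to the captured sample above.  Field names follow the struct; the magic word and wUnknown are compared and reported as raw bytes so that byte order is never in question, and the predicate at the end is the kind of check a traffic sensor could run on outbound TCP payloads.

```python
import struct

# Field layout of the 56-byte bot-to-CnC message (little-endian, no padding needed):
# magic (2 raw bytes), szCnCName[14], szVictimName[32], wWindowsVersion,
# wPhysicalMemory, wUnknown (2 raw bytes), wZero.
PHONE_HOME_FMT = "<2s14s32sHH2sH"
PHONE_HOME_LEN = struct.calcsize(PHONE_HOME_FMT)  # 56
WINDOWS_VERSIONS = {0: "Win98", 1: "WinME", 2: "XP", 3: "Vista", 4: "Server 2003 x64"}


def _cstr(field: bytes) -> str:
    """Decode a NUL-terminated (and NUL-extended) fixed-width string field."""
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_phone_home(msg: bytes) -> dict:
    """Decode one captured phone-home message; raise ValueError if it is not Chcod-shaped."""
    if len(msg) != PHONE_HOME_LEN:
        raise ValueError(f"expected {PHONE_HOME_LEN} bytes, got {len(msg)}")
    magic, cnc, victim, winver, mem_mb, unknown, zero = struct.unpack(PHONE_HOME_FMT, msg)
    if magic != b"\x01\x00" or zero != 0:
        raise ValueError("magic/trailer mismatch: not a Chcod phone-home")
    return {
        "cnc_name": _cstr(cnc),        # the bot truncates long CnC names to 13 chars + NUL
        "victim_name": _cstr(victim),
        "windows": WINDOWS_VERSIONS.get(winver, f"unknown({winver})"),
        "memory_mb": mem_mb,
        "unknown_raw": unknown.hex(),  # wUnknown: meaning not known, kept verbatim
    }


def is_chcod_phone_home(payload: bytes) -> bool:
    """Cheap sensor predicate: does this outbound TCP payload look like a Chcod check-in?"""
    try:
        parse_phone_home(payload)
        return True
    except ValueError:
        return False


# Sample rebuilt from the hex dump in the post (CnC bon19820609.3322.org, host VICTIM).
SAMPLE_PHONE_HOME = bytes.fromhex(
    "01 00 62 6F 6E 31 39 38 32 30 36 30 39 2E 33 00"
    "76 69 63 74 69 6D 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "02 00 FF 00 B8 0B 00 00"
)

if __name__ == "__main__":
    print(parse_phone_home(SAMPLE_PHONE_HOME))
```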

Upon receipt of this “phone home” message, the CnC may respond with one of several different message formats; the nature of the command is specified by the value of the first two bytes in the CnC response:

1. Attack command (0x02): an 80-byte block of data that specifies the victim to be attacked, as well as the parameters of that attack; the message uses the following format:

// Chcod attack command
struct {
 BYTE    nCommandCode;   // 0x02 = Launch DDoS attack
 char    szPadding[15];  // Always filled with 0x00 bytes
 WORD    wAttackType;    // 0x10 = HTTP flood; 0x02 = UDP flood
 WORD    wUnknownParam1; // ???  We have observed values of 0x32 and 0x1A
 WORD    wUnknownParam2; // ???  We have observed values of 0x32 and 0x3E
 WORD    wUnknownParam3; // ???  We have observed values of 0x32 and 0x90
 WORD    wPort;          // Port to attack
 char    szUrl[54];      // Victim URL, hostname, or IP address; NULL-terminated
};

An example from a UDP flood attack (target victim has been obfuscated):

$0000   02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
$0010   02 00 32 00 32 00 32 00 50 00 77 77 77 2E 74 61   ..2.2.2.P.www.ta
$0020   72 67 65 74 2E 63 6F 6D 2F 69 6E 64 65 78 2E 68   rget.com/index.h
$0030   74 6D 00 00 00 00 00 00 00 00 00 00 00 00 00 00   tm..............
$0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

When engaging in a UDP flood, the Chcod bot will open a large number of simultaneous UDP sockets to the specified victim and port.  UDP floods from Chcod are typically directed against port 80 on the victim.  Chcod will flood the victim with UDP datagrams from each of these sockets; each datagram contains 16 bytes of payload.  The content of each datagram payload is 16 randomly chosen bytes from the range 0x1E through 0x3E.  The payload is different for each datagram sent by the bot.

Thus, a possible mitigation strategy for dealing with a Chcod UDP flood might be to blacklist any source IP address that is sending a lot of 16-byte UDP datagrams that contain data bytes strictly within the range of 0x1E to 0x3E.  (On the other hand, it might not be a bad idea to blacklist any source IP sending large numbers of UDP packets to your web server’s port regardless of their content…)
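The mitigation sketched above, written out as added example detection logic (not part of the original post): a payload predicate for the 16-byte / 0x1E..0x3E pattern, a per-source sliding-window rate check so that a stray matching datagram alone does not trigger, and a constructed sample capture using TEST-NET addresses rather than real hosts.

```python
import random
from collections import defaultdict, deque

PAYLOAD_LEN = 16
LOW, HIGH = 0x1E, 0x3E   # inclusive byte range seen in Chcod UDP flood payloads
WEB_PORT = 80


def looks_like_chcod_flood(payload: bytes) -> bool:
    """True if a UDP payload matches the Chcod pattern: 16 bytes, each in 0x1E..0x3E.
    A random 16-byte payload matches by chance with probability (33/256)**16, roughly 6e-15,
    so a match is already a strong hint; the rate threshold below guards against protocols
    that legitimately use that byte range (printable digits and punctuation)."""
    return len(payload) == PAYLOAD_LEN and all(LOW <= b <= HIGH for b in payload)


def flagged_sources(datagrams, threshold=100, window_s=1.0):
    """Return source IPs that sent at least `threshold` matching datagrams to the web port
    within any `window_s`-second window.  datagrams: time-ordered (ts, src, dst_port, payload)."""
    recent = defaultdict(deque)   # src_ip -> timestamps of matching datagrams in the window
    flagged = set()
    for ts, src, dport, payload in datagrams:
        if dport != WEB_PORT or not looks_like_chcod_flood(payload):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def constructed_traffic(seed=1):
    """Constructed sample capture (TEST-NET addresses, not real hosts): one Chcod-style flood
    source, one slow sender with matching payloads, and one busy but non-matching sender."""
    rng = random.Random(seed)

    def chcod_payload():
        return bytes(rng.randrange(LOW, HIGH + 1) for _ in range(PAYLOAD_LEN))

    pkts = []
    for i in range(300):                        # 300 datagrams in 0.5 s: flood
        pkts.append((i / 600.0, "198.51.100.7", 80, chcod_payload()))
    for i in range(20):                         # 20 datagrams over 10 s: below threshold
        pkts.append((i / 2.0, "203.0.113.9", 80, chcod_payload()))
    for i in range(300):                        # busy, but bytes outside the range
        pkts.append((i / 600.0, "192.0.2.44", 80, bytes([0x41] * PAYLOAD_LEN)))
    return sorted(pkts, key=lambda p: p[0])
```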

Here is an example from an HTTP flood attack (again, the real target has been obfuscated):

$0000   02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
$0010   10 00 32 00 32 00 32 00 50 00 77 77 77 2E 74 61   ..2.2.2.P.www.ta
$0020   72 67 65 74 3E 75 73 2F 69 6E 64 65 78 2E 61 73   rget.us/index.as
$0030   70 00 70 00 61 73 70 00 68 64 6F 32 2F 69 6E 64   p.p.asp.hdo2/ind
$0040   65 78 2E 61 73 70 00 00 00 00 00 00 00 00 00 00   ex.asp..........

Note that, although the CnC properly NULL-terminates the string specifying the target, it apparently does not initialize the entire 80-byte buffer with zeroes prior to filling in the structure.  This often results in string fragments associated with previous victims remaining in the response buffer that is sent back to the bots (such as the “…hdo2/index.asp” fragment in the HTTP flood example above.)

2. Download command (0x03): an 80-byte block of data that specifies a URL that is to be downloaded and executed; the message uses the following format:

// Chcod download+execute command
struct {
 BYTE    nCommandCode;   // 0x03 = download URL and execute
 char    szPadding[15];  // Always filled with 0x00 bytes
 char    szUrl[64];      // NULL-terminated and extended URL to download and execute
};

An example message is as follows:

$0000   03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
$0010   68 74 74 70 3A 2F 2F 31 32 32 2E 32 32 34 2E 34   http://122.224.4
$0020   38 2E 38 37 3A 38 38 38 38 2F 64 6F 77 6E 2E 65   8.87:8888/down.e
$0030   78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00   xe..............
$0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Upon receipt of such a command, the Chcod bot will initiate an HTTP connection to the specified URL, save the downloaded executable to the C:\Windows directory using its original name (e.g., C:\Windows\down.exe in the above example), and execute it.  This mechanism can of course be used to update the Chcod bot with a newer version, or to drop additional malware on an infected system.

3. Uninstall command (0x05): Causes the Chcod bot to delete the Windows Service under which it is installed.

4. Logoff command (0x191): Force the infected user to be logged out of his/her session.

5. Reboot command (0x192): Force the infected host to reboot.

6. Shutdown command (0x193): Force the infected host to shut down.

7. Idle command (0x00): a 16-byte block of zeros to indicate that the bot is to stand by and perform no action.

It also appears that Chcod supports an additional command code (0x06) with functionality that is not understood at this time.

In general, upon the completion of this message exchange, the bot will remain connected to the CnC and listen for further instructions on the established socket (barring a system shutdown, etc.)
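To tie the command formats above together, here is an added Python decoder (not code from the original post) for captured CnC-to-bot messages.  It reads the command code from the first WORD, unpacks the attack and download layouts, and, because the CnC does not clear its 80-byte buffer, separates the live NUL-terminated URL from whatever stale fragment follows it, as seen in the HTTP flood sample above.

```python
import struct

# 80-byte CnC responses (little-endian); the command code is the first WORD.
ATTACK_FMT = "<H14sHHHHH54s"   # code, padding, attack type, 3 unknown params, port, URL
DOWNLOAD_FMT = "<H14s64s"      # code, padding, URL
ATTACK_TYPES = {0x10: "HTTP flood", 0x02: "UDP flood"}
SIMPLE_COMMANDS = {0x00: "idle", 0x05: "uninstall", 0x06: "unknown (0x06)",
                   0x191: "logoff", 0x192: "reboot", 0x193: "shutdown"}


def _cstr_with_residue(field: bytes) -> tuple:
    """Split a NUL-terminated field into the live string and any stale bytes left after it."""
    head, _, tail = field.partition(b"\x00")
    residue = tail.rstrip(b"\x00").decode("ascii", errors="replace").replace("\x00", ".")
    return head.decode("ascii", errors="replace"), residue


def parse_cnc_response(msg: bytes) -> dict:
    """Decode one captured CnC-to-bot message into a description of the command."""
    if len(msg) < 2:
        raise ValueError("too short to carry a command code")
    code = struct.unpack_from("<H", msg)[0]
    if code == 0x02 and len(msg) == 80:
        _, _, atype, p1, p2, p3, port, url = struct.unpack(ATTACK_FMT, msg)
        target, residue = _cstr_with_residue(url)
        return {"command": "attack", "type": ATTACK_TYPES.get(atype, f"unknown(0x{atype:x})"),
                "params": (p1, p2, p3), "port": port, "target": target, "residue": residue}
    if code == 0x03 and len(msg) == 80:
        _, _, url = struct.unpack(DOWNLOAD_FMT, msg)
        target, residue = _cstr_with_residue(url)
        return {"command": "download_execute", "url": target, "residue": residue}
    if code in SIMPLE_COMMANDS:
        return {"command": SIMPLE_COMMANDS[code]}
    raise ValueError(f"unrecognised command 0x{code:x} in a {len(msg)}-byte message")


# HTTP flood command rebuilt from the hex dump in the post (target already obfuscated there).
SAMPLE_HTTP_FLOOD = bytes.fromhex(
    "02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "10 00 32 00 32 00 32 00 50 00 77 77 77 2E 74 61"
    "72 67 65 74 3E 75 73 2F 69 6E 64 65 78 2E 61 73"
    "70 00 70 00 61 73 70 00 68 64 6F 32 2F 69 6E 64"
    "65 78 2E 61 73 70 00 00 00 00 00 00 00 00 00 00"
)
SAMPLE_IDLE = bytes(16)  # 16 zero bytes: stand by

if __name__ == "__main__":
    print(parse_cnc_response(SAMPLE_HTTP_FLOOD))
```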

Control Servers

To date, we have identified at least 18 Chcod CnC servers running on 15 different IP addresses; we’ve observed three instances in which a single IP address hosted two CnC servers running on different ports.  Although 17 of the 18 Chcod CnC servers are hosted in Chinese IP space, they are fairly widely distributed across net blocks, as follows:

IP Address         Port  CC   ASN   NETNAME
61.164.126.228     1777  CN   4134  TAIZHOU SOIDC NETWORK TECHNOLOGY CORP
221.12.138.226     6222  CN   4837  WANGUOCHUANZHEN QUZHOU ZHEJIANG
221.12.138.226     1983  CN   4837  WANGUOCHUANZHEN QUZHOU ZHEJIANG
61.164.126.228     1888  CN   4134  TAIZHOU SOIDC NETWORK TECHNOLOGY CORP
122.224.48.87      7890  CN   4134  NINBO LANZHONG NETWORK LTD
221.181.66.77      6222  CN  24400  CHINA MOBILE COMMUNICATIONS CORPORATION
221.181.66.77      3456  CN  24400  CHINA MOBILE COMMUNICATIONS CORPORATION
61.164.127.22      1987  CN   4134  TAIZHOU YAMA NETWORK TECHNOLOGY CORP
116.117.176.5      8888  CN   4837  INNERMONGOLIAHAILAERMZAB80MH02POOL
202.97.185.109     7890  CN   4837  CHINA UNICOM LIAONING PROVINCE NETWORK
119.48.217.19      7758  CN   4837  CHINA UNICOM JILIN PROVINCE NETWORK
218.10.18.160      1118  CN   4837  CHINA UNICOM HEILONGJIANG PROVINCE NETWORK
76.164.231.59      8080  US  36114  R & D TECHNOLOGIES LLC
123.187.107.8      8080  CN  17799  CHINANET LIAONING PROVINCE NETWORK
218.60.65.135      8783  CN   4837  CHINA UNICOM LIAONING PROVINCE NETWORK
121.11.84.83       7758  CN   4134  SHANTOUSHIJINSHADONGLUJINLONGDASHABDONG12A
61.190.149.232     1520  CN   4134  CHINANET ANHUI PROVINCE NETWORK
61.147.74.139      8802  CN   4134  CHINANET JIANGSU PROVINCE NETWORK

The Chcod bots have the identity of their CnC hard-coded within their executable; as is common, these CnCs are identified by host name rather than raw IP address.  The majority of Chcod CnC host names are associated with the 3322.org domain, a large Chinese provider of dynamic DNS services.  Examples include:

clddos1.3322.org
cl888666.3322.org
zhaomingyang520.3322.org
bon19820609.3322.org
wbbyby.3322.org
sou8sou8.3322.org

Occasionally, Chcod CnCs live on non-3322.org host names, such as the following:

h.xuhongdiy.com
www.sowogame.cn
server01.comying.com

Note that the host name of the CnC is obfuscated within the static bot executable file; however, invoking strings analysis on a memory dump from a running Chcod bot process will yield the plain text host name of the CnC.

The operators of Chcod-based botnets clearly prefer to host their CnCs on non-standard ports as shown in the above listing.

Victims

We have been tracking various Chcod-based botnets since early October 2010 using our usual technique of periodically connecting to known Chcod CnCs and sending 56-byte messages that imitate particular Chcod specimens.  During this period of time, we have observed Chcod botnets issue DDoS attack commands against approximately 31 unique victims in China (19), Hong Kong (5), Korea (5), and the United States (2).  The victims have been distributed across the following networks:

CC   ASN   Network
CN   4134  CHINANET GUANGDONG PROVINCE NETWORK
CN   4134  CHINANET JIANGSU PROVINCE NETWORK
CN   4134  CHINANET JIANGXI PROVINCE NETWORK
CN   4134  CHINANET SICHUAN PROVINCE NETWORK
CN   4134  CHINANET XINJIANG PROVINCE NETWORK
CN   4134  CHINANET-HN HENGYANG NODE NETWORK
CN   4134  DONGGUANSHIWEIYIWANGLUOKEJIYOUX
CN   4134  JINHUA TELECOM CO. LTD
CN   4134  JINHUA TELECOM CO. LTD IDC CENTER
CN   4134  NINBO LANZHONG NETWORK LTD
CN   4134  SHANTOUSHIJINSHADONGLUJINLONGDASHABDONG12A
CN   4837  HEPINGLU-COM XUZHOU JIANGSU PROVINCE
HK   9269  CITY TELECOM (H.K.) LTD
HK  17444  TOP INTERNET COMPANY
KR   3786  KOREA INTERNET DATA CENTER INC
KR   4766  KOREA TELECOM
KR   9848  KRNIC
US   6939  KARIM JELASSI
US  36351  SOFTLAYER TECHNOLOGIES INC

Victims of Chcod DDoS attacks have included several gaming-related sites (not unusual) and a Chinese university.  The typical Chcod-generated DDoS attack lasts from approximately 4 to 12 hours at a time.  However, one of the victims in particular has been on the receiving end of at least nine separate Chcod DDoS attacks in October 2010 alone; two of these attacks were sustained for almost 40 hours each.

Spot checks of victim websites have found them to be non-responsive during periods of actual attack by Chcod, suggesting that the associated botnets could be of reasonable size.

Of the 19 Chcod CnC servers we have identified, the following seven have actively engaged in DDoS attacks over the last three months:

IP Address         Port  CC   ASN   Network
113.105.169.182    8802  CN   4134  CHINANET GUANGDONG PROVINCE NETWORK
122.224.18.27      7758  CN   4134  NINBO LANZHONG NETWORK LTD
124.119.87.233     8802  CN   4134  CHINANET XINJIANG PROVINCE NETWORK
58.221.35.156      8802  CN   4134  CHINANET JIANGSU PROVINCE NETWORK
58.221.35.172      8802  CN   4134  CHINANET JIANGSU PROVINCE NETWORK
61.147.74.139      8802  CN   4134  CHINANET JIANGSU PROVINCE NETWORK
61.147.74.185      8802  CN   4134  CHINANET JIANGSU PROVINCE NETWORK

The others have either been taken down or otherwise become non-responsive, or have not recently been engaging in active DDoS attacks.

A/V Detections

Anti-virus detection of Chcod bots is pretty good at this point.  Detection rates for the specimens we have analyzed are typically in the 75%-95% range.  Here are some representative detections:

Microsoft     Trojan:Win32/Chcod.A
Kaspersky     Trojan-Downloader.Win32.Ogran.dh
DrWeb         BackDoor.ClDdos.9
Ikarus        Trojan-Downloader.Win32.Ogran
JiangMin      TrojanDownloader.Ogran.o
McAfee        Heuristic.BehavesLike.Win32.Trojan.H
TrendMicro    TROJ_OGRAN.A
VirusBuster   Trojan.DL.Ogran.U

Summary

The Chcod/Ogran family is not nearly as active as other DDoS-focused malware families (such as BlackEnergy and Yoyoddos.)  It does, however, represent another data point in the increasingly crowded landscape of DDoS attack agents.

Much credit to Kenny MacDermid for his significant contributions to this analysis.

Comments

  1. Nice analysis. Interesting to see the win98 and WinME indicators in the struct. Perhaps they are more common in the countries where this bot is more active?

    Regarding obtaining sites from a memdump, this is a great technique I’ve been using more lately and using volatility to analyze. I did find a TDL4 infection that resisted a memdump being taken by moonsols win32dd, but Mandiant’s memorydd.bat worked well and gave me what I needed. Have you ever run across anything similar, or a malware that actively blocked a memdump?

  2. testing comments