Darkshell: A DDoS bot targeting vendors of industrial food-processing equipment

By: jedwards

This week, we continue our efforts to document the crowded space of Chinese DDoS bots by analyzing Darkshell.  This particular malware family has recently been used to attack quite a few companies involved in the industrial food processing industry.

Malcode Properties

The Darkshell malware is distributed in the form of a small executable which typically ranges in size from approximately 66,048 bytes to 79,360 bytes.  Here are the MD5 hashes for the 42 Darkshell samples we have analyzed to date:


Most of the Darkshell samples we have observed were originally hosted in Chinese IP space; here are some representative sample URLs (defanged) that have recently hosted Darkshell executables:


None of these URLs are still serving Darkshell malware at this time.  Here is a representative sampling of net blocks that have distributed Darkshell malware:


Installation

Once launched, a Darkshell bot performs a fairly standard installation process.  It copies itself into the C:\Windows\System32 directory.  In an attempt to be stealthy, it will usually name the installed copy of itself so as to appear to be a legitimate system file; the installation names we have observed include:

regedit32.exe
regedit325516.exe
regedut32.exe
Msierit32.exe
Msbbrit32.exe
domain.exe

Darkshell will then register itself to run as a fake service that is automatically started upon reboot.  This service will be registered with one of the following names:

BackGround Switch
BackGround switch
BackGroucd Switch
BackGround Switch5516
domain Switch
Domain Switch

The display name of the installed service will claim to be “BackGround Switch Disktop Control”, or some derivative thereof (note the misspelling of “Desktop”).

Most Darkshell bots will also install a small driver file, beep.sys, into C:\Windows\System32\drivers.  It is believed that the purpose of this driver is to hook the infected host’s SSDT in order to hide from anti-virus software.  The driver creates a device named “\\.\Re1986SDTDOS” on the system.

Communication Protocol

Upon completion of its installation procedure, the Darkshell bot will phone home to its CnC server by opening a TCP socket and sending a binary block of data exactly 260 bytes in length.  This block of data reports the name of the infected computer (as returned by the Win32 API GetComputerName), the version of Windows and amount of physical memory installed on the host, and the version or ID string of the Darkshell bot.  The format of this data is a rigid structure that can be represented by the following C struct:

// Darkshell bot-to-CnC comms (260 bytes in total; the multi-byte constants in the
// comments are written in the byte order in which they appear on the wire, as in the dump below)
struct darkshell_phone_home {
    // Header:
    DWORD   dwMagic;    // always 0x00000010 for Darkshell
    // Obfuscated section (offsets 0x04 through 0xA7):
    char    szComputerName[64]; // Name of infected host, NULL-terminated/extended
    char    szMemory[32];    // Amount of memory in infected host; format "%dMB"; NULL-terminated/extended
    char    szWindowsVersion[32];   // Specifies version of Windows; one of: Windows98, Windows95,
                                    // WindowsNT, Windows2000, WindowsXP, Windows2003, or Win Vista;
                                    // NULL-terminated/extended
    char    szBotVersion[32];   // Specifies version of bot; NULL-terminated/extended
    char    szUnknown1[4];      // ??? - Always the NULL-terminated string "n" (4 bytes, so that the
                                //       obfuscated section ends at 0xA7 and the total comes to 260)
    // Binary section (offsets 0xA8 through 0x103):
    char    szPadding1[32];  // Filled with 0x00 bytes
    WORD    wUnknown2;  // ??? - We have seen 0x00A0, 0x00B0, and 0x00C0
    WORD    wUnknown3;  // ??? - Always 0xFD7F
    char    szPadding2[20];  // Filled with 0x00 bytes
    WORD    wUnknown4;  // ??? - Always 0xB0FC
    BYTE    cUnknown5;  // ??? - We have seen 0xD6, 0xD7, 0xE6, 0xE7, and 0xF1
    BYTE    cZero;      // Always 0x00
    DWORD   dwSignature[8]; // Always 0x00000000, 0xFFFFFFFF, 0x18EE907C, 0x008E917C,
                            //        0xFFFFFFFF, 0xFA8D917C, 0x25D6907C, 0xCFEA907C
};

Here is a representative example of a Darkshell bot-to-CnC message:

00000000  00 00 00 10 a8 95 9b aa  95 91 de de de de de de ........ ........
00000010  de de de de de de de de  de de de de de de de de ........ ........
00000020  de de de de de de de de  de de de de de de de de ........ ........
00000030  de de de de de de de de  de de de de de de de de ........ ........
00000040  de de de de cc c9 c8 91  9c de de de de de de de ........ ........
00000050  de de de de de de de de  de de de de de de de de ........ ........
00000060  de de de de a7 75 70 7a  6f 87 8b a6 ae de de de .....upz o.......
00000070  de de de de de de de de  de de de de de de de de ........ ........
00000080  de de de de a8 75 8e cc  ce cd ce ce c6 cd de de .....u.. ........
00000090  de de de de de de de de  de de de de de de de de ........ ........
000000A0  de de de de 70 de de de  00 00 00 00 00 00 00 00 ....p... ........
000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000C0  00 00 00 00 00 00 00 00  00 b0 fd 7f 00 00 00 00 ........ ........
000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000E0  b0 fc f1 00 00 00 00 00  ff ff ff ff 18 ee 90 7c ........ .......|
000000F0  00 8e 91 7c ff ff ff ff  fa 8d 91 7c 25 d6 90 7c ...|.... ...|%..|
00000100  cf ea 90 7c                                      ...|

Note that bytes 4 through 168 are encoded using a crude obfuscation scheme that can be reversed using the following snippet of Python code:

def decrypt_darkshell(cipherbytes, start_idx=0x04, stop_idx=0xA8):
    """
    De-obfuscates Darkshell comms encoded using the following method:
      cipherbyte = 0xDE - (plainbyte - ((plainbyte & 0x10) << 1))
    The obfuscation is reversed as follows:
      intermediate = 0xDE - cipherbyte
      plainbyte = intermediate + ((intermediate & 0x10) << 1)
    Only bytes [start_idx, stop_idx) are transformed; the 4-byte header and the
    binary section from offset 0xA8 onward are passed through untouched.
    Operates on bytes/bytearray (Python 3); arithmetic is masked to 8 bits.
    """
    cipherbytes = bytes(cipherbytes)
    if len(cipherbytes) != 260:
        raise RuntimeError("Darkshell bot-to-CnC comms are always 260 bytes")
    plainbytes = bytearray()
    for cipherbyte in cipherbytes[start_idx:stop_idx]:
        intermediate = (0xDE - cipherbyte) & 0xFF
        plainbytes.append((intermediate + ((intermediate & 0x10) << 1)) & 0xFF)
    return cipherbytes[:start_idx] + bytes(plainbytes) + cipherbytes[stop_idx:]

Applying this de-obfuscation process to the above sample comms results in the following:

00000000  00 00 00 10 56 49 43 54  49 4d 00 00 00 00 00 00 ....VICT IM......
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000040  00 00 00 00 32 35 36 4d  42 00 00 00 00 00 00 00 ....256M B.......
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000060  00 00 00 00 57 69 6e 64  6f 77 73 58 50 00 00 00 ....Wind owsXP...
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000080  00 00 00 00 56 69 70 32  30 31 30 30 38 31 00 00 ....Vip2 010081..
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000A0  00 00 00 00 6e 00 00 00  00 00 00 00 00 00 00 00 ....n... ........
000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000C0  00 00 00 00 00 00 00 00  00 b0 fd 7f 00 00 00 00 ........ ........
000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000E0  b0 fc f1 00 00 00 00 00  ff ff ff ff 18 ee 90 7c ........ .......|
000000F0  00 8e 91 7c ff ff ff ff  fa 8d 91 7c 25 d6 90 7c ...|.... ...|%..|
00000100  cf ea 90 7c                                      ...|

Note the version/ID string “Vip2010081” located at byte offset 0x84.  Each Darkshell specimen has one of these strings hard-coded within its executable.  Our conjecture is that this string specifies some form of version identifier for the malcode.  The version strings we have seen to date include:

Vip2010081
VIP100707
Private520

Note that there are several fields within the 260-byte message structure for which we have not yet determined an interpretation.

Upon receipt of the “phone home” message, the CnC will either respond with an idle or “standby” command, which consists of the single byte 0x30 (i.e., the ASCII “0” character) indicating that the bot is to perform no further actions for now, or it will respond with a 260-byte binary structure containing the instructions for a DDoS attack.  If an attack is ordered, the format of the response will be as follows:

// Darkshell CnC attack command (260 bytes; field offsets checked against the dump below)
struct darkshell_attack_cmd {
    DWORD   dwCode;         // 0x00000030 for HTTP flood attack
    DWORD   dwParameter;    // ??? - We have seen 0x0800
    char    szTarget[100];  // URL of target to attack, NULL-terminated/extended (offsets 0x08-0x6B)
    WORD    wPort;          // Port to attack (usually 80); little-endian at offset 0x6C ("50 00" below)
    char    szPadding[150]; // Mostly 0x00 bytes (the sample below carries a 0x04 at offset 0x70)
};

Unlike the phone home message, the attack instructions are not obfuscated in any way.  Here is a representative example (with the real target’s host name changed to www.victim1.com):

00000000  00 00 00 30 08 00 00 00  68 74 74 70 3a 2f 2f 77 ...0.... http://w
00000010  77 77 2e 76 69 63 74 69  6d 31 2e 63 6f 6d 2f 75 ww.victi m1.com/u
00000020  2e 70 68 70 3f 61 63 74  69 6f 6e 3d 73 68 6f 77 .php?act ion=show
00000030  26 75 69 64 3d 36 32 30  31 34 00 00 00 00 00 00 &uid=620 14......
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000060  00 00 00 00 00 00 00 00  00 00 00 00 50 00 00 00 ........ ....P...
00000070  04 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000A0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000B0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000C0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000E0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000000F0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000100  00 00 00 00                                      ....
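
As an added example that is not part of the original post, the following Python 3 code applies the de-obfuscation described above and parses both message types (the bot's phone-home and the CnC's reply) against the two dumps reproduced from this post; the field names, the trailer check and the helper names are my own.

```python
import struct

MSG_LEN = 260
OBF_START, OBF_STOP = 0x04, 0xA8   # obfuscated span [0x04, 0xA8) per the write-up
# Constant trailer (dwSignature[8]) the write-up reports in every phone-home message.
EXPECTED_TRAILER = (0x00000000, 0xFFFFFFFF, 0x18EE907C, 0x008E917C,
                    0xFFFFFFFF, 0xFA8D917C, 0x25D6907C, 0xCFEA907C)

def deobfuscate(msg):
    """Reverse the 0xDE-subtraction scheme over the obfuscated span only."""
    out = bytearray(msg)
    for i in range(OBF_START, OBF_STOP):
        t = (0xDE - msg[i]) & 0xFF
        out[i] = (t + ((t & 0x10) << 1)) & 0xFF
    return bytes(out)

def cstr(buf):
    """Decode a NULL-terminated/extended fixed-width field to text."""
    return buf.split(b"\x00", 1)[0].decode("latin-1")

def parse_phone_home(msg):
    """Parse a 260-byte bot-to-CnC message into named fields (my field names)."""
    if len(msg) != MSG_LEN:
        raise ValueError("Darkshell phone-home messages are exactly 260 bytes")
    if msg[:4] != b"\x00\x00\x00\x10":
        raise ValueError("bad magic: " + msg[:4].hex())
    plain = deobfuscate(msg)
    # Field widths follow the struct in the write-up: 64/32/32/32/4 bytes from offset 4.
    name, mem, winver, botver, unk1 = struct.unpack_from("<64s32s32s32s4s", plain, 4)
    # The write-up quotes its WORD/DWORD constants in wire byte order, so read big-endian.
    unk2, unk3 = struct.unpack_from(">HH", plain, 0xC8)
    trailer = struct.unpack_from(">8I", plain, 0xE4)
    return {
        "computer_name": cstr(name),
        "memory": cstr(mem),
        "windows_version": cstr(winver),
        "bot_version": cstr(botver),
        "unknown1": cstr(unk1),
        "unknown2": unk2,
        "unknown3": unk3,
        "trailer_ok": trailer == EXPECTED_TRAILER,
    }

def parse_cnc_reply(reply):
    """Classify a CnC reply: a lone 0x30 byte is 'standby', 260 bytes is an attack order."""
    if reply == b"\x30":
        return {"command": "standby"}
    if len(reply) != MSG_LEN:
        raise ValueError("unexpected CnC reply length %d" % len(reply))
    code = struct.unpack_from(">I", reply, 0)[0]
    if code != 0x30:
        raise ValueError("unknown command code 0x%08x" % code)
    target = cstr(reply[8:0x6C])                     # szTarget: 100 bytes at 0x08
    port = struct.unpack_from("<H", reply, 0x6C)[0]  # wPort: "50 00" in the dump = 80
    return {"command": "http_flood", "target": target, "port": port}

# Constructed test vectors rebuilt from the two dumps in the write-up
# (0xDE is the obfuscated form of 0x00, hence the long runs).
PHONE_HOME = bytes.fromhex(
    "00000010"                                   # dwMagic
    + "a8959baa9591" + "de" * 58                 # "VICTIM" followed by NULs
    + "ccc9c8919c" + "de" * 27                   # "256MB"
    + "a775707a6f878ba6ae" + "de" * 23           # "WindowsXP"
    + "a8758ecccecdcecec6cd" + "de" * 22         # "Vip2010081"
    + "70" + "de" * 3                            # "n"
    + "00" * 32 + "00b0fd7f" + "00" * 20 + "b0fcf100"
    + "00000000ffffffff18ee907c008e917cfffffffffa8d917c25d6907ccfea907c"
)
TARGET_URL = b"http://www.victim1.com/u.php?action=show&uid=62014"
ATTACK_CMD = (bytes.fromhex("0000003008000000") + TARGET_URL.ljust(100, b"\x00")
              + bytes.fromhex("5000000004000000")).ljust(MSG_LEN, b"\x00")

if __name__ == "__main__":
    print(parse_phone_home(PHONE_HOME))
    print(parse_cnc_reply(b"\x30"), parse_cnc_reply(ATTACK_CMD))
```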

Attack Traffic

Upon receipt of such an attack command, the Darkshell bot will begin flooding the victim with large numbers of HTTP GET requests.  Each bot simultaneously opens a large number (e.g., 15-25) of TCP connections to the specified target URL, with the connections initiated from sequentially increasing source ports; each such connection repeatedly issues the same identical GET request, regardless of the response (if any) from the victim.  These requests have the following format:

GET /u.php?action=show&uid=62014 HTTP/1.1
Host: www.victim1.com
Cache-Control: no-store, must-revalidate
Referer: http://www.victim1.com
Connection: Close

The Host and Referer header fields will be customized based upon the specified target, but the rest of the HTTP header will be fixed as above.
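
Added example, not from the original post: a small Python 3 matcher that flags requests carrying exactly the fixed header block above and counts, per source address, how many connections repeated it, which is how a sensor would pick out one bot's 15-25 parallel connections; the constructed sample traffic, the threshold and the function names are my assumptions.

```python
from collections import Counter

# Constants taken from the request format quoted above; the detection logic is my own.
FIXED_HEADER_ORDER = ["Host", "Cache-Control", "Referer", "Connection"]
FIXED_CACHE_CONTROL = "no-store, must-revalidate"
FIXED_CONNECTION = "Close"

def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, [(name, value), ...]).
    Returns None when the request line or any header line is malformed."""
    text = raw.decode("latin-1") if isinstance(raw, bytes) else raw
    lines = text.replace("\r\n", "\n").rstrip("\n").split("\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        return None
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return request_line[0], request_line[1], request_line[2], headers

def matches_darkshell(raw):
    """True when a request carries exactly the fixed Darkshell header block:
    GET ... HTTP/1.1 with Host, Cache-Control, Referer, Connection in that order,
    the fixed Cache-Control/Connection values, and Referer == "http://" + Host."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, _path, version, headers = parsed
    if method != "GET" or version != "HTTP/1.1":
        return False
    if [name for name, _ in headers] != FIXED_HEADER_ORDER:
        return False
    h = dict(headers)
    return (h["Cache-Control"] == FIXED_CACHE_CONTROL
            and h["Connection"] == FIXED_CONNECTION
            and h["Referer"] == "http://" + h["Host"])

def flood_sources(flows, threshold):
    """flows: iterable of (src_ip, src_port, raw_request) tuples, one per connection.
    Returns {src_ip: count} for sources that sent the Darkshell-shaped request
    at least `threshold` times (the write-up reports 15-25 connections per bot)."""
    counts = Counter(src for src, _port, raw in flows if matches_darkshell(raw))
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample traffic: the request quoted above, plus a benign browser GET.
DARKSHELL_REQ = (
    "GET /u.php?action=show&uid=62014 HTTP/1.1\r\n"
    "Host: www.victim1.com\r\n"
    "Cache-Control: no-store, must-revalidate\r\n"
    "Referer: http://www.victim1.com\r\n"
    "Connection: Close\r\n\r\n"
)
BROWSER_REQ = (
    "GET /u.php?action=show&uid=62014 HTTP/1.1\r\n"
    "Host: www.victim1.com\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "Accept: text/html\r\n"
    "Connection: keep-alive\r\n\r\n"
)
# One infected host opening 20 connections from sequential source ports (constructed).
SAMPLE_FLOWS = [("10.0.0.5", 1025 + i, DARKSHELL_REQ) for i in range(20)]
SAMPLE_FLOWS.append(("192.0.2.10", 40000, BROWSER_REQ))
```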

Control Servers

To date, we have identified at least 30 unique host names and 34 unique IP addresses that have been used as Darkshell CnCs.  32 of these CnC IP addresses have resided in Chinese IP space:


The Darkshell bots have the identity of their CnC hard-coded within their executable (in plain, non-obfuscated text); as is common, these CnCs are identified by host name rather than raw IP address.  The majority of Darkshell CnC host names are associated with the 3322.org domain, a large Chinese provider of dynamic DNS services, including:


On occasion, Darkshell CnCs may be found on non-3322.org host names, such as the following:


We have observed Darkshell CnCs operating on a wide variety of ports (usually non-standard ones), including:

80 603 888
1111 1234 1986
2345 2991
3266
4520 4567
5288 5516
7000 7080 7433
8000 8001 8012 8080 8181
9000

Victims

We have been tracking various Darkshell-based botnets for approximately three months using our usual technique of periodically connecting to known Darkshell CnCs and sending 260-byte messages that imitate particular Darkshell specimens that have been captured and analyzed.  During this period of time, we have observed Darkshell botnets issue DDoS attack commands against approximately 97 unique victims in China (65), the United States (23), Hong Kong (4), South Korea (3), Netherlands (1), and Sweden (1).  The victims have been distributed across networks and hosting providers as follows:


The recent victims have included online merchants of baby products, jewelry, and cosmetics, as well as a social networking site and numerous video game-related sites.

However, the most common targets of Darkshell attacks over the past three months have been the websites of relatively small manufacturers of industrial food processing equipment and machinery.  We have logged attacks against at least 16 such victims emanating from the Darkshell botnets, comprising approximately 40% of the victims that we sampled.  One can only speculate on the reasons for this aggressive focus on such a relatively tiny niche within the online landscape.  Several such attacks have been sustained for over 60 hours at a time, and most of these equipment vendors have suffered multiple repeat attacks during this interval of time.

One common pattern of Darkshell behavior is to attack three or four different URLs associated with a particular food processing equipment vendor; these multiple URLs are typically associated with pages displaying specific products.

We have also observed instances in which multiple Darkshell botnets engaged in coordinated attacks against a single victim (again, a vendor of industrial food processing equipment).

A/V Detections

Overall, anti-virus detection of Darkshell bots is reasonably good at this point.  Detection rates for the specimens we have analyzed are typically in the 65%-85% range, although we have analyzed several samples for which the detection rate was 0%.  Here are some representative detections:

Kaspersky       Backdoor.Win32.DarkShell.fu
Microsoft       Backdoor:Win32/Httpbot.A
CAT-QuickHeal   Backdoor.DarkShell.fu
Antiy-AVL       Backdoor/Win32.DarkShell.gen
ViRobot         Backdoor.Win32.DarkShell.79360
nProtect        Backdoor/W32.DarkShell.79360.B
JiangMin        Backdoor/NetBot.qg
Symantec        Spyware.Ardakey
TrendMicro      BKDR_BVOK.SM

Summary

At first glance we expected Darkshell to be another mundane entry in the seemingly never-ending rogues’ gallery of DDoS-focused botnets; in other words, not terribly advanced in terms of cutting-edge technology, but unfortunately quite active and effective at shutting down victims nevertheless.  However, we were surprised when we discovered that its operators have such a propensity for attacking one particular commercial market segment.  Until we’ve gathered more information, we can only speculate upon the motivations of the criminals operating and/or using the Darkshell botnets, and the nature of the axe they apparently have to grind against certain suppliers of industrial food-processing equipment.

We will, however, definitely be keeping a close eye on this particular family going forward.

Comments

  1. There really should be more powers and willingness from the countries where these bots are hosted to shut them down

  2. Nice writeup with the right kind of detail. I state that because I use articles on malware, especially online malware (rather than local virus types), that have a great amount of detail about C&C servers etc. in them to populate a custom HOSTS file here, because by blocking off known bad sites or servers (hosts/domain names) they cannot infest my system from those hosts/domain names, & I do so as an added layer of security. This article was definitely helpful in that capacity because of the amount of detail you covered. Fact is, I wish all security-oriented posts online about malware in general contained this type of information. Again, in closing, truly a superior job on the article writer’s part!

    APK

  3. Vytautas Butrimas 03/04/2011, 2:52 am

    Good article. Not hard to imagine this botnet being directed at other sectors (for example, defense, telecommunications). Pretty scary. Thanks again.

  4. Hi, this is a neat article I stumbled upon right after I found the source code to this Darkshell trojan on some Chinese website. Email me at king_seyan at hotmail.com with any updates.

  5. It is very good to have such an article on a DDoS tool. I wonder what could be the maximum number of clients (zombie clients) for such a tool which has a raw persistent TCP connection as its command and control channel. It is apparent why attackers have moved from the raw TCP connection to IRC, not only because of convenience but also the efficiency in controlling a number of clients.
    Thanks in advance