JKDDOS: DDoS bot with an interest in the mining industry?

By: jedwards

Today we document JKDDOS, the moniker we have been using for yet another malware family that specializes in DDoS attacks.  Looking back through our malware zoo, we observed our first JKDDOS sample as early as September 2009.  Since then, we have analyzed almost 50 unique JKDDOS samples, the most recent of which we acquired in December 2010.  Based on its recent history of attacks, the operators of this family appear to have an axe to grind against several relatively large international holding companies that have connections to the mining industry.

Malcode Properties

The JKDDOS malware is distributed in the form of a relatively small executable that tends to vary widely in size across different samples; we have seen specimens as small as 17,408 bytes and as large as 240,997 bytes.  The most common size for a JKDDOS sample is approximately 33.5 KB; recently, the JKDDOS samples we have analyzed have usually been packed whereas earlier samples were not.

Example MD5 hashes for the JKDDOS samples we have analyzed to date are as follows:

7707d5ac1860aebf2bed9c9c99abb5da
b3986acec2a3a61d6174f4fe575c45c6
040a56655edb6fee5a4fdb3aacdddde1
49371b0c05ed3289d8515890f2807a7f
4ba6fdaa03a8c170579bed5053b31862
fc039ac8f5ff296a6c63acaab4749465
0b0358bb8a3b703327efb6d09eea8244
f74e8e3d5761b565c70305feb5a62990
eefb3e68f40e0bd7209e7ccc384261b0
d41e4d17cfc229dae27d32c49f9266b6
3830081c2967c915aae5a7451beff1db
3e4c8061f3593643fd5d534be59cf55b
571270581cfff358acfaa72c742514a1
4eef5008ed2c4882555e88179352f9c1
22eedad84ab8c8adb9b51459fd9bc0ca
e6cf74fc1577baf4e82effb99f6e947e
ff7b49da99b6bce035dc8215aaa7b164
48b905cfafd0ffb986ac76427aa75e31
e6ce394faa4c44cadc29d11a71efc4f6
6cf3febdf9c184e74cbfb3dc367d5823
d17d244c8495373d383e68031f0dd900

Most of the JKDDOS samples we have observed were originally distributed from Chinese IP space, although at least one was being hosted in the United States; here are some representative sample URLs (defanged) that have recently hosted JKDDOS executables:

hxxp://116.236.136.108:8080/500.exe         
hxxp://aee11.cn/down/ddos.exe               
hxxp://8.dnfcity.org:889/xz/desyms.exe
hxxp://x9.lajiliang.info:88/1691.exe        
hxxp://1831.3322.org:111/wm.exe             
hxxp://8.5295sf.cn/cl.exe
hxxp://avzhan.3322.org:81/b.exe

At the time of writing, none of the above URLs are still serving JKDDOS malware, although we are aware of at least one JKDDOS distribution URL that is still live.

Note that the avzhan.3322.org distribution server is quite similar to two host names used as distribution servers for the Avzhan DDoS family: avzhan1.3322.org and avzhan2.3322.org.

Here is a representative sampling of net blocks that have distributed JKDDOS malware:

IP Address         Port  CC   ASN   NetName
116.236.136.108    8080  CN   4812  CHINANET SHANGHAI PROVINCE NETWORK
61.147.120.135       81  CN   4134  CHINANET JIANGSU PROVINCE NETWORK
61.147.72.58        111  CN   4134  CHINANET JIANGSU PROVINCE NETWORK

Installation

Once launched, a JKDDOS bot performs a fairly standard installation process.  It copies itself into the C:\Windows\System32 directory.  In an attempt to be stealthy, it will sometimes name the installed copy of itself so as to appear to be a legitimate system file; the installation names we have observed include:

cyindun.exe
ifzai.exe
iozaq.exe
otalulsxs.exe
panp.exe
qrhqi.exe
scvhosts.exe
slsno.exe
smssv.exe
svchsot.exe
szace.exe
ubadabi.exe
wsmiuqsxf.exe

JKDDOS will then register itself to run as a service that is automatically started upon reboot.  Most commonly, the name of this fake service is derived from the name under which the JKDDOS bot installs itself; however, this is not always the case.  Service names we have observed include the following:

KKCC
VMservices
cyindun
ewdew
ifzai
iozaq
otalulsxs
panp
scvhosts
slsno
smssv.exe
szace
wsfsdfa60
wsmiuqsxf

The display name of the installed service will usually be identical to the name of the service, although some JKDDOS samples have configured the service with a different display name, such as the following:

bbs.jksing.com
The Net Share
wyeesfd60 mseir

The JKDDOS bot will also insert a Registry entry, with value “Beizhu” holding data “JK”, under the following key:

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\Set

Communication Protocol

Upon completion of its installation procedure, the JKDDOS bot will phone home to its CnC server by opening a TCP socket and sending a binary block of data exactly 497 bytes in length.  This block of data reports information about the infected host, including the version of Windows, the measured clock speed of the CPU, the model of CPU, the name of the infected computer (as returned by the Win32 API GetComputerName), and the amount of physical memory installed on the host.

The format of this data is a rigid structure that contains specific fields at certain byte offsets as follows:

Offset    Size    Contents
0         4       Always the bytes 10 00 00 00 (the DWORD 0x00000010 read little-endian)
4         16      OS Version; one of "Windows XP", "Windows 2000", or "Windows 2003"
34        10      Measured CPU speed in format: "%dMhz" (lower-case "hz", as in the capture below)
64        8       MBs of physical RAM in format: "%d(M)"
94        10      Name of infected host from GetComputerName()
208       66      CPU model name
394       2       The string "JK"

These values are transmitted in plain, non-obfuscated form and, with the exception of the initial 4-byte “header” value, are all NULL-terminated ASCII strings.  Note that the bytes between the fields are not zeroed: in the capture below they hold what appear to be leftover stack contents (pointer-sized values such as 88 f7 8f 00), so a network signature should key on the fixed header, the fixed field offsets and the trailing "JK" rather than on the whole 497-byte block.  Here is a representative example of a JKDDOS bot-to-CnC message:

00000000  10 00 00 00 57 69 6e 64  6f 77 73 20 58 50 00 00 ....Wind ows XP..
00000010  00 00 00 00 88 f7 8f 00  a8 72 02 20 04 00 00 00 ........ .r. ....
00000020  00 00 33 33 38 36 4d 68  7a 00 00 00 04 00 00 00 ..3386Mh z.......
00000030  b0 f7 8f 00 42 78 02 20  00 00 70 00 70 a4 04 20 ....Bx.  ..p.p..
00000040  32 35 36 28 4d 29 00 00  74 35 00 00 98 7b 6b 00 256(M).. t5...{k.
00000050  dc f7 8f 00 e1 29 00 20  09 2a 00 20 30 a4 56 49 .....).  .*. 0.VI
00000060  43 54 49 4d 00 00 00 00  48 32 00 00 5f 9b 80 7c CTIM.... H2.._..|
00000070  c4 7e 6b 00 c4 7e 6b 00  98 7b 6b 00 00 00 00 00 .~k..~k. .{k.....
00000080  9c 7b 6b 00 00 f8 8f 00  6e 2d 00 20 96 31 00 20 .{k..... n-. .1.
00000090  c0 14 40 00 00 00 00 00  85 33 00 20 d9 4b 02 20 ..@..... .3. .K.
000000A0  28 f8 8f 01 9c 7b 6b 00  28 f8 8f 00 fd 61 04 20 (....{k. (....a.
000000B0  94 0e 60 00 05 62 04 20  c0 14 40 00 ff ff ff ff ..`..b.  ..@.....
000000C0  00 00 20 20 20 20 20 20  20 20 20 20 20 20 20 20 ..               
000000D0  20 20 20 20 49 6e 74 65  6c 28 52 29 20 58 65 6f     Inte l(R) Xeo
000000E0  6e 28 54 4d 29 20 43 50  55 20 33 2e 30 36 47 48 n(TM) CP U 3.06GH
000000F0  7a 00 6d 00 80 f8 8f 00  e1 29 00 20 09 2a 00 20 z.m..... .). .*.
00000100  30 a4 04 20 11 2a 00 20  18 00 00 00 84 f8 8f 00 0.. .*.  ........
00000110  9d ad 02 20 00 00 00 00  c8 46 6d 00 b0 46 6d 00 ... .... .Fm..Fm.
00000120  00 00 00 00 b4 46 6d 00  b8 f8 8f 00 6e 2d 00 20 .....Fm. ....n-.
00000130  c9 3e 00 20 a4 f8 8f 00  52 96 02 20 5a 96 02 20 .>. .... R.. Z..
00000140  00 00 00 00 ff ff ff ff  00 00 00 00 00 00 00 00 ........ ........
00000150  9c 7b 6b 00 32 37 00 01  00 00 40 00 c0 14 40 00 .{k.27.. ..@...@.
00000160  20 f9 8f 00 db 96 02 20  00 00 00 00 00 00 00 00  ......  ........
00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
00000180  5f 06 00 00 00 00 00 00  3d 93 4a 4b 00 00 00 00 _....... =.JK....
00000190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000001A0  80 05 00 00 01 bb 02 20  07 bb 02 20 00 00 00 00 .......  ... ....
000001B0  dc ff 8f 00 f3 96 02 20  fb 96 02 20 0a 00 00 01 .......  ... ....
000001C0  00 00 40 00 70 f9 8f 00  70 f9 8f 00 42 bb 02 20 ..@.p... p...B..
000001D0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ........ ........
000001E0  00 00 00 00 06 5f 00 00  00 00 00 00 3d 93 78 87 ....._.. ....=.x.
000001F0  20
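As an added example (not code from the original post), the following Python parses the 497-byte phone-home message using the offsets from the layout table above, and builds a well-formed one, which is the same kind of message a CnC tracker sends when imitating a captured specimen (see Victims below).  The sample bytes are the capture shown above; the field names, the `is_jkddos_beacon` check and the decision to zero-fill unused bytes are this example's own choices.

```python
# Added example: parse/build the fixed-layout 497-byte JKDDOS beacon.
# Offsets and sizes come from the post's table; names are ours.

BEACON_LEN = 497
HEADER = b"\x10\x00\x00\x00"   # bytes 10 00 00 00 at offset 0
TAG_OFFSET = 394               # "JK" marker

# (offset, size, name): NUL-terminated ASCII strings at fixed offsets
FIELDS = [
    (4,   16, "os_version"),
    (34,  10, "cpu_speed"),
    (64,   8, "ram"),
    (94,  10, "hostname"),
    (208, 66, "cpu_model"),
    (394,  2, "tag"),
]

# The bot-to-CnC message captured in the post (hex only, offsets dropped).
SAMPLE_BEACON = bytes.fromhex("""
10 00 00 00 57 69 6e 64 6f 77 73 20 58 50 00 00
00 00 00 00 88 f7 8f 00 a8 72 02 20 04 00 00 00
00 00 33 33 38 36 4d 68 7a 00 00 00 04 00 00 00
b0 f7 8f 00 42 78 02 20 00 00 70 00 70 a4 04 20
32 35 36 28 4d 29 00 00 74 35 00 00 98 7b 6b 00
dc f7 8f 00 e1 29 00 20 09 2a 00 20 30 a4 56 49
43 54 49 4d 00 00 00 00 48 32 00 00 5f 9b 80 7c
c4 7e 6b 00 c4 7e 6b 00 98 7b 6b 00 00 00 00 00
9c 7b 6b 00 00 f8 8f 00 6e 2d 00 20 96 31 00 20
c0 14 40 00 00 00 00 00 85 33 00 20 d9 4b 02 20
28 f8 8f 01 9c 7b 6b 00 28 f8 8f 00 fd 61 04 20
94 0e 60 00 05 62 04 20 c0 14 40 00 ff ff ff ff
00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20
20 20 20 20 49 6e 74 65 6c 28 52 29 20 58 65 6f
6e 28 54 4d 29 20 43 50 55 20 33 2e 30 36 47 48
7a 00 6d 00 80 f8 8f 00 e1 29 00 20 09 2a 00 20
30 a4 04 20 11 2a 00 20 18 00 00 00 84 f8 8f 00
9d ad 02 20 00 00 00 00 c8 46 6d 00 b0 46 6d 00
00 00 00 00 b4 46 6d 00 b8 f8 8f 00 6e 2d 00 20
c9 3e 00 20 a4 f8 8f 00 52 96 02 20 5a 96 02 20
00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00
9c 7b 6b 00 32 37 00 01 00 00 40 00 c0 14 40 00
20 f9 8f 00 db 96 02 20 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
5f 06 00 00 00 00 00 00 3d 93 4a 4b 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
80 05 00 00 01 bb 02 20 07 bb 02 20 00 00 00 00
dc ff 8f 00 f3 96 02 20 fb 96 02 20 0a 00 00 01
00 00 40 00 70 f9 8f 00 70 f9 8f 00 42 bb 02 20
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 06 5f 00 00 00 00 00 00 3d 93 78 87
20
""")


def _cstring(buf, off, size):
    """NUL-terminated ASCII string stored in buf[off:off+size], whitespace stripped."""
    chunk = buf[off:off + size]
    end = chunk.find(b"\x00")
    if end != -1:
        chunk = chunk[:end]
    return chunk.decode("ascii", errors="replace").strip()


def is_jkddos_beacon(buf):
    """Cheap wire check: exact length, fixed header, 'JK' tag, 'Windows' OS string.
    Deliberately ignores the bytes between fields (uninitialized in the capture)."""
    return (len(buf) == BEACON_LEN
            and bytes(buf[:4]) == HEADER
            and bytes(buf[TAG_OFFSET:TAG_OFFSET + 2]) == b"JK"
            and bytes(buf[4:11]) == b"Windows")


def parse_beacon(buf):
    """Extract the host-fingerprint fields from a beacon, or raise ValueError."""
    if not is_jkddos_beacon(buf):
        raise ValueError("not a JKDDOS phone-home message")
    return {name: _cstring(buf, off, size) for off, size, name in FIELDS}


def build_beacon(os_version, cpu_mhz, ram_mb, hostname, cpu_model):
    """Construct a well-formed beacon (e.g. for a CnC tracker).  Unused bytes
    are zero-filled here, unlike the real bot, which leaks stack contents."""
    values = {
        "os_version": os_version,
        "cpu_speed": "%dMhz" % cpu_mhz,
        "ram": "%d(M)" % ram_mb,
        "hostname": hostname,
        "cpu_model": cpu_model,
        "tag": "JK",
    }
    buf = bytearray(BEACON_LEN)
    buf[0:4] = HEADER
    for off, size, name in FIELDS:
        raw = values[name].encode("ascii")
        if len(raw) > size:
            raise ValueError("%s does not fit its %d-byte field" % (name, size))
        buf[off:off + len(raw)] = raw
    return bytes(buf)
```

Running `parse_beacon(SAMPLE_BEACON)` on the capture yields hostname "VICTIM", CPU speed "3386Mhz", RAM "256(M)" and the Xeon model string; `build_beacon` produces a message that passes the same check, which is what lets a tracker replay a specimen's fingerprint without running the malware.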

Upon receipt of the “phone home” message, the CnC will respond with a 1384-byte structured response that contains instructions for attacks or other operations.  These instructions are represented as a concatenated string of one or more command codes starting at byte offset 0x08 in the CnC response.

The command codes supported by JKDDOS include the following:

RMH: Uninstall the bot by deleting the Windows Service under which the malware was installed.

DDDON: Download and execute a specified URL.

OOOPN: Execute a particular program or command via the ShellExecute() API call.

CCCOS: Shutdown and power off the infected host.

RRRST: Reboot the infected host.

UDB, UDX, UDH, ZDU: Perform various types of UDP flooding attacks.

MNI: Perform an HTTP flood attack using the WinInet library.

CLC: Perform an HTTP flood attack using lower-level WinSock2 API calls (e.g., socket(), connect(), etc.)

SNH, TFN: Perform two types of SYN flooding attacks using spoofed source IP addresses.

TCC, ISC: Perform two types of TCP connection exhaustion attacks.

TCH, SFG, ZDT: Perform various types of TCP flooding attacks.

IPH, IPR, IPQ: Perform various types of ICMP flooding attacks.

STPP: Stop all DDoS attacks currently in progress.
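As an added example (not from the original post), the following Python decodes the command string at offset 0x08 of a 1384-byte CnC response and splits it into the individual codes listed above, handling concatenated codes such as the "IPHUDH" combined attack mentioned under Example Attack Traffic.  The post does not document the first 8 bytes of the response or where the URL/command arguments for DDDON and OOOPN are carried, so this example assumes the codes form one NUL-terminated ASCII string and hands back anything it cannot match as an opaque trailer; `make_response` only constructs test input.

```python
# Added example: tokenize the JKDDOS CnC command string.
# Code list and descriptions are from the post; layout assumptions are ours.

RESPONSE_LEN = 1384
CMD_OFFSET = 0x08

COMMANDS = {
    "RMH":   "uninstall (delete the service)",
    "DDDON": "download and execute URL",
    "OOOPN": "run program/command via ShellExecute()",
    "CCCOS": "shut down host",
    "RRRST": "reboot host",
    "UDB": "UDP flood", "UDX": "UDP flood", "UDH": "UDP flood", "ZDU": "UDP flood",
    "MNI": "HTTP flood (WinInet)",
    "CLC": "HTTP flood (WinSock2)",
    "SNH": "SYN flood, spoofed source", "TFN": "SYN flood, spoofed source",
    "TCC": "TCP connection exhaustion", "ISC": "TCP connection exhaustion",
    "TCH": "TCP flood", "SFG": "TCP flood", "ZDT": "TCP flood",
    "IPH": "ICMP flood", "IPR": "ICMP flood", "IPQ": "ICMP flood",
    "STPP": "stop all attacks",
}
# Longest codes first so a 4/5-letter code is never mis-split into shorter ones.
_BY_LENGTH = sorted(COMMANDS, key=len, reverse=True)


def tokenize_commands(s):
    """Greedily split a concatenated code string ("IPHUDH" -> ["IPH", "UDH"]).
    Returns (codes, unparsed_trailer); the trailer is non-empty when the
    string contains bytes that are not a known code (assumed to be arguments)."""
    codes, i = [], 0
    while i < len(s):
        for code in _BY_LENGTH:
            if s.startswith(code, i):
                codes.append(code)
                i += len(code)
                break
        else:
            return codes, s[i:]
    return codes, ""


def parse_response(buf):
    """Extract and tokenize the command string from a full CnC response."""
    if len(buf) != RESPONSE_LEN:
        raise ValueError("expected %d-byte response, got %d" % (RESPONSE_LEN, len(buf)))
    raw = bytes(buf[CMD_OFFSET:])
    end = raw.find(b"\x00")
    if end != -1:
        raw = raw[:end]
    return tokenize_commands(raw.decode("ascii", errors="replace"))


def describe(codes):
    """Human-readable view of a decoded command list."""
    return [(c, COMMANDS[c]) for c in codes]


def make_response(cmd_string):
    """Constructed test input: zero-filled 1384-byte block with the command
    string at offset 8 (the real content of the first 8 bytes is undocumented)."""
    buf = bytearray(RESPONSE_LEN)
    raw = cmd_string.encode("ascii")
    buf[CMD_OFFSET:CMD_OFFSET + len(raw)] = raw
    return bytes(buf)
```

For a sandbox or emulated CnC session, `parse_response` gives the tasking a bot would act on; the trailer lets an analyst see at a glance when a DDDON/OOOPN instruction carried data that the simple code table did not account for.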

Example Attack Traffic

As described above, the JKDDOS attack engine contains support for 16 different varieties of DDoS attacks.  Here are more detailed descriptions of two of the supported attacks:

IPH Attack: The JKDDOS bot will flood the target with large numbers of ICMP echo request packets.  Each ICMP payload will contain 31 bytes of data, which consists of four random bytes (different for each packet) followed by 27 bytes with a fixed value (the same for all packets).  The ICMP checksums for these packets are correct, unlike the ICMP flood packets generated by other Chinese DDoS agents such as YoyoDDoS.  In our observations of actual attacks, JKDDOS malware sends this ICMP traffic at rates of between approximately 230 and 435 packets per second.

UDH Attack: The JKDDOS bot will flood the target with large numbers of UDP datagrams.  Each UDP datagram will contain a data payload exactly 1035 bytes in size, with each byte holding an identical value that remains constant across all packets.  In the case of a combined ICMP and UDP flood (e.g., attack code “IPHUDH”), this byte value will be the same for both the UDP and ICMP data payloads.  In our observations of actual attacks, JKDDOS malware sends this UDP traffic at rates between approximately 200 and 540 packets per second.
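As an added example (not from the original post), the following Python turns the two payload descriptions above into detection logic that can be run over the ICMP and UDP payloads captured toward one target, and includes generators that produce traffic of the same shape as constructed test input.  Header decoding and flow grouping are assumed to have been done already; the packet-count threshold and the use of a single repeated byte for the 27-byte ICMP tail (consistent with the post's remark that the same byte value is shared with the UDP payload in an "IPHUDH" attack) are this example's assumptions.

```python
# Added example: classify captured payloads against the IPH/UDH shapes.
import random

IPH_PAYLOAD_LEN = 31      # 4 random bytes + 27 fixed bytes per ICMP echo request
IPH_RANDOM_PREFIX = 4
UDH_PAYLOAD_LEN = 1035    # every byte holds the same value


def iph_payloads(n, fill_byte, seed=0):
    """Constructed ICMP payloads shaped like an IPH flood (random prefix, fixed tail)."""
    rng = random.Random(seed)
    tail = bytes([fill_byte]) * (IPH_PAYLOAD_LEN - IPH_RANDOM_PREFIX)
    return [bytes(rng.getrandbits(8) for _ in range(IPH_RANDOM_PREFIX)) + tail
            for _ in range(n)]


def udh_payloads(n, fill_byte):
    """Constructed UDP payloads shaped like a UDH flood."""
    return [bytes([fill_byte]) * UDH_PAYLOAD_LEN for _ in range(n)]


def is_udh_payload(p):
    """A single UDP datagram matches UDH when it is 1035 identical bytes."""
    return len(p) == UDH_PAYLOAD_LEN and len(set(p)) == 1


def looks_like_iph_flood(payloads, min_packets=10):
    """A burst of ICMP echo payloads matches IPH when every payload is 31 bytes,
    the 27-byte tails are identical across packets and the 4-byte heads vary.
    A single packet cannot be classified; the burst size is a tunable guess."""
    if len(payloads) < min_packets:
        return False
    if any(len(p) != IPH_PAYLOAD_LEN for p in payloads):
        return False
    tails = {bytes(p[IPH_RANDOM_PREFIX:]) for p in payloads}
    heads = {bytes(p[:IPH_RANDOM_PREFIX]) for p in payloads}
    return len(tails) == 1 and len(heads) > 1


def packet_rate(timestamps):
    """Packets per second over a burst (the post reports roughly 230-435 pps
    for IPH and 200-540 pps for UDH from a single bot)."""
    if len(timestamps) < 2:
        return 0.0
    span = timestamps[-1] - timestamps[0]
    return (len(timestamps) - 1) / span if span > 0 else float("inf")


def classify(icmp_payloads, udp_payloads):
    """Return (set of matching JKDDOS attack codes, same_fill), where same_fill is
    True when the ICMP tail and UDP fill byte agree, the IPHUDH combined case."""
    codes, fill = set(), {}
    if looks_like_iph_flood(icmp_payloads):
        codes.add("IPH")
        tail = bytes(icmp_payloads[0][IPH_RANDOM_PREFIX:])
        if len(set(tail)) == 1:
            fill["IPH"] = tail[0]
    if udp_payloads and all(is_udh_payload(p) for p in udp_payloads):
        codes.add("UDH")
        fill["UDH"] = udp_payloads[0][0]
    same_fill = len(fill) == 2 and fill["IPH"] == fill["UDH"]
    return codes, same_fill
```

Because the ICMP checksums are valid, a checksum-based filter will not separate IPH traffic from legitimate pings; the payload shape and the per-bot rate are the usable signals.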

Control Servers

To date, we have identified at least 19 unique JKDDOS CnC endpoints (IP:port pairs, covering 18 distinct IP addresses).  All but one of these CnC IP addresses reside in Chinese IP space:

CnC IP Address     Port  CC   ASN   NetName
117.41.166.209     1868  CN   4134  CHINANET JIANGXI PROVINCE NETWORK
121.12.126.79      1986  CN   4134  SHENZHENSHILUOHUQUHEPINGLUYIFENGGUANGCHANGCZUO32H
121.12.170.88      1695  CN   4134  SHENZHENSHILUOHUQUHEPINGLUYIFENGGUANGCHANGCZUO32H
121.14.154.41      3335  CN   4134  DONGGUANSHIWEIYIWANGLUOKEJIYOUX
122.224.34.156     1691  CN   4134  NINBO LANZHONG NETWORK LTD
122.226.223.138    1234  CN   4134  YIWU TELECOM IDC ROOM
124.237.77.210     1631  CN   4134  THE YANDA ZHENGYANG ELECTRON LTD. OF QINHUANGDAO
125.208.2.45       1130  CN  24416  BEIJING PRIMEZONE TECHNOLOGIES INC
125.65.112.191     1691  CN   4134  SC-MY-SJDF-LTD
125.67.64.201      1691  CN   4134  CHINANET SICHUAN PROVINCE NETWORK
211.157.109.77     3344  CN  18245  CECT-CHINACOMM COMMUNICATIONS CO. LTD
222.189.237.22     1633  CN   4134  CHINANET JIANGSU PROVINCE NETWORK
222.189.239.85     1691  CN   4134  CHINANET JIANGSU PROVINCE NETWORK
60.190.176.84      1980  CN   4134  ZHOUSHAN DIANXIN ZENGZHIBU
61.147.120.135     1631  CN   4134  CHINANET JIANGSU PROVINCE NETWORK
61.155.142.88      1670  CN   4134  CHINANET JIANGSU PROVINCE NETWORK
61.155.142.88      1671  CN   4134  CHINANET JIANGSU PROVINCE NETWORK
61.164.108.30      1234  CN   4134  RUIAN TELECOM
66.186.34.146      1690  US  35908  VPLS INC. D/B/A KRYPT TECHNOLOGIES

JKDDOS bots have the identity of their CnC hard-coded within their executable in obfuscated form; as is common, these CnCs are usually identified by host name rather than by raw IP address (one sample carried the bare address 125.67.64.201).  The majority of JKDDOS CnC host names reside within the 3322.org and 2288.org domains, large Chinese providers of dynamic DNS services:

12345.23u.info
125.67.64.201
1986.zljtl8.com
604121.3322.org
79wg.net
8895.3322.org
crkzt.3322.org
d1xs.wd54.com
dadaxiaoshuai.3322.org
dao521.2288.org
ddos.ni37.cn
jkqq.3322.org
jsz12365.3322.org
list.xiaoyaolong.com
only2010.2288.org
testjks2.3322.org
testwm.3322.org
wanmeios.3322.org
wmjk.3322.org

We have observed JKDDOS CnC servers listening on a variety of ports, usually in the 1100-1999 or 3300-3399 range:

1130 1234 1631 1633 1670 1671 1690 1691 1695 1868 1980 1986
3335 3344

Victims

We have been tracking various JKDDOS-based botnets for several months using our usual technique of periodically connecting to known CnCs and sending 497-byte messages that imitate particular JKDDOS specimens that have been captured and analyzed.  During this period of time, we have observed JKDDOS botnets issue DDoS attack commands against approximately 78 unique victims in China (40), the United States (31), Hong Kong (5), and Singapore (2).  The victims have been distributed across networks as follows:

CN   4134  CHINANET GUANGDONG PROVINCE NETWORK
CN   4134  CHINANET HUNAN PROVINCE NETWORK
CN   4134  CHINANET JIANGSU PROVINCE NETWORK
CN   4134  CHINANET JIANGXI PROVINCE NETWORK
CN   4134  CHINANET-HN ZHUZHOU NODE NETWORK
CN   4134  HANGZHOU SILK ROAD INFORMATION TECHNOLOGIES CO. LTD
CN   4134  JINHUA TELECOM CO. LTD IDC CENTER
CN   4134  JINYUNQINGHSOANIANHUODONGZHONGXIN-POLICE
CN   4134  MAOMINGSHIGUANSHANYILU265271HAO
CN   4134  NINBO LANZHONG NETWORK LTD
CN   4134  SHANTOUSHIJINSHADONGLUJINLONGDASHABDONG12A
CN   4134  SHAOXING DINGQI INTERNET SCIENCE CO. LTD
CN   4134  SHENZHENSHILUOHUQUHEPINGLUYIFENGGUANGCHANGCZUO32H
CN   4134  TAIZHOU YAMA NETWORK TECHNOLOGY CORP
CN   4134  VA OFFICE BRANCH OF CHINA TELECOM CORP
CN   4134  WENZHOU GAOJIE TECHNOLOGY CO.LTD
CN   4134  WENZHOU LIANZHONG NETWORK TECHNOLOGY LTD
CN   4134  ZHAOWENBIN FIREWALL
CN   4812  CHINANET SHANGHAI PROVINCE NETWORK
CN   4837  CHINA UNICOM HEILONGJIANG PROVINCE NETWORK
CN   4837  CHINA UNICOM HUNAN PROVINCE NETWORK
CN   4837  CHINA UNICOM LIAONING PROVINCE NETWORK
CN   4837  CHINA UNICOM SHANDONG PROVINCE NETWORK
CN   4837  HANGZHOUJUZHENG HUZHOU ZHEJIANG
HK   4058  CPCNET HONG KONG LTD
HK   9584  GENESIS NET LIMITED
SG  26496  8 CROSS STREET
SG  45634  10 SCIENCE PARK ROAD
US   3491  BEYOND THE NETWORK AMERICA INC
US   7011  FRONTIER COMMUNICATIONS OF AMERICA INC
US  15133  EDGECAST NETWORKS INC
US  19853  INTERNET EXCHANGE TECHNOLOGY INC
US  20248  TAKE 2 HOSTING INC
US  21740  ENOM INCORPORATED
US  21788  NETWORK OPERATIONS CENTER INC
US  25761  STAMINUS COMMUNICATIONS
US  26496  GODADDY.COM INC
US  30058  FDCSERVERS.NET
US  32421  BLACK LOTUS COMMUNICATIONS
US  32421  SERVERORIGIN COMMUNICATIONS
US  33569  ALLHOSTSHOP.COM
US  35908  VPLS INC. D/B/A KRYPT TECHNOLOGIES
US  36351  SOFTLAYER TECHNOLOGIES INC
US  46844  SHARKTECH INTERNET SERVICES

The list of victims has included the usual gaming sites and online stores.  However, JKDDOS is somewhat unusual in that it has a tendency to attack large holding companies and investment firms, especially those involved in the mining industry.

As an example, one large, well-known investment company based in New York City was attacked by a JKDDOS botnet on six separate occasions during the 10-day period starting on October 21, 2010, with the shortest and longest attacks lasting approximately 3 and 33 hours, respectively.

Three different victims have some connection to the gold mining industry, and one victim was a manganese miner.  The European website of the most commonly attacked victim describes itself as a “major corporate shareholder” of various gold mining operations.  It was attacked no less than 16 times during the last month, including at least once a day during the period from October 22 through October 29.  These daily attacks typically started around 6am or so (London time) and lasted until about 4 or 5 pm.

We’ve also observed a JKDDOS botnet attack on November 3, 2010 against a corporate holding company that invests in major wineries.

The longest sustained JKDDOS attack that we have observed recently lasted approximately 72 hours, and was directed against a Chinese discussion forum site.  All of the JKDDOS attacks we have tracked recently were perpetrated by the following seven China-based CnC servers:

CnC IP Address   CC   ASN   NetName
117.40.137.170   CN   4134  CHINANET JIANGXI PROVINCE NETWORK
121.11.81.56     CN   4134  SHANTOUSHIJINSHADONGLUJINLONGDASHABDONG12A
123.183.212.240  CN   4134  CHINANET HEBEI PROVINCE NETWORK
124.237.77.210   CN   4134  THE YANDA ZHENGYANG ELECTRON LTD. OF QINHUANGDAO
124.237.78.106   CN   4134  THE YANDA ZHENGYANG ELECTRON LTD. OF QINHUANGDAO
125.91.10.117    CN   4134  SHANTOUSHILONGHUQUHUAMEIZHUANGHUAMEIHUAYUANDI9ZUO601HAOFANG
61.147.120.135   CN   4134  CHINANET JIANGSU PROVINCE NETWORK

A/V Detections

Overall, anti-virus detection of JKDDOS bots is reasonably good.  Detection rates for the specimens we have analyzed are typically in the 70%-93% range, although the detections are usually generic in nature.  Here are some representative detections, which tend to be all over the map:

DrWeb       DDoS.Attack.230
Avast       Win32:Rincux-D
JiangMin    Backdoor/Wanmei.dd
F-Secure    Backdoor.Win32.Hupigon.hbtu
nProtect    Backdoor/W32.Hupigon.24064.N
Ikarus      Trojan-Downloader.Win32.Apher
Norman      W32/Redosdru.LS
Kaspersky   Trojan-Downloader.Win32.Apher.gzh
PCTools     Trojan-Downloader.Murlo.djw
VirusBuster Trojan.DL.Murlo.BQR

Summary

From a technical point of view, the JKDDOS family appears quite unremarkable and shares many characteristics common to other Chinese DDoS malware such as YoyoDDoS, Avzhan, Chcod, and Darkshell.  However, its choice of large corporate investment groups and mining-related interests as targets makes it a bit more interesting than some of the other DDoS-focused botnets we often see.

Comments

  1. Curt Wilson 03/10/2011, 3:32 am

    Nice analysis work. I’ve heard Hupigon described as a typical type of Remote Access Trojan before and wonder if some of its codebase was borrowed for JKDDOS, which may account for the anti-virus signatures being triggered. Curious if you have been able to determine if China is being used as a relay point or if interests there are actively performing the DDoS activity?