Skunkx DDoS Bot Analysis

By: Jose -

Lest you think all of the DDoS bots we focus on come only from China, we found one that appears to be from the US. We’re calling this bot “Skunkx”. We have not yet seen the bot’s attacks in the wild, however, and so we do not know its favored victim profiles. We also do not know how big this botnet is at this time.

The bot’s capabilities include:

  • Perform DDoS attacks: UDP floods, SYN floods, HTTP floods, and Slowloris attacks
  • Detect some analyst tools (Commview, TCPView, and Wireshark) and platforms (QEMU, VMWare, VirtualPC)
  • Spread over USB, MSN, YahooMessenger
  • “Visit” sites, speedtest
  • Download and install, update, and remove arbitrary software
  • Detect and stop DDoSer, Blackshades, Metus and IRC bots on the box; it apparently can speak “DDoSer” too
  • Spread as a torrent file
  • Steal logins stored in the SQLite DB by Mozilla

We have not seen the source or the control panel of the bot. The author appears to like the “JoinVPS” service, however. The servers he has used trace back to “Net-0x2a: Zharkov Mukola Mukolayovuch” in Ukraine, and also to “PIRADIUS” in Malaysia. This is someone familiar with underground hosting, it seems.

Some of the samples have been UPX packed, but not all use such simple packing. The hostnames in use suggest a single attacker, and we have not seen the kit openly available for sale or review. CnC communications use an obfuscated ASCII protocol that is not unlike a basic IRC method. We are working with the registrar to shut down the domain name used by the attacker.

Skunkx in IDA console

Inspection of the bots we captured shows a handful of user-agents (my favorite is the Cyberdog one!) and HTTP headers that appear distinctive, enabling us to detect its traffic selectively. The author appears to have imported Slowloris’ attack method without any modification.
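The two detection angles above, distinctive User-Agent strings and an unmodified Slowloris attack, can both be checked from web-server connection records. The following is an added example, not code from the original post or from Arbor; the connection records are constructed, the record format is an assumption, and the User-Agent signature list is a placeholder (the post names Cyberdog but does not give the full header value, so the substring is an assumption to be replaced with values from your own captures). Slowloris works by holding many connections open with never-completed request headers, so the heuristic flags any source that holds several long-lived incomplete requests at once.

```python
"""Flag Slowloris-style partial HTTP requests and signature User-Agents.

Added example for defenders; not the bot author's code and not Arbor's tooling.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Conn(NamedTuple):
    ts: int          # epoch seconds when the record was taken
    src: str         # client IP
    age_s: int       # seconds the connection has been open
    bytes_in: int    # request bytes received so far
    complete: bool   # True once the request headers were terminated
    user_agent: str  # User-Agent header if it has arrived, else "-"


# Constructed sample: one line per open server connection at snapshot time.
# Fields: ts src age_s bytes_in state user_agent   (format is an assumption)
SAMPLE_CONNECTIONS = """\
1311961200 203.0.113.5 92 118 incomplete Mozilla/4.0 (compatible)
1311961200 203.0.113.5 88 121 incomplete Mozilla/4.0 (compatible)
1311961200 203.0.113.5 85 117 incomplete Mozilla/4.0 (compatible)
1311961200 203.0.113.5 61 119 incomplete Cyberdog/PLACEHOLDER-UA
1311961200 203.0.113.5 44 120 incomplete Mozilla/4.0 (compatible)
1311961200 203.0.113.5 39 116 incomplete Mozilla/4.0 (compatible)
1311961200 198.51.100.7 35 122 incomplete Mozilla/5.0 (X11; Linux)
1311961200 198.51.100.7 2 60 incomplete -
1311961200 192.0.2.9 1 512 complete Mozilla/5.0 (Windows NT 6.1)
1311961200 192.0.2.9 3 498 complete Mozilla/5.0 (Windows NT 6.1)
1311961200 192.0.2.9 0 503 complete Mozilla/5.0 (Windows NT 6.1)
"""

# Placeholder signature substrings; the real header values come from captures.
UA_SIGNATURES = ("Cyberdog",)


def parse_connection_log(text: str) -> List[Conn]:
    """Parse the constructed snapshot format into Conn records."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, age, nbytes, state, ua = line.split(maxsplit=5)
        conns.append(Conn(int(ts), src, int(age), int(nbytes),
                          state == "complete", ua))
    return conns


def slowloris_suspects(conns: List[Conn], min_age_s: int = 30,
                       min_open: int = 5) -> Dict[str, int]:
    """Sources holding >= min_open incomplete requests each older than min_age_s.

    A legitimate slow client rarely keeps more than one or two header-less
    connections open for that long; dozens from one IP is the Slowloris shape.
    """
    stale_open = defaultdict(int)
    for c in conns:
        if not c.complete and c.age_s >= min_age_s:
            stale_open[c.src] += 1
    return {src: n for src, n in stale_open.items() if n >= min_open}


def ua_signature_hits(conns: List[Conn],
                      signatures=UA_SIGNATURES) -> Set[str]:
    """Sources whose User-Agent contains any signature substring (case-insensitive)."""
    hits = set()
    for c in conns:
        ua = c.user_agent.lower()
        if any(sig.lower() in ua for sig in signatures):
            hits.add(c.src)
    return hits


if __name__ == "__main__":
    records = parse_connection_log(SAMPLE_CONNECTIONS)
    print("slowloris suspects:", slowloris_suspects(records))
    print("UA signature hits:", ua_signature_hits(records))
```

Tune `min_age_s` and `min_open` to the server's normal header timeout and per-client connection limits; raising the header timeout threshold reduces false positives from slow mobile links, while the signature match is only as good as the captured header values it is fed.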

We have also been sinkholing this botnet. Inspection shows hundreds of bots checking in from around the world, with most in the US. Here’s a map showing botted hosts:

We continue to work with network providers to get these hosts cleaned up.

Samples by date and hash:

2010-11-05  8b0ec6c72ba825ef6f6c51ec7940c5d1
2010-10-21  a6bcc047bd5c020d4ab0fc985a955930
2010-09-14  49aa607813acff4d4ee0e6f97a18496a
2010-08-19  201ecebc3ce0a62918c9e03acf2a691b
2010-06-14  678ea804716f80ca1a107467c0ac0d4c
2010-06-03  89d846b4cf063af0c3e34d8f96505299
2010-05-31  659cefcf48c770b9dec7fbc820feb08c
2010-07-27  9105d79b81ec98ff4bb739d65980dbed
2010-07-30  bd9bc177f68823cfd7cc98ce77033787

Many thanks to Jeff Edwards for his help during this analysis.

Comments

  1. Arbor, first of all, you rock. I love the detailed analysis you provide on these threats.

    Could I request that you add a “printable version” link to these pages? That would make it even more awesome.

  2. Mehul Doshi 07/30/2011, 3:17 am

    Skunkx malware analysis by endpoint security or antimalware client, or a link via VirusTotal, would help. We are seeing a similar pattern; however, the virus variants are drastically different. Does that mean Skunkx is changing the malware variant for propagation with various organizations? Indian organizations are not aware of this threat, and would Indian CERT be updated, or are you only working with network providers?