It’s 2012 and Armageddon has arrived

By: jedwards -

Breaking Armageddon’s latest and greatest crypto reveals some interesting new functionality

Armageddon is one of several notable Russian malware families that are designed exclusively for DDoS attacks; it has been on our radar screens for some time now. Its primary competitors within the market of Russian DDoS vendors are Dirt Jumper (a.k.a. RussKill), Darkness/Optima (a.k.a. Votwup), and of course BlackEnergy.

We’ve noticed that the Armageddon code base has undergone some relatively rapid evolution lately, and the purpose of this blog post is to report on some of the new functionality we have observed. With this latest release, the bot uses some new crypto protection to hide its features from casual observers; breaking this encryption revealed some interesting goodies…

It turns out that the latest version of Armageddon contains support for a few new flavors of DDoS flooding which have been customized to target certain types of web sites. The names of the commands give some indication of the gist of the attacks: .apacheflood, .vbulletinflood, .phpbbflood, The implementation of the .apacheflood command was of particular interest; it makes use of the following (decrypted) string when formulating its flooding requests:

Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,,5-1299,5-1300

This string represents an optional HTTP header that turns out to be included in DDoS flooding requests generated by the bot when performing an .apacheflood attack; this string, along with another encrypted Armageddon string, Accept-Encoding: gzip, have been associated with the so-called “Kill Apache” attack, a type of highly assymetric low-bandwidth DDoS technique that has emerged relatively recently.

In a nutshell, the Kill Apache attack abuses the HTTP protocol by requesting that the target web server return the requested URL content in a huge number of individual chunks, or byte ranges. This can cause a surprisingly heavy load on the target server; in particular, certain versions of the Apache HTTP server handle such requests extremely poorly and in some cases can be brought to their knees by a single attacking client. To our knowledge, this is the first time that the Kill Apache attack has reared its ugly head in actual botnet code in the wild, as opposed to proof-of-concept and/or standalone attack tools.

Of course, once we have taken the liberty of prying open Armageddon’s kimono, it was straightforward to write a “fake Armageddon” client that phones home to the (decrypted) C&C URL strings, and engages in communication that impersonates a real bot. This allows us to gather additional intelligence on the activities and behavioral patterns of Armageddon; in particular, we can now monitor the various Armageddon botnets to log the targets that it attacks, and the types of DDoS floods uses in those attacks. Among other things, this technique allowed us to discover that at least one of the botnets powered by the most recent Armageddon code base took part in the DDos attacks related to the recent Russian election in early December. We will continue to keep a watchful eye on Armageddon going forward.
The full article reporting the details of reversing Armageddon’s crypto, a Python decryption script – and an overview of the findings that were revealed once the strings were decrypted – is available here:
Report: It’s 2012 and Armageddon has arrived

This article is intended to be the first in an upcoming series that will provide a guided tour of the inner workings of various crypto systems that are used by contemporary DDoS malware families in order to hide their communications and sensitive data – and how to go about breaking them!

Update: Today we found some similar analysis of Armageddon and its crypto by the team at Onthar’s Malware Research Laboratory: