A DDoS Family Affair: Dirt Jumper bot family continues to evolve

By: cwilson -

Previous blog entries and analysis by others in the security community have shined a light upon the Dirt Jumper DDoS bot. Dirt Jumper continues to evolve (version 5 appears to be the newest) and a variety of other associated bots packages have emerged over time to include Simple, September, Khan, Pandora, the Di BoTNet and at least one private version of Dirt Jumper 5 that I am aware of. While we have collected about 300 malware samples of the Dirt Jumper family, it is likely that other variants are available, as the binaries and back-end PHP for Dirt Jumper has leaked several times. This makes it easy for someone to make slight modifications to the PHP or Delphi binary code and attempt to re-sell the bot, use the bot for their own purposes, or start making money with their own commercial DDoS service. Attacks from the Dirt Jumper family of bots continue to target victims all around the world in a robust manner and we will take a look at who is being attacked, although we cannot always determine the motive.

RussKill

Let’s start with a quick review of Russkill, which was seen around 2009-2010:

RussKill has been profiled previously, featuring HTTP and SYN flood attacks.  The start of things to come.

Back-end panels changed and bot binaries gained new capabilities over time.

RussKill evolved into Dirt Jumper:

Which evolved into Dirt Jumper September:

(Thanks to Andre’ DiMino of DeepEnd Research for the screenshot)

Simple

September looks very similar to this version of Simple:

Another version of Simple has a different look and feel (three back-end panels pasted together in this particular image for a total of 11,878 bots online):

Dirt Jumper version 5

The latest version of Dirt Jumper that I know of is version 5, likely written or at least leaked in mid-2011. A few MD5’s:

ef9c4bfa9906251d52c3658252224d85 (leaked sometime in October 2011)
506ba7a322288cc4dc55b7c32fea9f4f (leaked around Feb 2012)

 

The attack types supported by version 5 are as follows:

  • Type 1: HTTP flood –with an example of a dynamic Referer:

Referer: k7569i5p.biz

  • Type 2: Synchronous flood

This attack looks the same as type 01 but opens more connections to the target(s).

  • Type 3: Downloading flood

This flood looks the same as types 01 and 02 (an HTTP GET) but is intended to be aimed at some type of downloadable content in order to burn resources on the server.

  • Type 4: POST flood

The POST flood is similar in style to attacks 01-03 however it has a body payload that consists of the attacked site. A portion of an attack packet shows a dynamic Referer with a properly calculated Content-Length header.  The payload, http://attacked.box corresponds to the attacked site. attacked.box was a locally sinkholed hostname.

Content-Type: application/x-www-form-urlencoded
Content-Length: 21
Referer: 82w6x.info
http://attacked.box

  • Type 5: Anti DDoS flood – NEW as of Version 5 (does not appear to work however)

Attack type 5, “Anti DDoS flood” did not function at all. No attempts to get this to work were successful, despite this feature being hyped in the underground. Perhaps the version(s) I’ve analyzed are not yet fully realized.

Another back-end screenshot with a modified look is seen below, although the exact version number is unknown. I suspect this is a modification to version 5. This is taken from a small botnet with 27 total bots, 5 active.

Some of the more recent evolutions/changes/code ripping of Dirt Jumper include Trojan.Khan, which is very similar to Dirt Jumper. Jeff Edwards from Arbor ASERT wrote about breaking the crypto in Trojan.Khan recently

We do not currently have any screen-shots from the Khan back-end, however I suspect it is very similar to the Dirt Jumper v5 backend based on traffic analysis.

Dirt Jumper has inspired copies or modifications, such as the recent Di BoTNet version 1.0:

The author of the Di-BoTNet doesn’t try to cover it up and states outright that the bot is “Modification Dirt Jumper 5” on an underground forum.

The listed features of the Di-BoTNet are very similar, if not identical to Dirt Jumper version 5. The feature list, translated from Russian with some text corrections, indicates that Di BoTNet has a “bot killer” feature which can eliminate other bots from an infected box.  Also mentioned are anti-virtual machine and anti-debugging techniques and performance increases. Some versions of Dirt Jumper do indeed bog down the CPU of the infected box, which from the botmasters perspective is a bad thing as the bot may then be noticed. Also mentioned is a variation upon the request header that involves rotating between HTTP 1.0 (the Dirt Jumper default), HTTP 1.1 and HTTP 2.0 HTTP versions. Based upon my analysis of a leaked copy of Dirt Jumper v5, it does not perform such rotation, but it does rotate User-Agent and referer values including adding dynamic elements to make itself harder to block. The only “additional functions” explicitly listed for the Di BoTNet is the ability to control the number of threads and the interval from the panel. This is likely an attempt to make the bot less noticeable as a high number of threads can indeed bring the infected box to a near standstill with 100% CPU utilization.

Modules attack:

+ HTTP flood

+ SYN flood

+ DoWN flood

+ POST flood

+ AntiDDoS flood

(these are all identical to the aforementioned Dirt Jumper v5 attack types)

Functionality:

+ Killer Unit: Bot destroys the competition.

(This was not seen in Dirt Jumper v5)

+ UPDATE: The bot uses inzhekta to update the main module.

(I believe inzhekta here means injection of some kind)

+ Many threading: Can attack simultaneously up to 300 target.

(back-end resets attacked sites back to 300 if more than 300 are specified)

+ Reproduction: The bot itself is a function of distribution.

+ Statistics Today: Today statistics by country.

+ Statistics Online: Online statistics by country.

+ Anti virtualke: Bot does not work on virtual machines.

+ Anti Debugging: Can not ban the domain, the bot will live longer.

+ Productivity: The bot improved performance, better attacks, the system loads less.

+ Randomly: When you receive a random attack uses the full (but not chaotic requests) – HTTP 1.0 2.0 1.1; referer, etc.

Additional functions:

+ Streams: The number of threads during the attack indicated in the admin panel.

+ Interval: The interval is specified in the otstuk config.php, or in the admin panel.

Changes to Command & Control

In addition to other changes seen, Dirt Jumper version five sends a longer unique ID to the Command & Control site than previous versions. In previous versions, this has been the k= value, consisting of a 16 byte number. In version 5 (and in Trojan.Khan) this value is a 32 byte alphanumeric string, unique to each bot install. In the case of Khan, we’ve seen the bot binary use u= instead of k= perhaps in an attempt to evade intrusion detection systems that might flag the suspicious outbound traffic to the C&C.

Dirt Jumper version 3 C&C interaction – red indicates the bot posting its unique ID:

k=795078752145971

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 16:54:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 56
Connection: close
Content-Type: text/html; charset=UTF-8

01|300|150http://<removed>.net/

One site was attacked with an HTTP flood attack.

Dirt Jumper version 5 (and Khan) feature this type of C&C POST:

k=o695zw356tm41qhk3346j1wdl357r4mw

HTTP/1.1 200 OK
Date: Thu, 23 Feb 2012 10:01:45 GMT
Server: Apache/2.2.22 (CentOS)
X-Powered-By: PHP/5.2.17
Content-Length: 29
Connection: close
Content-Type: text/html; charset=UTF-8

11|30|60http://s*********.ws/

 

One site that was previously under attack has its attack stopped (command code 11).

With regards to the samples I analyzed, the 32 byte k value is dropped onto the file system as C:Documents and SettingsLocalServiceLocal SettingsApplication DatasLT.exf. This is the exact same filename used by a sample of Trojan.Khan with md5 5c2514c04231f2ca531e368a767f678e for it’s original dropper.

Pandora DDoS

Pandora is the latest bot apparently written by the author of Dirt Jumper.

Pandora has also been cracked/leaked and available in the underground. It was originally on sale for $800, and then later sold for $100 just before it was obviously leaked. Analysis is ongoing, however there are many similarities with Dirt Jumper. There are indications that Pandora has less features than previous versions of Dirt Jumper.

Advertising for Pandora describes the bot as follows (translated from Russian):

<start of translated text>

A. Product description

From the creator of Dirt Jumper and Simple!

The Key DDoS system in 2012!

New, Universal DDoS botnet PANDORA!

This unique product combines the best moments from all the created earlier versions.

Bot written with the participation of the clients of the previous version of the author.

Yes arrive with Your Pandora!!!

Operating instructions

The bot has Five modes of attack.

One. Requests on the TCP protocol, without receiving a response.

A connection is broken so that the server continues to wait until the client receives a response.  And at this time is already running another request.

Thus not only that is 100% load on apache, database, channel, but there are many half-open connections, which creates a queue on a server and additional burden on apache.

To the methods of possible attack as on the specific script, and so on ports!

Two. Almost the same as the first method, but unlike him, this type of attack takes the answer, creating another type of load.

Namely: Employment connect, traffic, load apache in return information.

Three. This method of attack combines the first and the second.

Bot in turn queries the first method, then the second.

Four. And this method is written solely on top of sockets. Bot performs connect to the server, and while he did not refuse to accept the information, the bot will send the traffic.

Port, you can specify any.

Five. The method that allows you to score a channel. Queries with a very large packages.

The numbering of the attack starts FROM SCRATCH!

The bot also there is a system timeout.

In the field you need to specify the timeout in milliseconds. Timeout is performed in each thread separately.

In order to stop the attack to specify zero the number of threads.

All methods of attacks support the ability to strike at the port. The fourth method of attack beats only for IP. (If you specify a domain, he himself will determine the IP.)

<end of translated text>

Who is being attacked and how? A sample of victims

Attacks are diverse and world-wide. Looking at attack logs from our Project Bladerunner we can get a sense of this diversity and learn about some interesting sites. Based on a small sample of 149 attacks, attack types are as such:

Many of the sites that had been attacked in the past were online, however several sites were unfortunately inaccessible, indicating either legitimate downtime or damage from ongoing attacks. One observed target posted about the DDoS attack to their forum and mentioned there were about 50,000 bots attacking. A sample of targets, including targets attacked more than once:

Unfortunately not all of the sites checked were able to withstand the brunt of the attack. Several sites found in the logs returned error messages of one kind or other such as this:

Typical anti-malware evasion tactics help increase botnet lifespan

While many anti-malware vendors will detect Dirt Jumper bots at least under a generic name, tried-and-true evasion techniques such as the use of packers and crypters help protect the bots from detection. Like many other malware authors, botmasters using Dirt Jumper use private anti-virus scanning services in an attempt to keep bots undetected for a longer period of time. This scan performed by a botmaster from March 8, 2012 indicates that this particular version of Dirt Jumper was not detected. The md5: 02c422fa8a7374ae6b693e909229fd78 has been engineered to be undetected via typical file-based anti-malware scanners. Dynamic detection is likely better.

This particular scanner advertises a notification feature:

The next scan of a Dirt Jumper binary from March 9, 2012 scanned by a different service is only detected by one antivirus engine (file-based detection), which appears to flag on the presence of a .NET crypter:

This second example comes from a site that offers a notification service as well as the ability to encrypt files with a variety of methods. The site shows the following stats:

Summary and what’s next?

The Dirt Jumper family continues to expand. As one type of bot demonstrates success, others copy it often with minor modifications. It can be difficult to determine if a site has been attacked by Dirt Jumper or one of it’s variants, and if so, which one. Therefore we will refer to all of the bots profiled here as well as any future bots as the Dirt Jumper family. Development will continue, and there are increasing trends towards the development of attack techniques that will bypass certain types of anti-DDoS protection measures. The underground economy continues to flourish, and DDoS services are a piece of that rotten pie.

Comments

  1. Hi Curt
    I suppose You right about “inzhekta” translation, but send me, if You interested, original text so I can translate it closely to author’s meaning.
    Thx
    D.L.