DirtJumper’s DDoS Engine Gets a Tune-Up with new “Drive” Variant

By: Jason Jones -

Over the last few months ASERT has been tracking what appears to be a new variant in the DirtJumper family (for more information on the history of the DirtJumper family see our previous posts [ 1 ] [ 2 ] [ 3 ] ) – that we have dubbed “Drive.” Drive is written in Delphi and sports a new and much more powerful DDoS engine than its predecessors. It has also changed the format of attack commands and added some new features to those commands. In addition to the new engine, a few CnCs have also been observed serving up Gzip-compressed data and at least one has exhibited blocking based on geographic location. The “Drive” name comes from multiple URI paths being named or containing /drv/ or /drive/ and a few CnC hostnames containing the word “drive”. This new variant does not seem to have made it to the “mainstream” underground forums yet with only a total of 15 unique CnC hostnames being observed so far.

Drive Revs its Supercharged Engine

Drive sports 2 POST floods, a GET flood, 2 connection + data floods and a UDP flood – although the UDP flood was not seen in all instances. It also has the ability to specify a post query string of random data to add additional stress to a server in the cases where login pages, search pages, etc. are targeted.

It also sports a new string encryption algorithm that is very similar to the Khan algorithm that Jeff Edwards wrote about in 2012 [ 4 ] . A representation of the assembly code for the algorithm is shown in Python below. This algorithm could be made more efficient, but is presented as-is to represent exactly what Drive does:

def decrypt_drive(crypted):
    ebx = 1
    edi = 1
    esi = 1
    decrypted = ""
    while len(decrypted) < len(crypted):
        if esi == 2:
            tmp_chr = ord(crypted[edi-1])
            tmp_chr += ebx + 1
            decrypted += chr(tmp_chr)
        else:
            tmp_chr = ord(crypted[edi-1])
            tmp_chr -= (ebx + 1)
            decrypted += chr(tmp_chr)
        if ebx == 1:
            ebx = 2
        elif ebx == 2:
            ebx = 3
        else:
            ebx = 1
        esi -= 1
        if esi == 0:
            esi = 2
        else:
            esi = 1
        edi += 1
    return decrypted[::-1]

Any “sensitive” data – cnc host, cnc port, cnc URI, install name, ini name – is encrypted with this algorithm.

The phone homes retain the k= POST parameter, but unlike DirtJumper v5 and Khan the length of the value is 15-bytes instead of 32. A randomly generated User-Agent following the format described in the attacks section below is also included.

New Turn-by-Turn Attack Directions

Attacks are no longer specified by 3 pipe-delimited integers and then targets, they are

now specified using an attack command – any of -get, -post1, -post2, -ip, -ip2, -udp – that is mapped to a corresponding integer that is referenced everywhere else it is needed. The assembly code for this is shown in Figure 1. Other options for the command are -timeout to specify a timeout, -thread to specify the number of threads to launch (defaults to 30), and -request – only used in the POST attacks. Once the attack_code is set, the code will branch based on the value – if it’s greater than or equal to 3, then it will branch to a section of code that handles the -ip, -ip2, and -udp attacks, otherwise it will branch to a section to handle the HTTP attacks.

Figure 1: Attack Command Parsing

Figure 1: Attack Command Parsing

In the parsing of the HTTP attacks, it will parse the hostname out from the URL – first checking for http:// or https:// and perform a gethostbyname call to obtain the IP address of the target. It will also look for any “:” and parse out the targeted port as well. While the code searches for https://, we have not seen any copies of Drive that have an embedded SSL library to actually support an attack over HTTPS and it uses socket / send / recv  to establish a connection and send data to add more evidence to a lack of SSL support.

Parsing for non-HTTP attacks is slightly different – an IP and port combination are expected. A small number of example commands are shown below:

-ip <ip address>:<port> -timeout 0 thread 999

-get hxxp://<target>/ -timeout 3000 -thread 1

-post1 hxxp://<target>/<uri> -timeout 0 -request username=[5]&password=[5]&submit=Submit -thread 150

-udp <target>:<port> -timeout 0 -thread 80

Upgrading the DDoS HorsePower

HTTP Floods

The HTTP-based attacks randomly select one of three User-Agents and then randomly generate values for each one – including version number and patch-level and also randomly chooses whether to include the WOW64 string to indicate a 64-bit Windows system. Regular expressions that represent the 3 possible User-Agents are displayed below:

Mozilla/5.0 (Windows NT [56].1; WOW64; rv: [9-17].0 Gecko/20100101 Firefox/[9-17].0

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT [56].1; WOW64; ; Trident/4.0; SLCC2; .NET CLR 2.0.[0-9]{6}; .NET CLR 3.5.[0-9]{6}; .NET CLR 3.0.[0-9]{6}

Opera/9.80 (Windows NT [56].1; WOW64; U; Edition <Random country>  Local; ru) Presto/2.10.289 Version/[5-12].0[0-9]

The Referer field also contains a randomly generated value between 5 and 14 characters that is concatenated with a randomly selected TLD to form the full URL. Previous versions / variants of DirtJumper used a hard-coded User-Agent string, so the switch to a more dynamic set of User-Agents that more closely resemble legitimate browsers make for harder fingerprinting. Closer inspection by the reader will show that there do exist some anomalies that would not exist in a real-world browser.
The two POST attacks differ slightly – one appears to target just making sure the server has processed the POST request and closes the connection after it received the first 1024 bytes, while the other attack waits until the response has been completely received before closing the connection. In addition to the random User-Agent string, the POST attacks also contain the above mentioned ability to randomize their POST data. The default clearly targets login forms, but others have been observed targeting search pages and user profile pages. The integer value between the brackets represents how long of a random string to generate. Hard-coded values are also allowed in POST data. 

login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]

IP Floods

The two IP attacks – -ip and -ip2 – are both connection style flood attacks that also include more randomly generated data that is sent to the target. These attacks have been seen targeting HTTPS, SSH, MySQL to name a few. An interesting tidbit with these attacks is that they will only operate on an IP address – if a hostname is sent it will fail as no calls to gethostbyname are made to retrieve the IP address to open a socket to. One attack will allocate a buffer of 1460 bytes, memset to set all bytes in the buffer to null and then memcpy the randomly generated data into it and send the full 1460 byte buffer. The random data consists of 2 15-byte strings concatenated together with a space separating them. The other attack only sends the random data. This set of attacks seems to attempt to get around general connection flood protections that only classify floods based on no sending of data, but is not difficult to protect against – especially in the case of targeting SSL-encrypted services where it will lack a proper SSL handshake.

UDP Flood

The UDP flood is a pretty standard UDP flood with the port specified by the attacker and more random data sent to the target. This attack has only been seen a handful of times from the CnCs that have been monitored.

 

Under the Hood of a few CnCs

Drive has certainly been ambitious with its targets – targeting a popular online retailer, search engine, a popular security news site and some foreign financial institutions for a number of hours – but with some attacks being successful and some not. Using the excellent – and free –  OpenDNS Security Graph, we have been able to obtain a rough low-end estimate on the number of infected hosts – with the caveat that an unknown number may be from others monitoring the same CnC or dynamically analyzing a piece of malware attempting to connect to the CnC. The graph shown below is a snapshot taken during a successful attack and shows a peak of around 1,000 queries during the attack.

This particular CnC was co-hosted with a BetaBot CnC and a BitCoin mining harvestor and all 3 were dropped by a Smoke Loader.

OpenDNS Security Graph for www.mogains.com

OpenDNS Security Graph for www.mogains.com

The CnC located at kers2.com was the first CnC that we observed hosting Drive, but we found that it was difficult to monitor for a number of months. Later we discovered that it was blocking connections based on geographic location and switching where we routed through allowed us to determine what it was targeting. This CnC was seen targeting foreign financial institutions and has recently appeared to go offline again, but it is possible that it once again shifted its allowed victims to a different geography. This CnC was online for at least 3 months, which is one of the longest-lived DirtJumper family lifetimes that we have seen recently. With queries peaking above 2000 and mostly averaged above 1500, it represented a significant threat when it was active.

OpenDNS Security Graph for kers2.com

OpenDNS Security Graph for kers2.com

Conclusion

Drive is an up-and-coming threat on the ASERT radar and something we will continue to monitor closely in the coming months as it continues to spread and attack new targets. The attacks we have witnessed have proved to be more potent than other variants and we have even seen CnCs name over 60 targets at once for extended periods of time.

 

References

[ 1/asert/2011/08/dirt-jumper-caught/

[ 2/asert/2012/04/a-ddos-family-affair-dirt-jumper-bot-family-continues-to-evolve/

[ 3/asert/2012/05/dirt-jumper-ddos-bot-increasingly-popular/

[ 4/asert/2012/03/kahn/

Comments are closed