Can I Play with Madness?

By: Jason Jones -

Madness Pro is a relatively recent DDoS bot, first  seen by ASERT in the second half of 2013 and also profiled by Kafeine in October 2013. Kafeine’s blogpost gave good insight into one method of infection and how quickly a potent DDoS botnet can be built. This post will take a deeper-dive into what Madness does upon infection of a system and what its attack capabilities are.

Installation

Madness uses standard methods to achieve persistence on the system and evade detection. For persistence, it sets up autorun via:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun if the user does not have admin privileges
  • via HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun
  • if that fails to HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun if the user does have admin privileges

It also creates 4 files in the user’s home folder named per, perper, perperper, perperperper (hint: search for these filenames on malwr.com to find more samples :) ) that contain the registry key values above followed by [7] and [8] for WORLD_FULL_ACCESS and WORLD_READ_ACCESS and run regini on the file to setup the registry permissions on those registry keys before doing the above. A mutex named GH5K-GKL8-CPP4-DE24 will also be created to block multiple installations of Madness (since the mutex we have observed has been the same across all samples we have encountered, it also blocks competitors). It will then attempt to bypass the firewall in Windows XP/Vista/7/8 by turning it off the service  and then disabling autostart of that service.

Many of the interesting strings are encoded with Base64, which include the above-mentioned registry keys, commands, mutex values and operating system names. This makes many of the strings very recognizable and easy to identify with a Yara rule. One example rule has been committed to our GitHub repository.

Capabilities

Capability-wise, Madness Pro has a large number of DDoS attacks and a download and execute command. The latest version we have observed in the wild is 1.15. The network phone-homes for Madness resemble the WireShark screenshot below. They include a unique randomly-generated bot ID, a version, the mk parameter, the OS version, privilege level on the system, c – a counter for the number of phone homes, rq – a counter for the number of successful attack payloads sent since the last phone-home. The response from the server is a base64-encoded, newline-separated list of commands. Multiple targets can be specified per command by separating them with a semicolon.

Madness Phone-Home

Madness Phone-Home

I also wrote a Suricata / Snort rule to detect these phone-homes:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ASERT] TROJAN W32/Madness Checkin"; flow:established,to_server; content:"GET"; http_method; content: "?uid="; pcre: "/?uidx3d[0-9]{8}x26verx3d[0-9].[0-9]{2}x26mkx3d[0-9a-f]{6}x26osx3d[A-Za-z0-9]+x26rsx3d[a-z]+x26cx3d[0-9]+x26rqx3d[0-9]+/"; reference:url,www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/; reference:md5,3e4107ccf956e2fc7af171adf3c18f0a; classtype:trojan-activity; sid:3000001; rev:1;)

The DDoS attacks use a combination of WinSock, WinInet (InternetOpenRequestA + HttpSendRequestA), and UrlMon (URLDownloadToFileA) functions. The identified commands are shown below:

exe   - download and execute file
wtf   - stop attacks
dd1   - GET Flood using WinSock
dc1   - AntiCookie GET Flood using WinSockds1   - Slow GET Flood using WinSock
dd2   - POST Flood Using WinSock
dd3   - GET Flood Using WinInet
dd4   - POST Flood Using WinInet
dd5   - ICMP Flood Using WinSock
dd6   - UDP Flood Using WinSock
dd7   - HTTP Flood Using URLDownloadToFileA

The POST and UDP floods both support specification of flood text by appending ‘@@@’ and then the flood text (default is ‘flud_text’). The Cookie recognition code will look for document.cookie and cookies specified of the form ["cookie","realauth=<value>","location"] and attempt to parse the value out.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060731 Firefox/1.5.0.5 Flock/0.7.4.1
Mozilla/5.0 (X11; U; Linux 2.4.2-2 i586; en-US; m18) Gecko/20010131 Netscape6/6.01
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.2; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.6) Gecko/20011128
Mozilla/4.0 (MobilePhone SCP-5500/US/1.0) NetFront/3.0 MMP/2.0 (compatible; Googlebot/2.1; http://www.google.com/bot.html)
Mozilla/4.0 (Windows; U; Windows NT 6.1; nl; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Mozilla/4.0 (Windows NT 5.1; U; en) Presto/2.5.22 Version/10.50
Mozilla/4.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020326
Opera/10.80 (SunOS 5.8 sun4u; U) Opera 10.8 [en]

The flood template for the WinSock POST request is below, note that the Referer and Cookie headers are only included in the attack if there are referer and cookie values. The user-agent will be incrementally selected from the list above (although the AntiCookie code has a small bug :) ). The WinSock GET and AntiCookie GET attacks use similar templates sans the POST data and of course with the GET HTTP verb instead of POST HTTP verb.

POST <uri> HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Host: <target>
Content-Length: <length>
User-Agent: <user-agent from list>
Referer: <referer>
Cookie: <cookie>
Cache-Control: no-cache
Connection: Keep-Alive

<post data>

The Slow GET flood only sends the GET request and a Host header, sleeps for 100 milliseconds, and then send the rnrn to finish the request.

The UDP and ICMP floods are pretty standard compared to most other DDoS bots. The download and execute command functionality has been used sparingly from the CnCs that we have tracked, except for….

Playing with Madness

Sometimes a botnet admin mistakenly gives you an FTP download link with server credentials that allows for retrieval of an intact panel that includes credentials for the admin area of the web panel. Fortunately, this admin only had a total of 10 bots and at least 3 of those were researchers :). There’s not much more to the admin panel than what is showed in the screenshot below:

Madness Panel 1.13

Madness Panel 1.13

Madness Symbols

Madness Symbols

Sometimes the malware author forgets to run ‘strip’ on the binaries he’s generating for customers and these end up in my hands. Unfortunately not until after I had finished my initial reversing, but I was able to validate my analysis and also investigate identify a few things I had not noticed before. One of the interesting things that was not referenced in any calls in that version (and has been since – now the dc1 attack) was the WinSockGetAntiCookies function and in the latest 1.15 version.

We’ve also had Madness in our botnet tracking system for a number of months and have some interesting data on some of the sites that have been targeted. One of the most popular targets appears to be the ”underground” forum fuckav.ru, but the botnets do not appear to be very large as the availability of the site does not appear to be affected very much. The locations of the CnCs tracked are fairly geographically disparate –  locations that we have found CnCs hosted include the United States, Russia, Slovakia, Netherlands, and France.

Conclusion

Given the breadth of the DDoS attacks available in Madness and the ability to attack large numbers of targets at the same time, it does not appear that Madness will be going away anytime soon in the DDoS space. A number of very active CnCs have been observed so far, and we can only expect to see more in the future.

Related MD5:
cc303da2c4b7a031d578c1dbf5af1970
027dcd2e6d231598c47557bdea98843d
60c77216bfcc21a2b993ca7e688f5b20
df99277fb3946c0327f10dc1c501452c
3fb38453a63dca35c0e751a709485e2b
32187e96c5af1177c35813c17302babf

Comments are closed