Healthcare.gov ‘DoS’ Tool

By: Marc Eisenbarth -

The roll out of the Healthcare.gov site in the United States has been met with a significant amount of news coverage.  Reports have indicated that the site has been inaccessible to some people when they have attempted to visit it.  ASERT has no direct knowledge of any significant denial of service attacks directed towards the site.  However, ASERT has recently found one tool that is designed to overload the webpage.

The standalone tool is written in Delphi and performs layer seven requests to get the healthcare.gov webpage.  The tool alternates between requesting the following URLs:

https://www.healthcare.gov
https://www.healthcare.gov/contact-us

A screenshot of the tool follows:

ObamaCare_screenShot

As we see in the call-graph below, the request rate, the non-distributed attack architecture and many other limitations make this tool unlikely to succeed in affecting the availability of the healthcare.gov site.  It appears this application is available for download from a few a sources and has been mentioned on social media.

Obamacare_IDAScreenShot

ASERT has no information on the active use of this software.  ASERT has seen site specific denial of service tools in the past related to topics of social or political interest.  This application continues a trend ASERT is seeing with denial of service attacks being used as a means of retaliation against a policy, legal rulings or government actions.

Example MD5: eb0b51567b383ac26eaec23861ea5282

Estonia, six years later

By: Dan Holden -

In April 2007, the Estonian government decided to relocate the Bronze Warrior, a Soviet World War II memorial located in Tallinn, as well as the remains of some Soviet WWII soldiers buried nearby.

This decision caused great offense in Russia, starting at the top. Russian president Vladimir Putin said, “I find that this is an absolutely short-sighted policy, extremist-nationalist, which does not take into consideration the history connected with the fight against Nazism or today’s reality.”

Russia’s foreign minister Sergei Lavrov said Estonia had a “blasphemous attitude towards the memory of those who struggled against fascism.”

Within weeks, the country of Estonia was offline, taken down by a botnet-fueled distributed denial of service (DDoS) attack. This attack impacted both the government and the private sector.

The attacks begin….

Within days of the Estonian government decision, a series of sustained DDoS attacks against Estonian Web properties began.

Estonia’s defense minister at the time, Jaak Aaviksoo, told Wired Magazine:

The attacks were aimed at the essential electronic infrastructure of the Republic of Estonia,” Aaviksoo tells me later. “All major commercial banks, telcos, media outlets, and name servers — the phone books of the Internet — felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation.”

Two weeks into the attack, Arbor Networks senior security researcher at that time Jose Nazario posted a detailed analysis on our blog, writing,

“All in all, someone is very, very deliberate in putting the hurt on Estonia, and this kind of thing is only going to get more severe in the coming years.”

Within the first two weeks, our Internet-wide threat monitoring system, ATLAS, saw at least 128 separate attacks on nine different Web sites in the country, including 35 attacks against the Estonian police, another 35 attacks against the Ministry of Finance and 36 against the Estonian parliament, Prime Minister as well as other general government Web properties.

  • Attack bandwidths ranged from under 10 Mbps to 95 Mbps, with the majority in the 10-30 Mbps range
  • 75 percent lasted no longer than one hour and 5.5 percent, over 10 hours

So does the speculation….

A high profile disagreement between leaders of Estonia and Russia, followed immediately by a cyber-attack against Estonian Web sites? Well, that can only mean one thing, CYBERWAR!!!

Headlines from May 2007:

Estonia: Ground Zero for World’s First Cyber War?

Estonia hit by ‘Moscow cyber war’

Russia accused of unleashing cyberwar to disable Estonia

Slippery Slopes: Attribution and Semantics

One thing that certainly has not changed since the Estonia incident is that hurried analysis, and attempts at instant attribution, are very rarely accurate.

While the headlines said “cyberwar,” the data that we saw at the time said something else, and that is digital attribution regardless of motive can be extremely difficult. These attacks, like many before and since, were widely distributed around the world. In fact, many of the attacks originated from the United States and elsewhere. There was significant chatter and sharing of attack tools on Russian language Web sites.

Arbor’s ATLAS system and subsequent analysis showed signs of Russian nationalism at work, but no Russian government connection. The sources we analyzed from around the world did not show a clear line from Moscow to Tallinn; instead, it was from everywhere around the world to Estonia. Additionally, we noted at the time that targets were high-profile Web properties, not critical national infrastructure.

As so often happens, after the flurry of initial speculation, the facts settle and the truth comes out, and usually with more than a little snark.

wired

Estonia ‘Cyberwar’ Wasn’t

Sadly, this dashes THREAT LEVEL’s hopes of seeing our own made up infowar term on a CNN graphic.  Since we put it out a week ago, a few more hyperbolic cyberterror gems have surfaced in the coverage of the Estonia packet floods — The First War in Cyberspace!The Future Of Warfare! (exclamation points added) — but the only writer to adopt our Cybarmageddon! was Bruce Sterling.  We’ll let you know if it turns up in his next novel.

There is also a lot of confusion around the term “cyberwar.” What does that mean exactly? One country attacking another seems obvious, but in what respects, what targets, and to what degree? What about when a country leverages experts in the field, as it would with defense contractors, to develop tools and capabilities? Just as there is collaboration between the government and the private sector to develop traditional defense systems and hardware, we must by now realize that the same type of public-private collaboration is happening around the world with regard to cyber capabilities, both defensive and offensive.

I’ll leave the question of what defines a “cyberwar” for others with more patience than I to wax intellectual. What I do know is that geopolitics absolutely shapes the threat landscape and the Internet as we know it today.

Regardless of terminology, we have seen some high profile stories since Estonia. Here are but a few examples that we know about:

April 27, 2007: Attacks on Estonia begin

Week of June 15, 2008Ukraine put under DDoS attack due to NATO protests

August 5, 2008, three days before Georgia launched its invasion of South Ossetia, the Web sites for OSInform News Agency and OSRadio were hacked. Arbor estimates these attacks were in the 814 Mbps range, significantly (at that time) larger than the Estonian DDoS attacks the year before. 

December, 2008 – January, 2009: Israel launched an attack named Operation Cast Lead against the Palestine National Authority. The fighting between the Israeli Defense Forces and Hamas included cyber-attacks against government Web sites and media outlets and involved both State and Non-State actors.

December, 2009 – April, 2010: In the months of unrest leading up to Kyrgyzstan’s second Tulip revolution, the technical unit of Kyrgyzstan intelligence cracked the email account of Gennady Pavlyuk, a leading dissident journalist, to obtain specific data on a project of his, then lured him to Kazakhstan under the pretense of meeting angel investors and killed him.

June 2010: Iran was the victim of a cyber attack when its nuclear facility in Natanz was infiltrated by the now very well-known cyber-worm ‘Stuxnet’.

November 2, 2010: Burma was the victim of a cyber-attack caused by a rapidly escalating, large-scale DDoS  attack targeting Burma’s main Internet provider, the Ministry of Post and Telecommunication (MPT), disrupting most network traffic in and out of the country.

January 2011: Tunisia’s Jasmine Revolution which resulted in the overthrow of a corrupt government, included violent protests and the hacking of user names and passwords for the entire online population of Tunisia by AMMAR, the country’s government-run Internet Services Provider (ISP).

January-February 2011: Egypt and Libya are taken offline entirely by their governments.

June 2011: Chinese and Vietnamese attackers started a cyber war over the territorial dispute on the ownership of the Spratly Islands in the South China Sea. 200 Vietnamese Web sites were attacked in June, and 10 percent of those Web sites were managed by government agencies; the attack disabled all the links on these Web sites and placed China’s flag at the center of the page.

March 20, 2013: S. Korean is targeted by N. Korea in series of cyberattacks and impacting 48,000 computers and servers, hampering banks for two to five days.

April 21, 2013: The U.S. military is increasing its budget for cyber warfare and expanding its offensive capabilities, including the ability to blind an enemy’s radar or shut down its command systems in the event of war, according to two defense officials.

May 2013: A new wave of attacked targeting U.S. energy companies begins, rumored to be driven out of the Middle East. Unlike typical cyberattacks that attempt to obtain confidential information, steal trade secrets and gain competitive advantage, these new attacks seek to destroy data or to manipulate industrial machinery and take over or shut down the networks that deliver energy or run industrial processes.

Again, I’ll leave it to others to debate the semantics of cyberwar. What I do know is that cyberspace is a legitimate battle space. The ongoing attacks against global financial services firms are a great example of how this impacts our business and day-to-day lives. Those attacks have been sustained for over six months, with no end in sight. They are being funded at some level, by someone or some group with very serious motivation that would be difficult to keep going with what we know of traditional hacktivism. We can speculate all day long about who might be behind these attacks but I’d suggest we leave that to others and focus on learning lessons and building better defenses. In this changing geo-political driven environment, understanding the ‘who’ can be near impossible with only digital attribution, but attempting to understand the potential motivation behind attacks can help to better gauge risk to your organization. What has really changed since Estonia? The fact that this type of attack today wouldn’t be nearly as surprising as it was in 2007.

 

Lessons learned from the U.S. financial services DDoS attacks

By: Arbor Networks -

By Dan Holden and Curt Wilson of Arbor’s Security Engineering & Response Team (ASERT)

During the months of September and October we witnessed targeted and very serious DDoS attacks against U.S. based financial institutions. They were very much premeditated, focused, advertised before the fact, and executed to the letter.

In the case of the September 2012 DDoS attack series, many compromised PHP Web applications were used as bots in the attacks. Additionally, many WordPress sites, often using the out-of-date TimThumb plugin, were being compromised around the same time. Joomla and other PHP-based applications were also compromised. Unmaintained sites running out-of-date extensions are easy targets and the attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools. Attackers connect to the compromised webservers hosting the tools directly or through intermediate servers/proxies/scripts and issue attack commands. In the September 2012 attacks there were several PHP based tools used, the most prominent of which was “Brobot” along with two other tools, KamiKaze and AMOS which were used a bit less often.  Brobot has also been referred to as “itsoknoproblembro”.

The attack tactics observered were a mix of application layer attacks on HTTP, HTTPS and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP and other IP protocols. The other obvious and uncommon factor at play was the launch of simultaneous attacks, at high bandwidth, to multiple companies in the same vertical.

On December 10, 2012 the group claiming responsibility for the prior attacks, the Izz ad-Din al-Qassam Cyber Fighters announced “Phase 2 Operation Ababil”.  A new wave of attacks were announced on their Pastebin page:  which described their targets as follows:

“Continually, the goals under attacks of this week are including: U.S. Bancorp, JPMorgan Chase&co, Bank of America, PNC Financial Services Group, SunTrust Banks, Inc.”

On December 11, 2012, attacks on several of these victims were observed. Some attacks looked similar in construction to Brobot v1, however there is a newly crafted DNS packet attack and a few other attack changes in Brobot v2.

These attacks have shown why DDoS continues to be such a popular and effective attack vector. Yes, DDoS can take the form of very large attacks. In fact, some of this week’s attacks have been as large as 60Gbps. What makes these attacks so significant is not their size, but the fact that the attacks are quite focused, part of an ongoing campaign, and like most DDoS attacks quite public. These attacks utilize multiple targets, from network infrastructure to Web applications.

Lessons Learned

While there has been much speculation about who is behind these attacks, our focus is less on the who or why, but how we can successfully defend. There are multiple lessons to be learned from these attacks, by everyone involved – the targeted enterprises, their managed security providers, Website and Web application administrators, and the vendor community.

For enterprises, it is clear that typical perimeter defenses such as firewalls and IPS are not effective when dealing with DDoS attacks, as each technology inline to the target is actually a potential bottleneck. These devices can be an important part of a layered defense strategy but they were built for problems far different than today’s complex DDoS threat. Given the complexity of today’s threat landscape, and the nature of application layer attacks, it is increasingly clear that enterprises need better visibility and control over their networks which require a purpose built, on-premise DDoS mitigation solution. This could sound self-serving, however, visibility into a DDoS attack needs to be far better than the first report of your Website or critical business asset going down. Without real-time knowledge of the attack, defense and recovery becomes increasingly difficult.

For providers of managed security services, they have begun to evaluate their deployments and mitigation capacity. These attacks were unique in that they targeted multiple organizations within the same vertical, putting a strain on the capacity of provider’s cloud-based mitigation services.

What these attacks have continued to demonstrate is that DDoS will continue to be a popular and increasingly complex attack vector. DDoS is no longer simply a network issue, but is increasingly a feature or additional aspect of other threats. The motivation of modern attackers can be singular, but the threat landscape continues to become more complex and mixes various threats to increase the likelihood of success. There have certainly been cases where the MSSP was successful at mitigating against an attack but the target Website still went down due to  corruption of the underlying application and data. In order to defend networks today, enterprises need to deploy DDoS security in multiple layers, from the perimeter of their network to the provider cloud, and ensure that on-premise equipment can work in harmony with provider networks for effective and robust attack mitigation.

 

DDoS attacks targeting traditional telecom systems

By: cwilson -

DDoS affects many types of systems. Some have used the term TDoS to refer to DDoS or DoS attacks on telecommunications systems (Telecommunications Denial of Service).  This is just another application for a DDoS attack, and was mentioned in 2010 by law enforcement and since discussed on a variety of blogs. Typical motives can be anything from revenge, extortion, political/ideological, and distraction from a larger set of financial crimes.  Just as we’ve seen the Dirt Jumper bot used to create distractions by launching DDoS attacks upon financial institutions and financial infrastructure at the same time that fraud is taking place (with the Zeus Trojan, or other banking malware or other attack technique), DDoS aimed at telecommunications is being used to create distractions that allows other crimes to go unnoticed for a longer period.

Recently, ASERT came across a few advertisements for traditional DDoS services that also included phone attack services starting at $20 per day. Screenshot (translated from Russian):

 

The original advertisement was posted around the end of 2011. On June 27 2012 the DDoS service provider placed another advertisement focusing only on the telephone flooding capabilities:

Another DDoS provider has advertised this at $30 per hour:

And a third provider also advertising such attacks charges $5 per hour, $20 for 10 hours, and $40 per day (roughly translated from Russian).

When discussing a recent ideological telecommunications-based DDoS attack upon a law enforcement entity around April of 2012, the attackers revealed some details about their approach. In that case, their attack script was based around Asterisk and put to use on a compromised server.

ASERT has helped mitigate SIP flooding attacks on several occasions. Often, SIP flooding attacks take place because attackers are running brute-force password guessing scripts that overwhelm the processing capabilities of the SIP device, but we have also seen pure flooding attacks on SIP servers. Once the attackers obtain credentials into a VoIP or other PBX system, that system can become a pawn in their money-making scheme to perform DoS, Vishing, or other types of attacks. Default credentials are one of the security weaknesses that the attackers leverage to gain access to the VoIP/PBX systems, so organizations should ensure that their telecommunications systems credentials are strong enough to resist brute force attack, and that the ability to reach the telephone system is limited as much as possible in order to reduce the attack surface and convince the attacker to move on to the next victim.

In other instances, I have seen telephone systems connected to the Internet that were very brittle – even a simple port scan could bring them to their knees quickly. In such cases, an attacker could bring down an organizations phone system quickly if they were able to reach the controller. The benefits of proactive security testing can help identify such brittle systems ahead of time, before an attacker might latch onto the vulnerability.

Any system is subject to availability attacks at any point where an application layer or other processor-intensive operation exists as well as the networks that supply these systems via link saturation and state-table exhaustion. Telecommunications systems are no exception to this principle, as we have seen. Clearly, there is money to be made in the underground economy or these services would not be advertised.

Thanks to Roland Dobbins of Arbor ASERT for operational insight.

References:

http://www.fbi.gov/newark/press-releases/2010/nk051110.htm

http://voipsecurityblog.typepad.com/marks_voip_security_blog/telephony-dos/

It’s not the end of the world: DarkComet misses by a mile

By: jedwards -

This blog post is the fourth installment in our ongoing series of articles exploring the crypto systems commonly found in various DDoS malware families.  Previous subjects have included Armageddon, Khan (now believed to be a very close “cousin” of Dirt Jumper version 5), and PonyDOS.  Today we’ll be diving deep into the details of the DarkComet RAT’s crypto.  Over the last several months, we have encountered a large number of unique DarkComet samples – over a thousand and counting.  DarkComet, also known as Trojan.Fynloski, is primarily a general purpose remote access trojan (RAT). It’s capabilities support quite an extensive laundry list of mischief, including but not limited to key logging, web cam (and sound card) spying, deleting victim files, scanning ports, hijacking MSN sessions, etc.

 

Above and beyond these standard RAT features designed for general purpose mayhem, the malware includes DDoS capabilities as well – hence our interest in reversing its communications so that we can keep tabs on whom the DarkComet botnets are attacking.  In fact, it is believed to have recently been used as a DDoS weapon by supporters of the Syrian regime against opposition forces in the ongoing Syrian uprisings; TrendMicro has a nice article on this topic.

This article builds on the reversing work documented in the excellent DarkComet analysis by Laura Aylward of Contextis.  The report provides a full description of the important disassembly blocks that implement DarkComet crypto and, as usual, a Python module for encrypting and decrypting DarkComet communications.  Conceptually, the core encryption engine used by DarkComet is very similar to that used by PonyDOS, although there are some important differences in terms of key strings, and DarkComet lacks the cryptographic hashing steps used by PonyDOS.

As described in the report, DarkComet supports the use of a custom password to secure its bot-to-C&C communications.  When a new bot binary is built, this password is encrypted using a standard key string which varies with each version of DarkComet; for example, version 2 uses #KCMDDC2#-890, version 5 uses the string #KCMDDC5#-890, etc.  The encrypted password is stored as a resource named PWD; other important bot parameters are also encrypted and stored as resources, such as the C&C server hostname and port (in the NETDATA resource) and the server ID (in the SID resource.)

Upon initialization, a DarkComet bot will use its standard (version-specific) key string to decrypt these resources.  Once it has decrypted the PWD resource, it will append this custom botnet-specific password to the standard key string to yield the final key that is used for securing communications with its C&C.  So for example, a version 5 DarkComet botnet that uses the default password (0123456789), would end up using #KCMDDC2#-8900123456789 as its comms key.  If the botmaster chooses to not provide a password when building his/her bot binary, the comms will be encrypted using just the standard version-specific key.

The encryption mechanism used by DarkComet is relatively decent compared to many other malware families; alas, the same cannot be said of its DDoS technology.  Due to several catastrophic bugs in DarkComet’s HTTP flooding routines, described in detail in the report, the malware’s DDOSHTTPFLOOD application layer attack does not even manage to come close to producing RFC-compliant HTTP flooding requests.  Instead, the traffic it generates is essentially equivalent to a very weak volumetric TCP flood.

A complete review of the crypto system used by DarkComet, with Python re-implementation, is available here:

Report: It’s not the end of the world:  DarkComet misses by a mile

This completes the fourth installment in our ongoing series on breaking the crypto systems used by contemporary DDoS malware families.

DDoS Attacks in Russia Added to Protests

By: Jose -

2011, and now 2012, appear to be years of major populist protests regarding political processes around the world. Russia is no different. News reports of protests in the streets of Moscow have been increasing, with protesters demanding election reforms and fairness. It is in this backdrop that we’re seeing DDoS attacks against some websites.

A recent BBC News story on Russian protests about upcoming elections caused me to go looking in our database for domestic DDoS attacks within Russia on sympathetic sites calling for election changes. We’ve seen this sort of thing in the past, specifically in the 2009 run-up to the elections where opponents to Putin and Medvedev were attacked, so it seems natural to expect it this time.

Inspection of our botnet tracking logs from Project Bladerunner show multiple sites under attack recently that appear to be politically motivated. Four are news sites (three belong to journalufa). The other is a candidates site, and all attacks are ongoing. The botnets here are Dirt Jumper and Black Energy. Despite press that the radio station Echo Moscow is getting political pressure for it’s pro-change reporting, we haven’t yet seen their properties struck by attacks as we have in the past.

First seen

Last seen

Target Host

2012-02-14 22:57:53 2012-02-15 10:58:01 www.muhamediarov.ru
2012-02-14 06:58:24 2012-02-14 06:58:25 journalufa.livejournal.com
2012-02-14 06:58:22 2012-02-14 06:58:24 journalufa.wordpress.com
2012-02-10 06:58:50 2012-02-15 10:57:59 cik-ufa.ru
2011-09-29 12:28:32 2012-02-15 10:58:01 journalufa.com

As you can see from the following screenshots taken today, two of the sites are accessible, but one of them notes that it’s under attack.

CIK-UFA under attack

Journal UFA under attack

The botnets behind these attacks have been actively involved in many DDoS attacks in recent weeks, some of which are on commercial properties, and some of which are on news sites. These appear to be their most overtly political targets. In short, these do not appear to be purpose built for political attacks.

We’re keeping an eye on this situation, expecting it to continue or get worse as the elections approach on March 4.

Attack of the Shuriken: Many Hands, Many Weapons

By: cwilson -

A visual sample of Distributed Denial of Service (DDoS or DoS) attack tools & services compiled by Curt Wilson – Research Analyst, Arbor Networks ASERT

There are a variety of popular Denial of Service attack tools that have received a fair amount of attention by the security research community, but there are many other attack tools in existence that have been developed in the last few years. A visual review of some of the popular and less popular attack tools will be provided here.

We will cover both simple and complex contemporary and historical threats – showing a sample ranging from single user flooding tools, small host booters, shell booters, Remote Access Trojans (RATs) with flooding capabilities, simple DDoS bots, complex DDoS bots and some commercial DDoS services. Many types of threats can be blended into any given tool in order to make the tool more attractive and financially lucrative.

The DDoS threat to enterprises and network providers is obviously more severe from professionally coded bots with a variety of stealthy attributes and their corresponding commercial flooding services, while the small projects coded by amateurs pose less of a threat. However even many of the small-time “host booters” profiled here – typically designed to flood a single gaming user’s IP address and knock them out of the game- often have Remote Access Trojan functionality to perform actions such as password theft, download and execute other malware, sniff keystrokes and perform other malicious activities. In addition to the threats to confidentiality, the author has seen these simple flooding tools (such as a host booter) take down enterprise-class firewalls from either side of the firewall due to state table exhaustion. At the other end of the spectrum, the commercial DDoS services are running full-steam, with a variety of service offerings easily available. While there are numerous motives for DDoS such as revenge, extortion, competitive advantage and protest, many of the commercial DDoS services emphasize competitive advantage with wording devoted to taking down a competitor. More troubling is the recently reported distracting use of DDoS to flood networks after financial theft has been performed via a banking Trojan in order to allow the thieves extended access to the loot. Within this diverse landscape, we are aware of many ongoing attacks from large widely distributed DDoS botnets.

We will start with the simpler threats, move through intermediate threats to the more complex and advanced bots and botnets, and finally wrap up with some indicators of various commercial DDoS service offerings.

Fg Power DDOSER

This tool is primarily a “hostbooter” and is aimed at giving unscrupulous gamers an advantage by flooding opponents with traffic. HTTP flooding capabilities may be effective at bringing down unprotected websites as well. A Firefox password stealer is also included, which can be very deadly as people re-use passwords all the time.

Fg Power DDOSERFg Power DDOSER

GB DDoSeR v3

This tool is advertised as a booter and delivers a TCP or UDP stream of characters of the attacker’s choice towards a victim IP/host and port. This simple bot is written in Visual Basic.

GB DDOSER

Silent-DDoSer

This Visual Basic tool offers attack types “UDP”, “SYN” and “HTTP”. All appear to send a basic user-specified flood string. Silent-DDoSer utilizes triple-DES and RC4 encryption, IPv6 capabilities, and password stealing functions.

Silent-DDoSer

Silent-DDoSer

Drop-Dead DDoS

This tool is one example of a Runescaper booter. While I am not a gamer, the opportunity to make real-world money through the virtual economies of gaming worlds may have help make such tools popular.

Drop-Dead DDoS

D.NET DDoSeR

This tool is again aimed at the Runescape audience, but also features SYN and HTTP flooding. The floods in this case are just poorly formed garbage characters randomly generated. This particular screenshot only has one connected bot.

D.NET DDoSeR

Positve’s xDDoSeR

Like anything flooding port 3074, this is an Xbox booter application, designed to boot users off to generate an unfair advantage. This particular screenshot shows no connected bots.

Positve’s xDDoSeR

Sniff DDoSer

This one was announced on a forum and appears to be written in .NET. The default operation appears targeted towards Xbox flooding. We can also see some of the typical anti-detection mechanisms at play in the builder screen.

Positve’s xDDoSeR

SniFF DDoS

Darth DDoSeR v2

Another tool aimed at Xbox booting, at least in this screenshot. The flood in this case looks like a “SSYN” type, which is slightly different than many other host booters that appear to use UDP by default.

Darth DDoSeR

Net-Weave

Net-Weave is one of the many bots that appeared in our malware collection in mid-2011. It is a booter/bot and backdoor written in .NET and features the typical array of malware functionality including download and execute, USB spreading capabilities, TCP connection exhaustion flood, UDP flood, and a crude port 80 flood instantiated with a .NET Socket call.

Net-Weave

Malevolent DDoSeR

The source code for a version of this leaked some time back. The server is written in C++ and the client is written in Visual Basic. It appears to offer only download and execute and UDP flooding attacks. We show a server screenshot, and a developer’s viewpoint screenshot, obtained from various forums.

Malevolent DDoSeR

Malevolent DDoSeR

HypoCrite

HypoCrite is a Visual Basic host booter apparently on version 4 and offers the ability to steal MSN passwords in addition to providing basic flooding capabilities.

HypoCrite

Host Booter v5.7

This booter features several flooding attacks including the popular Slowloris attack style. The features are listed as:

UDP (UDP flood), Port (Blocks connections on that port), HTTP (For websites), Slowloris (For websites),

Bandwidth Drain (Put a direct link for a .exe or any other file), Send Command To All / Send Stop To All (Execute or End your command), Ports: 25 / 80 / 445 / 3074 / 27015 (Ports you can choose from, you can use your own), Sockets: [1-250] (How many sockets you will use), Seconds: [1-60] (How many seconds you wish your attack to be enabled for), Minutes: [1-59] (How many minutes you wish your attack to be enabled for), Size (KB) Packet size for UDP, Delay (MS) Time between sending a packet

Connect (MS) Reconnect sockets, Timeout (MS) Connection timeout

Host Booter

AlbaDDoS

It appears that the author of this DDoS tool is also involved in defacing websites.

AlbaDDoS

Manta d0s v1.0

The author of this tool, Puridee, has also written multiple other tools including the “Good-Bye” DoS tool.

Manta d0s

Good Bye v3.0

The Good-Bye tools appear to be simple HTTP flooding tools that have no DDoS or botnet capability.

Good Bye DoS

Good Bye v5.0

Good Bye

Black Peace Group DDoser

Little additional information was found about this particular tool.

Black Peace Group

Now we’ll look at a couple of “shell booters” that utilize hijacked web applications to perform flooding attacks. While these have been well documented in the past, shell booters typically leverage a number of compromised web applications where an attacker has typically installed a PHP webshell. Sometimes, these webshells may exist on high bandwidth networks, which can amplify the force of the attack significantly. Private webshells are worth more, and lists of webshells can be purchased. Some generic webshells are x32, greenshell, PsYChOTiiC, shell, mouss, Supershell, venom, atomic, and many others. There are other shells specifically created for ddos, such as ddos.php. A webshell can of course be named anything, but these names are common.

PHPDoS

PHPDoS

TWBOOTER

This screenshot shows 235 shells online.  An update from about a year ago says “Releasing twBooter Web Version today! Might have slowloris and http tonight, but I’ll be releasing without.” Incidentally, someone using the nick “twbooter” was seen selling flooding services via chat.

TWBooter

Gray Pigeon RAT

This is a screenshot from the Gray Pigeon Remote Access Trojan (RAT). In this screenshot, the attacker appears to have three bots online but has filtered the list to show only bots from Beijing, China. Gray Pigeon is well known for its RAT capabilities but it also has DDoS features as well. There are many DDoS bots using Chinese language sets and operating from within the Chinese IP address space. Some of these have been profiled by Jeff Edwards of Arbor Networks ASERT in the past. A great deal of code sharing takes place among the Chinese DDoS bot families that we have analyzed.

Gray Pigeon RAT

DarkComet RAT aka Fynloski

DarkComet is freeware and easily available to anyone. While it features a variety of flooding types, these are an afterthought compared to its main Remote Access Trojan functions which are significant. The binaries for this threat are often called Fynloski.

DarkComet RAT aka Fynloski

MP-DDoser v 1.3

MP-DDoser is a relatively new threat, coming to our attention in December 2011. It supports UDP, TCP connection flood, and HTTP attacks. Marketing materials and the GUI for this bot claim that it supports a slowloris style attack.  Despite these claims, ASERT analysis indicates that the slowloris attack does not function.

MP-DDoser

DarkShell

Darkshell is popular among the Chinese DDoS bot families and features a variety of attack types. Included are three distinct HTTP attacks, two types of TCP flooding attacks, two UDP floods, ICMP flood, SYN flood, TCP connection exhaustion and TCP idle attack types. For extensive details on the Darkshell bot, please see the excellent analysis by ASERT’s Jeff Edwards at /asert/2011/01/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/

DarkShell

Warbot

This is the warbot web based control panel. Commands are ddos.http (seen here), ddos.tcp and ddos.udp.

Warbot

Janidos

Without a license key, Janidos runs as a “weak edition”. This version offers to the opportunity to toggle through a variety of User-Agent values during an HTTP DDoS attack. Janidos appears to be of Turkish origin.

Janidos

Aldi Bot

This is an inexpensive bot that showed up late in 2011. It was interesting to see InfinityBot downloaded and executed from one Aldi Bot node that I was analyzing. Some forums suggest that Aldi Bot is not very good quality. For more information about Aldi Bot, please see an analysis and writeup at /asert/2011/10/ddos-aldi-bot/

Aldi Bot

Aldi Bot

Infinity Bot

Infinity Bot was seen being downloaded in the wild by an Aldi Bot instance in September 2011. A demonstration video posted October 4 2011 on YouTube shows Infinity-Bot being used to DDoS the Pentagon website and shows approximately 15,000 bots on the botnet with the highest concentration of bots being in Germany, Netherlands, Austria and Switzerland.

Infinity Bot

Infinity Bot

N0PE

The n0pe bot is written in .NET. Here is a screenshot of the control panel that demonstrates its attack types. N0pe appears to be Russian in origin.

N0PE

Darkness (prior to Darkness X)

This is a banner used to advertise the Russian Darkness bot. Darkness connects to a back-end called Optima. Darkness appears to be popular and used in commercial DDoS services.

Darkness

Darkness X

Darkness X is the 10th version (10a being the latest) of the Darkness bot. The following advertising graphic was used in various forums. Prices have been seen ranging from $499 to $999, depending upon what features are requested. Darkness X includes newly developed plugin architecture.

N0PEDarkness X

Optima – DarknessX control panel

The Optima control panel for DarknessX (aka “Destination Darkness Outcast System & Optima control panel”) has been explored in other forums and looks something like this, as of October 2011.

Optima – DarknessX control panel

Dedal

Dedal has been mentioned in Russian underground forums describing commercial DDoS services. Dedal has been seen to utilize three types of attack – TCP, UDP and HTTP GET. The HTTP GET attack looks very similar to another bot, implying code-sharing or swiping.

Dedal

Russkill

Russkill is another Russian bot that has undergone some evolution and is commonly mentioned in commercial botnet service advertisements. Russkill appears to have evolved into the Dirt Jumper.

Russkill

DirtJumper

Dirt Jumper continues its popularity in the underground DDoS service economy. Dirt Jumper attacks have been widespread. See /asert/2011/08/dirt-jumper-caught/ for a full write-up of this version of Dirt Jumper, and also see the excellent blog entry by DeepEnd Research for a writeup of Dirt Jumper version 3, aka “September” at http://www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html

DirtJumper

Dirt Jumper v3, aka “September”

Thanks to DeepEnd research for this screenshot

DirtJumper

G-Bot aka Piranha

G-Bot has been mentioned many times in various forums in 2011 and seems to be a popular Russian bot. There are indicators that it is used in the commercial DDoS market. It appears that version 2.0 is probably the newest. Around July of 2011, G-Bot source code and customer lists were apparently sold by “westside” to “night”. Development stats currently is unknown. Various versions of the web panel and other artifacts are displayed here. G-Bot is also known as DroopTroop.

G-Bot aka Piranha

G-Bot aka Piranha

G-Bot Builder

G-Bot bot list screenshot

First an older version, then a newer.

G-Bot

The second screenshot appears to be from somewhere around January of 2011 and shows the (obscured) IP addresses of infected hosts, country, and version of G-Bot installed on the host, mostly version 1.4.

G-Bot

G-Bot advertisement for version 2.0

G-Bot Advertisment

A leaked version of G-Bot v1.7 comes with a small .exe encoder and a builder.

Armageddon

The Russian Armageddon bot increased in popularity in mid to late 2011. It has been positioned as a competitor to Dirt Jumper, G-Bot, Darkness/Optima and DeDal. Recent versions of Armageddon allow greater control of attack traffic from within the web panel Command & Control, and also claim to have an “Anti-DDoS” attack style that is said to bypass various Anti-DDoS defenses. Additionally, DoS attacks against specific Apache vulnerabilities have been discussed. Armageddon has been observed performing many attacks including politically motivated attacks in Russia, attacks towards online betting sites, attacks towards forums advertising competing DDoS bot products and more. While Armageddon is heavily involved in HTTP attacks, it has also been seen targeting other services such as Remote Desktop, FTP and SSH.
Armageddon

Commercial DDoS Services

Unique DDoS Service

Unique DDoS Service

WildDDOS

WildDDOS

Death ddos service

Death DDoS Service

FireDDoS

FireDDoS

DDoS-SeRVIS

DDoS-SeRVIS

Beer DDoS

Beer DDoS

Totoro

Totoro

500 Internal DDoS Service

500 Internal DDoS Service

OXIA DDoS Service

OXIA DDoS Service

504 Gateway DDoS Tools

DDoS4Fun

DDoS4Fun

NoName

NoName

Wotter DDoS Service

IceDDoS

IceDDoS

While we have only reviewed a portion of the threat landscape, it is plain to see that DoS/DDoS tools and services are readily available and will continue to evolve in their complexity and effectiveness.

I would like to thank the Arbor ASERT Team and Deepend Research for assistance in developing this blog post.

The MegaUpload Shutdown Effect

By: Jose -

The popular file sharing site MegaUpload was shut down by the US FBI and Department of Justice on Thursday, January 19, and executives from the company were taken into custody. This story is very well covered by the Wall Street Journal and includes a copy of the indictment for your reading.

As you would expect, this was a wildly popular site with users from all over the world. So much so that even notable celebrities appear in a video discussing MegaUpload, almost endorsing it. Previous work by Arbor Networks showed that content providers and hosting sites like MegaUpload are the new “Hyper Giants”. With enough global data, you can actually see the traffic drop when the shutdown occurs. Based strictly on the traffic rates it appears that the shutdown started just after 19:00 GMT on January 19, with traffic plummeting down over the next two hours. The graphic here shows three main client regions – Asia-Pacific, Europe, and the US.

Over the past 24 hours, the top countries (in aggregate) using MegaUpload were the United States, France, Germany, Brazil, Great Britain, Turkey, Italy, and Spain, although dozens more countries are represented.

As for the traffic drop off, we’re not the only ones to notice. As seen on Twitter, South America experienced a dramatic traffic drop at about the same time, presumably due to this MegaUpload shutdown. Furthermore, we’re seeing reports of a fake MegaUpload site that is supposedly a malware infection site.

Friends of mine from elsewhere in the world have been joking that the Internet seems to be running a bit smoother today. That may be, given how much bandwidth appears to have been freed up.

MegaUpload

DDoS Watch: Keeping an Eye on Aldi Bot

By: cwilson -

Background

The intention of this entry is to profile some elements of the Aldi Bot in order to provide value for the security operations community and malware research community.

Aldi Bot is a newer inexpensive DDoS bot that is growing in popularity. Recent data (September 30 2011) suggests that there are at least 50 distinct Aldi bot binaries that have been seen in the wild with 44 unique Command & Control points. We see the bot active in Russia, the Ukraine, the US, and Germany. While it has been stated that Aldi Bot won’t be developed further, the source code has leaked which makes it easy to find and use.

G-Data and others in the security community have discussed this bot in recent weeks. Of special interest to those concerned with availability, Aldi Bot offers HTTP and TCP DDoS capabilities along with Firefox, Pidgin and jDownloader credential theft, the creation of a SOCKS5 proxy and the ability to download and execute malicious code of the attacker’s choice.

To underscore its attack capabilities, Aldi Bot was used to DDoS bka.de, the German federal police website in a demonstration video.

Figure 1 – Aldi Bot demonstration video launching DDoS attack on bka.de

click here to view full size image

All it takes is one bot such as Aldi Bot or other tool such as a Remote Access Trojan (RAT) to provide an attacker a handhold on the inside of an organization that can lead to a much larger security breach. It is now well-known that attacks involving the exfiltration of sensitive data typically start with one smaller compromise that is then leveraged for additional access. Additionally Aldi Bot steals passwords, and passwords are often re-used for convenience even though it is a dangerous practice. Without proper monitoring of system and network activity, such infected nodes can be long-lived and pose significant risk.

Thankfully in this case it seems that the Aldi Bot back-ends aren’t long lasting. Of the list of 41 back-ends that I obtained on September 30, 2011, it appears that only 13 of them were still online as of October 3, 2011.

Detection & uniqueness of threat

The author of Aldi Bot suggests that the bot will not be FUD (fully undetectable) and indeed Aldi Bot’s initial antivirus detection based on a September 22, 2011 analysis of the sample I analyzed (MD5: c903b63346c90d29b0fe711a68a747ba) features a 72.7% detection rate, with four vendors using a term similar to “Aldi Bot” such as “Abot” or “Albot”. The rest of the detections are generic.

http://www.virustotal.com/file-scan/report.html?id=dd29102bd9dc8e6599c38ea6dab9164bc5f072f2de0dc5706f120199c14b8949-1316731656

As antivirus detection can be an indicator that triggers an organizations Incident Response function, responders will have to dig a little deeper in many cases because generic alerts don’t provide much context as to the true nature of the threat. An example of this is a user seeking assistance with an Aldi Bot infection using the default filename “jetzt_kommt_aldi.exe” on September 4, 2011 on a Microsoft forum:

http://answers.microsoft.com/en-us/protect/forum/protect_scanning/jetztkommtaldiexe/27675ad5-45ba-4958-a6db-87b96a57164e?msgId=37b909f4-35f7-4d72-a0e3-a6704207c66b

While it has been speculated that Aldi Bot has borrowed from the Zeus banking Trojan source code release in early 2011, Aldi bot is written in Delphi with a PHP back-end, while Zeus is written in C++ with PHP on the back-end. The only obvious similarity between Zeus and Aldi Bot that I can see at first glance is that both of them tend to use a filename called gate.php on the web-based back-end as a “drop zone” to process stolen data.

Commands

Aldi bot’s commands are as follows:

  • ‘StartHTTP’ – starts an HTTP DDoS attack
  • ‘StartTCP’ – starts a TCP DDoS attack
  • ‘StopHTTPDDoS’ – stops an HTTP DDoS attack
  • ‘StopTCPDDoS’ – stops a TCP DDoS attack
  • ‘StopDDoS’ – apparently stops all DDoS attacks
  • ‘DownloadEx’ – download and execute other code (malware)
  • ‘CreateSocks’ – creates a SOCKS5 proxy
  • ‘StealData’ – trigger password stealing functionality
  • ‘Update’ – updates the bot

Custom User-Agent gets the goods

A potentially useful tidbit of information was found while reverse engineering the bot stub. While looking at an InternetOpenA API call associated with outbound activity, I noticed that a custom User-Agent “Aldi Bot FTW! :D” is used. It should be trivial to monitor for the presence of this string on the network.

push 10h ; dwFlags
push offset szProxyBypass ; lpszProxyBypass
push offset szProxyBypass ; lpszProxy
push 0 ; dwAccessType
push offset aAldiBotFtwD ; "Aldi Bot FTW! :D"
call InternetOpenA

If the wrong User-Agent is sent, then the back-end will not respond. On the wire a request to gate.php from an infected host looks similar to this (values are obscured for security)

Figure 2 – infected host reaching out to back-end at initial infection time

Click here to view full size image

Once the source code for Aldi Bot was obtained, it was easy to find this function:

Figure 3 – Delphi source code indicates custom User-Agent

Click here to view full size iamge

The back-end code that performs this checking was found with a datestamp from August 27, 2011 (the initial announcement for Aldi bot itself was apparently made one day later on an underground forum on August 28, 2011). The PHP code that performs the User-Agent checking is as follows:
function dnSOIAN0EWrU($XbJ41W11sYuW){
$XbJ41W11sYuW=str_replace(' ','',$XbJ41W11sYuW);
$XbJ41W11sYuW=str_replace('x','',$XbJ41W11sYuW);
$XbJ41W11sYPW=pack('H*',$XbJ41W11sYuW);
return $XbJ41W11sYPW;
}
$_SERVER['HTTP_USER_AGENT']!=base64_decode(strrev(dnSOIAN0EWrU(strrev(substr('94320157587b6163524342633157
625c62585943514632514d3d3',-48))))) ? exit(): '';

While decoding what’s going on here would be an interesting exercise, it’s easier just to see what’s happening with a slight modification to echo the expected User-Agent string:
$ua = base64_decode(strrev(dnSOIAN0EWrU(strrev(substr('94320157587b6163524342633157
625c62585943514632514d3d3',-48)))));
echo "Expected User-Agent: [", $ua, "]";

Running the PHP code then displays the expected string:

$ php -f aldi.php
Expected User-Agent: [Aldi Bot FTW! :D]

Analyzing back-end functions and detecting Aldi Bot on the wire

Outbound traffic to the back-end “drop zone” will use an HTTP GET string that looks similar to this:

/gate.php?hwid=&pc=&localip=&winver=

The value for the hwid parameter is uniquely calculated based on the systems hardware. The pc parameter is the PC’s name. The localip parameter is the local IP address of the system and winver is the version of windows installed, with x32 or x64 appended to match a 32 or 64 bit architecture.

When stolen data (only passwords at this time) is exfiltrated, a ‘&steal=’ parameter will be used in the URL that will also include the hwid value as such:
/gate.php?hwid=&steal=
The value passed in the steal parameter will be the type of credential and then the actual password values stolen from the system in the format of URL|User|Pass. Here is the back-end code responsible for storing the stolen credentials:

Figure 4 – PHP code handling stolen credentials

Click here to view full size image

A quick google query as of 10/3/2011 with elements from the gate.php string reveals two obvious infections (both reported for takedown) – one Windows 7 and one Windows XP:

http://<REMOVED>/b0ts4ev3ryb0dy/gate.php/gate.php?hwid=287389320&pc=%EE%E9%EB%EC-PC&localip=192.168.123.100&winver=Windows%207%20Professional%20×32.

http://<REMOVED>.ru/gate.php/gate.php?hwid=2001606274&pc=HOME-OFF-D5F0AC&localip=192.168.102.23&winver=Windows%20XP%20Professional%20×32.

The corresponding PHP back-end code:
//GET
$hwid = safe_xss($_GET['hwid']);
$localip = safe_xss($_GET['localip']);
$pc = safe_xss($_GET['pc']);
$winver = safe_xss($_GET['winver']);

This screenshot of bot statistics from one C&C shows that there were 239 bots online at one point, however only 8 bots were active, making this particular instance of the Aldi botnet very small. This could be due to reasonably good antivirus detection of the bot. The pie chart looks incorrect, however stats indicate that the Netherlands experienced the highest infection rate at 57.7% followed by the US with 10.5%.

Figure 5 – bot stats found on one C&C

Click here to view full size image

While the Aldi Bot source code has since been obtained, at first we only had a binary copy. In that case, the Interactive Delphi Reconstructor (IDR) does a pretty nice analysis job. IDR worked better than IDA or DeDe when working with Aldi Bot.

Figure 6 – IDR analysis of back-end traffic generation

Click here to view full size image

The default names of other Aldi bot back-end webapp components of interest (useful for network monitoring or probing on a C&C) include:
admin/inc
admin/inc/config.php
admin/inc/sess.php
admin/functions.php
admin/login.php
admin/pie.php
admin/index.php
admin/downlogs/
admin/img/aldi.gif
admin/js
admin/uploads/
geoip.php
index.php?id=stats
index.php?id=bots
index.php?id=bots&p=0
index.php?id=tasks
index.php?id=logs
index.php?id=upload
index.php?id=showlogs
index.php?logout

In addition to getting some value from watching for these patterns on the network, a review of back-ends indicates that sometimes certain folders such as admin/inc have directory indexing enabled which makes for an obvious C&C fingerprint.

Other indicators may include the following strings that have been seen in at least one Aldi Bot server-side install:

  • “Aldi Bot – installed by till7”
  • “StealData!” (from a misconfigured server)

The back-end login page looks like this:

Download and Execute in practice

As an example of the possible use for the “DownloadEx” function, a bit of poking at some active Aldi Bot campaign reveals the following:

1) Installation of yet another DDoS bot called Infinity Bot that has HTTP, ICMP, and TCP flooding capabilities.

2) Execution of the dScriptSt4r Anti-Virus Deleter, a simple batch file that tries to disable as many anti-virus applications as possible

3) Secure-Soft Stealer 5.20 that’s designed to steal credentials from the following applications:

  1. Trillian, Pidgin, Vitalwerks dynamic update client, DynDNS updater client, Steam, Opera, Firefox, Safari, jDownloader, Outlook, eMule, BulletProof FTP, Flash FXP, Miranda, Windows key, FileZilla, SmartFTP, MSN, ICQ, CoreFTP, and perhaps others.

Aldi Bot is just another in a long line of DDoS tools, however its inexpensive nature seems to have made it quickly popular. Underground forum posts praise its ability to perform effective DDoS attacks, which may have also contributed to the increase in popularity.

Figure 8 – Aldi Bot graphic from the back-end kit

References:

G Data: Botnets on discount:

http://blog.gdatasoftware.com/blog/article/botnets-on-discount.html

H-Online: Malware for everyone – Aldi Bot at a discount price

http://www.h-online.com/security/news/item/Malware-for-everyone-Aldi-Bot-at-a-discount-price-1346594.html

Aldi Bot – bka.de DDoS video:

http://www.youtube.com/watch?v=UskKFTFVLyI

Thanks to Arbor’s ASERT Team, Damballa and other anonymous contributors for additional data used in this analysis.

Go Back In Time →