Tag Archives: Dirt Jumper (May 2012)

Dirt Jumper DDoS Bot Increasingly Popular

By: Jose

We’ve profiled the Dirt Jumper DDoS bot before and shown its evolution over the years. We then took this analysis into our zoo to see which DDoS bot families are growing in popularity with attackers. The marketplace has opened up significantly (see Curt’s excellent overview of DDoS tools and services) in recent years, and with that comes competition.

In the past few years, the popular kit we saw in our zoo was Black Energy, an easy-to-use, powerful DDoS bot distributed in Russian-language spheres. You could find it on the net for anywhere from $40 to free, depending on how hard you looked. Starting in 2009, Black Energy version 2 was available. It boasted a modular architecture and included banking theft Trojan functionality to augment the DDoS functionality. Another competitor that appeared in this timeframe was Optima, also known as Darkness. It then becomes interesting to look in one’s zoo to see which families are popular at present.

The graphic below is from some quick analysis of our zoo, looking at our automated classification system that tags samples with the appropriate family name. Optima includes the group of Darkness, Optima and Votwup samples we have seen; Black Energy focuses on the BEv1 samples we have seen in the wild, and omits any BEv2 samples we have; Dirt Jumper includes all Russkill variants and Dirt Jumper variants we have seen. What we saw was a bit surprising, namely the rate at which Dirt Jumper samples appear in our zoo and quickly overtake the other families in terms of popularity. This matches anecdotally what we had seen, but the magnitude itself is surprising.

Some ideas as to what is going on:

  • With BEv2, the Black Energy author (back in 2009, when it was being developed and tested) appears to have tried to piggyback on the Zeus and SpyEye craze that was really gathering momentum at the time. Modules to steal from banks would have been a great complement, in theory, but in reality BE targeted DDoS actors who hang out in different forums than the financial thieves. With the notable exception of the Gameover series of attacks, these two groups don’t spend a lot of time together from my own observations.
  • Optima and Darkness make a decent product. I didn’t keep track of pricing or advertising, but their usability, reliability and features all come together to make a great follow-on to the Black Energy model (a kit which includes an easy-to-use web UI and a builder to configure the feature-rich DDoS bot). Why it didn’t take off is really something I can’t explain.
  • Finally, Dirt Jumper’s meteoric rise in popularity in this time frame suggests that the author (and any promoters they have working for them) is doing something right. Features are getting incorporated well, new versions are released, and the bot’s got traction in the community. An alternative explanation is that the leaks we see leading to “unofficial versions” are also classified as DJ and explain the rise.

In this competitive underground world, it’s fascinating to see market forces at work so clearly. Bear in mind that all this popularity leads to attention, both in terms of CnC tracking (and shutdown) and AV detection, which is counter-productive. We’ll see how these guys react to larger responses.

Dirt Jumper Caught in the Act

By: cwilson

Background
In late July 2011, a specific piece of malware came to our attention. Analysis revealed that this particular piece of malware was launching DDoS attacks, and we have direct evidence of a DDoS attack on two Russian websites. One of these was a gaming website, the other was involved in selling a popular smartphone. Further research determined that this malware was also used in attacks on yet another Russian gaming site, test attacks on various other sites, attacks on a large corporation’s load balancer, and a damaging attack on a Russian electronic trading platform.

A comparison of this threat with other threats that we have analyzed resulted in a determination that this is a newer version of the Russkill bot, also known as Dirt Jumper. We suspect that this is version 3 of Dirt Jumper.

The malware infection begins with the loading of a file named vf4e2ad6800e566_2011723171112.exe which at the time of this writing is still online and dangerous. The MD5 of this file is f7c0314fb0fbd52af9d4d721b2c897a2. Using this information, we gain additional insight.

A query of the helpful malc0de.com database reveals the following (WARNING: live malware is referenced from these links as of 8/3/2011 – be careful!)

[Image: malc0de.com database query results for the binary]

(As of 7/29/2011, a file with this name is still online, however the actual file has changed at least once)


Evidence Points to a Financially Motivated Attack
A Google query for the MD5 of the binary revealed a ThreatExpert report, found at http://www.threatexpert.com/report.aspx?md5=f7c0314fb0fbd52af9d4d721b2c897a2, which contains some interesting information. When relevant, ThreatExpert reports contain a section that describes outbound traffic. However, there may not be any obvious distinction between normal traffic and traffic that might be part of a DDoS attack. Therefore, depending on the data-capture capabilities of any given analysis infrastructure, a DDoS flood may not be noticed, as it may appear as a simple outbound connection. Such outbound connections are typically used for Command & Control or to fetch additional malware.

The ThreatExpert report revealed outbound traffic to the following URLs:

http://xzrw0q.com/driver32/update/m_d.php (the Command & Control site – active as of 7/29/2011)

http://etp.roseltorg.ru

The title page of etp.roseltorg.ru translates as such: “A single electronic trading platform – the national operator of electronic trading”. Visits to the site indicate that it was “Created with the assistance of the Government of Moscow”.  I thought this very interesting, since I didn’t expect to see such a site as a malware callback or binary drop site.

Review of contents posted to etp.roseltorg.ru indicated that they were subject to a DDoS attack between July 15 and July 18 2011. The following text is translated from Russian from Google’s cache for http://webcache.googleusercontent.com/search?q=cache:oi5ap9zl6T4J:etp.roseltorg.ru/+etp.roseltorg.ru+ddos&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com

[Image: translated text from Google’s cache of etp.roseltorg.ru describing the DDoS attack]

The ThreatExpert report showing the outbound connection indicated the malware was submitted on July 23 2011, 18:26:05, which does not cleanly overlap with the posted DDoS impact; however, the attacked site may have developed mitigations such as the deployment of anti-DDoS infrastructure or the use of selective ACLs at network chokepoints. Stateful firewalls are often used to deploy ACLs; however, the stateful nature of these devices can turn them into a liability in the event of a large attack, because their state table becomes clogged with bogus requests.

Additional evidence implicating Dirt Jumper in the attack on etp.roseltorg.ru is obtained in a community message left on the VirusTotal site in response to a scan of the same binary file.

http://www.virustotal.com/file-scan/report.html?id=9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440-1311578189

[Image: VirusTotal community message on the scanned binary]

The ThreatExpert report itself also indicates this information:

The data identified by the following URLs was then requested from the remote web server:

  • http://xzrw0q.com/driver32/update/m_d.php
  • http://etp.roseltorg.ru/

An underground forum post shows Dirt Jumper v3 being mentioned on July 4, 2011 as part of a DDoS-for-hire business:

[Image: underground forum post mentioning Dirt Jumper v3]

There are many similar messages on underground forums that indicate a clear market for DDoS services. On August 1, 2011, Brian Krebs wrote an article about this phenomenon in “Digital Hit Men for Hire”: http://krebsonsecurity.com/2011/08/digital-hit-men-for-hire/


A Look at the Command & Control & Webpanel
The attacker, or perhaps those who rent space on the botnet, will login via an authentication panel that looks something like this:

[Image: Dirt Jumper authentication panel]

The HTTP attack web panel for Dirt Jumper looks something like this:

[Image: Dirt Jumper HTTP attack web panel]

We can see here that this particular control panel has (had?) 70,446 bots total but only 668 are online at the time that the screenshot was made.  While this screenshot only shows HTTP flooding capabilities, older screenshots of Russkill control panels showed both HTTP and SYN flood capabilities on the same page.

At least in the older versions of Russkill, the webpage for remote administration can be hidden – given a non-obvious path – in order to discourage easy discovery by researchers, law enforcement or rival botmasters. The “Hide url” feature is visible here in a screen capture of an attack panel from a couple of years ago (thanks to Malware Intelligence for the screenshot):

[Image: older Russkill attack panel showing the “Hide url” feature]

While it is no longer active, we shall soon see that xzrw0q.com was the Command & Control used by this variant of Dirt Jumper. Each infected system makes an outbound connection to the C&C and receives instructions on which sites to attack. Since we know that etp.roseltorg.ru was a victim, it is likely that one other site was also a victim of that particular DDoS attack. It is unknown if there was any actual impact from this attack.

ASERT internal analysis infrastructure provided a packet capture which reveals the following correlation with what we’ve seen so far:

[Image: packet capture of the interaction with the Command & Control server]

This is an interaction with the Command & Control server, which as we can see was located at xzrw0q.com in late July 2011.

According to DomainTools, xzrw0q.com was using IP address 31.192.109.164 and was located in the Russian Federation, hosted by Mir Telematiki Ltd. This domain was associated with malware for some time and other domain names with slight variations have also been used for malicious purposes.

In this transaction, we can see an HTTP POST to /driver32/update/m_d.php passing the data k=<15 digit value, removed>. The server responds back with a pipe-delimited set of values followed by a list of sites to attack (actual site names removed to protect the attacked):

01|300|150http://q**********.net/
http://www.i******.ru

A traffic flood towards these two sites then ensued, with one of the sites appearing to take a harder hit than the other. Attack traffic observed is based on HTTP GET requests.

It appears that when an attack campaign is not executing, the malware will periodically connect back to its C&C and receive the following pipe-delimited values, minus any URLs:

12|300|150

From the change in communications, we can infer that the first value is a command code and that the codes may start with 01 (correlating to an HTTP GET flood) and run through at least 12 (perhaps a keep-alive message). Other research into earlier versions of Russkill showed variations in the command structure; however, those particular structures did not function in the version analyzed here.

The second value sets the number of threads created to launch the attack. For example, a sandboxed bot showed 13 threads when the middle value was 10, and 305 threads during a sandboxed attack using the values 01|300|150http://attacked.com (attacked.com was locally sinkholed). We gain additional insight into the offset of the executing thread as well: svdhalp.exe+0430c is obviously a useful point for analysis.

[Image: thread listing of the sandboxed bot]

POST messages back to the C&C took place every 150 seconds, which likely accounts for the last value.
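To make the inferred task format concrete, here is an added parser for the C&C reply as observed above. This is example code written for this page, not code from the post or from ASERT; it assumes the field interpretation the post infers (command code, thread count, check-in interval in seconds) and uses constructed target URLs in place of the masked ones. The first target is glued directly onto the third field with no delimiter, and the idle reply carries no URLs, so the parser handles both shapes; something of this form is what a sinkhole or network detection rule would use to decode what an infected host was told to do.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Reply layout seen in the capture: "CC|THREADS|INTERVAL" with the first target URL
# appended directly to the third field and further targets on their own lines, e.g.
#   01|300|150http://<target-1>/
#   http://<target-2>
# A reply of "12|300|150" with no URLs was seen while no campaign was running.
HEADER_RE = re.compile(r"^(\d{2})\|(\d+)\|(\d+)(?=https?://|$)")
URL_RE = re.compile(r"https?://\S+")

# Command codes inferred in the post; 12 is assumed to be an idle/keep-alive reply.
CMD_HTTP_GET_FLOOD = "01"
CMD_IDLE = "12"


@dataclass
class BotTask:
    command: str
    threads: int           # the post observed a few extra housekeeping threads on top of this
    interval_seconds: int  # delay before the bot POSTs back to the C&C again
    targets: List[str] = field(default_factory=list)

    @property
    def is_attack(self) -> bool:
        return self.command == CMD_HTTP_GET_FLOOD and bool(self.targets)


def parse_cnc_reply(body: str) -> BotTask:
    """Decode one C&C reply body; raises ValueError if the header is not recognised."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty reply")
    m = HEADER_RE.match(lines[0])
    if m is None:
        raise ValueError(f"unrecognised header: {lines[0]!r}")
    command, threads, interval = m.group(1), int(m.group(2)), int(m.group(3))
    # URLs: whatever follows the header on the first line, then one per further line.
    targets = URL_RE.findall(lines[0][m.end():])
    for ln in lines[1:]:
        targets.extend(URL_RE.findall(ln))
    return BotTask(command, threads, interval, targets)


def describe(task: BotTask) -> str:
    """One-line summary suitable for an analyst log."""
    if task.is_attack:
        return (f"HTTP GET flood: {task.threads} threads against "
                f"{len(task.targets)} target(s), check-in every {task.interval_seconds}s")
    if task.command == CMD_IDLE:
        return f"idle/keep-alive, check-in every {task.interval_seconds}s"
    return f"unknown command {task.command} with {len(task.targets)} target(s)"


# Constructed sample replies mirroring the two shapes seen in the post (hostnames invented).
SAMPLE_REPLIES = [
    "01|300|150http://target-a.example/\nhttp://www.target-b.example\n",
    "12|300|150",
]

if __name__ == "__main__":
    for raw in SAMPLE_REPLIES:
        print(describe(parse_cnc_reply(raw)))
```

Run as a script it prints the decoded task for each sample; fed the body of a real capture it separates the attack order from the keep-alive, which is the difference between "this host was tasked" and "this host merely checked in" when scoping an incident.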


Dealing With the Binary Protections
The initial binary file appears to be packed by UPX, however it is likely that this is a modified UPX, or other obfuscation techniques have been deployed to increase the amount of effort required for a successful analysis.

The original file that starts the infection has been renamed to EVILNESS.EXE for the sake of this analysis, and this file has some unusual version-information properties, as follows:

Description: “Signs Blast Egypt Avery”
Copyright: “Sobs Sift 1997-2011”
Company: “Comma Stone”
File Version: “Wolff Diets Cowboy Mig”
Original File name: “Baby.exe”
Product Name: “Picks Air”

It is possible that these values are dynamically added to the binary at build time out of a word list.

According to PEiD, the binary appears to be packed with UPX, which is normally trivial to unpack simply by using the UPX utility.

[Image: PEiD output identifying the binary as UPX-packed]

However attempts to manually unpack the original binary with UPX result in a broken binary file that’s missing important sections of the PE header. Additionally, the file cannot be loaded into analysis tools such as IDA Pro without modification. If we attempt to load the de-UPX’ed file, we receive the following error messages:

[Image: IDA Pro error messages when loading the de-UPX’ed file]

IDA Pro then exits.

After a manual unpacking session with a debugger and the import reconstructor tool, the PE header was manually modified to allow for easier analysis. Imports that were destroyed are then recovered, and the malware can then be analyzed much more easily. For example, PEiD now easily determines that the post-UPX binary was written in Delphi 5-6.
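The packer identification PEiD performs here, and the "broken PE header" failure that IDA Pro reports, both come down to the section table. The following added example, written for this page and not taken from the post or from any of the tools it names, walks the DOS header, PE signature and COFF header to list section names and flag the UPX0/UPX1 names stock UPX leaves behind, and it rejects a file whose header claims more section entries than the file contains. It builds its own minimal PE32 images in memory (constructed samples, headers only) so it runs offline; the CODE/DATA names in the second sample are the layout a Delphi linker typically emits, used here only as a non-packed contrast.

```python
import struct

# Offsets and sizes from the PE/COFF file format.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
PE32_MAGIC = 0x10B


def section_names(data: bytes):
    """Return the section names of a PE image; raise ValueError if the headers are damaged."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        raise ValueError("missing or truncated DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    if len(data) < coff + COFF_HEADER_SIZE:
        raise ValueError("truncated COFF header")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + COFF_HEADER_SIZE + opt_size
    if table + nsections * SECTION_HEADER_SIZE > len(data):
        raise ValueError(f"header claims {nsections} sections but the file ends early")
    names = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8].split(b"\0", 1)[0]   # 8-byte, NUL-padded name
        names.append(raw.decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """PEiD-style heuristic: stock UPX names its sections UPX0, UPX1 (and UPX2)."""
    return any(n.startswith("UPX") for n in section_names(data))


def build_sample_pe(names):
    """Constructed minimal PE32 (headers only, no code) with the given section names."""
    dos = bytearray(64)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, len(dos))        # PE header right after DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x102)  # i386, EXE
    opt = bytearray(224)                                            # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    sections = b""
    for i, name in enumerate(names):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (code | execute | read)
        sections += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                                0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + sections


if __name__ == "__main__":
    packed = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])
    plain = build_sample_pe([b"CODE", b"DATA", b".idata"])
    print("packed sample:", section_names(packed), "UPX?", looks_upx_packed(packed))
    print("plain sample: ", section_names(plain), "UPX?", looks_upx_packed(plain))
    try:
        section_names(packed[:100])   # cut the section table off, as a damaged unpack would
    except ValueError as err:
        print("damaged sample:", err)
```

Two caveats the post's experience illustrates: the section names only say that UPX was applied, not that the stock utility can reverse it (a modified packer keeps the names while breaking the unpack), and a file that fails the section-table length check is the kind of output a failed unpack produces, which is exactly what the disassembler refused to load.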

[Image: PEiD output identifying the unpacked binary as Delphi 5-6]

From here, we are able to load the file into IDA Pro to gain additional insight, or go deeper with a tool such as the Interactive Delphi Reconstructor (IDR) which allows us to see elements such as these components used in an HTTP POST attack:

[Image: IDR listing of components used in the HTTP POST attack]

And the locations of important functions, in this case the httpsend_s function:

[Image: IDR listing showing the location of the httpsend_s function]

Just like many other DDoS bot families, Dirt Jumper aka Russkill continues to undergo active development to help feed a market that’s hungry for DDoS services.

Appreciation is offered to Malware Intelligence and Arbor Networks colleagues on the ASERT and Remote Services teams for additional insight.