Reversing the crypto used by the PonyDOS attack bot
This blog post is the third installment in our ongoing series of articles exploring the crypto systems commonly found in various DDoS malware families. In previous articles we covered the reversing of the Armageddon and Khan DDoS bots; today we will cover a new malware family that we are calling Trojan.PonyDOS. This malware family started showing up on our radar screens late in 2011. Based on a static analysis of the malware, it seems that the PonyDOS bot is yet another example of a bot that is exclusively focused on launching DDoS attacks against victim websites. During dynamic analysis in a sandbox, we observed one PonyDOS sample phoning home to its C&C and getting a response back; sadly, the communications were encrypted. It turns out that PonyDOS uses a relatively complicated encryption mechanism to secure its communications, the reversing of which is discussed in detail in the linked report below. As described in this report, PonyDOS has quite a few tricks up its sleeve that are designed to make its communications resistant to casual attempts at breaking.
PonyDOS gets its name from the string PNYDOS00 that is embedded within the bot binaries; as discussed in the report, the bot includes this identifying string in the “phone home” messages it sends to its command & control (C&C) server. In addition, some of the samples also like to install themselves into sub-directories named pny within the infected user’s Application Data directory, for example as the file:
C:\Documents and Settings\$USERNAME\Application Data\pny\pnd.exe
We reversed the malware’s crypto in order to gain a better insight into its behavior. A complete analysis of the crypto system used by PonyDOS, including a Python implementation of a decryption/encryption module, is available here:
Report: Not just a one-trick PonyDOS
Breaking the encryption used by our little PonyDOS was instrumental in understanding its various DDoS attack mechanisms, and in developing defenses against them. It turns out that PonyDOS supports the following four different types of attacks:
- A TCP Connection Flood;
- An HTTP GET flood that does not attempt to read any response from the target web server;
- An HTTP GET flood that does read responses from the target web server;
- An HTTP POST flood;
Of course, once we had broken the PonyDOS crypto, we started using our Python script (in encryption mode) to generate fake phone home messages in order to impersonate bots and trick the PonyDOS C&C servers into giving up their current attack orders. This allows us to monitor PonyDOS botnets and observe attacks. To date we’ve logged attacks against various target web sites hosted in the United States, Russia, and Luxembourg. The PonyDOS botmasters seem to favor the GET flood attacks, with almost half (94 out of 192 logged events) of the attacks being specified as attack code 0x01 (GET without server read) or 0x02 (GET with server read). TCP Connection Floods (code 0x00) and POST floods (code 0x03) were used less frequently as alternate attack types.
This completes the third installment in our ongoing series on breaking the crypto systems used by contemporary DDoS malware families.