It’s 2012 and Armageddon has arrived

Breaking Armageddon’s latest and greatest crypto reveals some interesting new functionality

Armageddon is one of several notable Russian malware families that are designed exclusively for DDoS attacks; it has been on our radar screens for some time now. Its primary competitors within the market of Russian DDoS vendors are Dirt Jumper (a.k.a. RussKill), Darkness/Optima (a.k.a. Votwup), and of course BlackEnergy.

We’ve noticed that the Armageddon code base has undergone some relatively rapid evolution lately, and the purpose of this blog post is to report on some of the new functionality we have observed. With this latest release, the bot uses some new crypto protection to hide its features from casual observers; breaking this encryption revealed some interesting goodies…

It turns out that the latest version of Armageddon contains support for a few new flavors of DDoS flooding which have been customized to target certain types of web sites. The names of the commands give some indication of the gist of the attacks: .apacheflood, .vbulletinflood, and .phpbbflood. The implementation of the .apacheflood command was of particular interest; it makes use of the following (decrypted) string when formulating its flooding requests:

Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,...,5-1299,5-1300

This string represents an optional HTTP header that turns out to be included in the DDoS flooding requests generated by the bot when performing an .apacheflood attack; this string, along with another encrypted Armageddon string, Accept-Encoding: gzip, has been associated with the so-called “Kill Apache” attack, a type of highly asymmetric low-bandwidth DDoS technique that has emerged relatively recently.

In a nutshell, the Kill Apache attack abuses the HTTP protocol by requesting that the target web server return the requested URL content in a huge number of individual chunks, or byte ranges. This can cause a surprisingly heavy load on the target server; in particular, certain versions of the Apache HTTP server handle such requests extremely poorly and in some cases can be brought to their knees by a single attacking client. To our knowledge, this is the first time that the Kill Apache attack has reared its ugly head in actual botnet code in the wild, as opposed to proof-of-concept and/or standalone attack tools.
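To make the "huge number of byte ranges" concrete from the defender's side, here is an added example (not code from the original post or from Arbor) that parses an HTTP Range header the way a web server or WAF would have to, counts the individual ranges, and flags the features that distinguish the Kill Apache pattern from a normal download-resume request: far more ranges than any legitimate client needs, ranges that overlap each other, and "inverted" ranges whose end precedes their start. The threshold of five ranges is an assumed policy knob (it matches the limit Apache suggested in its 2011 mitigation advice, but it is not a standard); the sample header values are constructed, with the long one being an abbreviated form of the decrypted string quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (start, end); None for start means a suffix range ("-500"),
# None for end means "to the end of the resource" ("1024-").
ByteRange = Tuple[Optional[int], Optional[int]]

RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")
MAX_RANGES = 5  # assumed policy threshold, tune per site

# Constructed sample values; the last one abbreviates the decrypted
# Armageddon string above (the elided 5-5 .. 5-1298 ranges are left out).
SAMPLE_HEADERS = {
    "resume_download": "bytes=1024-",
    "two_disjoint": "bytes=0-99,200-299",
    "armageddon_like": "bytes=0-,5-0,5-1,5-2,5-3,5-4,5-1299,5-1300",
}


def parse_range_header(value: str) -> Optional[List[ByteRange]]:
    """Turn 'bytes=a-b,c-d,...' into (start, end) tuples.

    Returns None for anything that is not a byte-range set (other units,
    junk specs), so the caller can treat it as unparseable rather than guess.
    """
    unit, sep, spec = value.strip().partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges: List[ByteRange] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue  # tolerate empty list elements such as ",,"
        m = RANGE_SPEC.match(part)
        if not m or not (m.group(1) or m.group(2)):
            return None  # bare "-" or non-numeric text
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def count_overlapping(ranges: List[ByteRange]) -> int:
    """Count ranges whose start lies inside a range already seen (sorted by start)."""
    explicit = [r for r in ranges if r[0] is not None]
    explicit.sort(key=lambda r: (r[0], float("inf") if r[1] is None else r[1]))
    overlaps, reach = 0, -1.0
    for start, end in explicit:
        if start <= reach:
            overlaps += 1
        reach = max(reach, float("inf") if end is None else end)
    return overlaps


@dataclass
class RangeVerdict:
    parseable: bool
    range_count: int = 0
    overlapping: int = 0
    inverted: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess_range_header(value: str, max_ranges: int = MAX_RANGES) -> RangeVerdict:
    """Score one Range header value; reasons are empty for a benign request."""
    ranges = parse_range_header(value)
    if ranges is None:
        return RangeVerdict(parseable=False, reasons=["unparseable Range header"])
    v = RangeVerdict(parseable=True, range_count=len(ranges))
    # end < start is syntactically invalid per RFC 2616 and a tell-tale of the pattern
    v.inverted = sum(1 for s, e in ranges if s is not None and e is not None and e < s)
    v.overlapping = count_overlapping(ranges)
    if v.range_count > max_ranges:
        v.reasons.append(f"{v.range_count} ranges exceeds limit of {max_ranges}")
    if v.overlapping:
        v.reasons.append(f"{v.overlapping} overlapping ranges")
    if v.inverted:
        v.reasons.append(f"{v.inverted} inverted ranges (end < start)")
    return v


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        verdict = assess_range_header(header)
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{name:16s} {flag:10s} {'; '.join(verdict.reasons) or 'no findings'}")
```

A server-side filter would normally act on the first reason alone (reject or strip the header when the range count exceeds the limit), which is what the mod_rewrite and mod_headers workarounds published for Apache did; the overlap and inversion counters are there for logging and detection tuning, since a resume-capable download client sends one open-ended range, not dozens of nested ones.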

Of course, once we had taken the liberty of prying open Armageddon’s kimono, it was straightforward to write a “fake Armageddon” client that phones home to the (decrypted) C&C URL strings and engages in communication that impersonates a real bot. This allows us to gather additional intelligence on the activities and behavioral patterns of Armageddon; in particular, we can now monitor the various Armageddon botnets to log the targets they attack and the types of DDoS floods used in those attacks. Among other things, this technique allowed us to discover that at least one of the botnets powered by the most recent Armageddon code base took part in the DDoS attacks related to the recent Russian election in early December. We will continue to keep a watchful eye on Armageddon going forward.

The full article reporting the details of reversing Armageddon’s crypto, a Python decryption script – and an overview of the findings that were revealed once the strings were decrypted – is available here:
Report: It’s 2012 and Armageddon has arrived

This article is intended to be the first in an upcoming series that will provide a guided tour of the inner workings of various crypto systems that are used by contemporary DDoS malware families in order to hide their communications and sensitive data – and how to go about breaking them!

Update: Today we found some similar analysis of Armageddon and its crypto by the team at Onthar’s Malware Research Laboratory:
http://onthar.in/articles/armageddon-sample-analysis/

6 Responses to “It’s 2012 and Armageddon has arrived”

March 07, 2012 at 10:21 am, Analysis of the crypto used by the Trojan.Khan DDoS bot | DDoS and Security Reports | Arbor Networks Security Blog said:

[…] recent blog post described our analysis of the crypto algorithm used by the Armageddon DDoS malware. This article […]

March 08, 2012 at 3:43 am, SecRelm » DDoS botnet clients start integrating the Apache Killer exploit said:

[…] number of individual chunks, or byte ranges,” said Arbor research analyst Jeff Edwards in a blog post on Tuesday. “This can cause a surprisingly heavy load on the target […]

March 08, 2012 at 1:36 am, Apache Killer integrated into the Amargeddon DDoS Bot tool | Alexos Core Labs said:

[…] from Arbor Networks analyzed the new version of the Russian malware Amargeddon, used exclusively for attacks of […]

March 08, 2012 at 11:40 am, Reversing the crypto used by the PonyDOS attack bot | DDoS and Security Reports | Arbor Networks Security Blog said:

[…] found in various DDoS malware families. In previous articles we covered the reversing of the Armageddon and Khan DDoS bots; today we will cover a new malware family that we are calling Trojan.PonyDOS. […]

March 13, 2012 at 9:36 pm, DDoS botnet clients start integrating the Apache Killer exploit | CYBERSEECURE said:

[…] number of individual chunks, or byte ranges,” said Arbor research analyst Jeff Edwards in a blog post on Tuesday. “This can cause a surprisingly heavy load on the target […]

March 16, 2012 at 9:44 am, DarkComet RAT DDoS - Trojan.Fynloski | DDoS and Security Reports | Arbor Networks Security Blog said:

[…] crypto systems commonly found in various DDoS malware families. Previous subjects have included Armageddon, Khan (now believed to be a very close “cousin” of Dirt Jumper version 5), and PonyDOS. […]

Comments are closed.