In the first part of this series we had a close look at the BlackEnergy bot. DDos botnets have been continuously evolving in the recent past. Recently, in December of last year, we came across a new DDoS bot found to be fairly active in the wild targeting a number of websites. During our analysis, the samples of bots were found to be using three domains as their Command & Control channel.
However, a couple of these domains were already unavailable, but querying the whois database for greatfull.ru gives the following whois record:
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
Googling for the email address used for registering the domain showed up several adds related to the DDoS service. One of the adds we came across displayed the services and capabilities this botnet can provide.
Darkness bot command and control
During our investigation, we came across the C&C UI used to track the botnet infections and send the DoS commands to the bot clients. One of the control panel we observed posted in underground forums looked like this:
The above control panel UI is in Russian. However, we have been able to translate and understand the purpose of quite a few commands through our command simulation setup. The following are the DDoS commands used by this Bot.
exe — > download specified binary from the server
dd1 — > HTTP GET DDoS attack
dd2 — > ICMP DoS attack
wtf — > Stop all the commands
tot — > Bot synchronization time
vot — > Voting
During our static analysis, we were able to unpack and reverse the binary. We located the Command and Control code within the binary, as well as some other functionalities, which gives us the fair enough idea on how the malware runs on the victims system.
Below is the code segment for one of the commands and the action it takes if the command matches. After checking the command, it calls the same routine multiple times and calls the CreatThread API to initiate the DoS attack.
The above unpacked view of the binary reveals 3 hardcoded encrypted and Base64 encoded URLs, the string “darkness”, and it copies itself as dwm.exe on the victims machine and runs as IpSectPro service.
Network communications with the bot client
During our extensive research on this Bot, given that we had an idea of how the command format of the bot looks, we were able to simulate the DDoS attack. Once executed, the client sends the Registration request to the control server and we were able to make the server reply with the Base64 encoded DoS command as shown below:
Decoded command is an instruction to DoS the target websites
And we were able to see the DoS attack initiated from the client. Within the span of 5 minutes we saw approximately 80,000 hits logged on the server.
Next we simulated the ICMP DoS attack. We made the server reply with the “dd2” command to be able to see the ICMP DoS. Server response in this case is shown below:
HTTP/1.1 200 OK
Date: December 13, 2010 2:47:53 AM PST
Above Base64 command when decoded: dd2=http://www.abc.com/;http://www.xyz.org which initiated the ICMP DoS.
McAfee IPS coverage for Darkness
McAfee Intrusion Prevention (formerly IntruShield) has released coverage for the Darkness bot under the attack ID 0×48804600 BOT: Darkness Bot Activity Detected. McAfee customers with up-to-date installations are protected against this malware.