McAfee Labs

Evolving DDoS Botnets: 2. Darkness

By on Mar 01, 2011

In the first part of this series we had a close look at the BlackEnergy bot. DDoS botnets have been continuously evolving in the recent past. In December of last year we came across a new DDoS bot that was fairly active in the wild, targeting a number of websites. During our analysis, the bot samples were found to be using three domains as their Command & Control channel:

greatfull-toolss.ru

greatfull.ru

hellcomeback.ru

A couple of these domains were already unavailable at the time of analysis, but querying the whois database for greatfull.ru returned the following record:

nserver:    ns1.reg.ru.

nserver:    ns2.reg.ru.
state:      REGISTERED, DELEGATED, UNVERIFIED
person:     Private Person
phone:      +380686548525
fax-no:     +380686548525
e-mail:
registrar:  REGRU-REG-RIPN
created:    2010.11.03
paid-till:  2011.11.03

Googling for the email address used to register the domain turned up several ads for a DDoS service. One of the ads we came across listed the services and capabilities this botnet can provide.

Darkness bot command and control

During our investigation, we came across the C&C UI used to track botnet infections and send DoS commands to the bot clients. One of the control panels we observed posted in underground forums is shown above.

The control panel UI is in Russian. However, we were able to translate and understand the purpose of quite a few commands through our command simulation setup. The following are the DDoS commands used by this bot.

exe -> download the specified binary from the server

dd1 -> HTTP GET DDoS attack

dd2 -> ICMP DoS attack

wtf -> stop all commands

tot -> bot synchronization time

vot -> voting

During our static analysis, we were able to unpack and reverse the binary. We located the Command and Control code within the binary, as well as several other functions, which gave us a fair idea of how the malware runs on the victim's system.

Below is the code segment for one of the commands and the action it takes if the command matches. After checking the command, it calls the same routine multiple times and calls the CreateThread API to initiate the DoS attack.

The unpacked view of the binary reveals three hardcoded URLs that are encrypted and Base64 encoded, the string "darkness", and code that copies the bot to the victim's machine as dwm.exe and runs it as the IpSectPro service.

Network communications with the bot client


During our extensive research on this bot, and having an idea of what the bot's command format looks like, we were able to simulate the DDoS attack. Once executed, the client sends a registration request to the control server, and we made the server reply with a Base64 encoded DoS command. The decoded command is an instruction to DoS the target websites:

dd1=http://www.abc.com/;http://www.xyz.org

We were then able to see the DoS attack initiated from the client. Within the span of 5 minutes we saw approximately 80,000 hits logged on the server.

Next we simulated the ICMP DoS attack. We made the server reply with the "dd2" command in order to observe the ICMP DoS. The server response in this case is shown below:

HTTP/1.1 200 OK
Date: December 13, 2010 2:47:53 AM PST
Server: Xerver/4.32
Connection: close
Content-Type: text/html

ZGQyPWh0dHA6Ly93d3cuYWJjLmNvbS87aHR0cDovL3d3dy54eXoub3Jn

The Base64 command above decodes to dd2=http://www.abc.com/;http://www.xyz.org, which initiated the ICMP DoS.
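To make the decoding step concrete, the following is an added example (not part of the original post or of any McAfee tooling) that parses a captured C&C reply into its command name and target list, the way an analyst would when triaging a capture. The sample response is constructed from the reply shown above, and the command table is the one documented earlier in this post; everything else is an assumption of the example.

```python
import base64
import binascii
from typing import List, NamedTuple, Optional

# Command names documented for the Darkness bot in the control panel analysis
DARKNESS_COMMANDS = {
    "exe": "download and run binary",
    "dd1": "HTTP GET flood",
    "dd2": "ICMP flood",
    "wtf": "stop all commands",
    "tot": "bot synchronization time",
    "vot": "voting",
}


class DarknessCommand(NamedTuple):
    name: str
    args: List[str]
    description: str


def decode_darkness_body(body: str) -> Optional[DarknessCommand]:
    """Decode one Base64 C&C response body and split it into the command
    name and its ';'-separated arguments. Returns None when the body is not
    valid Base64 or the command name is not one documented for Darkness."""
    try:
        raw = base64.b64decode(body.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    name, sep, rest = raw.partition("=")
    if name not in DARKNESS_COMMANDS:
        return None
    args = [a for a in rest.split(";") if a] if sep else []  # 'wtf' has no '='
    return DarknessCommand(name, args, DARKNESS_COMMANDS[name])


def parse_cnc_response(response: str) -> Optional[DarknessCommand]:
    """Split a raw HTTP response into headers and body, then decode the body."""
    head, _, body = response.replace("\r\n", "\n").partition("\n\n")
    if not head.startswith("HTTP/1.1 200"):
        return None
    return decode_darkness_body(body)


# Constructed sample modelled on the server reply captured above (hypothetical)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Xerver/4.32\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "ZGQyPWh0dHA6Ly93d3cuYWJjLmNvbS87aHR0cDovL3d3dy54eXoub3Jn\r\n"
)

if __name__ == "__main__":
    print(parse_cnc_response(SAMPLE_RESPONSE))
```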

McAfee IPS coverage for Darkness

McAfee Intrusion Prevention (formerly IntruShield) has released coverage for the Darkness bot under the attack ID 0x48804600 BOT: Darkness Bot Activity Detected. McAfee customers with up-to-date installations are protected against this malware.
