McAfee Labs

Evolving DDoS Botnets: 2. Darkness

By on Mar 01, 2011

In the first part of this series we had a close look at the BlackEnergy bot. DDoS botnets have been evolving continuously in the recent past. In December of last year we came across a new DDoS bot that was fairly active in the wild, targeting a number of websites. During our analysis, the bot samples were found to be using three domains as their Command & Control channel.

A couple of these domains were already unavailable, but querying the whois database for gives the following whois record:


person:     Private Person
phone:      +380686548525
fax-no:     +380686548525
registrar:  REGRU-REG-RIPN
created:    2010.11.03
paid-till:  2011.11.03

Googling for the email address used to register the domain turned up several ads related to a DDoS service. One of the ads we came across listed the services and capabilities this botnet can provide.


Darkness bot command and control


During our investigation, we came across the C&C UI used to track the botnet infections and send the DoS commands to the bot clients. One of the control panels we observed, posted in underground forums, looked like this:


The above control panel UI is in Russian. However, we have been able to translate and understand the purpose of quite a few commands through our command simulation setup. The following are the DDoS commands used by this bot.

exe -> download specified binary from the server

dd1 -> HTTP GET DDoS attack

dd2 -> ICMP DoS attack

wtf -> stop all the commands

tot -> bot synchronization time

vot -> voting

During our static analysis, we were able to unpack and reverse the binary. We located the Command and Control code within the binary, as well as some other functionality, which gave us a fair idea of how the malware runs on the victim's system.

Below is the code segment for one of the commands and the action it takes if the command matches. After checking the command, it calls the same routine multiple times and calls the CreateThread API to initiate the DoS attack.



The above unpacked view of the binary reveals three hardcoded, encrypted and Base64-encoded URLs and the string “darkness”; the bot copies itself as dwm.exe on the victim's machine and runs as the IpSectPro service.

Network communications with the bot client


During our extensive research on this bot, and given that we had an idea of what the bot's command format looks like, we were able to simulate the DDoS attack. Once executed, the client sends a registration request to the control server, and we were able to make the server reply with the Base64-encoded DoS command as shown below:


Decoded command is an instruction to DoS the target websites


We were then able to see the DoS attack initiated from the client. Within the span of 5 minutes we saw approximately 80,000 hits logged on the server.


Next we simulated the ICMP DoS attack. We made the server reply with the “dd2” command in order to observe the ICMP DoS. The server response in this case is shown below:

HTTP/1.1 200 OK
Date: December 13, 2010 2:47:53 AM PST
Server: Xerver/4.32
Connection: close
Content-Type: text/html



The Base64 command above decodes to dd2=; which initiated the ICMP DoS.


McAfee IPS coverage for Darkness

McAfee Intrusion Prevention (formerly IntruShield) has released coverage for the Darkness bot under the attack ID 0x48804600 BOT: Darkness Bot Activity Detected. McAfee customers with up-to-date installations are protected against this malware.