[nsp-sec] New Chinese DDoS Bot Family - BFDDOS Bot
jose nazario
jose at arbor.net
Wed Jul 2 09:46:37 EDT 2008
MOST DEFINITELY NOT FOR PUBLIC CONSUMPTION YET
Folks
Similar to my message from May 8, 2008 to this list (Subject: New (?)
chinese ddos bot ...), I think I've found another new Chinese DDoS bot
family. This one appears to like to call itself BFDDOS.
Samples were obtained via URL reports and analysis of EXEs obtained via a
data sharing partner. At this point I have two EXEs in our database, and I'm
hunting for more (both in our repository and in the net at large):
MD5: a1aa0e8635f9ac3a8713588f40fdff16
SHA1: 8f9b6895aded991eab70c35638d5a97dd1420a11
File type: application/x-ms-dos-executable
File size: 73728 bytes
MD5: a55c24133d89918a6d6ab142c1b88eea
SHA1: 1e587550860b7db1d6e283ef49ffe7f24dfd6164
File type: application/x-ms-dos-executable
File size: 32768 bytes
Samples came from these web servers:
AS | IP | AS Name
4134 | 121.14.152.91 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 202.105.233.126 | CHINANET-BACKBONE No.31,Jin-rong Street
The update mechanism is unique and similar to the 8 May 2008 bot (which I've
dubbed "Powerbot"). It uses its name plus numbers which don't seem to
express anything too meaningful on the system - not PID, not listening port,
etc. The bot checks in with a heartbeat and, if the system is actively
handing out commands, you get back commands.
The following is based on dynamic analysis.
The EXE gets installed - name intact - under C:\WINDOWS\system32\.
It changes the registry to create a service:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\±©·çÍøÂçѹÁ¦²âÊÔ "" =
»¶ÓʹÓñ©·çÍøÂçѹÁ¦²âÊÔ³ÌÐò
The bot is then registered as a service (again, CN-ZH characters not getting
correctly expressed here) to ensure it runs at all times:
Create Service - Name: (±©·çÍøÂçѹÁ¦²âÊÔ) Display Name:
(±©·çÍøÂçѹÁ¦²âÊÔ·þÎñ¶Ë³ÌÐò) File Name: (C:\WINDOWS\system32\FOOBAR.exe)
Control: () Start Type: (SERVICE_AUTO_START)
It then launches C:\WINDOWS\system32\FOOBAR.exe (i.e. the copy it just made of itself).
This copy then starts networking. Here's a failed check-in:
taipingyang12.3322.org 61.191.52.12
Destination: 61.191.52.12 port 8000/TCP
Communications Data
SEND
$0000 42 46 44 44 4F 53 2B 32 2D 31 30 32 34 00 BFDDOS+2-1024.
SEND
$0000 48 65 61 72 74 00 Heart.
---
Here's a successful check-in where the bot got an actual, live command:
fb.joywx.cn 202.105.233.126
Destination: 202.105.233.126 port 2008/TCP
Communications Data
SEND
$0000 42 46 44 44 4F 53 2F 32 2D 31 30 32 34 00 BFDDOS/2-1024.
SEND
$0000 48 65 61 72 74 00 Heart.
RECEIVED
$0000 41 54 54 41 43 4B 2B 31 32 31 2E 31 32 2E 31 36 ATTACK+121.12.16
$0010 39 2E 32 31 35 2D 38 33 30 32 2D 31 30 30 2D 32 9.215-8302-100-2
$0020 30 30 2D 69 63 6D 70 2D 75 64 70 2D 00 00 00-icmp-udp-.
Here's some of the automated static analysis our system produced, which may
reveal some more information:
Generated at: Wed Jul 2 12:40:11 2008
BASIC INFO:
-----------------------------------------------
FILE TYPE: application/x-ms-dos-executable
FILE SIZE: 73728 bytes
PACKER/S:
Armadillo v1.71
-----------------------------------------------
URL ELEMENTS:
-----------------------------------------------
/index.html
-----------------------------------------------
FILENAMES:
-----------------------------------------------
KERNEL32.dll
ADVAPI32.dll
MFC42.DLL
MSVCRT.dll
MSVCP60.dll
explorer.exe
\BFDDos.dll
ntdll.dll
%SystemRoot%\System32\BFDDos.dll
\xcopy.exe
ntoskrnl.exe
USER32.dll
urlmon.dll
WS2_32.dll
DLL.dll
WSOCK32.DLL
%SystemRoot%\System32\w32time.dll
-----------------------------------------------
POSSIBLE REGISTRY KEYS:
-----------------------------------------------
SYSTEM\CurrentControlSet\Services\W32Time\Parameters
-----------------------------------------------
POSSIBLE IP ADDRESSES:
-----------------------------------------------
192.168.1.2
192.168.0.6
192.168.0.7
192.168.0.3
192.168.0.5
192.168.0.4
192.168.0.2
192.168.0.1
192.168.0.99
-----------------------------------------------
CHECKSUMS:
-----------------------------------------------
MD5: a1aa0e8635f9ac3a8713588f40fdff16
SHA1: 8f9b6895aded991eab70c35638d5a97dd1420a11
-----------------------------------------------
POSSIBLE BEHAVIORS:
-----------------------------------------------
Possible HTTP Client: Score: 4
-----------------------------------------------
A/V INFO:
-----------------------------------------------
SCANNER: VScanner VIRUS: Unknown, file is "suspicious"
SCANNER: AVG VIRUS: No virus found.
SCANNER: ClamAV VIRUS: No virus found.
SCANNER: BDC VIRUS: No virus found.
-----------------------------------------------
PE INFO:
-----------------------------------------------
SECT: .text 8192 0x00001000 - 0x00001000
SECT: .rdata 4096 0x00003000 - 0x00003000
SECT: .data 4096 0x00004000 - 0x00004000
SECT: .rsrc 53248 0x00005000 - 0x00005000
[KERNEL32.dll]
GlobalAlloc
GetProcAddress
GetModuleHandleA
ReadFile
GetFileSize
SetFileAttributesA
lstrcatA
GetCurrentProcess
Process32Next
Process32First
CreateToolhelp32Snapshot
CreateRemoteThread
WriteProcessMemory
VirtualAllocEx
lstrlenA
LoadLibraryExA
ResumeThread
CreateProcessA
SetThreadPriority
GetCurrentThread
SetPriorityClass
lstrcpyA
GetEnvironmentVariableA
GetShortPathNameA
GetModuleFileNameA
SetFileTime
GetFileTime
LockResource
GetCurrentProcessId
GlobalFree
Sleep
FreeLibrary
DeviceIoControl
GetLastError
FindResourceA
LoadResource
CreateFileA
SizeofResource
WriteFile
CloseHandle
GetSystemDirectoryA
OpenProcess
GetStartupInfoA
[ADVAPI32.dll]
CloseServiceHandle
RegOpenKeyA
RegDeleteValueA
RegSetValueExA
RegCloseKey
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
StartServiceA
OpenSCManagerA
OpenServiceA
ControlService
[MFC42.DLL]
[MSVCRT.dll]
exit
_acmdln
__getmainargs
tolower
__setusermatherr
_XcptFilter
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
_exit
_onexit
__dllonexit
_adjust_fdiv
__CxxFrameHandler
_initterm
_stricmp
[MSVCP60.dll]
??0_Winit@std@@QAE@XZ
??1Init@ios_base@std@@QAE@XZ
??0Init@ios_base@std@@QAE@XZ
??1_Winit@std@@QAE@XZ
-----------------------------------------------
I have no idea what is up with those hardcoded RFC1918 IPs.
Possible commands the bot may use:
REMOVE
UPDATEDATA:
DOWNLOAD:
STOPATTACK
zdyudp
zdytcp
drdos
icmp
ATTACK+
RETURNPOWER:
OFFPOWER:
Investigations via Googling around for BFDDOS yielded a BFDDOS.SYS that
isn't present in my samples. It's basically a WinHook process hider.
MD5(BFDDOS.SYS)= dd36209b4f16f315784d2c44f9e4e2d8
SHA1(BFDDOS.SYS)= f585f9025ed00e8978b53b4169264df8867d1e68
Interesting strings from it:
\processhide\objfre_wnet_x86\i386\PorcessHide.pdb
IoDeleteDevice
IoDeleteSymbolicLink
KeServiceDescriptorTable
IoCreateSymbolicLink
IoCreateDevice
DETECTION AND MITIGATION
No sigs to present yet, but basically I think you can look for the
following:
C > S - ^BFDDOS.[1-9].[0-9]{4}
C > S - ^Heart
S > C - ^(ATTACK|REMOVE|UPDATEDATA|DOWNLOAD|STOPATTACK|RETURNPOWER|OFFPOWER)
I found what may be an interesting feature to exploit for IDS/IPS/DPI sigs:
there's no space between the User-Agent header and the value it sets:
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
All other headers look reasonably legit. This would stop the bot from
getting updates via HTTP, but probably wouldn't stop it from getting its
commands.
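As an added example (not code from the original post or from the bot itself), here is a small Python matcher for the check-in, heartbeat and command strings seen above plus the space-less User-Agent quirk; the sample payloads are constructed from the hex dumps in this message, and the handling of the fields after the target port in an ATTACK command is an assumption, since the post does not document them.

```python
import re
# Constructed sample payloads, transcribed from the hex dumps in the post
# (the bot sends null-terminated C strings).
CHECKIN_FAIL = b"BFDDOS+2-1024\x00"
CHECKIN_OK = b"BFDDOS/2-1024\x00"
HEARTBEAT = b"Heart\x00"
ATTACK_CMD = b"ATTACK+121.12.169.215-8302-100-200-icmp-udp-\x00"

# Client -> server: name, one-char separator, version digit, '-', a number.
CHECKIN_RE = re.compile(rb"^BFDDOS.(\d)-(\d+)\x00")
# Server -> client: any of the command verbs listed in the post.
COMMAND_RE = re.compile(
    rb"^(ATTACK|REMOVE|UPDATEDATA|DOWNLOAD|STOPATTACK|RETURNPOWER|OFFPOWER)")
# HTTP quirk from the post: no space between "User-Agent:" and its value.
BAD_UA_RE = re.compile(rb"^User-Agent:(?! )", re.M)

def classify_c2s(payload):
    """Label a client->server payload as 'checkin', 'heartbeat' or None."""
    if CHECKIN_RE.match(payload):
        return "checkin"
    if payload.startswith(HEARTBEAT):
        return "heartbeat"
    return None

def parse_checkin(payload):
    """Return (version, number) from a check-in, e.g. (2, 1024)."""
    m = CHECKIN_RE.match(payload)
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_attack(payload):
    """Split an ATTACK+ command on '-'. Target IP and port are clear from the
    capture; later numeric/protocol tokens are returned raw (meaning assumed unknown)."""
    m = re.match(rb"^ATTACK\+([^\x00]*)", payload)
    if not m:
        return None
    fields = [f for f in m.group(1).decode("ascii").split("-") if f]
    params = [int(f) for f in fields[2:] if f.isdigit()]
    protos = [f for f in fields[2:] if not f.isdigit()]
    return {"target": fields[0], "port": int(fields[1]),
            "params": params, "protocols": protos}

def server_command(payload):
    """Return the command verb a server->client payload starts with, or None."""
    m = COMMAND_RE.match(payload)
    return m.group(1).decode("ascii") if m else None

def has_bad_ua(http_request):
    """True if a request carries the bot's space-less User-Agent header."""
    return BAD_UA_RE.search(http_request) is not None
```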
I'm starting to track these and I am hoping to find more. Contact me if you
want to get the commands from the tracker (and also for powerbot).
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO
Arbor Networks
v: (734) 821 1427
PGP: 0x40A7BF94
www.arbornetworks.com
-------------------------------------------------------------