[nsp-sec] New (?) Chinese ddos bot ...

jose nazario jose at arbor.net
Thu May 8 09:41:55 EDT 2008


While digging for new and exciting bots I came across this one ...

It all starts with this sample:

URL: http://61.164.144.6/ok.exe
MD5: 46557d13fff633de8f76abb77cc6961d
SHA1: a6cae036098cb0f8eb334ec393f274d7317a2950
File type: MS Windows PE
File size: 33791 bytes

It's a downloader/dropper, and one of the things it grabs is a DDoS bot:

Dropped as  C:\WINDOWS\system32\fy.exe
Filesize    16517 bytes
MD5         7d5115dd87f2512b544db3e47d4dabe6

Here's the C&C for it:

> wyhddos.8800.org TCP port 1800

This host does not resolve currently, but at the time it was:

> AS      | IP               | AS Name
> 4812    | 222.73.205.122   | CHINANET-SH-AP China Telecom (Group)

The bot sends this to the server (TCP port 1800):

>    "FYWL:2|1024."

The command that comes back is:

> 'FLOOD:www.game4power.com|80|120|49|syn_udp_tcp_icmp_break_get_|/index.asp?id=1\x00\x00\x00\x00\x00'

The bot then replies (quite politely):

> "OK"

Sure enough, the bot will start pounding that host:

> www.game4power.com A INET 74.86.227.85

You see a variety of attacks, including an HTTP GET flood, etc.; I think
"break" causes it to send large streams of "A" (hex 0x41), trying to overflow
whatever may be on the end of it, or just flood the box.

Related controllers from this server (with their DNS resolution at the
time):

haoddos.kmip.net  TCP port 2014
AS      | IP               | AS Name
4134    | 58.221.246.180   | CHINANET-BACKBONE No.31,Jin-rong Street

This one is live right now and has the same DNS resolution. It is not
responding with a command for me right now.

Possibly related:

lieren888.8800.org   TCP port 8088
AS      | IP               | AS Name
4134    | 125.65.46.69     | CHINANET-BACKBONE No.31,Jin-rong Street

Data sent to the server reads:

> '@@@QOF\\;>x302<}bkaap6,=651M@{0\x00'

Reply was just "1111111"

Digging for more of these; if you have any info to share, it would be
appreciated.

I don't recognize this communications style.

The ddos controller is dead right now, but I'd like to monitor these when I
get the chance, if more are alive ...


-------------------------------------------------------------
jose nazario, ph.d.  <jose at arbor.net>
security researcher, office of the CTO
Arbor Networks
v: (734) 821 1427
PGP: 0x40A7BF94
www.arbornetworks.com
-------------------------------------------------------------
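
Added example, not from the original post or its author: a small Python classifier for the FYWL beacon / FLOOD command dialect quoted above, of the kind one might drop into a traffic-inspection script to flag this C&C exchange. The sample session is constructed from the strings in the post; the field names target, port, methods and path follow the post's description, while the third and fourth numeric fields are left unlabelled because their meaning is not given.

```python
import re
from typing import Optional

# Constructed sample session modelled on the strings quoted in the post
# (not captures from the original analysis). Direction is bot->C2 or C2->bot.
SAMPLE_SESSION = [
    ("bot", b"FYWL:2|1024."),
    ("c2", b"FLOOD:www.game4power.com|80|120|49|syn_udp_tcp_icmp_break_get_|/index.asp?id=1\x00\x00\x00\x00\x00"),
    ("bot", b"OK"),
    ("bot", b"GET / HTTP/1.0\r\n\r\n"),  # unrelated traffic, must not match
]

METHODS_RE = re.compile(r"^[a-z_]+_$")  # e.g. syn_udp_tcp_icmp_break_get_

def parse_fywl_message(payload: bytes) -> Optional[dict]:
    """Classify one TCP payload against the FYWL dialect quoted in the post."""
    text = payload.rstrip(b"\x00").decode("ascii", errors="replace")
    if text.startswith("FYWL:"):
        # Bot beacon, e.g. "FYWL:2|1024." - field meanings are not documented.
        return {"kind": "beacon", "fields": text[5:].rstrip(".").split("|")}
    if text.startswith("FLOOD:"):
        parts = text[6:].split("|")
        if len(parts) < 6 or not parts[1].isdigit() or not METHODS_RE.match(parts[4]):
            return {"kind": "command", "malformed": True, "raw": text}
        target, port, f3, f4, methods, path = parts[:6]
        return {
            "kind": "command",
            "target": target,
            "port": int(port),
            "unknown_fields": [f3, f4],  # numeric, meaning unknown; kept verbatim
            "methods": [m for m in methods.split("_") if m],
            "path": path,
        }
    if text == "OK":
        return {"kind": "ack"}
    return None

def scan_session(session):
    """Return alerts for a session. A bare "OK" only counts once a FLOOD command
    has been seen, so the two-byte ack does not fire on unrelated traffic."""
    alerts, saw_command = [], False
    for direction, payload in session:
        parsed = parse_fywl_message(payload)
        if parsed is None or (parsed["kind"] == "ack" and not saw_command):
            continue
        if parsed["kind"] == "command":
            saw_command = True
        parsed["direction"] = direction
        alerts.append(parsed)
    return alerts
```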
