[nsp-sec] Hardcoded ddos bot -- attn rackspace
jose nazario
jose at arbor.net
Fri Sep 5 15:42:15 EDT 2008
This came across a botnet I track:
hxxp://202.73.57.19/tmp/apls/axd3.exe
MD5: 03d6e6311fc1a84900f136f5c4bb6408
SHA1: f53175f7ec8289eaacb49315eda3db1d4e2168c1
File type: application/x-ms-dos-executable
File size: 12800 bytes
It was an update to the bots. Now they're hardcoded to hit a site in
Rackspace. It'll HTTP flood (GET /) axill.com.
BASIC INFO:
-----------------------------------------------
FILE TYPE: application/x-ms-dos-executable
EXTRA INFO: UPX detected, unpacked
-----------------------------------------------
URLS:
-----------------------------------------------
http://www.avantbrowser.
-----------------------------------------------
POSSIBLE IP ADDRESSES:
-----------------------------------------------
72.3.140.229
-----------------------------------------------
POSSIBLE HOSTNAMES:
-----------------------------------------------
Host: axill.com
-----------------------------------------------
POSSIBLE BEHAVIORS:
-----------------------------------------------
Possible HTTP Client: Score: 4
-----------------------------------------------
A/V INFO:
-----------------------------------------------
SCANNER: VScanner VIRUS: No virus found.
SCANNER: AVG VIRUS: No virus found.
SCANNER: ClamAV VIRUS: No virus found.
SCANNER: BDC VIRUS: No virus found.
-----------------------------------------------
PE INFO:
-----------------------------------------------
SECT: CODE 18944 0x00000400 - 0x00001000
SECT: DATA 512 0x00004E00 - 0x00006000
SECT: BSS 0 0x00005000 - 0x00007000
SECT: .idata 1536 0x00005000 - 0x00008000
SECT: .tls 0 0x00005600 - 0x00009000
SECT: .rdata 512 0x00005600 - 0x0000A000
SECT: .reloc 1536 0x00005800 - 0x0000B000
SECT: .rsrc 512 0x00005E00 - 0x0000C000
Interesting hand-crafted UA strings to defeat basic UA and HTTP header
checks:
Mozilla/5.0 (
Mozilla/4.0 (
Windows NT 5.1
compatible; MSIE 6.0; Windows NT 5.1
compatible; MSIE 6.0
compatible; MSIE 5.5; Windows 98; Win 9x 4.90
compatible; MSIE 5.5
compatible; MSIE 5.5; Windows 98
compatible; MS FrontPage 6.0)
Opera 7.53 [en]
Opera 7.58 [en]
Opera 8.00 [en]
Opera 7.85 [en]
Gecko/20050821 Netscape/7.1 (ax)
Opera 7.60 [en] (IBM EVV/3.0/EAK01AG9/LE)
Gecko/20050821 Netscape/7.2 (ax)
Gecko/20050821 MultiZilla/1.6.4.0b
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6)
Gecko/20060712 Firefox/1.0.2
(Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050821
Firefox/1.0.5
Avant Browser (http://www.avantbrowser.com)
Anonymizied by Steganos Internet Anonym
With many options available:
; iebar
; SV1
; .NET CLR 1.1.4322
; n-US; rv:1.7.
; iOpus-I-M
; YPC 3.0.
; MSNc00
; MSNmnl-be
; Wanadoo 6.0
; Maxthon
; FunWebProducts
; AOL 9.0
; 3305
; FREE
; Crazy Browser 1.0.5
; Hotbar 4.3.5.0
; digit_oct2005)
; FDM
; Compaq
; (build 00
; (R1 1.3)
; (R1 1.5)
; Dialer/1.10/ADSL
; Hotbar 4.5.0.0
; Hotbar 4.5.1.0
; 3304
; MyIE2
; MSOCD
; MRA 3.0 (build 00715)
; SKY11a
; YComp 5.0.2.6
; i-NavFourF
; ESB
; DigExt
Hardcoded IP -- 72.3.140.229
Rest of the hand-crafted (sent over a socket()) HTTP header:
GET / HTTP/1.
User-Agent:
Host: axill.com
Accept-Encoding: gzip, deflate
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash
Accept: text/html, application/xml, application/xhtml+xml, image/png,
image/jpeg, image/gif, image/x-xbitmap, */*;
Accept-Language: en
Connection: Keep-Alive
Connection: Close
Just a heads up.
-- jose
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO
Arbor Networks
v: (734) 821 1427
PGP: 0x40A7BF94
www.arbornetworks.com
-------------------------------------------------------------
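The request shape described above (a bare "GET /" with two Accept headers, both "Connection: Keep-Alive" and "Connection: Close", a bare "Accept-Language: en", and a User-Agent assembled from the option pool) is something a site operator can match on at the edge. The following is an added example for this post, not code from the original message or from Arbor Networks: a small Python scorer that parses a raw request head and weights those header anomalies. The option-token subset is copied from the list above; the weights, the threshold, the two sample requests, and the assumption that the bot emits both Accept variants in one request are all mine.

```python
import re

# Added example (not from the original post): score a raw HTTP request head
# against the request shape the post attributes to the bot. Indicators come
# from the post; the weights and threshold below are assumptions made here.

# Subset of the User-Agent option tokens listed in the post. Some of them
# (SV1, .NET CLR 1.1.4322) also appear in genuine IE6 user agents, so the UA
# check is weighted low and only matters together with the header anomalies.
UA_OPTION_TOKENS = frozenset({
    "iebar", "SV1", ".NET CLR 1.1.4322", "iOpus-I-M", "YPC 3.0.", "MSNc00",
    "Wanadoo 6.0", "Maxthon", "FunWebProducts", "AOL 9.0", "Crazy Browser 1.0.5",
    "Hotbar 4.3.5.0", "FDM", "Compaq", "Dialer/1.10/ADSL", "MyIE2", "MSOCD",
    "SKY11a", "YComp 5.0.2.6", "i-NavFourF", "ESB", "DigExt",
})

FLAG_THRESHOLD = 3  # assumption: flag a request once its weighted score reaches this


def parse_request_head(raw: str):
    """Split a raw HTTP/1.x request head into the request line and an ordered
    list of (lowercased name, value) pairs. Duplicate headers are kept on
    purpose: a repeated header is exactly the artifact we want to see."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def score_request(raw: str):
    """Return (score, reasons) for one request head."""
    request_line, headers = parse_request_head(raw)
    values = {}
    for name, value in headers:
        values.setdefault(name, []).append(value)
    reasons = []
    score = 0

    def hit(weight, why):
        nonlocal score
        score += weight
        reasons.append(why)

    # The post shows the flood as a bare "GET / HTTP/1." root request.
    if re.fullmatch(r"GET / HTTP/1\.\d?", request_line):
        hit(1, "bare GET / request line")
    # Two Accept headers in one request (the post lists two variants).
    if len(values.get("accept", [])) > 1:
        hit(2, "duplicate Accept header")
    # Both Keep-Alive and Close, which no browser sends together.
    connection = {v.lower() for v in values.get("connection", [])}
    if {"keep-alive", "close"} <= connection:
        hit(2, "conflicting Connection: Keep-Alive and Close")
    # Bare "en" with no region or q-values, as in the bot's header.
    if any(v.lower() == "en" for v in values.get("accept-language", [])):
        hit(1, "bare Accept-Language: en")
    # User-Agent assembled from the option pool: split on ';' and count tokens.
    ua = values.get("user-agent", [""])[0]
    tokens = {t.strip(" ()") for t in ua.split(";")}
    pool_hits = len(tokens & UA_OPTION_TOKENS)
    if pool_hits >= 2:
        hit(1, f"{pool_hits} User-Agent tokens from the bot's option pool")
    return score, reasons


def is_bot_like(raw: str) -> bool:
    return score_request(raw)[0] >= FLAG_THRESHOLD


# Constructed sample: the header layout from the post, assuming both Accept
# variants and both Connection values go out in the same request.
BOT_SHAPED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)\r\n"
    "Host: axill.com\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash\r\n"
    "Accept: text/html, application/xml, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;\r\n"
    "Accept-Language: en\r\n"
    "Connection: Keep-Alive\r\n"
    "Connection: Close\r\n"
    "\r\n"
)

# Constructed sample: an ordinary browser request to the same site.
BROWSER_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: axill.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Accept-Encoding: gzip,deflate\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("bot-shaped", BOT_SHAPED_REQUEST), ("browser", BROWSER_REQUEST)):
        score, reasons = score_request(req)
        print(f"{label}: score={score} flagged={is_bot_like(req)} reasons={reasons}")
```

The Host header is deliberately not scored: on the targeted site every legitimate request also carries "Host: axill.com", so it says nothing about which requests are the flood. The duplicate Accept and contradictory Connection headers are the discriminating signals; the User-Agent pool is only corroboration, because the bot copies real browser strings and a real IE6 user would trip the token check alone. In practice this per-request score belongs alongside a per-source rate limit, not in place of one.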