Monday, 13 September 2010

Prolific DDoS Bot targeting many industries

One of the uses of botnets that I find particularly interesting is Distributed Denial of Service (DDoS) attacks. I spend a fair amount of time tracking the various botnet-related attacks that Shadowserver sees, especially when the list of victims is of fairly high profile.

I've been watching a DDoS group that has been attacking a wide variety of victims in several different countries. This group uses the BlackEnergy botnet to carry out its attacks.

The Command and Control servers are using the following domains:

  • globdomain.ru
  • greenter.ru

Here is some basic whois information on those domains:

  • domain: GLOBDOMAIN.RU
  • nserver: ns1.reg.ru.
  • nserver: ns2.reg.ru.
  • state: REGISTERED, DELEGATED, VERIFIED
  • person: Private Person
  • phone: +7 495 7638740
  • e-mail: lvf56kre@yahoo.com
  • registrar: REGRU-REG-RIPN
  • created: Monday, 17 May 2010
  • paid-till: Tuesday, 17 May 2011
  • source: TCI

  • domain: GREENTER.RU
  • nserver: ns1.reg.ru.
  • nserver: ns2.reg.ru.
  • state: REGISTERED, DELEGATED, VERIFIED
  • person: Private Person
  • phone: +7 495 7638740
  • e-mail: lvf56kre@yahoo.com
  • registrar: REGRU-REG-RIPN
  • created: Wednesday, 23 June 2010
  • paid-till: Thursday, 23 June 2011
  • source: TCI

Since mid 2010, I've seen these controllers use the following providers:

greenter.ru hosts

  • 194.28.112.135 - AS48691 SPECIALIST-AS Specialist Ltd - Moldova
  • 194.28.112.5 - AS48691 SPECIALIST-AS Specialist Ltd - Moldova
  • 195.54.170.16 - Aerlan-1 - Moldova
  • 194.8.250.202 - Donstroy Ltd. - Moldova

globdomain.ru hosts

  • 194.28.112.134 - AS48691 SPECIALIST-AS Specialist Ltd - Moldova
  • 194.28.112.5 - AS48691 SPECIALIST-AS Specialist Ltd - Moldova
  • 195.54.170.16 - Aerlan-1 - Moldova
  • 194.8.250.201 - Donstroy Ltd. - Moldova
  • 94.102.52.158 - NL-ECATEL - Netherlands

As of this post, globdomain.ru resolves to 194.28.112.134 and greenter.ru to 194.28.112.135.

While we don't wish to individually list all the DDoS victims, we do want to break it down by industry and country to give an idea of the breadth of the attacks. Since mid 2010, the DDoS attack victims were distributed among various industries including:

DDoS Industry Victims

  • Banking
  • Major clothing retailer
  • Natural pharma products
  • News portals
  • Eyewear
  • Private detective agencies
  • Online exam prep services
  • Social networking sites
  • Job search site
  • Jewelry
  • Mining and Minerals
  • Vehicle repair services
  • Sporting goods
  • File sharing services
  • Insurance
  • Payment services
  • Medical products
  • Mineral water suppliers
  • Real estate management
  • Government sites
  • Construction equipment & services
  • Soccer sporting goods
  • Website development services
  • Wholesale foodservices
  • Homeowners associations
  • HR document templates
  • Wristwatch retailer
  • Wedding accessories
  • Online SEO services
  • Astrology services
  • Beauty products
  • Open source software community sites
  • Weight loss services
  • Sports betting
  • Penny stock services

DDoS Victim Countries

  • Pakistan
  • Nigeria
  • Malaysia
  • Russia
  • Kuwait
  • Dubai
  • China
  • Australia
  • Austria
  • India
  • Netherlands
  • France
  • Canada
  • United States

Shadowserver is in the process of notifying the various global CERT teams, Law Enforcement, as well as the victims themselves.

Botnet Communications

In a BlackEnergy botnet, the drone uses HTTP to contact the Command and Control server and identify itself. The image below shows a Wireshark capture of the initial communication between the infected drone and the greenter.ru C&C.

C&C greenter.ru

The controller's response to the drone is Base64 encoded. The full stream is shown below:

C&C greenter.ru

Upon decoding the Base64, the following command string is seen:

10;2000;10;0;0;30;100;3;20;1000;2000#flood http www.xxxxx.com,www.yyy.com,www.zzz.com,xyzxyz.com,#7#xTEST1_2xxxx91D

The semicolon-separated fields at the start of the C&C's reply to the drone are, in order: ICMP frequency, ICMP packet size, SYN frequency, spoof (y/n), attack mode, maximum number of HTTP sessions, HTTP connection frequency, number of HTTP threads, TCP and UDP frequency, UDP packet size, and TCP packet size. The '#'-delimited field after the actual command ("7" above) tells the drone how many minutes to wait before checking back in. In the final field, the controller echoes back the drone's identification string.
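The following parser, added here as an example and not code from the original post or from Shadowserver, turns a Base64-encoded controller reply of the shape shown above into a structured record that an analyst can act on (attack type, target list, check-in interval, bot ID). The field names, the dataclass and the `SAMPLE_B64` input are my own assumptions and constructions; the sample body is the command string quoted in the post, Base64-encoded inline so the example runs offline.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List

# Parameter names in the order the post gives for the ';'-separated block
# (names are assumptions chosen for readability, not from the bot itself).
PARAM_FIELDS = [
    "icmp_freq", "icmp_size", "syn_freq", "spoof", "attack_mode",
    "http_max_sessions", "http_conn_freq", "http_threads",
    "tcp_udp_freq", "udp_size", "tcp_size",
]


@dataclass
class BotCommand:
    params: Dict[str, int]   # flood tuning parameters, keyed by PARAM_FIELDS
    command: str             # e.g. "flood"
    attack: str              # e.g. "http" (empty if the command carries no attack type)
    targets: List[str]       # victim hosts, trailing empty entry dropped
    wait_minutes: int        # minutes before the drone checks back in
    bot_id: str              # drone identification string echoed by the C&C


def decode_response(b64_body: str) -> str:
    """Base64-decode the controller's HTTP response body (whitespace tolerated)."""
    raw = base64.b64decode("".join(b64_body.split()))
    return raw.decode("latin-1")          # latin-1 never fails on arbitrary bytes


def parse_command(decoded: str) -> BotCommand:
    """Parse 'params#command#wait#botid' into a BotCommand, rejecting malformed input."""
    parts = decoded.split("#")
    if len(parts) < 4:
        raise ValueError("expected 4 '#'-separated fields, got %d" % len(parts))
    raw_params, cmd, wait, bot_id = parts[0], parts[1], parts[2], parts[3]

    values = raw_params.split(";")
    if len(values) != len(PARAM_FIELDS):
        raise ValueError("expected %d parameters, got %d" % (len(PARAM_FIELDS), len(values)))
    params = {name: int(v) for name, v in zip(PARAM_FIELDS, values)}

    # "flood http host1,host2,...," -> verb, attack type, comma list with trailing comma
    tokens = cmd.split(" ", 2)
    verb = tokens[0]
    attack = tokens[1] if len(tokens) > 1 else ""
    targets = [t for t in tokens[2].split(",") if t] if len(tokens) > 2 else []

    return BotCommand(params, verb, attack, targets, int(wait), bot_id)


def summarize(cmd: BotCommand) -> str:
    """One-line summary of the kind used when notifying victims or CERTs."""
    return "%s/%s against %d target(s); %d HTTP threads; check-in in %d min; bot %s" % (
        cmd.command, cmd.attack, len(cmd.targets),
        cmd.params["http_threads"], cmd.wait_minutes, cmd.bot_id)


# Constructed sample: the command string quoted in the post, Base64-encoded here
# so the example runs offline (a real capture would carry the encoded form only).
SAMPLE_PLAIN = ("10;2000;10;0;0;30;100;3;20;1000;2000#flood http "
                "www.xxxxx.com,www.yyy.com,www.zzz.com,xyzxyz.com,#7#xTEST1_2xxxx91D")
SAMPLE_B64 = base64.b64encode(SAMPLE_PLAIN.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    parsed = parse_command(decode_response(SAMPLE_B64))
    print(summarize(parsed))
    print(parsed.targets)
```

Feeding the decoded body through `parse_command` rather than eyeballing the Base64 matters when tracking a controller over weeks: the target list and the check-in interval are what change between polls, and a strict parser fails loudly if the controller starts emitting a format it does not recognize.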

For a more in-depth analysis of the BlackEnergy DDoS bot, please see Jose Nazario's paper at: http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf

There are also Snort rulesets available from Emerging Threats that will fire on BlackEnergy communications traffic: http://emergingthreats.org/index.php/rules-mainmenu-38.html

While there are many other families of DDoS botnets in use, including BlackEnergy2, it is always of great interest when one notices such a prolific and widespread attack against so many high-profile websites. Shadowserver will continue to monitor this botnet's activities, as well as its movement from provider to provider.

=>Posted September 13, 2010, at 09:41 AM by Andre' - Semper_Securus