- 27.01.2011: Darkness DDoS bot version identification guide
- 24.01.2011: The Conficker Working Group Lessons Learned Document
- 23.01.2011: Spread of Darkness...Details on the public release of the Darkness DDoS bot
- 16.01.2011: Update on DDoS botnet - greenter.ru & globdomain.ru
- 30.12.2010: New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?\\
- 05.12.2010: See below.
- 15.11.2010: Trojan.Spy.YEK - File Stealer
Sunday, 5 December 2010
BlackEnergy competitor – The 'Darkness' DDoS Bot.
Just recently, I began watching the activity of a new DDoS bot that has been quite active over the past few weeks targeting a fairly large variety of websites. What I also found interesting was that this is not the usual prolific BlackEnergy botnet, but a botnet called “Destination Darkness Outlaw System”(D.D.O.S), aka “Darkness”.
As with BlackEnergy, “Darkness” is easy to purchase, easy to deploy, and is very effective and efficient in what it does.
This particular version of “Darkness” is using the domains greatfull-toolss.ru and greatfull.ru for its command and control (C&C). As we will discuss later, a third domain, hellcomeback.ru, was also utilized but is no longer available now. Since November 12 of this year, we have seen over 100 different hosts targeted by 'greatfull.ru'. Initially, the botnet's attacks seem localized and against various MU Online gaming sites, but eventually, it was seen targeting more high profile sites in the financial, insurance, cosmetics, clothing, accessories, and gifts industries.
greatfull.ru and greatfull-toolss.ru are currently being hosted on 18.104.22.168 which is:AS49089 - UA-DC / Nikultsev Aleksandr Nikolaevich.
AS49089 is a small provider that only seems to be announcing the /24 netblock 22.214.171.124/24
It has a single upstream which is AS49211 - SAASUA-AS SAAS Technologies Ltd.
The current AS path is seen as: AS4777 > AS2516 > AS174 > AS42590 > AS49211 > AS49089
Prior to that, the following hosting changes were seen:
11/24/2010 – 126.96.36.199 - AS51441 VOEJNA-AS Berkevich Taras
11/29/2010 - 188.8.131.52 - AS49089 - UA-DC / Nikultsev Aleksandr Nikolaevich
The registration information for the C&C domains are:
The domain registrant
The currently active domains, greatfull.ru and greatfull-toolss.ru used the email address firstname.lastname@example.org for registration. Doing some research on this email address yielded several ads for DDoS services by 'vallium' (translation below)
The 'Darkness' malware
There are several ads touting the effectiveness and efficiency of the 'Darkness' DdoS bot. The following is a translation of some of the features associated with 'Darkness'
- much more effective than its predecessors (Black Energy, Illusion)
- working in 100 threads, no timeouts, generating maximum http traffic rate
- ability to choose and pick several URLs for each site
- Optima bot panel - English or Russian GUI
- Autoupdate and autoupgrade of bots
- Built-in ability to use install biz services
- Works on Windows 95- Windows 7
- Passer module collect passwords on command and offloads them to an FTP site
- Deep-Parser allows to collect URLs from the targeted site and combine them into DD1 command for greater effectiveness
- one executable file, no loader
- can use DD1, DD2, DD3 commands
- runs as a Windows service
- streams correction - if tcpip.sys limits the number of connections, the bot is not trying to initialize them. It is especially useful for server OS and will reduce the number of bot losses due to BSOD and AV/Firewalls
- support of 3 controlling URLs at once. It is a long awaited feature and is very useful in case of a domain suspension or IP address change on the "abuse hosting".
- the variable containing the version is now encrypted like URLs to prevent reversers from modifying and reselling their creation as a new version.
- offering custom build. You can request the file name, directory, and name and service description for extra 10WMZ ($10)
- 30 bots overwhelm an average site. Yes, just 30
- 300 bots - a medium size site
- 1000 bots - large site
- 5000 - cluster with site, even when using anti-ddos, blocks, and other preventive measures.
- 15-20 thousand bots can theoretically bring down vkontakte.ru (Russian Facebook)
A few of these points are worth noting.
- They specifically mention the superior performance to BlackEnergy and Illusion. Upon testing, it was observed that the throughput of the attack traffic directed simultaneously at multiple sites was quite impressive.
- The malware will typically set registry keys as:
HKLM\SYSTEM\ControlSet001\Services\darkness HKLM\SYSTEM\ControlSet001\Services\darkness\ImagePath:"C:\WINDOWS\system\dwm.exe" HKLM\SYSTEM\ControlSet001\Services\darkness\DisplayName: "IpSectPro service"
- The malware can be configured with 3 domains to be used as the Command and Control. This allows for backup in case of hosting takedown or domain suspension. As mentioned earlier, this particular bot was using 'greatfull.ru', 'greatfull-toolss.ru', and 'hellcomeback.ru'. This also ties in with the domain registrations and forum postings for these domains. In the image below, you can see that upon execution, the bot initially attempted unsuccessfully to contact 'hellcomeback.ru'. It then successfully contacted 'greatfull.ru' and greatfull-toolss.ru'.
Querying the Shadowserver database, I was able to find several binaries that attempted connections to greatfull.ru and/or greatfull-toolss.ru. I examined 4 of them, all of which were dropped in the past month. These binaries are:
After contacting the C&C, the bot issues a GET with a unique UID and version number of the bot. The server replies with a base64 encoded set of instructions for the DDoS attack.
After base64 decoding, you can see the specific attack commands that are sent to the bot:
Note the 'dd1=' at the beginning of the instruction. 'Darkness' utilizes three commands for its attack. dd1=http, dd2=icmp, dd3=tcp/udp. In the attack history of the 'greatfull.ru' botnet, all the commands issued were via 'dd1=' except for several attacks on 11/17/2010, where the attacks were via 'dd2='.
A more in-depth analysis of the 'Darkness' DdoS bot will be provided in a future blog post.
The hellcomeback.ru domain was registered on 10/10/2010. The greatfull.ru and greatfull-toolss.ru domains were registered on 11/3/2010. Having a three-headed C&C domain structure for this DDoS bot enables it to remain functional despite a takedown of any single domain or provider. It also allows for some additional correlation of the botnet operator to forum posts, ads, registrations, etc.
It now appears that 'Darkness' is overtaking BlackEnergy as the DDoS bot of choice. There are many ads and offers for DDoS services using 'Darkness'. It is regularly updated and improved and of this writing is up to version 7. There also appear to be no shortage of buyers looking to add 'Darkness' to their botnet arsenal.
Shadowserver continues to track 'greatfull.ru' and other 'Darkness' DdoS bots. We are also notifying the various global CERT teams, Law Enforcement, as well as the victims themselves.
I would particularly like to thank Mila Parkour of Contagio for her great research and analysis assistance.
=>Posted December 05, 2010, at 11:11 PM by Andre' - Semper_Securus