Sunday, 23 January 2011

Spread of Darkness...Details on the public release of the Darkness DDoS bot

Recently, we wrote about the "Darkness" (also known as Optima or Votwup) DDoS bot that is gaining in popularity.

http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205

The features of "Darkness" described in that post applied to the latest version 7g of the bot. However, on December 26, 2010, version 6m was made freely and publicly available on many forums. According to the instructions for the released v6m, it is quite easy to modify the client executable to point to a new command and control server. The open release of this bot, along with the ease of customization, is a development that warrants further analysis and increased awareness. We have already seen several new "Darkness" Command and Control servers come online, actively directing DDoS attacks.

Detected "Darkness" Command and Control

The following domains have been detected as running a "Darkness" Command and Control Server. Several of these were active on the following IPs as of this blog post. I haven't yet researched whether these sites were specifically set up as C&Cs or whether they are compromised servers.

  • saud4.markaz-royal.net - 193.106.172.77
  • oneddos.cz.cc - 195.189.226.193
  • postsamart.in - offline
  • bezlic2a.net - 193.169.218.173
  • fletcher9837.ws - 91.200.40.55
  • site.ru - 194.226.215.67
  • dieta-doleta.ru - 193.105.240.164
  • zama4y.ebana.ru.preview.ihc.ru - 91.218.228.15
  • ololoshka.org - 217.199.218.195
  • supergjgjgjgjgjgjg.com - 89.187.53.197
  • tofdhf.ru - offline
  • 193.105.240.59
  • vkotalke.info - 195.189.226.193
  • hackera.ru - 195.211.101.72

Modification of Binary

One distinction between v6m and v7g of "Darkness" is that v7g allows for 3 separate C&C URLs to be compiled into the client binary, while v6m only permits one. During our testing of the public version, it was very easy to modify the client binary and add a C&C URL of your choice. Version 6m uses simple Base64 encoding of the URL within the binary. In testing, we used a hex editor to modify the v6m binary to add in the Base64 representation of a nonexistent domain name (ssb0tt3st.org). Upon execution, the modified binary properly performed DNS queries for our dummy domain name.

The image below shows the unpacked v6m binary opened in a hex editor, highlighting the modified URL string. The image also shows a Wireshark session of the modified binary attempting to resolve the fake 'ssb0tt3st.org'.

[Image: hex editor view of the unpacked v6m binary with the modified URL string; Wireshark capture of DNS queries for ssb0tt3st.org]

Note that in v7g, this C&C URL modification is no longer trivial, as the variable containing the C&C URL is now encrypted. Version 6 contains fixed values of "darkness", "IpsectPro", and "dwm.exe" for the bot service registry key, display name, and executable respectively. Version 7g allows for customization of these items for a small fee.
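
The observation that v6m stores its C&C URL as plain Base64 is also what lets an analyst recover the address from an unpacked sample for blocking and notification. The following Python is an added example written for this post, not Shadowserver's tooling and not code from the bot: it scans a byte blob for Base64 runs and keeps those that decode to a URL-like string. The SAMPLE bytes, the surrounding junk and the placement of the ssb0tt3st.org string are constructed here; only the encoding scheme comes from the analysis above.

```python
import base64
import re

# Constructed stand-in for an unpacked sample: filler bytes, the fixed strings the
# post mentions for v6, and one Base64-encoded callback URL.  Not a real binary.
SAMPLE = (
    b"\x00\x01MZ\x90\x00junk\x00\x00"
    + base64.b64encode(b"http://ssb0tt3st.org/optima/index.php")   # the C&C string
    + b"\x00\x00IpsectPro\x00dwm.exe\x00"
    + base64.b64encode(b"Some random text")                        # valid Base64, not a URL
    + b"\x00AAAAAAAAAAAAAAAAAAAA\x00"                              # decodes to NULs only
)

# A run of Base64 alphabet characters, at least 16 long, with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

# Loose test for "looks like a URL or hostname" applied to the decoded text.
URLISH = re.compile(
    r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/?#:][\x21-\x7e]*)?$", re.I
)


def find_base64_urls(blob: bytes):
    """Return (offset, decoded_text) for every Base64 run that decodes to a URL-like string."""
    hits = []
    for m in B64_RUN.finditer(blob):
        raw = m.group(0)
        # Base64 length must be a multiple of 4; pad a short tail instead of skipping it.
        raw += b"=" * (-len(raw) % 4)
        try:
            decoded = base64.b64decode(raw, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue            # not valid Base64, or not ASCII once decoded
        if decoded.isprintable() and URLISH.match(decoded):
            hits.append((m.start(), decoded))
    return hits


if __name__ == "__main__":
    for offset, text in find_base64_urls(SAMPLE):
        print(f"offset 0x{offset:x}: {text}")
```

Running it against a real unpacked v6m sample would take the file contents in place of SAMPLE; the two non-URL Base64 runs in the constructed input show why the decoded text is filtered rather than every run being reported.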

User Agents

Each version of "Darkness" will use one of 10 different User Agent (UA) strings during a DDoS attack. The User Agents are selected randomly upon either a service restart or system reboot. The following list shows the 10 User Agents built into the binary:

  • Mozilla/4.0 (compatible; MSIE 5.0; Windows 2000) Opera 6.03 [en]
  • Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.5; Windows NT 5.1;)
  • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser [avantbrowser.com]; iOpus-I-M; QXW03416; .NET CLR 1.1.4322)
  • Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.4.154.25 Safari/525.19
  • Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.6) Gecko/2007072300 Iceweasel/2.0.0.6 (Debian-2.0.0.6-0etch1+lenny1)
  • Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
  • Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.15-1.2054_FC5; X11; i686; en_US) KHTML/3.5.4 (like Gecko)
  • Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.19) Gecko/20081201 Firefox/2.0.0.19
  • Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
  • Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)

The following image demonstrates this User Agent randomization, where 2 different infected clients utilized a randomly selected UA upon system reboot and "IpsectPro" service restart.

[Image: two infected clients each sending a different randomly selected User Agent]

Detection

The good folks at Emerging Threats have published a Snort signature based upon recently analyzed 'Darkness' activity. The current signature is as follows:

SID: 2011996
Description: ET TROJAN Darkness DDoS Bot Checkin
Category: emerging-trojan
Class Type: trojan-activity
Protocol: tcp
Src. IP: $HOME_NET
Src. Port: any
Dest. IP: $EXTERNAL_NET
Dest. Port: $HTTP_PORTS
Revision: 2

Rule (the header line is assembled from the fields above):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"ET TROJAN Darkness DDoS Bot Checkin"; \
    flow:established,to_server; \
    uricontent:".php?uid="; nocase; \
    uricontent:"&ver="; \
    pcre:"/\.php\?uid=\d{6}&ver=[^&]+(&traff=\d+)?$/U"; \
    classtype:trojan-activity; \
    reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205; \
    reference:url,ef.kaffenews.com/?p=833; \
    reference:url,www.threatexpert.com/report.aspx?md5=55edeb8742f0c38aaa3d984eb4205c68; \
    reference:url,www.threatexpert.com/report.aspx?md5=60c84bb1ca03f80ca385f16946322440; \
    reference:url,www.threatexpert.com/report.aspx?md5=7fcebf5bd67cede35d08bedd683e3524; \
    reference:url,www.threatexpert.com/report.aspx?md5=778113cc4e758ed65de0123bb79cbd1f; \
    sid:2011996; rev:2; \
)
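
The same check-in pattern can be hunted for in proxy or web server logs where Snort is not in the path. The Python below is an added example, not code from Emerging Threats or Shadowserver: it applies the rule's pcre to the path plus query string (what Snort's /U modifier matches against) and reports the client addresses that check in. The log lines, client addresses and .invalid hostnames are constructed; the expression is the one in the rule.

```python
import re
from urllib.parse import urlsplit

# Identical to the pcre option of ET SID 2011996.  The trailing $ means the query
# must end after ver= or after an optional traff= parameter.
CHECKIN_PCRE = re.compile(r"\.php\?uid=\d{6}&ver=[^&]+(&traff=\d+)?$")

# Constructed log lines: client, method, URL, user-agent.  Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET http://c2.example.invalid/optima/index.php?uid=123456&ver=6m&traff=17 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
10.0.0.7 GET http://c2.example.invalid/optima/index.php?uid=654321&ver=7g Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.19) Gecko/20081201 Firefox/2.0.0.19
10.0.0.9 GET http://shop.example.invalid/cart.php?uid=12345&ver=2 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2
10.0.0.9 GET http://forum.example.invalid/index.php?uid=123456&ver=1&traff=3&extra=1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
"""


def normalized_uri(url: str) -> str:
    """Path plus query, the part of the request the /U modifier inspects."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def is_darkness_checkin(url: str) -> bool:
    uri = normalized_uri(url)
    # The two uricontent options are nocase fast-path checks; the pcre is the
    # actual decision and, having no /i flag, is case-sensitive like the rule.
    low = uri.lower()
    if ".php?uid=" not in low or "&ver=" not in low:
        return False
    return CHECKIN_PCRE.search(uri) is not None


def scan_log(text: str):
    """Return (client, normalized_uri) for every line matching the check-in pattern."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, url, _ua = line.split(" ", 3)
        if is_darkness_checkin(url):
            alerts.append((client, normalized_uri(url)))
    return alerts


if __name__ == "__main__":
    for client, uri in scan_log(SAMPLE_LOG):
        print(f"{client} check-in {uri}")
```

Of the four constructed lines only the first two alert: the third has a five-digit uid, and the fourth carries a parameter after traff=, which the anchored expression does not accept. Running the expression over a day of logs before deploying the rule is a cheap way to see what it does and does not cover.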

AntiVirus detection of 'Darkness' and its variants is decent, with a high percentage of the AV engines on VirusTotal detecting it. Several binaries associated with 'Darkness' are:

  • 085b71caf44fb70dc0a35c025f70806b
  • a7g563f69ceebc6984788bdcf6c8a221
  • bc53fbbfd198c85d18405f6a9ae69980
  • f03bc8dcc090607f38ffb3a36ccacf48
  • 34d0e0d5485177b0ccdb3cb86fab37a9
  • be1a936feec2945d29b07c0cd90c6634
  • 0fef6530154f3f4a214aa8930b38cf04
  • 1287ccf6b8eafac100376ca6065c26fb
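
Before the list above goes into a blocklist it is worth validating each entry: one of the eight hashes as printed contains a character outside the hexadecimal alphabet and can never match a real MD5. The Python below is an added example, not Shadowserver's tooling; it normalizes and validates the indicators, reports the malformed one, and hashes sample bytes against the valid set. The hash strings are copied from the list above; the sample bytes are constructed.

```python
import hashlib
import re

# The MD5 list exactly as it appears in the post, including the malformed entry.
LISTED_HASHES = """
085b71caf44fb70dc0a35c025f70806b
a7g563f69ceebc6984788bdcf6c8a221
bc53fbbfd198c85d18405f6a9ae69980
f03bc8dcc090607f38ffb3a36ccacf48
34d0e0d5485177b0ccdb3cb86fab37a9
be1a936feec2945d29b07c0cd90c6634
0fef6530154f3f4a214aa8930b38cf04
1287ccf6b8eafac100376ca6065c26fb
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def load_md5_indicators(text: str):
    """Return (valid_set, rejected_list) after lower-casing and stripping each line.

    Rejecting malformed entries loudly matters: a typo that is loaded silently
    becomes an indicator that never fires and gives a false sense of coverage.
    """
    valid, rejected = set(), []
    for line in text.splitlines():
        h = line.strip().lower()
        if not h:
            continue
        if MD5_RE.match(h):
            valid.add(h)
        else:
            rejected.append(h)
    return valid, rejected


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_listed(data: bytes, indicators) -> bool:
    return md5_of(data) in indicators


if __name__ == "__main__":
    valid, rejected = load_md5_indicators(LISTED_HASHES)
    print(f"{len(valid)} usable indicators, {len(rejected)} rejected: {rejected}")
    print("constructed sample listed:", is_listed(b"constructed benign bytes", valid))
```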

Observations and details about "Darkness" binary

The author insists on the correct name of the bot, "Destination Darkness Outlaw System". However, other names like Optima and Votwup are common. Votwup is a name often used by info-sec researchers. Optima is often used on forums for the sake of simplicity, along with the official name. Optima is derived from the name of the control panel "Optima", which was an 'optimized' version of the original panel.

The most common callback URL is "hxxp://<C&C_domain>/optima/index.php". There are two versions of the panel, red and blue. The latest C&Cs feature a red "Optima v.3" control panel.

[Image]
  • The current price for version 7g is $350.
  • The bot ID is selected randomly for each installation.
  • The malware features automatic self-update.
  • There is no builder in the official versions; all customizations are done by the author as part of the original purchase or for an additional fee upon request.
  • Our testing proved that dd2=icmp, dd3=tcp/udp, and vot=voting are much less reliable than dd1=http.
  • The publicly released v.6m, along with detailed instructions, is likely to increase the number of Darkness C&Cs.
  • Because bot modifications are easily performed on unpacked binaries, the release will likely attract inexperienced attackers, which could lead to a higher number of unpacked Darkness binaries seen in the wild.

Summary

As described in the Shadowserver blog post of 12/5/10, "Darkness" is quite an effective and efficient DDoS bot. Version 7g is already well advertised and well received in a large number of forums. With the free public release of Version 6m, we expect to soon see a wider deployment of "Darkness" Command and Control servers.

As usual, Shadowserver will continue to track all detected 'Darkness' DDoS bots. We will also notify the various global CERT teams, Law Enforcement, as well as the victims themselves.

I want to give special thanks to Mila Parkour of Contagio whose research and analysis assistance was instrumental to this post.

Posted January 23, 2011, at 09:51 PM by Andre' - Semper_Securus