- 14.02.2011: Andre' DiMino - Resignation from Shadowserver
- 27.01.2011: Darkness DDoS bot version identification guide
- 24.01.2011: The Conficker Working Group Lessons Learned Document
- 23.01.2011: See below.
- 16.01.2011: Update on DDoS botnet - greenter.ru & globdomain.ru
- 30.12.2010: New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?\\
Sunday, 23 January 2011
Spread of Darkness...Details on the public release of the Darkness DDoS bot
Recently, we wrote about the "Darkness" (also known as Optima or Votwup)
DDoS bot that is gaining in popularity.
The features of "Darkness" described in that post applied to the latest
version 7g of the bot. However, on December 26, 2010, version 6m
was made freely and publicly available from many forums. According to the
instructions for the released v6m, it is quite easy to modify the client
executable to point to a new command and control server. The open
release of this bot, along with the ease of customization is a
development that warrants further analysis and increased awareness. We
have already seen several new "Darkness" Command and Control servers
come online, actively directing DDoS attacks.
Detected "Darkness" Command and Control
The following domains have been detected as running a "Darkness" Command
and Control Server. Several of these were active on the following IPs as of this blog post. I
haven't yet researched if these sites were specifically setup as a C&C,
or if they are compromised servers.
- saud4.markaz-royal.net - 22.214.171.124
- oneddos.cz.cc - 126.96.36.199
- postsamart.in - offline
- bezlic2a.net - 188.8.131.52
- fletcher9837.ws - 184.108.40.206
- site.ru - 220.127.116.11
- dieta-doleta.ru - 18.104.22.168
- zama4y.ebana.ru.preview.ihc.ru - 22.214.171.124
- ololoshka.org - 126.96.36.199
- supergjgjgjgjgjgjg.com - 188.8.131.52
- tofdhf.ru - offline
- vkotalke.info - 184.108.40.206
- hackera.ru - 220.127.116.11
Modification of Binary
One distinction between v6m and v7g of "Darkness" is that v7g allows for 3
separate C&C URLs to be compiled into the client binary, while v6m only
permits one. During our testing of the public version, it was very easy
to modify the client binary and add a C&C URL of your choice. Version 6m
uses simple Base64 encoding of the URL within the binary. In testing,
we used a hex editor to modify the v6m binary to add in the Base64
representation of a nonexistent domain name (ssb0tt3st.org). Upon
execution, the modified binary properly performed DNS queries for our
dummy domain name.
The image below shows the unpacked v6m binary opened in a hex editor highlighting the modified URL string. The image also shows a Wireshark session of the modified binary attempting to resolve the fake 'ssb0tt3st.org'
Note that in v7g, this C&C URL modification is no longer trivial, as the
variable containing the C&C URL is now encrypted.
Version 6 contains fixed values of "darkness", "IpsectPro", and
"dwm.exe" for the bot service registry key, display name, and executable
respectively. Version 7g allows for customization of these items for a
Each version of "Darkness" will use one of 10 different User Agent (UA)
strings during a DDoS attack. The User Agents are selected randomly upon
either a service restart or system reboot. The following list shows the
10 User Agents built into the binary:
- Mozilla/4.0 (compatible; MSIE 5.0; Windows 2000) Opera 6.03 [en]
- Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.5; Windows NT 5.1;)
- Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avant Browser [avantbrowser.com]; iOpus-I-M; QXW03416; .NET CLR 1.1.4322)
- Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/0.4.154.25 Safari/525.19
- Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:18.104.22.168) Gecko/2007072300 Iceweasel/22.214.171.124 (Debian-126.96.36.199-0etch1+lenny1)
- Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
- Mozilla/5.0 (compatible; Konqueror/3.5; Linux 2.6.15-1.2054_FC5; X11; i686; en_US) KHTML/3.5.4 (like Gecko)
- Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:188.8.131.52) Gecko/20081201 Firefox/184.108.40.206
- Mozilla/5.0 (X11; U; Linux i686; en-US; rv:220.127.116.11) Gecko/20060308 Firefox/18.104.22.168
- Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
The following image demonstrates this User Agent randomization where 2
different infected clients utilized a randomly selected UA upon system
reboot and "IpsectPro" service restart.
The good folks at Emerging Threats have published a Snort signature based upon recently analyzed 'Darkness' activity. The current signature is as follows:
AntiVirus detection of 'Darkness' and its variants is decent with a high
percentage of the AV engines in Virustotal detecting it. Several
binaries associated with 'Darkness' are:
Observations and details about "Darkness" binary
The author insists on the correct name of the bot "Destination Darkness Outlaw System". However, other names like Optima and Votwup are common. Votwup is a name often used by info-sec researchers. Optima is often used on forums for the sake of simplicity, along with the official name. Optima is derived from the name of the control panel "Optima", which was an 'optimized' version of the original panel. // The most common callback URL is "hxxp:<C&C_domain>/optima/index.php. There are two versions of the panel, red and blue. The latest C&Cs feature a red "Optima v.3" control panel.
- The current price for version 7g is $350.
- The bot ID selection is random for each installation
- Malware features automatic autoupdate
- There is no builder in the official versions, all the customizations are done by the author as part of the original purchase or for additional fee upon request.
- Our testing proved that dd2=icmp, dd3=tcp/udp, and vot=voting are much less reliable than dd1=http
- Publicly released v.6m along with detailed instructions is likely to increase the number of Darkness C&Cs.
- The fact that the bot modifications are easily performed on unpacked binaries, will likely attract inexperienced attackers, which could lead to a higher number of unpacked Darkness binaries seen in the wild.
As described in the Shadowserver blog post of 12/5/10, "Darkness" is quite an effective and efficient DDoS bot. Version 7g is already well advertised and well received in large number of forums.
With the free public release of Version 6m, we expect to soon see a wider deployment of "Darkness" Command and Control servers.
As usual, Shadowserver will continue to track all detected 'Darkness' DDoS bots. We will also notify the various global CERT teams, Law Enforcement, as well as the victims themselves.
I want to give special thanks to Mila Parkour of Contagio whose research and analysis assistance was instrumental to this post.
=>Posted January 23, 2011, at 09:51 PM by Andre' - Semper_Securus