- 14.02.2011: Andre' DiMino - Resignation from Shadowserver
- 27.01.2011: See below.
- 24.01.2011: The Conficker Working Group Lessons Learned Document
- 23.01.2011: Spread of Darkness...Details on the public release of the Darkness DDoS bot
- 16.01.2011: Update on DDoS botnet - greenter.ru & globdomain.ru
- 30.12.2010: New Fast Flux Botnet for the Holidays: Could it be Storm Worm 3.0/Waledac 2.0?\\
Thursday, 27 January 2011
Darkness DDoS bot version identification guide
Since the last post about the Darkness DDoS bot, there have been some questions and uncertainty about the versions of this bot and the latest version available.
Understanding the different versions of the bot allows for easier identification of the malware during its analysis.
We want to provide an update to these past posts and provide additional information about the current and previous versions of the Darkness DDos bot.
Mila Parkour of Contagio did some research as to the various versions of Darkness, and created the following timeline.
This timeline shows the evolution of the bot along with non-official releases and notes on code changes.
Update - February 8, 2011
Current version is now v.8a which was released on February 4, 2011. The price of Version 8 is $350 USD, and the update from v.7 to v.8a is $85 USD.
Some of the new features noted that can help in the identification of v.8a include:
- Optima 8-0-0 MX Black panel with English instructions
- File name and the bot service names are now random
- Variable strengh for dd1=http and dd2=icmp commands, with the ability to throttle them using command switches
- Experimental support for cookie verification to better emulate a browser and bypass certain anti-ddos systems
- New encryption algorithm for URL and other variable user information used in the body of the bot
- Support for modules that will be added in the future.
- More effective dd1=http attacks
Version releases - official and cracked
- Feb 04, 2011 - 8a official released - Many code changes and fixes, including new encryption algorithm, random file and process names, and better browser emulation.
- Jan 24, 2011 - 7i official - released and recalled because version 7g was cracked - as it uses same algorithm.
- Jan 24, 2011 - 7g cracked with added builder and blue Optima panel posted on some forums. This cracked version is rumored to be unstable. The official bot does not have a builder
- Jan 22, 2011 - 7i official - changes in encryption algorithm, installation, and other small changes
- Dec 26 2011 - 6m leaked with instructions on how to modify the bots
- Dec 10, 2010 - 7h official released - minor code changes
- Dec 02, 2010 - 6n official released - changes in URL encryption, minor code changes
- Nov 11, 2010 - 7g official released - minor code changes. Ability to order custom installation path, names of bot services, and binary name
- Nov 04, 2010 - 7f official released - minor code changes
- Oct 27, 2010 - 7e official released - 1. Support of 3 C&C URLS 2. The version number is now encrypted in the same way as URLs (not Base64).
- Oct 16, 2010 - 7d official released - minor code changes
- Oct 08, 2010 - 7c official released - minor code changes
- Oct 03, 2010 - 7b official released - new reverse resistant encryption for URLs
- Sep 19, 2010 - 7 official released - 1. easier to pack, different functions, new dd3, Optima panel improved, better work with user accounts without local administrative rights, new id generation process. Red Optima panel
- Sep 02, 2010 - 6m official released - minor code changes
- Aug 13, 2010 - 6l official released - minor code changes
- Jul 31, 2010 - 6h official released - minor code changes
- Jul 13, 2010 - 6g official released - minor code changes
- Jun 23, 2010 - 6f official released - minor code changes
- May 25, 2010 - 6d official released - minor code changes
- May 20, 2010 - 6c official released - minor code changes
- May08, 2010 - 6b official released - minor code changes
- April 28, 2010 - 6 official released - major code changes, more efficient dd1=hhtp, checking for CGI changes in the Optima panel
- Sep 29, 2009 - 4 official released - loader is not used anymore, one exe as installer, new "intelligent" dd1=http, performance improvements
- May 14, 2009 - 3 official released - runs as a service, new parser, all new improved control panel called Optima (by different authors)
- Apr 10, 2009 - 2 official released - new DD1=http allowing attacks on several different sites, added DD3=port, changes in algorithm
- Mar 03, 2009 - 1 official released - 100 threads, no timeouts, random ID, anti-heuristics, convenient panel, autoupdates, exe loader from install services, Ru/Eng interface
The following screenshot shows how the public version number can be modified.
The screenshot below shows the identification of the fake version 8g
The following screenshot shows the easy to spot differences between older and newer versions.
The following screenshot a packet capture of v6 vs. v7 where v7 allows for the utilization of 3 domains for Command and Control.
Once again, I want to thank Mila Parkour of Contagio for her excellent analysis and research assistance.
=>Posted January 27, 2011, at 09:08 PM by Andre' - Semper_Securus