Thursday, 27 January 2011

Darkness DDoS bot version identification guide

Since the last post about the Darkness DDoS bot, there have been questions and some uncertainty about the versions of this bot and which version is the latest. Knowing how the versions differ makes it easier to identify the malware during analysis.

We want to update these past posts with additional information about the current and previous versions of the Darkness DDoS bot.

http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110123

http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205

Mila Parkour of Contagio researched the various versions of Darkness and created the following timeline. It shows the evolution of the bot, including unofficial releases, along with notes on code changes.


Update - February 8, 2011


The current version is v.8a, released on February 4, 2011. Version 8 costs $350 USD; the upgrade from v.7 to v.8a is $85 USD.

New features that can help identify v.8a include:

  • Optima 8-0-0 MX Black panel with English instructions
  • File name and bot service names are now random
  • Variable strength for the dd1=http and dd2=icmp commands, with the ability to throttle them using command switches
  • Experimental support for cookie verification, to better emulate a browser and bypass certain anti-DDoS systems
  • New encryption algorithm for the URL and other variable user information stored in the body of the bot
  • Support for modules to be added in the future
  • More effective dd1=http attacks

Version releases - official and cracked

  • Feb 04, 2011 - 8a official released - many code changes and fixes, including a new encryption algorithm, random file and process names, and better browser emulation
  • Jan 24, 2011 - 7i official recalled - version 7g was cracked and 7i uses the same algorithm
  • Jan 24, 2011 - 7g cracked, with an added builder and blue Optima panel, posted on some forums. This cracked version is rumored to be unstable. The official bot does not have a builder.
  • Jan 22, 2011 - 7i official released - changes in encryption algorithm, installation, and other small changes
  • Dec 26, 2010 - 6m leaked, with instructions on how to modify the bots
  • Dec 10, 2010 - 7h official released - minor code changes
  • Dec 02, 2010 - 6n official released - changes in URL encryption, minor code changes
  • Nov 11, 2010 - 7g official released - minor code changes; ability to order a custom installation path, bot service names, and binary name
  • Nov 04, 2010 - 7f official released - minor code changes
  • Oct 27, 2010 - 7e official released - 1. support for 3 C&C URLs; 2. the version number is now encrypted in the same way as the URLs (no longer Base64)
  • Oct 16, 2010 - 7d official released - minor code changes
  • Oct 08, 2010 - 7c official released - minor code changes
  • Oct 03, 2010 - 7b official released - new reversal-resistant encryption for URLs
  • Sep 19, 2010 - 7 official released - 1. easier to pack, different functions, new dd3, improved Optima panel, better operation under user accounts without local administrative rights, new ID generation process; red Optima panel
  • Sep 02, 2010 - 6m official released - minor code changes
  • Aug 13, 2010 - 6l official released - minor code changes
  • Jul 31, 2010 - 6h official released - minor code changes
  • Jul 13, 2010 - 6g official released - minor code changes
  • Jun 23, 2010 - 6f official released - minor code changes
  • May 25, 2010 - 6d official released - minor code changes
  • May 20, 2010 - 6c official released - minor code changes
  • May 08, 2010 - 6b official released - minor code changes
  • April 28, 2010 - 6 official released - major code changes, more efficient dd1=http, checking for CGI changes in the Optima panel
  • Sep 29, 2009 - 4 official released - the loader is no longer used, one exe as installer, new "intelligent" dd1=http, performance improvements
  • May 14, 2009 - 3 official released - runs as a service, new parser, all-new improved control panel called Optima (by different authors)
  • Apr 10, 2009 - 2 official released - new DD1=http allowing attacks on several different sites, added DD3=port, changes in the algorithm
  • Mar 03, 2009 - 1 official released - 100 threads, no timeouts, random ID, anti-heuristics, convenient panel, auto-updates, exe loader from install services, Ru/Eng interface

The following screenshot shows how the public version number can be modified.

[screenshot]

The screenshot below shows the identification of the fake version 8g.

[screenshot]

The following screenshot shows the easy-to-spot differences between older and newer versions.

[screenshot]

The following screenshot shows a packet capture of v6 vs. v7, where v7 allows the use of three domains for Command and Control.

[screenshot]
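As an added illustration (not Shadowserver's or Contagio's tooling), the script below turns the traits the timeline attributes to each release into consistency rules and checks a sample's claimed version against them, the same cross-checking the fake 8g screenshot relies on. It assumes the analyst has already pulled the traits out of the sample or a packet capture by hand (the stored version field, the number of C&C URLs, whether the bot installs as a service, whether a separate loader is used); how to extract them is not covered here, and the sample traits in the block are constructed, not real captures. The Base64 test is a reading of the 7e note above: before 7e the version number was stored as plain Base64, from 7e on it is encrypted like the URLs. Treating the 6.x branch (maintained in parallel with 7.x) under the same ordering is an assumption.

```python
"""Sanity-check a Darkness sample's claimed version against the traits the
timeline above attributes to each release.  Added example for this page; it is
not Shadowserver's or Contagio's tooling, and it assumes the analyst has already
extracted the traits by hand."""
import base64
import binascii
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, str]   # (major, letter suffix): (7, "") < (7, "b") < (7, "e")

# Official releases listed on this page (6.x and 7.x were maintained in parallel).
KNOWN_RELEASES = {
    "1", "2", "3", "4", "6", "6b", "6c", "6d", "6f", "6g", "6h", "6l", "6m", "6n",
    "7", "7b", "7c", "7d", "7e", "7f", "7g", "7h", "7i", "8a",
}


def parse_version(text: str) -> Version:
    """'v.8a', '8a', '7' -> (8, 'a'), (8, 'a'), (7, '')."""
    v = text.strip().lower()
    if v.startswith("v"):
        v = v[1:].lstrip(".")
    digits = v[: len(v) - len(v.lstrip("0123456789"))]
    suffix = v[len(digits):]
    if not digits or (suffix and not (len(suffix) == 1 and suffix.isalpha())):
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(digits), suffix


def fmt(v: Optional[Version]) -> Optional[str]:
    return None if v is None else f"{v[0]}{v[1]}"


def looks_like_base64_text(raw_field: str) -> bool:
    """Pre-7e bots stored the version number as plain Base64; from 7e it is
    'encrypted in the same way as the URLs' and no longer decodes this way."""
    try:
        decoded = base64.b64decode(raw_field, validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(decoded) and all(chr(b) in string.printable for b in decoded)


@dataclass
class Traits:
    claimed_version: str                     # what the sample or panel reports
    raw_version_field: Optional[str] = None  # the stored version string, as found
    cnc_url_count: Optional[int] = None      # 3 C&C URLs appeared in 7e
    runs_as_service: Optional[bool] = None   # service installation since v3
    separate_loader: Optional[bool] = None   # the loader was dropped in v4
    random_names: Optional[bool] = None      # random file/service names in 8a


def assess(t: Traits) -> dict:
    claimed = parse_version(t.claimed_version)
    at_least: List[Version] = []   # traits that put a floor on the version
    before: List[Version] = []     # traits that put an exclusive ceiling on it
    notes: List[str] = []

    if t.raw_version_field is not None:
        (before if looks_like_base64_text(t.raw_version_field) else at_least).append((7, "e"))
    if t.cnc_url_count is not None and t.cnc_url_count >= 3:
        at_least.append((7, "e"))
    if t.runs_as_service is True:
        at_least.append((3, ""))
    elif t.runs_as_service is False:
        before.append((3, ""))
    if t.separate_loader is True:
        before.append((4, ""))
    elif t.separate_loader is False:
        at_least.append((4, ""))
    if t.random_names:
        notes.append("random file/service names match 8a, but custom names could "
                     "be ordered from 7g, so this is not conclusive on its own")

    floor = max(at_least) if at_least else None
    ceiling = min(before) if before else None
    consistent = True
    if floor is not None and claimed < floor:
        consistent = False
        notes.append(f"claims {fmt(claimed)} but traits require at least {fmt(floor)}")
    if ceiling is not None and claimed >= ceiling:
        consistent = False
        notes.append(f"claims {fmt(claimed)} but traits require a build before {fmt(ceiling)}")
    known = fmt(claimed) in KNOWN_RELEASES
    if not known:
        notes.append(f"{fmt(claimed)} is not an official release listed here; "
                     "the public version string can be edited")
    return {"claimed": fmt(claimed), "known_release": known, "consistent": consistent,
            "at_least": fmt(floor), "before": fmt(ceiling), "notes": notes}


# Constructed sample traits for illustration, not real captures.
GENUINE_7E = Traits("7e", raw_version_field="x9Q!pL", cnc_url_count=3,
                    runs_as_service=True, separate_loader=False)
FAKE_8G = Traits("8g", raw_version_field=base64.b64encode(b"7d").decode(),
                 cnc_url_count=1, runs_as_service=True)

if __name__ == "__main__":
    for sample in (GENUINE_7E, FAKE_8G):
        print(assess(sample))
```

Run directly, it prints both assessments: the 7e sample passes every rule, while the "8g" sample is reported as a release not listed here whose Base64 version field contradicts any 8.x claim. Rules only ever narrow the range; a trait the analyst could not recover is left as None and imposes nothing.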

Once again, I want to thank Mila Parkour of Contagio for her excellent analysis and research assistance.

Posted January 27, 2011, at 09:08 PM by Andre' - Semper_Securus