North America: Radware Inc., 575 Corporate Dr., Lobby 1, Mahwah, NJ 07430, Tel: (888) 234-5763
International: Radware Ltd., 22 Raoul Wallenberg St., Tel Aviv 69710, Israel, Tel: 972 3 766 8666
www.radware.com
Dirt Jumper Ver. 5
Technical Security Notes
Eyal Benishti, Security Researcher, ERT Research Lab, 28.08.2012
Table of Contents
Summary (p. 3)
Setup and Installation (p. 6)
Investigation and Analysis (p. 7)
  Static analysis (p. 7)
  Dynamic analysis (p. 9)
Attack Modes (p. 10)
  POST Flood (p. 11)
  HTTP Flood (p. 11)
  Synchronous Flood (p. 11)
  Downloading Flood (p. 11)
  Anti-DDoS Flood (p. 12)
Conclusions (p. 13)
Summary
Dirt Jumper (previously known as RussKill) is a very popular Distributed Denial-of-Service (DDoS) Bot
heavily used in the DDoS-for-hire business.
Acquiring the software and making your own DOS/DDOS Botnet operation
Dirt Jumper is an off-the-shelf Kit available for purchase in the black market for about 800 USD.
Once acquired, the Kit allows the customer/attacker to start his own Distributed Denial-of-Service
(DDOS) Botnet operation. The Kit includes a Command-and-Control (C&C) server, and a Bot
builder that will compile his personal Bot binary code. The Kit does not come with any
infection/propagation solution, so the customer/attacker will have to do this himself.
At the end of the process the agent will have a running DDOS Botnet operation that can include
thousands of computers under his control, capable of launching deadly DDOS strikes against any
desired target.
Customers/attackers that invest in building such operations do so for various motivations. The most
common one is to go on selling a DDoS service. Another motivation is political or ideological,
referred to today as 'hacktivism'.
Dirt Jumper 5.0 – New Features
This Tech Note covers Dirt Jumper 5, which is currently the latest version available. Like any other
software, Dirt Jumper keeps being developed: its authors introduce new features, improve existing
ones and fix bugs. The main features in version 5 are referred to as the "Anti-DDoS" techniques.
This name actually refers to capabilities that make its attacks harder to stop with standard DDoS
mitigation technologies. The techniques include User-Agent rotation and referrer randomization.
Interestingly enough, underground forums published many promises about this new version, such as
HTTP 2.0 support, anti-debug and anti-virtualization; none proved to be the case.
Command-and-Control (C&C)
Dirt Jumper uses HTTP for its C&C. The Bot issues an HTTP POST request on a fixed interval
to communicate with its C&C server, sending its unique identifier as a POST parameter and
expecting instructions from the C&C in return. The traffic between the Bot and its C&C is not
encrypted.
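Because the beacon is a plain HTTP POST repeated on a fixed interval with a constant identifier, a defender can spot infected hosts in proxy logs by looking for POST series with nearly constant inter-arrival times. The following is an added example, not code from the report; the log format and the addresses are constructed, and the 60-second interval is the value the report observed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the report):
# timestamp client method url body
SAMPLE_LOG = """\
2012-08-28T10:00:00 10.0.0.5 POST http://cnc.example/index.php id=12345
2012-08-28T10:00:12 10.0.0.7 GET http://news.example/ -
2012-08-28T10:01:00 10.0.0.5 POST http://cnc.example/index.php id=12345
2012-08-28T10:01:30 10.0.0.7 POST http://shop.example/cart add=1
2012-08-28T10:02:00 10.0.0.5 POST http://cnc.example/index.php id=12345
2012-08-28T10:03:00 10.0.0.5 POST http://cnc.example/index.php id=12345
2012-08-28T10:09:44 10.0.0.7 POST http://shop.example/cart add=2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, method, url, body) tuples from the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            yield ts, m.group(2), m.group(3), m.group(4), m.group(5)

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return {(client, url): mean_interval_seconds} for POST series whose
    inter-arrival times are nearly constant (relative std-dev <= max_jitter).
    Dirt Jumper polls its C&C every 60 s in the analysed sample."""
    series = defaultdict(list)
    for ts, client, method, url, _body in parse_log(text):
        if method == "POST":
            series[(client, url)].append(ts)
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Legitimate clients (10.0.0.7 above) are left out because their POSTs are too few and irregular; tune min_hits and max_jitter to the log volume you have.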
The image above shows how the agent controls the Botnet: the 'Today' and 'Online' counters show the
number of computers under its control, 'URLs' specifies the URLs to be attacked, 'Flows' specifies
the attack vector and attack intensity, and 'Start' and 'Stop' allow the agent to inflict pain and
voluntarily stop it.
DOS Attack Vectors
This table summarizes the existing attack vectors.
HTTP Flood: Normal HTTP flood
POST Flood: Normal POST flood
Synchronous Flood: Similar to HTTP Flood but more aggressive, as it uses more connections
Downloading Flood: HTTP flood targeting an intensive resource (e.g. large image or document)
These attack vectors are explained in detail in the 'Attack Modes' section.
Malware Profile
Name: Dirt Jumper version 5
Type: DDoS Botnet framework
Estimated vendor price: 800 USD
Infection mechanism: Not included (buyer needs to conduct infection himself)
C&C Protocol: HTTP (not encrypted)
Functionality: Denial-of-Service
• POST Flood
• HTTP Flood
• Synchronous Flood
• Downloading Flood
New features in latest version:
• User-Agent rotation
• Referrer randomization
Setup and Installation
Beginning with the setup will give us some hints about how this Bot works.
The installation kit contains the following:
builder.exe (MD5: 6758c4bd4c2347bd81439b7f47f19050)
stub.exe: Bot template file.
Admin (C&C) folder containing the PHP code, styling and image files.
When running the builder, the following dialog is displayed:
Figure 1: Installation dialog
By looking at the builder dialog we learn that the Bot is going to run as a Windows service, copied to
the specified directory with a name and description of the Botnet creator's choice; the default is
svchost.exe.
Once the parameters are set and the build button is pressed, a build.exe file (based on stub.exe
and placed in the same directory) is generated. This is the file used for the actual infection of the
victims' machines.
As for the C&C server, after deploying (a simple copy) the files from the kit on a web server and
configuring the local database settings, we see the following admin page:
Figure 2: Command-and-Control admin page
The settings presented on the C&C admin page are straightforward. The attacker can configure the
URL list, the attack method and the number of flows (iterations) the Bot should use for this attack.
Investigation and Analysis
Static analysis
By default, build.exe is not packed or encoded in any way, yet we know that some earlier
versions of the Dirt Jumper Bot found in the wild were packed with various custom packers.
Figure 3: PE file analysis
Another important thing we learn from the static analysis is that the Bot comes with a long
list of premade User-Agent HTTP headers. Randomizing and rotating HTTP headers is one way to
make it harder for IPS and IDS products to identify and block an attack.
Here is a partial list of the premade User-Agent strings:
Mozilla/3.0 (compatible; WebCapture xx; Auto; Windows)
Mozilla/3.0 (compatible; .com/2.56)
Mozilla/3.0 (DreamPassport/3.0)
Mozilla/3.0 (Liberate DTV 1.1)
Mozilla/3.0 (Slurp.so / Goo; [email protected] ; http://www..com / slurp.html)
Mozilla/3.0 (Slurp / Si; [email protected] ; http://www.Mozilla/3.0 (Vagabondo/1.x MT; [email protected] ; http://. Nl)
Mozilla/3.0 (Vagabondo/2.0 MT; webcrawler @. Nl; http://Mozilla/3.0 (Win95; I)
Mozilla/3.0 (WorldGate Gazelle 3.5.1 build 11; FreeBSD2.2.8-STABLE)
Mozilla/3.0 NAVIO_AOLTV (11, 13; Philips; PH200; 1; R2.0C36_AOL.0110OPTIK; R2.0.0139d_OPTIK)
Mozilla/3.01 (compatible; AmigaVoyager/2.95; AmigaOS/MC680x0)
Mozilla/3.01 (compatible; Netbox/3.5 R92; Linux 2.2)
Mozilla/3.01Gold (X11; I; Linux 2.0.32 i486)
Mozilla/3.01SGoldC-SGI (X11; I; IRIX 6.3 IP32)
Mozilla/3.04 (compatible; NCBrowser/2.35; ANTFresco/2.17; RISC OS-NC 5.13 Laz1UK1309)
Mozilla/3.x (I-Opener 1.1; Netpliance)
Mozilla/4.0 (compatible: AstraSpider V.2.1: astrafind.com)
Mozilla/4.0 (compatible; Vagabondo/4.0Beta; webcrawler at wise-guys dot nl; http://. Wise-guys.nl /)
Mozilla/4.0 (compatible; Advanced Email Extractor v2.xx)
Mozilla/4.0 (compatible; BorderManager 3.0)
Mozilla/4.0 (compatible; B_L_I_T_Z_B_O_T)
Mozilla/4.0 (compatible; Check & Get 3.0; Windows NT)
Mozilla/4.0 (compatible; crawlx, crawler @Mozilla/4.0 (compatible; DepSpid/5.0x; + http://about.. Net)
Mozilla/4.0 (compatible; FastCrawler3 support-fastcrawler3 @. No)
Mozilla/4.0 (compatible; GPU p2p crawler http://gpu..net / search_engine.php)
Mozilla/4.0 (compatible; grub-client-0.3.x; Crawl your own stuff with http://grub.org)
Mozilla/4.0 (compatible; ibisBrowser)
Mozilla/4.0 (compatible; IE-Favorites-Check-0.5)
Mozilla/4.0 (compatible; KeepNI web site monitor)
Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)
Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)
Mozilla/4.0 (compatible; MSIE 4.01; Vonna.com bot)
Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; MSN Companion 2.0; 800x600; Compaq)
Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; PPS; 240x320)
Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)
Dynamic analysis
Once running, the Bot copies itself to the target service directory configured previously by the
attacker.
Figure 4: Service file creation
Another file, sLT.exf, is created to keep the Bot ID; this ID is used by the Bot for the C&C
communication.
Figure 5: Creating Bot ID file
At this point the Bot loader creates a new service process running the actual Bot code and
probing the C&C for new commands on a fixed interval.
A new registry entry is created, registering the service as a startup service.
Figure 6: Creating new registry entry
The Bot then sends the first HTTP beacon request to the C&C; the server responds with the
attack details if an attack is underway.
Figure 7: HTTP request/response
Attack Modes
The C&C server response holds the information about the attack targets and attack method.
As we can see in Figure 7, the C&C responds with 3 numbers delimited by a pipe ('|') and a
URL list (google.de in our case).
The first number in the response reflects the attack type; in this case POST Flood is
represented by '04'.
The second number is the number of flows configured in the C&C admin page.
The third and last number is the Bot's POST interval for the C&C server, 60 seconds in our case;
this number is fixed and defaults to 60 in this particular sample.
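A parser for the C&C reply just described, useful for pulling the attack targets out of a captured beacon response. This is an added example, not the report's or the kit's code: the '04' = POST Flood mapping and the 60-second default come from the report, while the separator between the numbers and the URL list, and between several URLs, are assumptions (the report shows only the pipe-delimited numbers).

```python
from dataclasses import dataclass, field
from typing import List

# Only '04' (POST Flood) is confirmed by the report; any other code is
# reported as unknown rather than guessed.
ATTACK_TYPES = {"04": "POST Flood"}

@dataclass
class CncCommand:
    attack_code: str           # raw code as sent, e.g. '04'
    attack_name: str           # mapped name or 'unknown (<code>)'
    flows: int                 # flows configured on the C&C admin page
    interval: int              # Bot POST interval in seconds (60 by default)
    urls: List[str] = field(default_factory=list)
    known: bool = True         # False when the code is not in ATTACK_TYPES

def parse_cnc_response(body: str) -> CncCommand:
    """Parse a Dirt Jumper v5 C&C reply of the form 'type|flows|interval|urls'.
    Assumption: the URL list is also '|'-separated (not shown in the report)."""
    parts = body.strip().split("|")
    if len(parts) < 4:
        raise ValueError("malformed response: expected 3 numbers and a URL list")
    code, flows, interval = parts[0], parts[1], parts[2]
    if not (flows.isdigit() and interval.isdigit()):
        raise ValueError("flows and interval must be numeric")
    urls = [u.strip() for u in parts[3:] if u.strip()]
    if not urls:
        raise ValueError("response carries no target URLs")
    name = ATTACK_TYPES.get(code)
    return CncCommand(
        attack_code=code,
        attack_name=name or f"unknown ({code})",
        flows=int(flows),
        interval=int(interval),
        urls=urls,
        known=name is not None,
    )

if __name__ == "__main__":
    # Constructed sample matching the report's description (POST Flood, google.de)
    print(parse_cnc_response("04|5|60|google.de"))
```

An unknown code is exactly the situation in the Anti-DDoS mode below, where the C&C sends a mode the Bot does not implement; keeping such replies as 'unknown' rather than dropping them preserves the target list for the analyst.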
All the attacks described below use a dynamic referrer, combined with the randomized User-Agents
seen previously. This is yet another layer of randomization against IPS and Anti-DDoS
solutions.
The C&C allows 5 different attack modes:
POST Flood
The POST Flood attack is simply a POST request containing the target URL as a payload; the
Content-Length header is calculated accordingly, the referrer and the User-Agent described earlier
are randomized, and in this particular attack sometarget.com was redirected to a local Apache server.
Figure 8: POST Flood capture
HTTP Flood
The HTTP Flood attack is a simple GET request with no special attributes. The GET request
rotates over the URLs in the list.
Synchronous Flood
Same as HTTP Flood, but the attack appears to use more connections than a regular HTTP
Flood, some kind of aggressive mode.
Downloading Flood
A simple HTTP GET request; although the name implies an intensive resource download attack,
unless directly specified by the attacker the URLs in this attack are no different from the HTTP
Flood attack.
There is evidence in the code that this Bot might have implemented a 'Range: bytes' attack in one of
its previous versions/variants and maybe even tried to exploit the famous Apache vulnerability
(known as Apache Killer); this feature seems to be currently disabled.
Figure 8: Download 'Range: bytes' attack
Anti-DDoS Flood
This attack doesn't seem to work out of the box: the Bot remained idle for a long time without
launching any attack.
Looking deeper into the code shows that this mode is indeed not supported by the Bot; the last
supported attack mode is POST Flood (04). This is obviously a mismatch between the C&C and Bot versions.
Figure 8: Attack Modes IDA Capture
Conclusions
The Dirt Jumper family is continuously evolving; new versions and variants with new capabilities
are likely to be seen in the wild in the future.
Dirt Jumper already uses some evasion techniques that make detecting its attacks less intuitive.
Although the Anti-DDoS attack vector wasn't implemented completely, it seems that attackers are
always thinking ahead, looking to make their tools even more sophisticated and powerful.
© 2012 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners.