
F5 Networks Threat Analysis: Madness


THREAT ANALYSIS REPORT

MADNESS


Avi Shulman


Contents

Intro
C&C Communication
  Persistency Comes First
  Time To Call Home
  C&C Panel
DDoS Functionality
  HTTP Floods
  “Low-Level” WinSock Floods
  “High-Level” WinInet Floods
  “Anti-Cookie” Module
  “CloudFlare” Bypass
  The “Hold” Flood
  Network Floods
Other Functionality
Mitigation
Summary
About F5


Intro

“Madness” is a Denial of Service bot targeting Windows machines. Its capabilities are constantly evolving, and it clearly represents the progress attackers have made in Layer 7 DDoS expertise.

The bot author proudly states that “Madness” is the superior successor to, and an actual hybrid of, the notorious DDoS malware families “BlackEnergy”, “gbot”, “DirtJumper”, “Darkness Optima”, “iBot” and “w3Bot”.

While several publications have covered the infection aspects of this bot, little has been said about its Denial of Service functionality. This report covers it in detail and compares its different DDoS techniques.

C&C Communication

Persistency Comes First

“Madness” uses fairly standard persistency techniques, though they keep improving with every version of the bot. First, it copies itself to a new path (“%APP_DATA%\<UID>\svchost.exe”) and revokes the currently running user’s access rights to the file, to prevent the user from deleting it.

It then executes temporary files named “per”, “perper”, “perperper” and “perperperper” to grant itself permission to change the “autorun” registry keys, as well as other keys, in order to evade the UAC and Windows Firewall checks. It also creates a mutex named “GH5K-GKL8-CPP4-DE24” to prevent multiple infections. After that, the bot starts a “persistency thread” that constantly checks for its added registry keys and re-adds them if they are removed.


Time To Call Home

The Command and Control server address is obfuscated in the bot’s configuration using a very simple technique. The bot first replaces the following characters:

^ becomes j
@ becomes H
* becomes d

and then performs base64 decoding. For example, the following encoded string:

YXBvS0FMaXBsaXM9*WVib2toaG@0*@R0*@Rwc@A6O^ovLy8vLy8xMTEwM*AuLi4wM*AuLi4wM*AuLi4yM^IvLy9tbW1@YWFkZGRubm5lZWVzc3MvLy9paWlubm5kZGRlZWV4e@guLi5wc@BoaG@wc@AwM*A5OTk4O*@mZmY2N^ZiYm^o

will eventually be decoded to:

apoKALiplis=uebokhhhttttttppp::://////111000...000...000...222///mmmaaadddnnneeesss///iiinnndddeeexxx...ppphhhppp000999888fff666bbbh

After stripping the hard-coded prefix and suffix and joining the repeated characters, we get the actual C&C address.
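The decoding pipeline described above, as an added Python example that is not part of the F5 report: it undoes the three character substitutions, base64-decodes the result, strips the hard-coded prefix and suffix and collapses the tripled characters. The prefix and suffix values are my reading of the boundaries in the decoded sample the report prints (the report does not spell them out), and the substitution stage is exercised on a sample that the block's own helper obfuscates, since the report gives only one encoded string.

```python
import base64

# Character substitutions the report describes: the bot restores these
# before base64-decoding its configuration string.
SUBSTITUTIONS = {"^": "j", "@": "H", "*": "d"}

# Boundaries read off the decoded sample printed in the report (assumption:
# the report only says a hard-coded prefix and suffix are stripped).
PREFIX = "apoKALiplis=uebok"
SUFFIX = "000999888fff666bbbh"

# The decoded sample exactly as the report prints it.
REPORT_DECODED = ("apoKALiplis=uebokhhhttttttppp::://////111000...000...000...222"
                  "///mmmaaadddnnneeesss///iiinnndddeeexxx...ppphhhppp000999888fff666bbbh")


def unsubstitute(obfuscated: str) -> str:
    """Undo the three character replacements, yielding plain base64."""
    for src, dst in SUBSTITUTIONS.items():
        obfuscated = obfuscated.replace(src, dst)
    return obfuscated


def extract_url(decoded: str, prefix: str = PREFIX, suffix: str = SUFFIX) -> str:
    """Strip the hard-coded prefix/suffix and collapse the tripled characters."""
    if not (decoded.startswith(prefix) and decoded.endswith(suffix)):
        raise ValueError("unexpected configuration layout")
    body = decoded[len(prefix):len(decoded) - len(suffix)]
    # Every character of the address is repeated three times; refuse anything else.
    if len(body) % 3 or any(body[i:i + 3] != body[i] * 3 for i in range(0, len(body), 3)):
        raise ValueError("body is not a run of tripled characters")
    return body[::3]


def decode_c2_config(obfuscated: str) -> str:
    """Full pipeline: substitutions -> base64 -> strip prefix/suffix -> collapse."""
    decoded = base64.b64decode(unsubstitute(obfuscated)).decode("ascii")
    return extract_url(decoded)


def build_sample_config(url: str) -> str:
    """Constructed inverse of the scheme, used only to produce test input."""
    plain = PREFIX + "".join(ch * 3 for ch in url) + SUFFIX
    b64 = base64.b64encode(plain.encode("ascii")).decode("ascii")
    for src, dst in SUBSTITUTIONS.items():
        b64 = b64.replace(dst, src)
    return b64
```

On the decoded sample the report prints, `extract_url` returns the address exactly as that sample spells it (path `/madnes/index.php`); on a self-obfuscated sample the full round trip is exact.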

Its phone-home architecture is based on polling the C&C server. Once a minute, the bot sends a probe to its operator with information on the infected machine (OS and privilege level) and the number of attack payloads successfully sent, and the C&C responds with the current attack command (base64 encoded).

C&C Panel

Simply browsing to the control panel URL results in an error message saying, in Russian, that the site is not available.

Analyzing the PHP code shows that the panel reacts differently when it is not given the same parameters that the bot sends in its phone-home request.

The control panel shows the available commands, their format and statistics on infected machines. The botnet master can send a command either to a specific bot or to the whole botnet. Many of the DDoS commands are named “dd<X>”, where the prefix probably stands for “DDoS”.

DDoS Functionality

As the DDoS market becomes more competitive, the efforts the “Madness” author makes to differentiate his product and offer a richer “portfolio” are noticeable. Madness DDoS capabilities consist of network floods, such as UDP and ICMP; more interesting, however, is its vast diversity of HTTP (Layer 7) floods.

All the floods support up to 10 different URLs, which may be used to attack different servers or different URLs on the same server.

HTTP Floods

We can separate “Madness” HTTP floods into two groups: those using "low-level" Windows libraries and those using more "high-level" Windows libraries.

Going "low-level" lets the attacker make the flood much faster and gives him the flexibility to construct the HTTP request from head to toe in order to bypass many DDoS protections. The added value of "high-level" HTTP libraries is that they automatically handle all HTTP protocol aspects, such as request construction, TCP connection management, caching, cookies and redirections.


“Low-Level” WinSock Floods

“DD1” Flood (GET Flood) - This DDoS attack command uses the Windows Sockets API (“WinSock”), a “low-level” network communication library (based on sockets). It handles layer 3 (IP headers) and layer 4 (TCP headers and the TCP handshake) automatically; however, it is the author’s responsibility to implement the layer 7 protocol, such as constructing the HTTP request and managing cookies.

So why use this API then? Why make things harder?

Using “WinSock” removes the processing overhead of “high-level” HTTP libraries, resulting in a higher request rate. The attacker also gains control over each element of the HTTP request. Specifically, “Madness” controls the “Cookie” and “Referer” headers, on which many simple DDoS protections rely.

In a possible scenario, the attacker recognizes that a certain victim website hands out a Cookie as a simple anti-bot protection, and that the Cookie can be reused from different IP addresses. He then browses the website with his own browser, collects the Cookie and simply passes it as a parameter of the attack to the whole botnet.

However, while trying to be sophisticated, the attacker introduced several inconsistencies. One of them is sending requests containing the “keep-alive” header, which is usually used during HTTP floods as an amplification factor: the same TCP connection is reused, avoiding the overhead of setting up a connection for each request. The bot writer uses this header as well; however, after opening a socket and sending a single request he closes the socket, making the “keep-alive” mechanism ineffective.

“DD2” Flood (POST Flood) – This technique is also based on the “WinSock” API, but using the POST method may make it more powerful. Compared to GET requests, where the server only needs to retrieve a certain resource, a POST action may result in more “expensive” processing, such as querying the database, which occupies the server’s worker thread for longer, makes other requests wait and finally results in a DoS condition.

The C&C panel lets the attacker control the data sent in the POST payload by typing the following command:

dd2=http://10.0.0.2***cookies$$$referal@@@login=user&password=pass

where the POST body (“login=user&password=pass”) follows the three “at” signs.
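For analysts decoding captured C&C traffic, here is an added Python parser for the command format shown above; it is my code, not part of the report or the bot. It base64-decodes a C&C response (the report says commands are returned base64 encoded) and splits the `url***cookies$$$referer@@@body` layout that the report documents for `dd2`. Applying the same layout to the other `dd<X>` and `dc1` flood commands is an assumption, and since the report does not show how multiple URLs are delimited, the parser handles a single URL per command.

```python
import base64
from typing import Dict, Optional

# Flood commands (dd1..dd7, dc1) take "url***cookies$$$referer@@@body";
# the report shows this layout for dd2, applying it to the other flood
# commands is an assumption.
FLOOD_PREFIXES = ("dd", "dc")
# Non-flood commands listed in the report; their argument is optional.
SIMPLE_COMMANDS = {"cfa", "exe", "cmd", "wtf", "def", "upd"}


def parse_flood_args(arg: str) -> Dict[str, Optional[str]]:
    """Split the flood argument left to right on its three separators."""
    head, body_sep, body = arg.partition("@@@")
    head, ref_sep, referer = head.partition("$$$")
    url, cookie_sep, cookies = head.partition("***")
    return {
        "url": url or None,
        "cookies": cookies if cookie_sep else None,
        "referer": referer if ref_sep else None,
        "body": body if body_sep else None,
    }


def parse_command(line: str) -> Dict[str, Optional[str]]:
    """Parse one plaintext command such as 'dd2=http://...' or 'wtf'."""
    name, _, arg = line.strip().partition("=")
    name = name.lower()
    if name.startswith(FLOOD_PREFIXES):
        return {"command": name, **parse_flood_args(arg)}
    if name in SIMPLE_COMMANDS:
        return {"command": name, "argument": arg or None}
    raise ValueError(f"unknown command: {name!r}")


def parse_c2_response(raw: bytes) -> Dict[str, Optional[str]]:
    """The C&C answers each phone-home with a base64-encoded command."""
    return parse_command(base64.b64decode(raw).decode("utf-8"))


# Constructed sample: the dd2 command from the report, base64-encoded the way
# the C&C returns it (the encoding was done here, not captured).
SAMPLE_RESPONSE = base64.b64encode(
    b"dd2=http://10.0.0.2***cookies$$$referal@@@login=user&password=pass")
```

Unknown command names raise rather than being silently skipped, so a sandbox harness notices a new bot version that introduces a command the report does not list.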


“High-Level” WinInet Floods

Similarly to the “low-level” HTTP floods, there are “high-level” alternatives: the “DD3” (GET flood) and “DD4” (POST flood) methods.

These attacks are based on the “WinInet” Windows library, which is a wrapper around “WinSock” that handles the HTTP protocol. The added value of "high-level" HTTP libraries is that they handle all HTTP protocol aspects, such as constructing request elements, managing TCP connections, caching, cookies and redirections.

These attacks are relatively slow compared to the previous ones. However, here the “Keep-Alive” header is actually useful, as the library manages the TCP connections.

Awkwardly, the bot author didn’t implement Cookie handling support in these attacks. The reason might be a “marketing” decision, as there is another GET flood named “DC1” which is dedicated to Cookie handling.

“Anti-Cookie” Module

The “DC1” command is a GET flood based on the “WinSock” library (same as “DD1”), though it has a dedicated ability to parse Cookies from the server’s response and attach them to its subsequent requests.

The bot is able to parse Cookies issued by several methods. The most common way for a server to set a cookie is via a “Set-Cookie” response header. Thus, “Madness” looks for this header and extracts all the cookies it sets.

A Cookie may also be set using JavaScript, via the “document.cookie” property. This technique is used by many anti-bot solutions to challenge the client and check whether it is a real browser capable of running JavaScript. The bot looks for the “document.cookie=” pattern in the response and extracts the Cookies.

During the analysis, we noticed another interesting technique related to Cookie challenges. The bot looks for the strings "Cookie", "realauth=<value>" and "location" in the response and sets the appropriate cookie, as a legitimate browser would after executing the JavaScript.


Apparently, this technique targets a well-known Russian web-hosting service which uses weakly obfuscated JavaScript code to set the challenge Cookie, making it possible for “Madness” to easily bypass the solution without having a JavaScript engine.

“CloudFlare” Bypass

“Madness” has a dedicated technique for more complex JavaScript challenges, specifically targeting “CloudFlare”, a popular DDoS protection service. The challenge is JavaScript code which performs a certain calculation and sends back the result. If the result is correct, the server issues an “authorization Cookie”, and all subsequent requests containing that cookie are considered legitimate. Bots without a JavaScript engine should fail this test.

In the past, “CloudFlare” issued a fairly simple script, with a hard-coded calculation and no obfuscation, making it possible to bypass by parsing the response with a technique similar to the “anti-cookie” module above. However, once the challenge evolved and became heavily obfuscated, it literally became more challenging for DDoS bots.

Instead of trying to parse the response or simulate a browser, the “Madness” author chose to use a real browser, to be able to bypass even the most heavily obfuscated scripts.

Using another “high-level” Windows library called “Urlmon”, it introduced the “DD7” attack. Since this same library is also used by the “Internet Explorer” core, all cookies obtained by “Internet Explorer” are automatically appended to every request made through this library, specifically by calling the “URLDownloadToFile” function from “Urlmon.dll”.

To start the attack, the attacker issues the “cfa” (apparently “Cloud Flare Attack”) command from the C&C:

cfa=http://10.0.0.2/index.php

The victim machine then runs “Internet Explorer” in a minimized window, browses to the targeted website, performs the JavaScript challenge calculation (as it is a legitimate browser) and obtains the “authorization Cookie”. Once the cookie is saved in the browser, the attacker executes the “DD7” flood (or it is already running), and this Cookie is automatically appended to each attacking request.

Although the minimized window is visible in the Windows taskbar, it cannot be manually maximized.


The “Hold” Flood

While analyzing the threat, we also noticed another “GET” flood variation, which may be referred to as a "HOLD" flood. It sends a “GET” request containing only the “Host” header, sleeps for 0.1 seconds and only then completes the request by sending "\r\n".

This attack was probably created to perform a less “aggressive” HTTP flood by lowering the request rate. Again, this attack seems awkward, as it is missing popular HTTP headers, such as “User-Agent”, and does not inherit any of the capabilities (POST method support, Cookies, Referer or challenge bypass techniques) of the other HTTP floods.
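The request-level traits the report attributes to the WinSock floods (a head consisting only of a Host header, no User-Agent, the 0.1-second pause before the terminating CRLF, and a "keep-alive" header followed by an immediate socket close) can be turned into server-side indicators. The following Python is an added example, not code from the report or from F5 products; the two server-side observations it consumes (whether the client closed after one request, and the gap before the blank line) are assumed to be supplied by whatever is terminating the connection, and the 0.05-second threshold is my choice.

```python
from typing import Dict, List, Tuple


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request head into its request line and a dict of
    lower-cased header names (the last value wins for repeated names)."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def fingerprint(raw: bytes, closed_after_one: bool = False,
                head_gap_seconds: float = 0.0) -> List[str]:
    """Return the traits from the report that this request exhibits.

    closed_after_one:  the client closed the TCP connection right after its
                       first request (a server-side observation).
    head_gap_seconds:  pause between the last header line and the blank line
                       that terminates the head (a server-side observation).
    """
    _request_line, headers = parse_request_head(raw)
    traits: List[str] = []
    if set(headers) == {"host"}:
        traits.append("only-host-header")          # the HOLD flood's request
    if "user-agent" not in headers:
        traits.append("no-user-agent")
    if head_gap_seconds >= 0.05:                   # HOLD sleeps 0.1 s; threshold is an assumption
        traits.append("slow-head-completion")
    if headers.get("connection", "").lower() == "keep-alive" and closed_after_one:
        traits.append("keep-alive-then-close")     # the DD1 inconsistency
    return traits


# Constructed samples (not captures from the report).
HOLD_SAMPLE = b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
DD1_SAMPLE = (b"GET /index.php HTTP/1.1\r\nHost: www.example.invalid\r\n"
              b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n"
              b"Cookie: sid=abc\r\nReferer: http://www.example.invalid/\r\n\r\n")
```

None of these traits is conclusive on its own (a minimal health-check probe also lacks a User-Agent), which is why the function returns the list of matched traits for a scoring layer to weigh rather than a verdict.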

Network Floods

While the focus of “Madness” is definitely on HTTP floods, it also supports simple ICMP and UDP floods using the “WinSock” API. For the UDP flood, the attacker controls the data sent in the UDP packets.

Here is an example of an ICMP flood using “WinSock”:

Here is an example of a UDP flood using “WinSock”:

Other Functionality

There are also other common malware functionalities:

exe – download a given file and execute it on the infected machine.
wtf – idle command, do nothing.
cmd – execute a cmd command.
def – kill the bot but don’t uninstall it.
upd (version 1.22 and above) – update the bot.


Mitigation

Although “Madness” uses only 10 threads in all of its attacks, each thread aggressively sends the maximum possible number of requests/packets, which makes the attacking IP easy to spot with TPS-based or stress (latency) based detection. Once detected, mitigation can be applied by request blocking, “client-side integrity defense” or CAPTCHA.

“Heavy URL Protection” provides better detection of “Madness” POST floods (“DD2” and “DD4”) once the attacker has identified and targeted heavy-lifting pages.

A broader mitigation strategy that includes “proactive bot defense”, leveraging JavaScript to test whether clients are real browsers, blocks all the “low” and “high” level HTTP attacks as soon as the attack starts. The bot cannot pass the tests, as it is able neither to execute JavaScript nor to statically parse the JavaScript test and provide the correct response, even with its “Anti-Cookie” module.

Although the “cfa” module (the “CloudFlare” bypass technique) can run a real browser and apparently pass the proactive defense tests, passing them a single time is not enough, as the proactive defense re-challenges the client periodically, making the technique virtually ineffective. Moreover, passing the proactive defense test is not enough either, as the bot will be marked as suspicious due to its high volume of requests or due to an increase in server stress.
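Two observations in this report lend themselves to log analysis: the TPS-based detection described in this section (each thread sends as fast as it can, so the attacking IP stands out) and the once-a-minute C&C polling described under “Time To Call Home”. The following Python is an added example serving both passages; it is not F5 code and not part of the report. The log format, the 50-requests-per-second threshold, the ±2-second jitter tolerance and the sample traffic are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log format (assumption): "<ISO timestamp> <client ip> <method> <path>"
LOG_TIME = "%Y-%m-%dT%H:%M:%S.%f"


def parse_log(lines: List[str]) -> Dict[str, List[datetime]]:
    """Group request timestamps per client IP, sorted in time order."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ts, ip, _method, _path = line.split(" ", 3)
        per_ip[ip].append(datetime.strptime(ts, LOG_TIME))
    return {ip: sorted(stamps) for ip, stamps in per_ip.items()}


def peak_rate(stamps: List[datetime], window: float = 1.0) -> int:
    """Largest number of requests that fall inside any `window`-second span."""
    peak, start = 0, 0
    for end in range(len(stamps)):
        while (stamps[end] - stamps[start]).total_seconds() > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def looks_like_beacon(stamps: List[datetime], period: float = 60.0,
                      tolerance: float = 2.0, min_intervals: int = 5) -> bool:
    """True when most gaps between requests sit within `tolerance` seconds
    of `period`, i.e. the fixed one-minute polling the report describes."""
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < min_intervals:
        return False
    regular = sum(abs(g - period) <= tolerance for g in gaps)
    return regular / len(gaps) >= 0.8


def analyze(lines: List[str], tps_threshold: int = 50) -> Dict[str, List[str]]:
    """Flag clients whose peak rate exceeds the TPS threshold (flood) and
    clients whose request timing is metronomic (C&C polling)."""
    per_ip = parse_log(lines)
    floods = sorted(ip for ip, s in per_ip.items() if peak_rate(s) >= tps_threshold)
    beacons = sorted(ip for ip, s in per_ip.items() if looks_like_beacon(s))
    return {"floods": floods, "beacons": beacons}


def make_sample_log() -> List[str]:
    """Constructed sample: one flooding bot, one bot polling its panel every
    minute with a little jitter, and one ordinary visitor."""
    base = datetime(2014, 1, 1, 12, 0, 0)

    def line(ts: datetime, ip: str, path: str) -> str:
        return f"{ts.strftime(LOG_TIME)} {ip} GET {path}"

    lines = [line(base + timedelta(milliseconds=8 * i), "10.0.0.50", "/index.php")
             for i in range(120)]
    lines += [line(base + timedelta(seconds=60 * i + (i % 3) - 1), "10.0.0.77", "/gate.php")
              for i in range(8)]
    lines += [line(base + timedelta(seconds=off), "10.0.0.9", "/page")
              for off in (0, 3, 7, 20, 45, 130)]
    return lines
```

The beacon check is what catches an infected host on an outbound proxy log even when it is not attacking anything, while the peak-rate check is the inbound view a web server or WAF gets of the flood itself.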

Summary

As layer 7 DDoS attacks are effective, “Madness” provides different flavors of GET/POST floods with a high level of flexibility, while integrating more advanced capabilities to bypass security solutions. We expect this bot to be seen more in the wild, with upgraded capabilities.

One of the lessons we learn from this analysis about protecting our servers is that it is not enough to rely on clients simply answering a challenge, as complex as it might be. It also requires a proactive bot defense with more integrity checks and more sophisticated logic around those challenges, as well as other detection and prevention means, such as blocking requests based on TPS or server stress, CAPTCHA, and more sophisticated anomaly detection methods.


About F5

F5’s market-leading security solutions help you seamlessly scale cloud, data center, and software-defined networking (SDN) deployments—so you can securely deliver applications to anyone, anywhere, at any time. An application-centric design, unique placement in the network, intelligent services delivery, and unparalleled visibility reduce risk across your entire application ecosystem.

The world’s largest businesses, service providers, government entities, and consumer brands rely on F5 to stay ahead of security, cloud, and mobility trends. Learn more at f5.com.
