
Skunkx DDoS Bot Analysis

Lest you think all of the DDoS bots we focus on come only from China, we found one that appears to be from the US. We’re calling this bot “Skunkx”. We have not yet seen the bot’s attacks in the wild, however, and so we do not know its favored victim profiles. We also do not know how big this botnet is at this time.

The bot’s capabilities include:

  • Perform DDoS attacks: UDP floods, SYN floods, HTTP floods, and Slowloris attacks
  • Detect some analyst tools (Commview, TCPView, and Wireshark) and platforms (QEMU, VMWare, VirtualPC)
  • Spread over USB, MSN, YahooMessenger
  • “Visit” sites, speedtest
  • Download and install, update, and remove arbitrary software
  • Detect and stop DDoSer, Blackshades, Metus and IRC bots on the box; it apparently can speak “DDoSer” too
  • Spread as a torrent file
  • Steal logins stored in the SQLite DB by Mozilla

We have not seen the source code or the control panel of the bot. The author appears to like the “JoinVPS” service, however. The servers he has used trace back to “Net-0x2a: Zharkov Mukola Mukolayovuch” in Ukraine, and also to “PIRADIUS” in Malaysia. This is someone familiar with underground hosting, it seems.

Some of the samples have been UPX packed, but not all use such simple packing. The hostnames in use suggest a single attacker, and we have not seen the kit openly available for sale or review. CnC communications use an obfuscated ASCII protocol that is not unlike a basic IRC method. We are working with the registrar to shut down the domain name used by the attacker.

[Figure: Skunkx in IDA console]

Inspection of the bots we captured shows a handful of user-agents (my favorite is the Cyberdog one!) and HTTP headers that appear distinctive, enabling us to detect its traffic selectively. The author appears to have imported Slowloris’ attack method without any modification.
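The two detection angles above (distinctive request headers, and an unmodified Slowloris module) can be implemented as simple per-request and per-connection checks on a web server's side. The following is an added example, not code from the original post or from Arbor's detection tooling: the indicator strings, hostnames, IP addresses and connection records in it are constructed placeholders, since the post does not publish the actual user-agent or header values. The Slowloris heuristic relies only on the publicly known behaviour of that tool, which holds many connections open while never sending the blank line that terminates the HTTP request head.

```python
"""Defender-side checks for the two Skunkx traffic signatures:
(1) distinctive User-Agent / header values, (2) Slowloris-style floods
of connections whose request head never completes.
Added example; indicator values and records below are CONSTRUCTED."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# CONSTRUCTED placeholders. A real deployment would carry the user-agent
# and header strings extracted from the samples; the post does not list them.
SUSPICIOUS_USER_AGENTS = {
    "ExampleBot/1.0",                           # placeholder, not a Skunkx UA
    "Mozilla/4.0 (compatible; PLACEHOLDER-UA)", # placeholder
}
SUSPICIOUS_HEADERS = {("x-example-marker", "1")}  # placeholder (name, value)


def parse_request(raw: bytes) -> Tuple[Optional[str], Dict[str, str], bool]:
    """Parse the HTTP request head received so far on one connection.

    Returns (request line, headers seen so far with lower-cased names,
    head_complete). The head is complete only once the CRLF CRLF that
    ends the header block has arrived; Slowloris clients never send it.
    """
    complete = b"\r\n\r\n" in raw
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0] if lines and lines[0] else None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return request_line, headers, complete


def flag_request(headers: Dict[str, str]) -> Optional[str]:
    """Return a verdict string if the request carries a known indicator."""
    if headers.get("user-agent", "") in SUSPICIOUS_USER_AGENTS:
        return "suspicious-user-agent"
    for name, value in SUSPICIOUS_HEADERS:
        if headers.get(name) == value:
            return "suspicious-header"
    return None


# One record per open connection: (source IP, open timestamp, bytes so far)
ConnRecord = Tuple[str, float, bytes]


def slowloris_sources(connections: List[ConnRecord], now: float,
                      stall_seconds: float = 30.0,
                      min_conns: int = 5) -> Dict[str, int]:
    """Sources holding >= min_conns connections whose request head is still
    incomplete after stall_seconds. Legitimate slow clients rarely hold
    many such connections at once, so the per-source count is the signal."""
    stalled: Dict[str, int] = defaultdict(int)
    for src, opened, raw in connections:
        _, _, complete = parse_request(raw)
        if not complete and now - opened >= stall_seconds:
            stalled[src] += 1
    return {src: n for src, n in stalled.items() if n >= min_conns}


# CONSTRUCTED sample traffic (TEST-NET addresses, placeholder hostname).
COMPLETE_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                    b"User-Agent: ExampleBot/1.0\r\n\r\n")
# Slowloris-style: header block padded with bogus headers, never terminated.
PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-a: 1\r\n"


def demo() -> Dict[str, int]:
    now = 100.0
    connections: List[ConnRecord] = (
        [("203.0.113.5", 10.0, PARTIAL_REQUEST)] * 6   # 6 stalled for 90 s
        + [("198.51.100.7", 90.0, PARTIAL_REQUEST)]    # only 10 s old
        + [("192.0.2.9", 10.0, COMPLETE_REQUEST)]      # head completed
    )
    return slowloris_sources(connections, now)


if __name__ == "__main__":
    _, hdrs, _ = parse_request(COMPLETE_REQUEST)
    print("header verdict:", flag_request(hdrs))
    print("slowloris sources:", demo())
```

The thresholds (30 s stall, 5 connections) are assumptions to tune against a site's normal client mix; the header-indicator check is only as good as the extracted strings it is loaded with, which is why the post stresses that the bot's headers are distinctive enough to match selectively.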

We have also been sinkholing this botnet. Inspection shows hundreds of bots checking in from around the world, with most in the US. Here’s a map showing botted hosts:

[Figure: map of botted hosts seen at the sinkhole]

We continue to work with network providers to get these hosts cleaned up.

Samples by date and MD5 hash:

2010-11-05  8b0ec6c72ba825ef6f6c51ec7940c5d1
2010-10-21  a6bcc047bd5c020d4ab0fc985a955930
2010-09-14  49aa607813acff4d4ee0e6f97a18496a
2010-08-19  201ecebc3ce0a62918c9e03acf2a691b
2010-06-14  678ea804716f80ca1a107467c0ac0d4c
2010-06-03  89d846b4cf063af0c3e34d8f96505299
2010-05-31  659cefcf48c770b9dec7fbc820feb08c
2010-07-27  9105d79b81ec98ff4bb739d65980dbed
2010-07-30  bd9bc177f68823cfd7cc98ce77033787

Many thanks to Jeff Edwards for his help during this analysis.
