Wednesday, October 19, 2011

Dirt Jumper DDoS Bot - New versions, New targets

By Andre' M. DiMino & Mila Parkour

End-2012.com
I recently encountered a malware sample that when sandboxed, exhibited a great deal of DDoS-like activity toward a large number of URLs. When I looked at the network traffic a bit more closely, it reminded me of the Dirt Jumper DDoS bot that I read about in an excellent blog post by Curt Wilson of Arbor Networks. This particular version of Dirt Jumper is attacking a variety of organizations and companies in many different countries. The MD5 of this sample is f29b1089b3f5e076d4d4bd2a3a02d3cb using the domain 'asdaddddaaaa.com' for its Command and Control (C&C). Searching for a similar network traffic pattern yielded a number of sandbox analysis pages containing several more C&C servers and DDoS victims. This research also highlighted a lack of proper detection of this bot variant. Many antivirus companies change the name of this bot across variants, detecting it as zbot, pinkslipbot, Kryptic and others. Microsoft at least consistently detects Dirt Jumper as Dishigy.B,  (Dishigy.A is a non-related keylogger with binary in the same directory) and this allowed us to find more examples and prompted further research.  Dirt Jumper is proving to be as popular as Darkness/Optima bot we described earlier this year and is gaining more buyers in underground market due to easy implementation and powerful attack methods.


Table of Contents

September version control panel. Shopworld.biz
  1. Binary analysis
    MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB
  2. Memory analysis using Volatity 2.0MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB
  3. Command & Control servers
    MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB
  4. Dirt Jumper current versions and general information
  5. Review of other samples, command and control servers and DDoS actor groups


1. Binary analysis and comparison
MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB 


There are two ways that Dirt Jumper gets installed on a system - one, as a service,  and two, by adding the malicious binary name to the "shell=" line in the registry under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\current version\Winlogon. Installation as a service is more common and this is the default method for versions 1-3 and v. September 2011. There are some private and custom versions of Dirt Jumper using the Explorer shell method.


INSTALLATION TYPE 1 - 
REGISTRY - WINLOGON -"SHELL=" MODIFICATION

As seen in Dirt Jumper Caught in the Act - Arbor Networks
Size: 204800
MD5:  F7C0314FB0FBD52AF9D4D721B2C897A2

Company Name Comma Stone
File Description Signs Blast Egypt Avery
File Version InternalName Wolff Diets Cowboy Mig
Legal Copyright Copyright Sobs Sift 1997-2011
Original Filename Baby.exe
Product Name Picks Air
Product Version VarFileInfo
File properties


The following system changes may indicated the presence of this bot
  • The presence of the following files:
    • <system folder>\svdhalp.exe
    • <system folder>\svdhalp.exe.ini
    • <Windir>\syskey2i.drv   - contains nothing but a 15 digit bot id number
    In subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 
    Sets value: "Shell" With data: "explorer.exe, svdhalp.exe 



INSTALLATION TYPE 2 - 
AS A SERVICE 
Size: 276480   
MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB

CompanyName Ohokls Vwivanl
File Description Ohokls Uanvbnmsel  Qukxwdrb
File Version 25, 34, 66, 19 InternalName Ohokls
Legal Copyright Copyright Ohokls Vwivanl 1997-2011
Original Filename Ohokls.exe Product Name Ohokls Uanvbnmsel Qukxwdrb VarFileInfo
File properties

The following system changes may indicated the presence of this bot
  • The presence of the following files:
    • <system folder>\drivers\svgtook.exe File name varies, often starting with sv (e.g.svflooje.exe,svcgoow.exe)
    • <Windir>\keys.ini - contains nothing but a 15 digit bot id number
  • The presence of the registry modifications such as the following examples (name of the file may vary)
    HKLM\SYSTEM\CurrentControlSet\Services\svgtook HKLM\SYSTEM\CurrentControlSet\Services\svgtook\Security HKLM\SYSTEM\CurrentControlSet\Services\svgtook\Enum The traffic pattern:



Traffic components
Stream Content
As can be seen below, the two binaries show slight modifications of the same bot.

  
Comparison of two Dirt Jumper binaries
The current IDS signatures for Dirt Jumper can be modified to match this additional version  - The bot ID seems to be the current most common denominator, while C&C URLs and bot commands somewhat vary.
 
Emerging threats signature as proposed by Kevin Ross

 
2. Memory Analysis using Volatility 2.0 
MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB

I've now routinely adopted the use of Volatility as a key tool in any malware analysis that I do. Volatility is described as "a completely open collection of tools.....for the extraction of digital artifacts from volatile memory (RAM) samples".  Volatility's ease of use, especially in obtaining basic forensic information that may shed a quick light on the analyzed specimen, makes it an indispensible tool.  Version 2.1Alpha was recently released, so I used this to analyze Dirt Jumper binary f29b1089b3f5e076d4d4bd2a3a02d3cb.

I executed the malware in my sandbox lab under VMWare Version 7. One of the things I like about VMWare is that you can easily obtain a memory snapshot by suspending the virtual machine, and copying the .vmem file to your analysis directory. That .vmem file is an exact representation of the virtual machine's memory image. If you are not using VMWare, you can also easily snap memory via the MoonSols Windows Memory Toolkit.


The first step in any analysis using Volatility is to get information about the image. This is done via the 'imageinfo' command as seen below.


Volatility 'imageinfo' command
Notice that the suggested profile is "WinXPSP3x86". We will specify this profile for all subsequent Volatility usage by using the '--profile=' option when invoking Volatility..
Now we wish to list all the active processes. This is done with the "pslist" command. Note the use of the "-P" switch to tell Volatility to display the physical memory offset rather than the virtual offset.



Volatility 'pslist' command
The timestamp indicates the date/time that the process started. Note that all the processes except for 'svgtook.exe' started within a few seconds of 00:12. 'svgtook.exe' has a Process ID (PID) of 1900 and began at 10/05/2011 at 00:14. It should also be noted that in this sandbox run, I initiated the malware execution immediately after booting. Note also that there is no browser process or anything else that should initiate an Internet connection.

I next run the Volatility 'connections' command to see all the active network connections. Note that the large number of remote address connections are all associated with PID 1900.




Volatility 'connections' command
The Volatility 'sockets' command will display the listening sockets for any protocol. In the figure below, we see many open sockets for both the UDP and TCP protocol. With one exception, all of these processes are again associated with Process ID 1900, 'svgtook.exe'. By virtue of its many open sockets and dozens of outbound connections, Process ID 1900 certainly seems worth a closer look.

Volatility 'sockets' command
By the way, a great new feature of Volatility 2.0 is the 'netscan' plugin. This plugin will scan for network connection artifacts in Windows Vista, Windows 2008 Server and Windows 7 memory artifacts. From the Volatility wiki, "To scan for network artifacts in Windows Vista, Windows 2008 Server and Windows 7 memory dumps, use the netscan command. This finds TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners. It distinguishes between IPv4 and IPv6, prints the local and remote IP (if applicable), the local and remote port (if applicable), the time when the socket was bound or when the connection was established, and the current state (for TCP connections only)."
Since I ran this analysis on a Windows XP system, I'm not able to show you a 'netscan' output for this particular instance.  In a follow-up analysis, I'll utilize Volatility under Windows 7.

To look more closely at Process 1900, we can dump the process from physical memory. This allows us to examine the process in its executing context as opposed to a packed and possibly obfuscated state. One typical analysis step is to dump the process and use the 'strings' command to look for items of interest.  Let's see the result of performing this against our Process 1900.  Using the Volatility command 'procmemdump', the 'svgtook.exe' process (PID 1900) is dumped to the specified directory. The following image shows this command being run, followed by running strings against the dumped file, and using 'grep' to search for the string "http".

Volatility 'procdump' command
The results show various strings containing "http" being discovered in the dumped file. These include various legitimate sites, as well as the string 'httpsend_s".

One of the best ways to discover evidence pertaining to a suspicious process is to dump the Virtual Address Descriptor (VAD) and examine the dumped sections with the 'strings' command. By examining the dumped VAD segments, you can get an excellent view of the "live" data associated with the examined process.  A good reference for this can be found in the whitepaper, "The VAD tree: A process-eye view of physical memory" by Brendan Dolan-Gavitt. From the whitepaper," The Virtual Address Descriptor tree is used by the Windows memory manager to describe memory ranges used by a process as they are allocated. When a process allocates memory with VirutalAlloc, the memory manager creates an entry in the VAD tree."   Since I'm particularly interested in any URLs or network connection remnants associated with Process 1900, I'll use the 'vaddump' command to dump the VAD memory segments associated with this process.

Volatility 'vaddump' command
The result of this command leaves approx 950 files in the dump directory of the VAD segments associated with PID 1900.  Running 'strings' and grepping for 'http' yields two segments of interest.

Examining VAD segments for the string "http"
In the image above, we see VAD segment 'svgtook.exe.23ce450.00400000-00dadfff.dmp' reference the same web sites as seen in the dumped process, while 'svgtook.exe.23ce450.01420000-0151ffff.dmp' shows references to various DDoS target URLs received, as well as the C&C "http://asdaddddaaaa.com"

So in this brief analysis, we have been able to utilize Volatility to quickly extract key information about the running Dirt Jumper process. This also equips us to further investigate this process, as well as how other Windows processes may be affected. For example, Volatility allows for extensive registry carving and analysis as well as the use of plugins specifically designed for analyzing malicious code.


3. Command & Control servers 
MD5 F29B1089B3F5E076D4D4BD2A3A02D3CB 

Upon execution, Dirt Jumper sample f29b1089b3f5e076d4d4bd2a3a02d3cb attempted DNS resolution for the domain, asdaddddaaaa.com.
The domain registration information for asdaddddaaaa.com is: 
Domain Name: ASDADDDDAAAA.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.FREEDNS.WS
Name Server: NS2.FREEDNS.WS
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 19-jun-2011
Creation Date: 18-feb-2011
Expiration Date: 18-feb-2012
Registrant Contact:
Mark Livingston
Mark Livingston j.hnvns.92@gmail.com
+1.2147899961 fax: +1.2147899961
446 Ridge Point drive Forney TX 75126 


As of this writing, DNS results show that the C&C is running on IP address, 195.3.145.87 which managed by Altnet-Latvia (ASN41390). There are several other domains and nameservers running on that IP address, including:      
  • bestdumps.biz
  • lost-pass.ru
  • mail.asdaddddaaaa.com
  • mittmax.com
  • ns1.euro-2012portal.com
  • ns1.euro2012-portal.com
  • ns2.euro-2012portal.com
  • ns2.euro2012-portal.com
  • open-pass.com
  • pizdaruliu.net
  • skachatiskype.ru
  • skype4download.ru
  • www.mittmax.com
  • www.skype-rf.ru
  • www.skype4download.ru
  • xaker.me 
Prior to hosting on Altnet-Latvia (ASN41390), asdaddddaaaa.com was utilizing the following IP addresses and providers for its domain hosting:
  • 46.108.225.57 - AS50244 - ITELECOM - Romania
  • 46.108.225.60 - AS50244 - ITELECOM - Romania
  • 46.108.225.72 - AS50244 - ITELECOM - Romania
  • 46.252.130.141 - Sagade - Latvia
  • 46.252.130.150 - Sagade - Latvia
  • 46.252.131.5 - Sagade - Latvia
  • 46.252.131.7 - Sagade - Latvia
  • 46.252.131.9 - Sagade - Latvia
  • 94.244.80.217 - AS25190 - Kauno Interneto Sistemos - Lithuania
  • 95.64.50.30 - AS48266 - Netserv Consult - Romania
  • 141.136.16.100 - AS50515 - TIER-DATA-CENTER - Romania
  • 223.25.242.107 - AS55720 - GIGABIT- Malaysia
  • 223.25.242.196 - AS55720 - GIGABIT- Malaysia
  • 195.3.145.87 - AS41390 - RN-DATA - Latvia


It is often interesting to trace the routing information of the hosting provider in question. The diagram below was produced using BGPlay. BGPlay displays the routing information for a network prefix for a defined time period. In this case, I ran BGPlay for the prefix 195.3.144.0/22 from 09/9/2011 thru 10/9/2011. From the results, you can see that during this time, Altnet-Latvia had Telenet SIA in Latvia (ASN24589), as its only upstream. Walking "up the upstream", we see the following relationships:

BGPlay information for Altnet-Latvia (AS41390)
Telenet SIA (ASN24589) is the sole upstream for Alnet-Latvia
BKCNet Latvia (ASN6851) is the sole upstream for Telenet SIA
Telia Latvija (ASN5518) is the sole upstream for BKCNet Latvia
TeliaNet Sweden (ASN1299) is the sole upstream for Telia Latvija

Routeviews BGP Information for IP 195.3.145.87
Based on additional research I did, it's very clear that this Dirt Jumper C&C isn't the only malicious activity on Alnet-Latvia.
PhishTank Report
Spamhaus Report
malc0de Report


I wonder if the folks at TeliaNet Sweden, or the other upstreams to Alnet-Latvia are aware of this?  This would also be a good time to remind hosting providers, ISPs, and network operators to subscribe to the Shadowserver ASN & Netblock Reporting Service.  


DDoS Victims 
This is a very active DDoS bot, with a wide variety of targets across many industries. Over a two week observation period, the asdaddddaaaa.com controller has targeted victims in the following industries:   
  • Aviation Products and Services
        Host-tracker.com  showing problems
        experienced by targeted domains
  • Porn sites     
  • Cargo and Shipping   
  • Jewelry     
  • Auto Dealer Services     
  • Real Estate     
  • Wholesale Shopping
  • Audio Products    
  • Classified ad sites     
  • Office Space providers     
  • Online Forex Trading     
  • Clothing and Gifts 


As described in more detail later in this post, we have detected several other C&Cs that appear to be related to the same group operating asdaddddaaaa.com. Several of them continue to actively initiate DDoS attacks. We are currently monitoring these controllers and sharing the victim lists with appropriate law enforcement agencies and the victim organizations.


4. Dirt Jumper current versions and general information

The bot is binary is relatively large, 170-270 kB and is packed with UPX. The bot tasks are not encrypted as you can see in the pcaps and on the C&C server.


DDoS task for bots as seen on a C&C page

Current Dirt Jumper Versions and Features

Version 3, "September", and private versions  - 2011


  • Multipurpose flood (Light) – combination type of attack when packages with random data sent to the server.  The bot uses a varying User Agent
    Control Panel. Img.src: shopworld.biz
    and referer, receives and sends cookies, builds packages of different lengths, different types of content, changes timeout and sending rate.
  • Multipurpose flood (Full) – Same as Multipurpose flood (Light) but POST data is added POST requests will exhaust server resources due to its need to process the data, requiring participation of apache, php, and any linked database. This also helps to avoid Anti-DDoS measures because it imitates random browser requests.  
  • HTTP flood (DJSFlood) – The author claims it is unique to his bot.  The method is very similar to simple http, but at the same time is not standard structure. It's “something between http and udp”. This method can be used for port attacks. The syntax is: http://IP:PORT/  with 300-500 threads
  • POST flood (TimeOut) - Same as above, but it is possible to send data using POST. There is the way to set timeouts for response after sending the data.
Other features
  • Works with http, https
  • Varied User Agent and Referer
  • Multithreading, can attack up to 999 websites simultaneously
  • Can attack by IP, domain name, port, ftp
  • Access to the admin panel may be limited by IP. Additionally, the first level login page can be accessed only by specifying the correct GET-Passwd. The correct password then allows access to the next level, the regular login page.
  • Can attack up to 999 sites simultaneously  


Version 2 - 2010

Dirt Jumper v.2 Img.Src: Damagelab.org
  • HTTP flood: This type of attack can cause server overload due to frequent, repeated conventional HTTP requests.  As soon as the webserver is ready to answer, the bot breaks the connection and sends a new request 
  • Synchronous flood: This method of attack is effective only when more than 150 threads in use. The bot makes 150+ simultaneous requests, waits until the server responds and repeats it
  • Downloading flood: The bots download  files from the website causing bandwidth saturation. 
  • POST flood:  The bot  can make GET and POST requests at the same time. That is, it can send a random usernames and passwords  to website forms, causing a tremendous load on the server 
Other features are the same as you see above in Version 3.  


Version 1 
Dirt Jumper v.1 Control Panel. Img.Src: xaknet.ru
There is not much information about version 1 available.  The one description found is the following:
  • Multithreaded attack, number of threads can be changed without interrupting the attack
  • Can attack http, https
  • Can attack by DOMAIN:PORT 
  • Can attack several sites at once
  • Can set up the time when you need to bot to call back
  • Can change User Agent
  • Bot is installed as a system service
  • The bot owner can choose the name of the bot process

5. Review of other samples, command and control servers and DDoS actor groups


Analysis of Dirt Jumper C&C servers and their victims was based on publicly available sandbox results from Threatexpert.com, Sssdsandbox.net, Anubis.iseclab.org, and others. The search yielded two dozen C&C servers with groups attackers that utilize both types of the bot described in Section 1 of this post, Binary analysis and comparison. These were frequently seen on the same domains. For example, http://wow-siti.ru/www/m_d.php (type 1) and http://wow-siti.ru/1​/index.p​hp (type 2)

The results showed similar naming conventions for the bot executable file name that is normally chosen by the botnet owner. This was seen as identical names or often starting with "sv" like in "sviooue.exe" and "svgtook.exe", as well as the GET or POST URLs for the drone. 


In addition, some C&C servers had a history of being hosted on same IP addresses in the past and being moved simultaneously from one hosting provider to another. Other attribution points included seeing the same email addresses in the domain registration, and similar domain names (e.g.xruw0q.com, zprw6q.com and xzrw0q.com; jfasfasfasfasf.com and asdaddddaaaa.com). The resulting matrix clearly shows that seemingly unrelated C&C servers may be operated by the same actors.

Group 1
(abacava.net + asdaddddaaaa.com)
Same email address in domain registration, same hosting
+
(jfasfasfasfasf.com)
History of hosting on the same domains as C&C above
+
(xzrw0q.com+whozdadx.org)
Same bot name
+
(xruw0q.com+zprw6q.com)
same domain naming convention as in xzrw0q.com above
Group 2
(wow-siti.ru + mwas.ru)
Same email address in domain registration, same hostng
+
(s0r.ru)
Same hosting
+
(95.211.63.38) -
Same bot file name


exe name    CC IP    IP location    Domain URL    Domain owner    MD5

klhkg.exe    195.3.145.220    RN Data, SIA Latvia    http://abacava.net/s4/index.php    Phinney Business Skye Phinney jh.nvns.92@gmail.com +1.7814548993 fax: +1.6612830438 8536 Kern canyon Road, Sp 35 Bakersfield CA 93306 United States    4C01B3D5B80E18CE2E981E25740B395A

svdhalp.exe    195.3.145.220    RN Data, SIA Latvia    http://abacava.net/f2/m_d.php    Phinney Business Skye Phinney jh.nvns.92@gmail.com    2cc731473ef8d968050aa2c9e914150d

svgtook.exe    195.3.145.87    RN Data, SIA Latvia    http://asdaddddaaaa.com/678/index.php    Mark Livingston Mark Livingston j.hnvns.92@gmail.com +1.2147899961 fax: +1.2147899961 446 Ridge Point drive Forney TX 75126 United States    f9a65bc3a197600d23557eceb1f3125c

svcghkkjl.exe    46.108.225.72    Pixel View SRL Romania    http://jfasfasfasfasf.com/887/index.php    Hartford Business Joe Hartford bezerosavyk@yahoo.com +1.7814548993 fax: +1.7814548993 32 Cedar Street,Apt. #4 Waltham MA 02453 United States    C0FCBF7B96474DCF074339575EC1EF3B

svdhalp.exe    31.192.109.164    Mir Telematiki Ltd Russia    http://xzrw0q.com/driver32/update/m_d.php     BIZCN.COM, INC.    f7c0314fb0fbd52af9d4d721b2c897a2

sviooue.exe    31.192.109.162    Ultra Web Solutions  India    http://xruw0q.com/fcfxD/load.php    No. 61 Wanghai Road, Xiamen Software Park xiamen fujian 361008 China    6D54FB6753D719CA3EC991A9CBD9743C

svdhalp.exe    77.79.11.86    Webhosting, Lithuania    http://whozdadx.org/c4/m_d.php    Jabon Lorkan Inconmun Klopi 12 New-York    627f2bda0c5abe4d3e7ae68b877dcfd0

sviooue.exe    91.217.153.114    Alexey Klimenko Ukraine    http://zprw6q.com/frexpex/index.php    Whois Privacy  gmvjcxkxhs@whoisservices.cn    79a9327dd9f9911c0f08fd4d3c3b26c8

svajnager.exe    184.22.118.89    NOC Scranton PA    http://wow-siti.ru/1​/index.p​hp    Private Person vzlomaem@xaker.ru ns1.antiddos-servis.ru. ns2.antiddos-servis.ru.    9277796C0F8EBF1078C52D88E8FAAA5D

svflooje.exe    184.22.118.89    NOC Scranton PA    s0r.ru    Private Person qwer.vdv@gmail.com    7CA86FB5C76B74390B4E7200E4A09514

svflooje.exe    184.22.118.89    NOC Scranton PA    unknown    unknown    E7B65933F069A81AB089D055D6BDD17A
svflooje.exe    184.22.243.172    NOC Los Angeles CA    http://mwas.ru/666/index.php    Private Person vzlomaem@xaker.ru ns1.reg.ru. ns2.reg.ru.    6f610c089205a6433fc56c58e30840d1

svflooje.exe    95.211.63.38    LeaseWeb Netherlands    http://95.211.63.38/index.php    ip    5998968B6B92E8B8076A8D846C75B855

svsysnt.exe     78.108.84.160    Majordomo Llc Russia    http://startraider.com/login/index.php     smk.majordomo.ru Alex Leman () Fax: 226 E 45th St New York, NY 10017 United States    D65C7F3B29F162F4104FC150614D5BE7

kmhfoot.exe    195.189.226.193    SERVER.UA Ukraine    http://nntudazashel.ru/dj/a.php    Private Person root@dgrad-host.ru ns1.vainet.ru. ns2.vainet.ru.    fb88c02090d9a42fef851b600fd8ec8

svciyyyt.exe    46.252.130.102    users Latvia Andrejs Kaminskis    http://46.252.130.102/www/index.php    ip    4E89DF9540358C4524597856D6A08032
unknown    80.79.118.230    Aktsiaselts WaveCom Estonia    http://hotklass.com/a2/index.php     PrivacyProtect.org Domain Admin (contact@privacyprotect.org ) ID#10760, PO Box 16 Note - All Postal Mails Rejected, visit Privacyprotect.org Nobby Beach null,QLD 4218 Australia Tel. +45.369466    ac65790032bbcdc7f35dce0c0e43c434

svlanager.exe    94.244.80.5    UAB KIS Lithuania    unknown    unknown    54DC76D3F0930A88211207453343E5008BA0161E

svlkanager.exe    unknown    unknown    unknown    unknown    CDBF7C49E3FDDAACC3154F13CE93521D
svcgoow.exe    unknown    unknown    unknown    unknown    f268ee8e4a5091139e5986b23389e80e

No comments:

Post a Comment