# Chinese Chicken: Multiplatform DDoS botnets #### Peter Kálnai @pkalnai Jaromír Hořejší @JaromirHorejsi ##### Dec 3[nd] – Dec 5[th] 2014 Nancy, France ----- ### Outline ##### • Timeline (+References) • Binaries, common characteristics • Advertisements • Infection vector • Flooding tools/Trojans: • Elknot & Bill Gates • Mr. Black • IptabLes/IptabLex • XOR.DDoS • gh0st RAT • Statistics and victim preference ----- ### Timeline (+ References) ##### • (Edwards, Nazario (ArborNetworks): “A Survey of Contemporary Chinese DDoS Malware”, VB2011, Barcelona) • First builder of Linux flooding bot received at our backend in November 2013 • Secure Honey honeypot: “Trojan Horse Uploaded”, November 2013 • MalwareMustDie! : “Let's be more serious about (mitigating) DNS Amp ELF hack attack”, December 2013 (Linux:Elknot) • Sempersecurus: “Another look at a cross-platform DDoS botnet”, Dec 2014 • ValdikSS – “Исследуем Linux Botnet «BillGates»”, February 2014 • Associating Elknot name with previous research, March 2014 ----- ### Timeline (+ References) ##### • Kaspersky: “Versatile DDoS Trojan for Linux”, July 2014 • Kaspersky: “elasticsearch Abuse on Amazon Cloud and More for DDoS and Profit”, July 2014 (Infection chain) • Prolexic (Akamai): “IptabLes/IptabLex DDoS Bots”, September 2014 • MMD!: “Tango down report of OP China ELF DDoS'er”, September 2014 • MMD!: “MMD-0026-2014 - Router Malware Warning | Reversing an ARM arch ELF AES.DDoS”, September 2014 (UPX-packed ELF:MrBlack) • Prolexic (Akamai): “Spike DDoS Toolkit”, October 2014 (ELF:MrBlack) • ESET: “G20 2014 Summit Lure used to target Tibetan activists”, November 2014 (Windows gh0st RAT) • MMD!: “China ELF botnet malware infection & distribution scheme l h d” N b 2014 ----- ### Infection chain ##### • Attackers • build ELF malware using a customized builder • start HTTP File Server (HFS) to host the previously built malicious binaries • run port scanners on IP ranges • Some of the distributed Windows binaries infected by file infectors (Parite, Sality, Virut) ----- ### Infection chain ##### • If a port of interest is opened: • script exploiting vulnerabilities • Elasticsearch RCE: CVE-2014-3120 • Shellshock • Apache Struts & Apache Tomcat • MS08-067 – Vulnerability in Server Service • Targets windows machines • Privilege escalation: CVE-2009-2692, CVE-2010-3081, CVE-2013-2094 • SSH brute force attack • Lists of user names and passwords • Runs from windows machine, targets Linux servers ----- ### Infection chain ##### • Usage of several hacking tools • Port scanners • ScanPort • WinEggDrop ----- ### Infection chain ----- ### Infection chain ##### • Lists of target IP ranges • Password lists • All tools and lists acquired from the HFS file listings on a compromised machine ----- ### Infection chain ##### • Result of a port scan (wineggdrop) as found in an archive on a compromised machine • About 2M IPs scanned and 14K hosts with open port 22 found ----- ### Binaries, common characteristics ##### • Trojanized flooding tools • Significant portion of code seems to be shared among all the variants • Chinese locale • Some variants written in C++ (objects; classes) • Debug info often not stripped • Variety of supported flooding methods • UDP, TCP/SYN, ICMP, DNS, DNS amplification • Various communication protocols • Kill competing resource consuming processes ----- ### Binaries, obfuscation techniques ##### • Binaries in plain form or packed with (modified) UPX • UPX header modifications to avoid unpacking by the original UPX tool • UPX magic modifications • UPX magic should be found three times in ELF UPX binary • All three magic values are the same, but different from “UPX!” • All three magic values are different • Checksums do not match • (ELF:MrBlack; DDoS64; 18442c18d407ba32fdfa2bbf0c86565f) • Header checksum (custom, 1 byte) • compressed data (Adler, 4 bytes) • uncompressed data (Adler, 4 bytes) ----- ### Binaries, obfuscation techniques ##### • Architecture mismatch • (ELF:IptabLesx; .SSHH2; 6feb4677db052e9c7e19de52e3503db7) • File with a 32-bit UPX header attempts to call 64-bit unpacking method • Causes reading from wrong offsets • Expected data size modification • Pack Header contains incorrect field “uncompressed size” • Original UPX tool exits with an error • cannot unpack such modified binaries (very sensitive to PackHeader data) • Dynamic behavior not altered ----- ### Binaries, obfuscation techniques ##### • UPX Header Checksum (0xDD  0x39) • Decompressing method change: • UPX_F_LINUX_ELF64_AMD (0x16) •  UPX_F_BSD_ELF_i386 (0x19) • Unpacked file size • 0xB869F  0x8760B • Header Offset • 0xBC  0x80 • Compressed data checksum • 0xBA260B3A  0xF65887DC ----- ### Advertisements ##### • Advertised on Chinese forums ----- ### Advertisements ##### • Advertised on Chinese forums (translation) ----- ### Tools – Elknot ##### • Characteristics: • Presence of fake.cfg (xmit.ini) as a configuration file • Available for Linux x86/x64, Windows x86/x64 and FreeBSD • Command grammar supports 4 tasks: • StartTask (0x01) • StopTask (0x02) • WriteFake (0x03) • SendStatus (0x04) ----- ### Tools – Elknot’s Text -Box Builders ##### • Lightweight bot builders producing just one version of malware (e.g. downloaded from www.wowoinn.com) • The output is a plain Windows, resp. an ELF executable packed with UPX MD5: 124273f1ec89ff6f53a9ff9cca55c493 MD5: f9294d0820de96c6b139cfcea6dec22d ----- ### Tools – Elknot’s Chicken Builder ##### • Large binary with embedded stubs • Setting up the C&C panel details: • The IP address of panel • Port number • Restriction of MAC address • Setting up the bot details: • the IP address of C&C • Port number • Platform of an executable • Potential to produce enormous number of unique samples with MD5: 71f0e327807cf570f1987a6ea9d45f96 ----- ### Tools – Elknot for Linux ##### • System performance statistics • CPU statistics • /proc/cpuinfo • /proc/stat • Network statistics • /proc/net ----- ### Tools – Elknot for Windows ##### • C&C address and port are hardcoded in binary and encrypted by a simple algorithm ###### 2 - 9 1 / 0 : 0 / 1 1 2 / 8 6 2 -1 +1 -1 +1 -1 +1 -1 +1 -1 +1 -1 -1 +1 -1 +1 -1 == == == == == == == == == == == == == == == == 1 . 8 2 . 1 9 1 . 2 0 1 0 7 7 1 |2|-|9|1|/|0|:|0|/|1|1|Col12|2|/|8|6|2| |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---| |-1|+1|-1|+1|-1|+1|-1|+1|-1|+1|-1||-1|+1|-1|+1|-1| |==|==|==|==|==|==|==|==|==|==|==||==|==|==|==|==| ----- ### Tools – Elknot for Windows ##### • System performance statistics (uses Performance Monitor) • CPU frequency ----- ### Tools – Elknot for Windows ##### • Debug info contains the string “Chicken”: • Installs into %PROGRAMFILES%/DbProtectSupport/svchost.exe • Persistence via creating a new item in Run registry key • Dropper (2fd539598af48b8ea96ba39c957ee73f)  32/64-bit version of payload • 32-bit version installs only one file – payload named svchost.exe • 64-bit version installs additional signed components, which are part of WinPcap • Npf.sys = NetGroup Packet Filter driver, allows packet capture, packet injection, network monitoring • Packet.dll = communication with npf.sys f Wi d S 2008 R2 (64 bi l ) ----- ### Tools – Elknot’s C&C Panels ##### • Supported attack methods (SYN, UDP flood, etc.) • List of connected bots with system info • Targeted IP address with a port • Number of threads, attack time etc. • Additional dialogs with more options ----- ### Tools – Elknot’s C&C Panels ##### • Generated C&C panel from the Chicken builder ----- ### Tools – Bill Gates for Linux ##### • named after two files created in /tmp directory; contain PID of itself • /tmp/bill.lock – created by payload • /tmp/gates.lock – created by dropper • Supported flooding methods (controlled from C&C): • CAttackIcmp • CAttackSyn • CAttackUdp • CAttackAmp (DNS amplification) • CAttackCC • CAttackDns • CAttackTns C&C d i il h Elk ----- ### Tools – Bill Gates for Linux ##### • Characteristics: • Persistence • /etc/init.d/DbSecuritySpt • crontab: ``` # Edit this file to introduce tasks to be run by cron. # Edit this file to introduce tasks to be run by cron. */98 * * * * nohup /etc/kysapd > /dev/null 2>&1& */97 * * * * nohup /etc/skysapd > /dev/null 2>&1& */96 * * * * nohup /etc/xfsdx > /dev/null 2>&1& */95 * * * * nohup /etc/ksapd > /dev/null 2>&1& ``` ----- ### Tools – Bill Gates for Linux ##### • Script performing regular actions via cron: • Killing competing processes (Elknot’s node24; .IptabLes) • Updating its executables (> 1hour) ----- ### Tools – Bill Gates for Linux ##### • Configuration data are encrypted with RSA-1024 • On the stack: prime P, prime Q, modulus N & decrypted string • P ^ Q % N = configuration string ----- ### Tools – Bill Gates for Linux ##### • Decrypted payload: 116.10.189.246:35000:1:1:h:579368:579884:580400 • g_strConnTgts = 116.10.189.246 … IP address • g_iGatsPort = 35000 … port • g_iGatsIsFx = 1 • g_iIsService = 1 … persistence • g_strBillTail = h … payload fname suffix • g_strCryptStart = 579368 = 0x8d728 … config • g_strDStart = 579884 = 0x8D92C … exponent • g_strNStart = 580400 = 0x8DB30 … modulus ----- ### Tools – Bill Gates for Windows ##### • Persistence: registry key in Run • Debug string similar to Win32:Elknot: • Dropper (3621a7c9b9b350326dcf4baa880e5771)  32/64-bit version of payload & service VS process; Usage of agony rootkit (source published, 2006); • 2 payloads named svch0st.exe and DbSecuritySpt.exe in %PROGRAMFILES%/DbSecuritySpt; • SafeEngine protection libraries (SeSDKDummy.dll, SeSDKDummy64.dll) • 64-bit version (Windows Server 2008): • Npf.sys = NetGroup Packet Filter driver, allows packet capture, packet injection, network monitoring ----- ### Tools – Mr. Black ##### • Large family containing also a malware group called AES.DDoS • Contains various character strings: VERSONEX, VERS0NEX, Mr.Black, Hacker, DealWithDDoS, “Int Server...” • List of attack supporting procedures • DNS_Flood, SYN_Flood, UDP_Flood, UDPS_Flood, TCP_Flood, CC_Flood, CC2_Flood, CC3_Flood, etc… • Available for architectures: • EM_386, EM_x86_64, EM_MIPS, EM_ARM, PE x86 • 1be4fa407f83c927cfd49ba03af816e2, 861f4c1e8fe1e5c059d558ea1e465d86, 008ecf29e0c95f05be2a83a635d7ac31, fdcefb4b0541453a6d78c42094d71ba7 • Devices may include: desktops, servers, routers, Internet of Things devices ----- ### Tools – IptabLes/IptabLex ##### • Accompanied with a process killing the competing processes • Competition over computer resources • List of all the processes to kill is downloaded and named fuckopen.txt or kill.txt ----- ### Tools – IptabLes/IptabLex ##### • MD5: c17cb63de68a37de222b5315bc0ea47e (EM_386), e79c37e207f8695b61291b2e85636aef (EM_x86_64) (ELF:Iptablesx) • Persistence: • Installs itself into /boot/IptabLex, resp. /boot/IptabLes • symbolic links in /etc directory • List of attack supporting procedures • SynFloodThread • DnsFloodThread • Command grammar supports: add task, delete task, set source IP, self-update • Additional Windows 32-bit variants (iptables.exe, getsetup.exe) • 455068e0444107ee5fb993f34a184e03 ----- ### Tools – XOR.DDoS ##### • MD5: fd3f2c810f4391be2e6b82429c53c318 (ELF:Xorddos) • More advanced Trojan for EM_386 & EM_x86_64 installed in /boot/ and autostarted via a script in /etc/init.d • Flooding features: build_dns, build_syn • Named after encryption method used with xorkeys = “BB2FA36AAA9541F0” • Strings: “/var/run/sftp.pid”, “/lib/udev/udev”, “/lib/udev/”, “/boot/”, “/var/run/”, “http://info.3000uc.com/config.rar”, “/var/run/sftp.pid” • Contains embedded rootkit (LKM) running as rs_dev • Rootkit features: hide_file, hide_proc, hide_tcp4_ports, hide_tcp6_ports, hide_udp4_ports, hide_udp6_ports; firewall_acceptip, firewall_dropip • Trojan (userspace) requests rootkit features (the kernel) via ioctl with the code 0x9748712 ----- ### Tools – gh0st RAT C&C panel & Bot Builder ##### • Strings “Chicken”, “Hacker”; Windows only; source shared; huge number of samples ----- ### Statistics ##### • Number of victims is lower than in case of other Windows threats • HTTP servers running on compromised machines show thousands of downloads, but considering self updates the number could be lower • Download count of ”Bill Gates” installer is highlighted ----- ### Statistics ##### • Downloads from HFS server on a different machine, showing tens of thousands downloads ----- ### Statistics – Preferences of File Names ----- ### Victim preferences ##### • Attacked small or medium sized local businesses • profitability depends of ability to stay online • Victims: • Online gaming site/casinos • E-commerce shops • Forums • Potential methods of monetization: • DDoS as a service • paying ransom for stopping the DDoS attack • Effect of DDoS directly observed: • sites unreachable during the process of receiving attack commands • reachability recovered after the process stopped ----- ### Victim preferences ##### • Online gaming ----- ### Victim preferences ##### • Online casinos ----- ### Victim preferences ##### • E-shops ----- ### Victim preferences ##### • Forums ----- ### Conclusion ##### • Chinese flooding tools continue in tradition of DDoS attacks • Lots of variants with similar flooding methods under multiple platforms • The complexity of Linux Trojans has increased • Attacks significantly more frequent in the past year • Tool development supported by code sharing through Chinese forums for developers • Targeting online services for which online availability is crucial • (intentional) AV evasion technique with (customized) UPX packer • Right time to include a static unpacker for ELF UPX into AV engines? ----- ### Acknowledgement ##### • We thank to: • Lin Song (University of Iowa) • @benkow_ ----- ## Thank you -----