A quick look at a (new?) cross-platform DDoS botnet
At the beginning of December we started to observe a new botnet spreading on both Linux and Windows machines. In case of the Linux operating systems, the bot was installed through an SSH dictionary attack. The attacker logged in to compromised server and simply downloaded and executed a bot file. The malware itself is relatively simple – its only functionality is to perform DDoS attacks, mainly DNS Amplification. There is also a version targeting the Windows operating system, which installs a new service in order to gain persistence. The antivirus detectability is fairly high for Windows version: 34/48, while the Linux version is detected by only a couple of antivirus solutions: 3/47.
We were able to obtain a 32-bit, statically linked, ELF file. This executable runs in a daemon mode and tries to connect to the C&C server, using a high TCP port. Both the C&C’s IP and port are encrypted using the algorithm presented on the left. Upon running, bot sends operating system information (using
uname function), unencrypted and waits for commands. From the analysis we were able to determine that there are four types of attack possible, each of them a DDoS attack on the defined target. One of the possibilities is the DNS Amplification attack, in which a request, containing 256 random or previously defined queries, is sent to a DNS server. There are also other, unimplemented functions, which probably are meant to utilize the HTTP protocol in order to perform a DDoS attack.
fake.cfg file is created in the bot operating directory. This file contains network interface information. During the attack task status information is sent back to the C&C server. Bot can also check the CPU speed (by parsing the
/proc/cpuinfo file), system load (by parsing the
/proc/stat file), network connection speed (by parsing the
The same bot type is used for Windows infection. However, the Windows infection consists of two stages: first it drops the file
C:\Program Files\DbProtectSupport\svchost.exe and runs it. This file registers a new Windows service – DBProtectSupport, which is started automatically at the system startup. Next a DNS query is sent to the 220.127.116.11 server, requesting the IP address of the
.com domain. This domain is the C&C server and bot connects to it using a high TCP port, different than the one used in Linux version. This behavior is different than in the Linux version – this time the attacker used a domain and did not hardcode the IP address in the bot executable.
C:\Program Files\DbProtectSupport directory also contains the
fake.cfg file, which is the same as the one created by the Linux version. The Windows version of the malware also sends system information to the C&C server in a text form. This text file, along with the fact that the same C&C IP was used in both malware samples make us believe that it was created by the same group.
It seems that the bot was created for the sole purpose of performing DDoS attacks. This means that the attackers were interested only in infecting machines which have a significant network bandwidth, e.g. servers. This also probably is the reason why there are two versions of the bot – Linux operating systems are a popular choice for server machines.
Below are the SHA-256 hashes of the analyzed samples.