A quick look at a (new?) cross-platform DDoS botnet
16 December 2013 | CERT Polska | #DNS, #malware


At the beginning of December we started to observe a new botnet spreading on both Linux and Windows machines. In case of the Linux operating systems, the bot was installed through an SSH dictionary attack. The attacker logged in to compromised server and simply downloaded and executed a bot file. The malware itself is relatively simple – its only functionality is to perform DDoS attacks, mainly DNS Amplification. There is also a version targeting the Windows operating system, which installs a new service in order to gain persistence. The antivirus detectability is fairly high for Windows version: 34/48, while the Linux version is detected by only a couple of antivirus solutions: 3/47.


Linux version

We were able to obtain a 32-bit, statically linked, ELF file. This executable runs in a daemon mode and tries to connect to the C&C server, using a high TCP port. Both the C&C’s IP and port are encrypted using the algorithm presented on the left. Upon running, bot sends operating system information (using

<span class="text">uname</span>

function), unencrypted and waits for commands. From the analysis we were able to determine that there are four types of attack possible, each of them a DDoS attack on the defined target. One of the possibilities is the DNS Amplification attack, in which a request, containing 256 random or previously defined queries, is sent to a DNS server. There are also other, unimplemented functions, which probably are meant to utilize the HTTP protocol in order to perform a DDoS attack.
Additionally, a

<span class="text">fake.cfg</span>

file is created in the bot operating directory. This file contains network interface information. During the attack task status information is sent back to the C&C server. Bot can also check the CPU speed (by parsing the

<span class="text">/proc/cpuinfo</span>

file), system load (by parsing the

<span class="text">/proc/stat</span>

file), network connection speed (by parsing the

<span class="text">/proc/net/dev</span>


Windows version

The same bot type is used for Windows infection. However, the Windows infection consists of two stages: first it drops the file

<span class="text">C:\Program Files\DbProtectSupport\svchost.exe</span>

and runs it. This file registers a new Windows service – DBProtectSupport, which is started automatically at the system startup. Next a DNS query is sent to the server, requesting the IP address of the

<span class="text">.com</span>

domain. This domain is the C&C server and bot connects to it using a high TCP port, different than the one used in Linux version. This behavior is different than in the Linux version – this time the attacker used a domain and did not hardcode the IP address in the bot executable.

<span class="text">C:\Program Files\DbProtectSupport</span>

directory also contains the

<span class="text">fake.cfg</span>

file, which is the same as the one created by the Linux version. The Windows version of the malware also sends system information to the C&C server in a text form. This text file, along with the fact that the same C&C IP was used in both malware samples make us believe that it was created by the same group.


It seems that the bot was created for the sole purpose of performing DDoS attacks. This means that the attackers were interested only in infecting machines which have a significant network bandwidth, e.g. servers. This also probably is the reason why there are two versions of the bot – Linux operating systems are a popular choice for server machines.
Below are the SHA-256 hashes of the analyzed samples.

7307eecaa5a0dd0157b8d5abd50a7557f7a8a20dcf96508d4f969c6cfa05ced6 svchost.exe
c2a0e9f8e880ac22098d550a74940b1d81bc9fda06cebcf67f74782e55e9d9cc Windows
3b9cd35c61d8d8cf61bdd874a232bda0905991920e6177f7f497ed6e56af8238 Linux