BlackBerry Blog

A Study In Bots: Madness Pro

/ 04.07.14 / Brian Wallace

 

Botnets cover a wide range of application domains, and one of the more common ones is distributed denial of service.  I try to avoid covering DDoS-oriented botnets since other botnets are often larger threats to the public, but at a certain scale of infection, anything that can update itself or download other malware is a serious threat.

 

Madness Pro

Madness Pro is a distributed denial of service botnet growing in size and popularity.  It infects computers running Windows with a PE bot, and communicates with its command and control server via HTTP using a simple client-server model.  It does not demonstrate the resilience of P2P botnets.  After a somewhat dated version was leaked, there was an increase in the number and size of these botnets and it caught my attention.

 

Bot

On execution, the bot will copy itself to %APPDATA%\<bot id>\svchost.exe then use CACLS to make it so the current user can no longer write to the file.  It also stores its original location in the registry temporarily then executes the new version and exits.

Once executed from its new location, it gathers the original location from the registry and deletes the original file.  After this, it attempts to add itself to the Windows Firewall policy as an allowed application.  In the temporary directory, it creates files named "per", "perper", "perperper" and "perperperper".  These list registry locations where it attempts to install means of persistence.  Afterwards, it starts its loop of checking the command and control server.  The communication protocol and commands will be covered later.  For more specific information about the bot's general execution, you can check out the analysis provided by Malwr.com here.

 

Static Analysis

Many botnets that are sold by the developers on a per use basis are distributed with utilities called "builders".  Instead of supplying the bot source code, they supply building applications that modify a stock binary and overwrite the configuration with values supplied to the builder.  This allows the malware developers to protect their investment and to obscure, encrypt or hide the configuration.  Builders can also be developed by other malicious agents looking to pirate the malware.  In this case, the configuration is stored in various strings in the application, base64 encoded and then tampered with so that it does not look like base64.  The tampering is a simple character substitution:

 

    ^ <=> j
    @ <=> H
    * <=> d

 

Once these substitutions are applied to strings found in the bot PEs, they can be base64 decoded and parsed for configuration information.  Depending on the version, there can be differences in the configuration format. The command and control definition format changed between version 1.13 and 1.14.

 

 
1.13:
    encoded: YXBvS0FMaXBsaXM9*WVib2to*@RwOi8vNDVnNWJoLnRyYWRpbm*^ZW50ZXIuYml6L20wZmU5YmRo
    decoded: apoKALiplis=uebokhttp://45g5bh.tradingcenter.biz/m0fe9bdh

1.14:
    encoded: YXBvS0FMaXBsaXM9*WVib2toaGh0*@R0*@Rwc@A6O^ovLy8vLy9sbGxvb29^Y2NhYWFsbGxoaGhvb29zc3N0*@QvLy9wc@BhYWFubm5lZWVsbGxiYmJiYmIzMzNiYmI2N^YyM^Jo
    decoded: apoKALiplis=uebokhhhttttttppp::://////lllooocccaaalllhhhooosssttt///pppaaannneeelllbbbbbb333bbb666222h

 

The difference in the format is essentially that each character written into the configuration is tripled.  From these configuration strings we can get the information needed to access the command and control server as a bot.  The URI of the panel and the "mk" GET parameter are what we need for any panel past version 1.14.  A proof of concept of extracting configuration data statically can be found here.
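An added example, not the post's proof of concept, that carries the decoding through in Python: it locates candidate strings in a raw PE image by the encoded marker the post's Yara rule also keys on, undoes the substitution, base64-decodes, and for 1.14 and later keeps every third character.  The fixed decoded prefix "apoKALiplis=uebok", the marker-plus-character-class scan and the filler bytes around the two strings are assumptions drawn from the two configuration strings above.

```python
import base64
import re

# Substitution the builder applies so the strings do not look like base64 (from the post).
SUBST = str.maketrans({"^": "j", "@": "H", "*": "d"})

# Encoded marker both strings start with ("apoKALiplis=" in base64).  Assumption:
# the run of base64-plus-substitution characters after it is one configuration string.
CANDIDATE_RE = re.compile(rb"YXBvS0FMaXBsaXM9[A-Za-z0-9+/=^@*]+")

# Decoded prefix shared by both strings in the post; the panel address follows it.
PREFIX = "apoKALiplis=uebok"

# The two encoded strings from the post, and a constructed buffer that embeds
# them between filler bytes the way they would sit in a bot's string table.
SAMPLE_113 = "YXBvS0FMaXBsaXM9*WVib2to*@RwOi8vNDVnNWJoLnRyYWRpbm*^ZW50ZXIuYml6L20wZmU5YmRo"
SAMPLE_114 = ("YXBvS0FMaXBsaXM9*WVib2toaGh0*@R0*@Rwc@A6O^ovLy8vLy9sbGxvb29^Y2NhYWFsbGxoaGhv"
              "b29zc3N0*@QvLy9wc@BhYWFubm5lZWVsbGxiYmJiYmIzMzNiYmI2N^YyM^Jo")
BLOB = b"MZ\x90\x00" + b"\x00" * 8 + SAMPLE_113.encode() + b"\x00\x00" + SAMPLE_114.encode() + b"\x00"


def find_candidates(data: bytes) -> list:
    """Return the disguised-base64 configuration strings found in a raw PE image."""
    return [m.group().decode("ascii") for m in CANDIDATE_RE.finditer(data)]


def decode_config(encoded: str, version: str) -> str:
    """Undo the substitution, base64-decode, and (1.14 and later) de-triple the payload."""
    b64 = encoded.translate(SUBST)
    b64 += "=" * (-len(b64) % 4)                  # tolerate stripped padding
    decoded = base64.b64decode(b64).decode("latin-1")
    if not decoded.startswith(PREFIX):
        raise ValueError("unexpected prefix: %r" % decoded[:len(PREFIX)])
    payload = decoded[len(PREFIX):]
    major, minor = (int(x) for x in version.split("."))
    if (major, minor) >= (1, 14):
        payload = payload[::3]                    # each character was written three times
    return payload


if __name__ == "__main__":
    for candidate, version in zip(find_candidates(BLOB), ("1.13", "1.14")):
        print(version, decode_config(candidate, version))
```

The 1.14 result ends in a single "h" that is not tripled in the decoded string; the post does not describe it, so the function leaves it in place rather than guessing at a delimiter.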

 

Yara Identification

The following is a very loose Yara rule which has been effective at detecting the bot binary, even when packed with ASPack.

 

    rule mp_strings {
        meta:
            author = "@botnet_hunter"
            date = "2014-03-13"
            description = "Identify Madness Pro"
        strings:
            $c = "YXBvS0FMaXBsaXM9"
            $str5 = "d3Rm" fullword
            $str6 = "ZXhl" fullword
        condition:
            all of them
    }

 

Detection

There appears to be a learning curve for signature based detection when it comes to detecting the bot PEs.  There is a trend of new versions appearing, but only being detected by a few engines at first.  With mathematical model-based detection, we do not have those types of delays.  With Infinity-based products, detecting these bots is a cinch, as our lowest detection confidence is 98% across all Madness Pro samples.

 

CylanceV having no problem detecting Madness Pro

 

Here we can see CylanceV making no mistake about detecting these as malware across the board.

 

Command and Control Communications

The bot calls back to the index.php file in the root of the command and control panel.  It only uses HTTP GET requests, with a set of parameters that is fairly easy to identify.  In the following example, the command and control panel is in the root of the web server.

    GET /?uid=88037690&ver=1.14&mk=bb3b62&os=WinXP&rs=adm&c=1&rq=0 HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; U; Linux 2.4.2-2 i586; en-US; m18) Gecko/20010131 Netscape6/6.01
    Cache-Control: no-cache
    Connection: Keep-Alive

 

If all the parameters are accepted, the command and control panel responds with a 200 HTTP response code and base64 encoded commands in the response body.  In some early versions of the panel, there was no validity checking on the parameters.  After a few versions, a mandatory 'mk' parameter containing six characters in the hex range was introduced to restrict access to the command and control server.  It is likely more request filters will be implemented to make monitoring these botnets more difficult.
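As an added example, not from the post, a small Python classifier that applies the parameter set above to HTTP request lines such as those in a proxy log: it requires the uid, ver, os, rs, c and rq parameters and, when mk is present, the six-character hex form.  The first sample line is the request from the post; the others are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters every check-in in the post carries; 'mk' is checked separately
# because early panels did not require it.
REQUIRED = {"uid", "ver", "os", "rs", "c", "rq"}
MK_RE = re.compile(r"^[0-9a-fA-F]{6}$")

# Sample request lines: the one from the post, then constructed lines for a
# pre-'mk' bot, a malformed 'mk', and an unrelated GET with overlapping names.
SAMPLE_LOG = [
    "GET /?uid=88037690&ver=1.14&mk=bb3b62&os=WinXP&rs=adm&c=1&rq=0 HTTP/1.1",
    "GET /index.php?uid=12345678&ver=1.12&os=Win7&rs=adm&c=0&rq=1 HTTP/1.1",
    "GET /?uid=1&ver=1.14&mk=zz&os=WinXP&rs=adm&c=1&rq=0 HTTP/1.1",
    "GET /search?uid=42&ver=2&q=botnet HTTP/1.1",
]


def classify_request(request_line: str) -> tuple:
    """Return (is_beacon, reason) for one HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return False, "not a GET request line"
    query = urlsplit(parts[1]).query
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    missing = REQUIRED - set(params)
    if missing:
        return False, "missing " + ",".join(sorted(missing))
    if "mk" in params and not MK_RE.match(params["mk"]):
        return False, "mk is not six hex characters"
    return True, "Madness Pro beacon ver=%s mk=%s" % (params["ver"], params.get("mk", "none"))


def scan(lines) -> list:
    """Return the (line, reason) pairs that look like Madness Pro check-ins."""
    hits = []
    for line in lines:
        is_beacon, reason = classify_request(line)
        if is_beacon:
            hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(reason, "<-", line)
```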

 

Commands

The commands for the bots are mostly for distributed denial of service attacks, but not exclusively.  Most commands can take a parameter, which is separated from the command by an equals sign.  Below are the commands gathered from version 1.19.

 

    cfa - Opens iexplore.exe to supplied parameter, then over a span of 15 seconds, attempts to hide the window, but never closes it (speculating this stands for "click for affiliate")
    cmd - Calls the command parsing function on the supplied parameter (nested commands)
    exe - Downloads and executes exe from supplied parameter
    upd - Self updater from supplied URL
    wtf - Idle command
    def - Causes the bot to self terminate but not uninstall
    ds1 - Simple HTTP GET flood with WinSock
    dd1 - HTTP GET flood with WinSock and configurable User-Agent, Cookie and Referer
    dd2 - HTTP POST flood with WinSock
    dd3 - HTTP GET flood with InternetOpenUrlA
    dd4 - HTTP POST flood with HttpOpenRequestA
    dd5 - ICMP flood with raw WinSock
    dd6 - UDP flood with WinSock
    dd7 - HTTP GET flood with URLDownloadToFileA
    dc1 - HTTP GET flood similar to dd1 but applies received cookie to following requests

 

Detecting Communications

As part of the Cuckoo Sandbox project, the developers created a Cuckoo module type called "Signatures".  These are great for gathering somewhat abstract information from the report and identifying behavior with a signature.  One of the public signature modules is for detecting these bots' command and control communications.  It can be found here and is a great addition to the Cuckoo Sandbox project.  It should be noted that these communications will only be detected if the bot is able to connect to anything it believes is the command and control server, and will not appear if the virtual machine is running completely isolated.

 

Panel

The panel has a more appealing design than others, and has a few tactics implemented to remain hidden.  If the root of the bot panel is accessed without the correct request parameters (if the request is not done as a bot would connect), the following page is presented.

Madness Pro fake landing

It is likely this page has been stolen from a legitimate host (intellectdesign.ru appears to be a valid Russian web hosting provider).  The text translates to the following:

 

Warning:
Site is disabled. Perhaps this is due to non-payment of bills for hosting. 
Contact Technical Support by phone: (495) 542-39-84 or e-mail: info@intellectdesign.ru

 

The botnet administration login page of the version I acquired looks like the following:

 

Madness Pro login

 

Once we log in, we can see a traditional panel with the basic functionality of setting bulk or individual commands.

 

Madness Pro panel

 

There are a few options for selecting different bots and putting commands on timers.  If we add our own fake bot, we can see it added to the bottom.

 

Madness Pro panel with bot

 

TL;DR

This is far from the most dangerous or advanced botnet out there, but these botnets commonly exceed 1,000 nodes.  This botnet is capable of dropping other malware as well as running a wide range of denial of service attacks.  This malware is not hard to identify, but only about half of conventional AV engines are detecting new versions.

Samples



About Brian Wallace

Lead Security Data Scientist at Cylance

Brian Wallace is a data scientist, security researcher, malware analyst, threat actor investigator, cryptography enthusiast and software engineer. Brian acted as the leader and primary investigator for a deep investigation into Iranian offensive cyber activities which resulted in the Operation Cleaver report, coauthored with Stuart McClure.

Brian also authors the A Study in Bots blog series which covers malware families in depth providing novel research which benefits a wide audience.