25.09.2014

DingleElite DDoS Bot (WOPBOT)


re: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505 
sha256: 73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489
malware family: DDoS Bot used by DingleElite (WOPBOT, according to Emanuele Gentili)

context (quoted from the kernelmode.info thread linked above):
"I am a security researcher and found a bot network of infected devices used to perform the DDoS attacks. The twitter account that's linked with the botnet is https://twitter.com/TheDingleElite. The command and control of this botnet can be watched by using a telnet client and connecting to 89.238.xxx.xxx on tcp port 5. If you need to be made aware of any more information please contact me directly; I will privately disclose the rest of the CnC IP to anyone who is interested."

quick static analysis: 

hardcoded C&C: 89.238.150.154:5 
CloudFlare IP: 108.162.197.26 (used for deriving the bot's own MAC via route lookup?) 
C&C protocol: single line exchange via telnet 

Commands / Features: 
CMD:      PING
PARAMS:   -
RESPONSE: "PONG!"

CMD:      GETLOCALIP
PARAMS:   -
RESPONSE: "My IP: <local_ip>"

CMD:      SCANNER
PARAMS:   <MODE>
RESPONSE: "SCANNER ON | OFF" (usage string) if num_args != 1; otherwise a scanner thread is spawned and any reply comes from it (not verified) 

CMD:      HOLD
PARAMS:   <IP> <PORT> <SECONDS>
RESPONSE: "HOLD Flooding <IP>:<PORT> for <SECONDS> seconds." 

CMD:      JUNK
PARAMS:   <IP> <PORT> <SECONDS>
RESPONSE: "JUNK Flooding <IP>:<PORT> for <SECONDS> seconds." or error messages 

CMD:      UDP
PARAMS:   <IP> <PORT> <SECONDS> <RAW/DGRAM> <PKT_SIZE> <THREADS>
RESPONSE: "UDP Flooding <IP>:<PORT> for <SECONDS> seconds." or error messages 

CMD:      TCP
PARAMS:   <TARGETS,> <PORT> <SECONDS> <?> <TCP_FLAGS,> <PKT_SIZE> <PKT_BURST>
RESPONSE: "TCP Flooding <IP>:<PORT> for <SECONDS> seconds." or error messages 

CMD:      KILLATTK
PARAMS:   -
RESPONSE: "Killed <NUMBER_OF_ATTK_THREADS>." or "None Killed." 

CMD:      LOLNOGTFO
PARAMS:   -
RESPONSE: None (exits bot process) 


UDP flood: 
payload characteristics: PKT_SIZE * RANDOM(UPPER_CHARS) 

TCP flood: 
TCP_FLAGS: any comma-separated subset of (all,syn,rst,fin,ack,psh) 
PKT_BURST: number of packets sent back-to-back before the bot checks whether SECONDS of attack time has elapsed 
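The command table and the UDP/TCP flood details above, turned into a small decoder as an added example (this is not code from the bot, from the kernelmode.info thread, or from the author of these notes): it parses lines as they appear on the telnet C&C channel, applies the argument counts and the TCP flag set listed above, reconstructs the reply the bot would send, and checks whether a UDP payload matches the all-uppercase pattern. The wording of the error replies, the assumption that the TCP reply echoes the first target, and the per-command thread count used to answer KILLATTK are assumptions not stated on the page; the sample session at the bottom is constructed.

```python
"""Decoder and reply emulator for the single-line telnet C&C protocol listed above.

Added example, not code from the bot or from the kernelmode.info thread.
Assumed (not on the page): the wording of the bot's error replies, that the
TCP reply echoes the first target, and how many attack threads KILLATTK counts
per accepted command (UDP: its <THREADS> argument, the others: one).
"""
from dataclasses import dataclass, field
from typing import List, Optional

VALID_TCP_FLAGS = {"all", "syn", "rst", "fin", "ack", "psh"}
FLOOD_CMDS = ("HOLD", "JUNK", "UDP", "TCP")
# command -> number of parameters as listed above
PARAM_COUNT = {"PING": 0, "GETLOCALIP": 0, "SCANNER": 1, "HOLD": 3, "JUNK": 3,
               "UDP": 6, "TCP": 7, "KILLATTK": 0, "LOLNOGTFO": 0}


@dataclass
class Command:
    name: str
    args: List[str]
    targets: List[str] = field(default_factory=list)
    port: Optional[int] = None
    seconds: Optional[int] = None
    tcp_flags: List[str] = field(default_factory=list)
    error: Optional[str] = None


def parse_command(line: str) -> Command:
    """Split one C&C line and validate it against the documented grammar."""
    parts = line.strip().split()
    if not parts:
        return Command("", [], error="empty line")
    name, args = parts[0].upper(), parts[1:]
    cmd = Command(name, args)
    expected = PARAM_COUNT.get(name)
    if expected is None:
        cmd.error = "unknown command"
    elif len(args) != expected:
        cmd.error = f"expected {expected} params, got {len(args)}"
    if cmd.error or name not in FLOOD_CMDS:
        return cmd
    # TCP takes a comma-separated target list; HOLD/JUNK/UDP a single IP
    cmd.targets = args[0].split(",") if name == "TCP" else [args[0]]
    # PORT and SECONDS for every flood; PKT_SIZE/THREADS (UDP) or PKT_SIZE/PKT_BURST (TCP)
    numeric = args[1:3] + {"UDP": args[4:6], "TCP": args[5:7]}.get(name, [])
    if not all(a.isdigit() for a in numeric):
        cmd.error = "port/seconds/size/count must be numeric"
        return cmd
    cmd.port, cmd.seconds = int(args[1]), int(args[2])
    if name == "UDP" and args[3].upper() not in ("RAW", "DGRAM"):
        cmd.error = f"unknown socket type {args[3]}"
    elif name == "TCP":
        cmd.tcp_flags = [f.lower() for f in args[4].split(",")]
        bad = sorted(set(cmd.tcp_flags) - VALID_TCP_FLAGS)
        if bad:
            cmd.error = f"unknown tcp flags {bad}"
    return cmd


class BotSession:
    """Tracks attack threads so KILLATTK can be answered the way the bot does."""

    def __init__(self) -> None:
        self.attack_threads = 0
        self.alive = True

    def handle(self, line: str) -> Optional[str]:
        """Reply the bot would send for one line; None where the page documents no reply."""
        cmd = parse_command(line)
        if cmd.name == "SCANNER":
            # usage string on a wrong argument count; the scanner thread's own reply is undocumented
            return "SCANNER ON | OFF" if cmd.error else None
        if cmd.error:
            return f"ERROR: {cmd.error}"  # assumed wording; the page only says "error messages"
        if cmd.name == "PING":
            return "PONG!"
        if cmd.name == "GETLOCALIP":
            return "My IP: <local_ip>"
        if cmd.name in FLOOD_CMDS:
            # assumption: UDP spawns <THREADS> attack threads, the other floods one each
            self.attack_threads += int(cmd.args[5]) if cmd.name == "UDP" else 1
            return f"{cmd.name} Flooding {cmd.targets[0]}:{cmd.port} for {cmd.seconds} seconds."
        if cmd.name == "KILLATTK":
            killed, self.attack_threads = self.attack_threads, 0
            return f"Killed {killed}." if killed else "None Killed."
        self.alive = False  # LOLNOGTFO: bot process exits, no reply
        return None


def is_udp_flood_payload(data: bytes) -> bool:
    """UDP flood payloads are PKT_SIZE random upper-case letters (A-Z) and nothing else."""
    return len(data) > 0 and all(0x41 <= b <= 0x5A for b in data)


if __name__ == "__main__":
    s = BotSession()
    # constructed sample session, not captured traffic; 198.51.100.0/24 is documentation space
    for line in ["PING", "UDP 198.51.100.7 80 60 DGRAM 1024 4",
                 "TCP 198.51.100.7,198.51.100.8 80 30 0 syn,ack 512 10",
                 "TCP 198.51.100.7 80 30 0 syn,foo 512 10", "KILLATTK", "KILLATTK", "LOLNOGTFO"]:
        print(f"{line!r} -> {s.handle(line)!r}")
```

Feeding lines captured while watching the C&C port over telnet through `parse_command` gives structured target/port/duration/flag records that can be logged or turned into block-list entries. The payload check is deliberately weak on its own (any text protocol that sends all-caps tokens would match), so combine it with the fixed PKT_SIZE and the packet rate before treating a flow as this bot's UDP flood.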

related sources (stringdumps, ...) for the same malware family: 
Aug 20th, 2014 Pastebin 
Aug 9th, 2014 Pastebin (hints at possibly older C&C servers: 89.248.172.14:9 | 192.99.200.69:57) 
Mar 7th, 2014 Pastebin (hints at a possibly older C&C server: 192.99.200.69:57) 
Jan 18th, 2014 Malwr (hints at a possibly older C&C server: 142.4.215.135)

Further hashes:

sha256: 2d3e0be24ef668b85ed48e81ebb50dce50612fb8dce96879f80306701bc41614 
(C&C: 162.253.66.76:53)
sha256: ae3b4f296957ee0a208003569647f04e585775be1f3992921af996b320cf520b 
(C&C: 89.238.150.154:5)

24.09.2014

Intro

From now on I'll use this blog as a platform to publish loose bits of information on whatever I come across when playing with malware that crosses my path.

This will hopefully range from comments or additional details on samples covered in other sources up to full-blown analyses, depending on my mood and time. :)