25.09.2014
DingleElite DDoS Bot (WOPBOT)
re: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505
sha256: 73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489
malware family: DDoS Bot used by DingleElite (WOPBOT, according to Emanuele Gentili)
context found here:
"I am a security researcher and found a bot network of infected devices used to perform the DDoS attacks. The Twitter account that's linked with the botnet is https://twitter.com/TheDingleElite. The command and control of this botnet can be watched by using a telnet client and connecting to 89.238.xxx.xxx on tcp port 5. If you need to be made aware of any more information please contact me directly; I will privately disclose the rest of the CnC IP to anyone who is interested."
quick static analysis:
hardcoded C&C: 89.238.150.154:5
CloudFlare IP: 108.162.197.26 (used for deriving the bot's own MAC via route lookup?)
C&C protocol: single line exchange via telnet
Commands / Features:
CMD: PING
PARAMS: -
RESPONSE: "PONG!"
CMD: GETLOCALIP
PARAMS: -
RESPONSE: "My IP: <local_ip>"
CMD: SCANNER
PARAMS: <MODE>
RESPONSE: "SCANNER ON | OFF" (usage hint) if the argument count is not exactly 1; otherwise a spawned thread presumably responds?
CMD: HOLD
PARAMS: <IP> <PORT> <SECONDS>
RESPONSE: "HOLD Flooding <IP>:<PORT> for <SECONDS> seconds."
CMD: JUNK
PARAMS: <IP> <PORT> <SECONDS>
RESPONSE: "JUNK Flooding <IP>:<PORT> for <SECONDS> seconds." or error messages
CMD: UDP
PARAMS: <IP> <PORT> <SECONDS> <RAW/DGRAM> <PKT_SIZE> <THREADS>
RESPONSE: "UDP Flooding <IP>:<PORT> for <SECONDS> seconds." or error messages
CMD: TCP
PARAMS: <TARGETS,> <PORT> <SECONDS> <?> <TCP_FLAGS,> <PKT_SIZE> <PKT_BURST>
RESPONSE: "TCP Flooding <IP>:<PORT> for <SECONDS> seconds." or error messages
CMD: KILLATTK
PARAMS: -
RESPONSE: "Killed <NUMBER_OF_ATTK_THREADS>." or "None Killed."
CMD: LOLNOGTFO
PARAMS: -
RESPONSE: None (exits bot process)
UDP flood:
payload characteristics: PKT_SIZE random upper-case characters (PKT_SIZE * RANDOM(UPPER_CHARS))
TCP flood:
TCP_FLAGS: any comma-separated subset of (all,syn,rst,fin,ack,psh), chosen by the operator
PKT_BURST: number of packets sent back-to-back before the bot checks whether SECONDS of attack time has elapsed
related sources (string dumps, ...) for the same malware family:
Aug 20th, 2014 Pastebin
Aug 9th, 2014 Pastebin (hints to potentially old C&C server: 89.248.172.14:9 | 192.99.200.69:57)
Mar 7th, 2014 Pastebin (hints to potentially old C&C server: 192.99.200.69:57)
Jan 18th, 2014 Malwr (hints to potentially old C&C server: 142.4.215.135)
Further hashes:
sha256: 2d3e0be24ef668b85ed48e81ebb50dce50612fb8dce96879f80306701bc41614
(C&C: 162.253.66.76:53)
sha256: ae3b4f296957ee0a208003569647f04e585775be1f3992921af996b320cf520b
(C&C: 89.238.150.154:5)