BlackEnergy DDoS Bot - ausnog.net
BlackEnergy DDoS Bot
Jose Nazario, Ph.D.
Tony Scheid
Page 2 - Company Confidential
HTTP Bots
• No persistent connection
– Unlike IRC bots
• Work with proxies
– Uses Win32 APIs to make HTTP requests
• Next generation of botnets?
Known HTTP Botnets
• Machbot - DDoS bot
– Rare, tracking about a dozen active nets
– First noticed in AusCERT DDoS, early 07
• Barracuda - DDoS bot
– Handful of attack commands in October, 2007
– Just started tracking, about a half dozen
• BlackEnergy - DDoS bot
– Somewhat popular “commercial” DDoS kit
– Lots of .ru, .ua, and regional DDoS targets
– Actively tracking about 4 dozen
BlackEnergy
• Russian in origin
• HTTP-based commands
• No exploits
Major Features
• Encrypted binary
• Not open source
– Builder EXE modifies unencrypted bot EXE
– Inserts settings, encrypts
– Yields encrypted bot
– AV defeated
• Can target all IPs for a hostname
BlackEnergy Kit
• Reviewed version 1.7
• Summer, 2007
• Price: about US$40
Kit Contents
• PHP web framework
– Authentication, control
– Communication with bot (stat.php)
– MySQL-backed config, stats
• Bot EXE builder, binary
• Rootkit - hides the bot's files and processes
– Detectable rootkit
EXE Builder Interface
Bot Purpose
• DDoS
– Has support for new binaries
– New versions have SOCKS features
• No exploits built in
BlackEnergy Weaknesses
• No authorization
– Anyone can poll URL
• No checks enforced on bot or build IDs
• Weak “encoding” of commands
– Later versions reportedly use some encryption
• These are easy to work around
Command Vocabulary
• DDoS commands
• Arguments to “flood” command
– ICMP - ping flood
– SYN - TCP SYN flood, arbitrary ports
– UDP - UDP flood, arbitrary ports
– DNS - DNS request flood
– Data - binary data flood
– HTTP - rapid GET request flood
Other Commands
• Download function: “get” and a URL
• Idle
– Commands: “stop”, “wait”
• Go away
– “die” command
Communications
• Bots poll server
– Poll interval specified in command
– HTTP POST message
• Server replies with base64 encoded message
• Message specifies parameters, command, poll interval
HTTP POST From Bot
• ID is from SMB hostname, C: drive volume ID
• Build ID is from botmaster
HTTP Reply From Server
Base64 encoded message
Message Decoding
• Four parts, separated by #
– Timing, thread counts
– Command
– Return interval (in minutes)
– Bot ID
10;2000;10;0;0;30;100;3;20;1000;2000#wait#10#xCR2_243AEDBA
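An added decoder for captured server replies, written for this page and not part of the slides or the kit: it base64-decodes the reply body, splits it into the four #-separated parts described above, classifies the command verb against the vocabulary on the earlier slides, and flags the "outrageous" parameter values the next slide mentions. The whitespace-separated "flood <type>" syntax and the 10000 threshold are assumptions, not documented kit behaviour.

```python
import base64
from dataclasses import dataclass, field

# Command vocabulary from the slides: "flood" with a type argument,
# "get" with a URL, and the idle / termination commands.
FLOOD_TYPES = {"icmp", "syn", "udp", "dns", "data", "http"}
KNOWN_VERBS = {"flood", "get", "stop", "wait", "die"}
BIG_VALUE = 10000  # assumed threshold for "outrageous" thread/timing values

@dataclass
class BEReply:
    params: list                 # semicolon-separated timing / thread counts
    verb: str                    # command verb (flood, get, stop, wait, die)
    args: list                   # remaining tokens (assumed whitespace syntax)
    interval_min: int            # return interval in minutes (-1 if unparsable)
    bot_id: str                  # bot ID echoed back by the server
    warnings: list = field(default_factory=list)

def parse_reply(plain: str) -> BEReply:
    """Parse an already-decoded reply: four '#'-separated parts."""
    parts = plain.strip().split("#")
    if len(parts) != 4:
        raise ValueError(f"expected 4 '#'-separated parts, got {len(parts)}")
    raw_params, command, interval, bot_id = parts
    params = [int(v) for v in raw_params.split(";") if v != ""]
    tokens = command.split()
    verb = tokens[0].lower() if tokens else ""
    minutes = int(interval) if interval.strip().isdigit() else -1
    reply = BEReply(params, verb, tokens[1:], minutes, bot_id)
    if verb not in KNOWN_VERBS:
        reply.warnings.append(f"unknown verb {verb!r}")
    if verb == "flood" and (not reply.args or reply.args[0].lower() not in FLOOD_TYPES):
        reply.warnings.append("flood without a recognised flood type")
    if minutes < 0:
        reply.warnings.append(f"non-numeric return interval {interval!r}")
    big = [v for v in params if v > BIG_VALUE]
    if big:
        reply.warnings.append(f"outrageous parameter values: {big}")
    return reply

def decode_reply(b64_body: str) -> BEReply:
    """Base64-decode the raw HTTP reply body, then parse it."""
    plain = base64.b64decode(b64_body).decode("ascii", errors="replace")
    return parse_reply(plain)

# The sample message shown on the slide above.
SAMPLE = "10;2000;10;0;0;30;100;3;20;1000;2000#wait#10#xCR2_243AEDBA"

if __name__ == "__main__":
    print(parse_reply(SAMPLE))
```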
Command Flexibility
• Commands can be mixed
• Some masters choose outrageous values (i.e. number of threads)
• Operator has a simple interface
• Help even available! (In Russian)
• Basic stats
BlackEnergy C&C Locations
33 tracked servers, 11 October 2007
BlackEnergy DDoS Targets
82 distinct targets, 26 Sep-11 Oct 2007
Blocking BlackEnergy
• We’re working with CERTs and ISPs to get known C&Cs killed
• Operators (ISP, enterprise) can:
– Block by hostname
– Block by IP and port
• Snort sigs are now available
Our Current Status
• Have trackers in place for known BlackEnergy C&C commands
• Most targets are .ru, .ua sites, underground
• Some high profile targets have been hit