Monday, August 27, 2012

Inside The DDoS Botnets - BlackEnergy and Darkness - Part 2


Darkness bot – Successor of BlackEnergy

Recently, in December last year, we came across a new DDoS bot that was fairly active in the wild, targeting a number of websites. During our analysis, the bot samples were using 3 domains in particular as their command and control channel.

greatfull-toolss.ru
greatfull.ru
hellcomeback.ru


However, a couple of these domains were already unavailable; querying the whois database for greatfull.ru gives the following whois record:

nserver:    ns1.reg.ru.
nserver:    ns2.reg.ru.
state:      REGISTERED, DELEGATED, UNVERIFIED
person:     Private Person
phone:      +380686548525
fax-no:     +380686548525
e-mail:     smilefrince@yandex.ru
registrar:  REGRU-REG-RIPN
created:    2010.11.03
paid-till:  2011.11.03

Googling for the above email address used to register the domain turned up several ads related to the DDoS service. One of the ads we came across displayed the services and capabilities this botnet can provide.

Darkness bot command and control

During our investigation, we came across the C&C UI used to track botnet infections and issue DoS commands to the bot client. One of the control panels we observed, posted on underground forums, looked like this:

The control panel UI above is in Russian; however, we have been able to translate and understand the purpose of quite a few commands through our command simulation setup. The following are the DDoS commands used by this bot.

exe ---> download the specified binary from the server
dd1 ---> HTTP GET DDoS attack
dd2 ---> ICMP DoS attack
wtf ---> stop all running commands
tot ---> bot synchronization time
vot ---> voting

During our static analysis, we were able to unpack and reverse the binary, locating the command and control code and some other functionality within it, which gave us a fair idea of how the malware runs on the victim's system.

Below is the code segment for one of the commands and the action it takes if the command matches. After checking the command, it calls the same routine multiple times, calling the CreateThread API to initiate the DoS attack.

The unpacked view of the binary above shows the 3 hardcoded, encrypted and Base64-encoded C&C URLs, the string “darkness”, and that the bot copies itself as dwm.exe and runs as the IpSectPro service.

Network communications with the bot client


During our extensive research on this bot, since we had an idea of what the bot's command format looks like, we were able to simulate the DDoS attack. Once executed, the client sends a registration request to the control server, and we were able to make the server reply with the Base64-encoded DoS command shown below:

The decoded command is an instruction to DoS the listed websites:

dd1=http://www.abc.com/;http://www.xyz.org

We were then able to see the DoS attack initiated from the client. Within a span of 5 minutes, approximately 80,000 hits were logged on the server.
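The 80,000 hits in 5 minutes described above are what a dd1 flood looks like from the web server's side, and that volume is the detection handle a site operator has. The following is an added example, not code from the original post or from the bot, that parses access-log lines in the common Apache/nginx format and flags sources whose GET rate in any 60-second sliding window crosses a threshold. The log lines, the addresses (203.0.113.7, 198.51.100.2) and the threshold of 100 requests per minute are constructed values chosen for the demonstration, not figures from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined/common log format line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def peak_get_rate_per_source(lines, window_seconds=60):
    """Return {source IP: most GET requests seen in any sliding window of window_seconds}.

    Lines are expected in chronological order, as a server writes them.
    """
    recent = defaultdict(deque)   # per-source timestamps still inside the current window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        # drop timestamps that have fallen out of the window
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[rec["src"]] = max(peak[rec["src"]], len(q))
    return dict(peak)


def flag_flood_sources(lines, threshold=100, window_seconds=60):
    """Sources whose peak GET rate reached the threshold, sorted for stable output."""
    rates = peak_get_rate_per_source(lines, window_seconds)
    return sorted(src for src, n in rates.items() if n >= threshold)


def make_sample_log():
    """Constructed sample log (not a real capture): one flooding source, one normal visitor."""
    start = datetime(2010, 12, 13, 2, 47, 53, tzinfo=timezone.utc)
    entries = []
    # 150 GETs for the front page from one address within 30 seconds (5 per second)
    for i in range(150):
        entries.append((start + timedelta(seconds=i // 5), "203.0.113.7", "/"))
    # 5 GETs from a normal visitor spread over 40 seconds
    for i in range(5):
        entries.append((start + timedelta(seconds=10 * i), "198.51.100.2", f"/page{i}.html"))
    entries.sort(key=lambda e: e[0])    # a server writes lines in time order
    return [
        f'{src} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/4.0"'
        for ts, src, path in entries
    ]


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for src, n in sorted(peak_get_rate_per_source(SAMPLE_LOG).items()):
        print(f"{src}: peak {n} GETs / 60 s")
    print("flagged:", flag_flood_sources(SAMPLE_LOG))
```

A per-source threshold like this catches a single noisy bot; a botnet spreads the same volume across many addresses, so in practice the same window counter is also worth keeping per requested path and for the whole server, where the aggregate rate stands out even when each bot stays below the per-source line.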

Next, we also simulated the ICMP DoS attack. We made the server reply with the “dd2” command to observe the ICMP DoS. The server response in this case was as below.

HTTP/1.1 200 OK
Date: December 13, 2010 2:47:53 AM PST
Server: Xerver/4.32
Connection: close
Content-Type: text/html
ZGQyPWh0dHA6Ly93d3cuYWJjLmNvbS87aHR0cDovL3d3dy54eXoub3Jn

The above Base64 command decodes to dd2=http://www.abc.com/;http://www.xyz.org, which initiated the ICMP DoS.
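Both C&C replies shown in this post (the dd1 reply and the dd2 reply above) share one shape: an HTTP response whose body is a Base64-encoded string of the form command=arg;arg. The following is an added example, not code from the original post or from the bot, of a decoder an analyst can run over such captured replies to recover the command, its meaning according to the command list above, and the target list. The command-name table is taken from the post; the meaning strings, the function names and the sample reply constants are ours. Because the captured reply in the post prints the body directly after the Content-Type header with no blank separator line, the splitter falls back to treating the last line as the body when no blank line is present.

```python
import base64
import binascii

# Command names as listed in the post; the one-line meanings are our paraphrase.
DARKNESS_COMMANDS = {
    "exe": "download the specified binary from the server",
    "dd1": "HTTP GET flood against the listed URLs",
    "dd2": "ICMP flood against the listed hosts",
    "wtf": "stop all running commands",
    "tot": "bot synchronization time",
    "vot": "voting",
}


def split_http_response(raw):
    """Return (header_lines, body) for a raw HTTP response string."""
    text = raw.replace("\r\n", "\n")
    if "\n\n" in text:
        head, body = text.split("\n\n", 1)
    else:
        # Some captures (like the one reproduced in the post) lose the blank
        # separator line; fall back to treating the last line as the body.
        lines = text.rstrip("\n").split("\n")
        head, body = "\n".join(lines[:-1]), lines[-1]
    return head.split("\n"), body.strip()


def decode_command(b64_body):
    """Decode a Base64 'cmd=arg;arg' body into a dict, or raise ValueError."""
    try:
        plain = base64.b64decode(b64_body, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"body is not a Base64 Darkness command: {exc}")
    name, _, argstr = plain.partition("=")      # 'wtf' alone has no '=' and no args
    if name not in DARKNESS_COMMANDS:
        raise ValueError(f"unknown command {name!r}")
    args = [a for a in argstr.split(";") if a]
    return {"command": name, "meaning": DARKNESS_COMMANDS[name], "args": args, "raw": plain}


def encode_command(name, args):
    """Inverse of decode_command, used here only to round-trip check the decoder."""
    return base64.b64encode(f"{name}={';'.join(args)}".encode("ascii")).decode("ascii")


def parse_cnc_reply(raw_http):
    """Decode the command carried by a captured C&C HTTP reply and note the Server header."""
    headers, body = split_http_response(raw_http)
    result = decode_command(body)
    result["server"] = next(
        (h.split(":", 1)[1].strip() for h in headers if h.lower().startswith("server:")),
        None,
    )
    return result


# Constructed sample: the dd2 reply from the post, rebuilt as a well-formed HTTP response.
SAMPLE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Date: December 13, 2010 2:47:53 AM PST\r\n"
    "Server: Xerver/4.32\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "ZGQyPWh0dHA6Ly93d3cuYWJjLmNvbS87aHR0cDovL3d3dy54eXoub3Jn"
)

# The same reply as it appears in the post, with the blank separator line missing.
PAGE_STYLE_REPLY = "\n".join(
    line for line in SAMPLE_REPLY.replace("\r\n", "\n").split("\n") if line
)

if __name__ == "__main__":
    for reply in (SAMPLE_REPLY, PAGE_STYLE_REPLY):
        r = parse_cnc_reply(reply)
        print(f"{r['command']} ({r['meaning']}) from {r['server']}: {r['args']}")
```

The decoder is strict on purpose: validate=True rejects bodies with non-Base64 characters, and an unrecognised command name raises rather than silently passing through, so that a new or changed command in a capture surfaces as an error instead of being misread.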
