[News from my colleagues in Russia, Aleksandr Matrosov and Eugene Rodionov.]
Recently, we had a stroke of luck: our TDL tracker picked up a brand new plugin for TDL4 kad.dll (Win32/Olmarik.AVA) which we haven’t seen previously. It took some time to find out what it is intended to do. After some preliminary analysis we discovered that it implements a particularly interesting network communication protocol which attracted our attention and made us dig deeper.
Kad.dll is intended to be injected into the 32-bit svchost.exe process. The main purpose of the module is to download and execute other malicious software on the infected system. Although there is nothing new in its functionality it differs drastically from cmd32.dll and cmd64.dll in the way it receives commands and additional modules. In contrast to other known plugins obtaining bot instructions from C&C servers listed in a configuration file, kad.dll relies on a P2P (Peer to Peer) network generated by other bots. It is the Kademilia Distributed Hash Table (DHT) P2P protocol which kad.dll implements in order to talk with peers over the network.
In contrast to a Client-Server architecture where there is a list of dedicated C&C (Command and Control) servers that the bots should talk to, in a P2P network all the peers are equivalent: that is. each node is a C&C server and a bot at the same time (this is explained in the following figure).
Figure 1
As there is no single point from which bots in a P2P bot network are coordinated , such botnets are much more resistant to takedowns than Client-Server botnets. Configuration information and payload are shared among all the nodes in the network, according to the specific implementation of the P2P protocol, and can be efficiently obtained by any peer node in the network. Individual bots join and leave the P2P network over time, but that doesn’t significantly influence the availability of the information stored in the network. And that makes takedown of the P2P botnet a challenging task. As long as a sufficient number of bots remain alive it is possible to maintain coordination and control of the bot network.
The Kad-protocol is a kind of DHT protocol where the information is stored as a (key, value) pair. The key is an MD4 hash of value which could be a file or a keyword (part of the file name) or a node ID. The resulting hash table is distributed between the peers.
Communication between peers is performed over the TCP and UDP protocols. TCP is used to transmit a file from one node to another, while UDP is used to search files and other peers in the P2P network.
The plugin stores the list of neighboring nodes in the nodes.dat file in TDL4’s hidden file system, which it also downloads from C&C.
File nodes.dat has the layout described by the following structures:
typedef struct _NODES_DAT_LAYOUT{ // Set to zero DWORD Reserved0;// Set to 0x000002DWORD Reserved1;// Number of entries in the file DWORD NumEntries;// Array of size NumEntries of NODES_DAT_PEER_INFO structures describing peers NODES_DAT_PEER_INFO PeerInfo[1];} NODES_DAT_LAYOUT, * NODES_DAT_LAYOUT;typedef struct _NODES_DAT_PEER_INFO{ // 128-bit peer identifier (MD4 of node ID) BYTE PeerId[16];// IP address of the peerDWORD PeerIp;// Peer UDP port number WORD UdpPort; // Peer TCP port number WORD TcpPort;} NODES_DAT_PEER_INFO, * NODES_DAT_PEER_INFO;On the one hand, the file nodes.dat is used to maintain the bot’s contacts during system reboot as it is populated with the information on neighboring nodes. On the other hand, when the number of the bot’s contacts is very small (in this case, smaller than 10) then kad.dll downloads the file from C&C and a sufficient number of peers to contact is therefore guaranteed.
To be sure that the files downloaded from the P2P network are issued by the owner of the botnet, kad.dll verifies the digital signature appended to the files. Each file downloaded by the peer has the following layout:
Figure 2
As we can see from Figure 2 the last 132 bytes (1056 bits) of the file contain the file’s digital signature calculated with an RSA digital signature algorithm.
Eugene Rodionov, Malware Researcher
Aleksandr Matrosov, Senior Malware Researcher
There’ll be more information in a revision of the authors’ paper The Evolution of TDL: Conquering x64: I’ll post another blog article when the revised version goes up on the ESET white papers page.
David Harley, Senior Research Fellow
Leave a reply
