Wednesday, May 26, 2010

Inside a Commercial Chinese DIY DDoS Tool

One of the most commonly used tactics by shady online enterprises wanting to position themselves as legitimate ones (Shark2 - RAT or Malware?) is to promote malicious software or Denial of Service attack tools as remote access control tools/stress testing tools.

Chinese "vendors" of such releases are particularly interesting, since their front pages always position the tool as a 100% legitimate one, whereas going through the documentation and actually testing its features reveals its true malicious nature. Moreover, once the vendor starts trusting you -- like the one whose DDoS tool is profiled in this post -- you're given access to the private section of their forum, where they directly pitch you DDoS-for-hire propositions, starting from $100 for 24 hours of non-stop flood.

In this post I'll review what's currently being promoted as "The World's Leading DDoS Testing System", which is basically an improved version of the well known "Netbot Attacker", an old school release whose source code (Localizing Open Source Malware; Custom DDoS Capabilities Within a Malware; Custom DDoS Attacks Within Popular Malware Diversifying) is greatly favored by Chinese hacktivists and script kiddies, judging by the multiple modifications they've introduced into it using the original source code.

Interestingly, the "vendor" is offering value-added services in the form of managed command and control server changes, the typical managed binary obfuscation, as well as custom features and the removal of features to decrease the size of the binary; most importantly, they use differentiated pricing for their tool. Educational institutions, small businesses and home office clients can get special prices.
  • Why would the vendor include anti sandboxing capabilities in the latest version of the tool?
  • Why would the vendor also include P2P spreading and USB spreading modules?
Because the tool is anything but your typical stress testing tool.

Perhaps one of the most important developments regarding this vendor is that this is among the few examples I'm aware of where Chinese hackers, known not to care about anything but virtual goods, are vertically integrating by experimenting with early-stage banking malware.

An excerpt from the banking experiment:
"MS-recorder to wear all the safety test shows the major B2C online banking security controls. Received after the first test colt extracting file, which has ma.exe procedures. As the tests are over. Please turn off antivirus software and security software testing. . .

Wear all safety major B2C online banking security controls currently supports more than can be intercepted more than 160 online online payment platform And major online banking. After running ma.exe can log on to the respective online banking program Alipay paypal or procedures to test, test and test interception of information stored in the pony

The same directory, Test will generate Jlz-1, Jlz-2, Jlz-3 ... folder, such files in the folder will be 1.bmp, 2.bmp, 3.bmp ... picture, or there txt Notepad, view the. txt and picture, get the interception of data and information. Test window will prompt pony run, test interception of information larger, there is no written function. To solve the above problem, please purchase the official version, run silent, run automatically delete itself, no process at startup, had all killed, the interception of information

Expected small size, with letters function. VIP version of the generator purchase one year of free updates, free to kill three months to buy the colt package. Set the FTP transmission method to send the interception of STMP FTP. Perfect information theft can steal all the passwords and related information, such as: QQ, ICQ, Yahoo Messenger, Vicq, OutLook, FlashFXP, PayPal, E-mail and paypal (no security control), Legend, mercenary legend, Journey to the West, etc. (include account number, area and other relevant information), of course, the same information on the page steal, such as: mail, forums, close protection, and other (including user name, password and other related information), or even playing in the diagram, Password chip can, because it can record the keyboard and mouse actions. It is worth mentioning that, no matter what way you enter the password (such as Paste from somewhere, then paste the part of the input part, the number before the 0, deliberately enter the wrong password first and then delete the wrong part, etc.) Adopted the "filters" which makes stealing the contents do not appear out of "junk" in precise steal ... The correct password"

Clearly, these folks are not just inspired to keep introducing new features into the tool, but are starting to realize the potential of the crimeware market, with the vendor itself being a good example of how, once allowed to continue operations, such an outfit naturally evolves in the worst possible direction. The author of ZeuS, however, shouldn't feel endangered in any way.

Screenshots of the DIY DDoS platform, including the multiple version offers, the VIP version, custom-made samples, etc.:

Detection rates for the publicly obtainable builders of multiple versions:
- MS.exe - Backdoor.Hupigon.AAAH - Result: 26/40 (65%)
- msn.exe - Win32.BDSPoison.Cpd - Result: 36/41 (87.81%)
- test.exe (crimeware experiment) - Hacktool.Rootkit - Result: 24/41 (58.54%)
- ms1.exe - Backdoor.Win32.BlackHole - Result: 13/41 (31.71%)
- ms1.exe - W32/Hupigon.gen227; Backdoor.Hupigon.AAAH - Result: 35/41 (85.37%)

Based on profiling the localization of this tool into Chinese since 2007 and the diversification of the DDoS attacks introduced into it by Chinese coders (Localizing Open Source Malware; Custom DDoS Capabilities Within a Malware; Custom DDoS Attacks Within Popular Malware Diversifying), perhaps the most important conclusion that can be drawn is that tolerating their activities in the long term results in the development of more sophisticated capabilities, which can now be offered to a well established customer base.

If Chinese hacktivists managed to take offline (The DDoS Attack Against; Chinese Hacktivists Waging People's Information Warfare Against CNN) using nothing but ping flooders and iFrames loading multiple copies of the site, the collectivist response in a future incident using these much more sophisticated tools -- sophisticated in the sense of the diverse set of DDoS attacks offered -- is likely to be much more effective.

Related Chinese hacking scene/hacktivism coverage:
Localizing Open Source Malware
Custom DDoS Capabilities Within a Malware
Custom DDoS Attacks Within Popular Malware Diversifying
The FirePack Exploitation Kit Localized to Chinese
MPack and IcePack Localized to Chinese
Massive SQL Injection Attacks - the Chinese Way
A Chinese DIY Multi-Feature Malware
DIY Chinese Passwords Stealer
A Chinese Malware Downloader in the Wild
Chinese Hackers Attacking U.S Department of Defense Networks
Chinese Hacktivists Waging People's Information Warfare Against CNN
The DDoS Attack Against

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.