A DDoS Family Affair: Dirt Jumper bot family continues to evolve
Previous blog entries and analysis by others in the security community have shone a light on the Dirt Jumper DDoS bot. Dirt Jumper continues to evolve (version 5 appears to be the newest) and a variety of other associated bot packages have emerged over time, including Simple, September, Khan, Pandora, the Di BoTNet and at least one private version of Dirt Jumper 5 that I am aware of. While we have collected about 300 malware samples of the Dirt Jumper family, it is likely that other variants are available, as the binaries and back-end PHP for Dirt Jumper have leaked several times. This makes it easy for someone to make slight modifications to the PHP or Delphi binary code and attempt to re-sell the bot, use the bot for their own purposes, or start making money with their own commercial DDoS service. Attacks from the Dirt Jumper family of bots continue to target victims all around the world in a robust manner, and we will take a look at who is being attacked, although we cannot always determine the motive.
Let’s start with a quick review of Russkill, which was seen around 2009-2010:
RussKill has been profiled previously, featuring HTTP and SYN flood attacks. The start of things to come.
Back-end panels changed and bot binaries gained new capabilities over time.
RussKill evolved into Dirt Jumper:
Which evolved into Dirt Jumper September:
Another version of Simple has a different look and feel (three back-end panels pasted together in this particular image for a total of 11,878 bots online):
Dirt Jumper version 5
The latest version of Dirt Jumper that I know of is version 5, likely written or at least leaked in mid-2011. A few MD5s:
ef9c4bfa9906251d52c3658252224d85 (leaked sometime in October 2011)
506ba7a322288cc4dc55b7c32fea9f4f (leaked around Feb 2012)
The attack types supported by version 5 are as follows:
Type 1: HTTP flood – with an example of a dynamic Referer:
Type 2: Synchronous flood
This attack looks the same as type 01 but opens more connections to the target(s).
Type 3: Downloading flood
This flood looks the same as types 01 and 02 (an HTTP GET) but is intended to be aimed at some type of downloadable content in order to burn resources on the server.
Type 4: POST flood
The POST flood is similar in style to attacks 01-03; however, it has a body payload that consists of the attacked site. A portion of an attack packet shows a dynamic Referer with a properly calculated Content-Length header. The payload, http://attacked.box, corresponds to the attacked site. attacked.box was a locally sinkholed hostname.
Type 5: Anti DDoS flood – NEW as of Version 5 (does not appear to work however)
Attack type 5, “Anti DDoS flood”, did not function at all. No attempts to get this to work were successful, despite this feature being hyped in the underground. Perhaps the version(s) I’ve analyzed are not yet fully realized.
Another back-end screenshot with a modified look is seen below, although the exact version number is unknown. I suspect this is a modification to version 5. This is taken from a small botnet with 27 total bots, 5 active.
Some of the more recent evolutions/changes/code ripping of Dirt Jumper include Trojan.Khan, which is very similar to Dirt Jumper. Jeff Edwards from Arbor ASERT wrote about breaking the crypto in Trojan.Khan recently
We do not currently have any screen-shots from the Khan back-end, however I suspect it is very similar to the Dirt Jumper v5 backend based on traffic analysis.
Dirt Jumper has inspired copies or modifications, such as the recent Di BoTNet version 1.0:
The author of the Di-BoTNet doesn’t try to cover it up and states outright that the bot is “Modification Dirt Jumper 5” on an underground forum.
The listed features of the Di-BoTNet are very similar, if not identical, to Dirt Jumper version 5. The feature list, translated from Russian with some text corrections, indicates that Di BoTNet has a “bot killer” feature which can eliminate other bots from an infected box. Also mentioned are anti-virtual machine and anti-debugging techniques and performance increases. Some versions of Dirt Jumper do indeed bog down the CPU of the infected box, which from the botmaster’s perspective is a bad thing, as the bot may then be noticed. Also mentioned is a variation upon the request header that involves rotating between HTTP versions 1.0 (the Dirt Jumper default), 1.1 and 2.0. Based upon my analysis of a leaked copy of Dirt Jumper v5, it does not perform such rotation, but it does rotate User-Agent and Referer values, including adding dynamic elements to make itself harder to block. The only “additional functions” explicitly listed for the Di BoTNet are the ability to control the number of threads and the interval from the panel. This is likely an attempt to make the bot less noticeable, as a high number of threads can indeed bring the infected box to a near standstill with 100% CPU utilization.
+ HTTP flood
+ SYN flood
+ DoWN flood
+ POST flood
+ AntiDDoS flood
(these are all identical to the aforementioned Dirt Jumper v5 attack types)
+ Killer Unit: Bot destroys the competition.
(This was not seen in Dirt Jumper v5)
+ UPDATE: The bot uses inzhekta to update the main module.
(I believe inzhekta here means injection of some kind)
+ Many threading: Can attack simultaneously up to 300 target.
(back-end resets attacked sites back to 300 if more than 300 are specified)
+ Reproduction: The bot itself is a function of distribution.
+ Statistics Today: Today statistics by country.
+ Statistics Online: Online statistics by country.
+ Anti virtualke: Bot does not work on virtual machines.
+ Anti Debugging: Can not ban the domain, the bot will live longer.
+ Productivity: The bot improved performance, better attacks, the system loads less.
+ Randomly: When you receive a random attack uses the full (but not chaotic requests) – HTTP 1.0 \ 2.0 \ 1.1; referer, etc.
+ Streams: The number of threads during the attack indicated in the admin panel.
+ Interval: The interval is specified in the otstuk config.php, or in the admin panel.
Changes to Command & Control
In addition to other changes seen, Dirt Jumper version five sends a longer unique ID to the Command & Control site than previous versions. In previous versions, this has been the k= value, consisting of a 16 byte number. In version 5 (and in Trojan.Khan) this value is a 32 byte alphanumeric string, unique to each bot install. In the case of Khan, we’ve seen the bot binary use u= instead of k= perhaps in an attempt to evade intrusion detection systems that might flag the suspicious outbound traffic to the C&C.
Dirt Jumper version 3 C&C interaction – red indicates the bot posting its unique ID:
HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 16:54:37 GMT
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html; charset=UTF-8
One site was attacked with an HTTP flood attack.
Dirt Jumper version 5 (and Khan) feature this type of C&C POST:
HTTP/1.1 200 OK
Date: Thu, 23 Feb 2012 10:01:45 GMT
Server: Apache/2.2.22 (CentOS)
Content-Type: text/html; charset=UTF-8
One site that was previously under attack has its attack stopped (command code 11).
With regard to the samples I analyzed, the 32 byte k value is dropped onto the file system as C:\Documents and Settings\LocalService\Local Settings\Application Data\sLT.exf. This is the exact same filename used by a sample of Trojan.Khan with md5 5c2514c04231f2ca531e368a767f678e for its original dropper.
Pandora is the latest bot apparently written by the author of Dirt Jumper.
Who is being attacked and how? A sample of victims
Attacks are diverse and world-wide. Looking at attack logs from our Project Bladerunner, we can get a sense of this diversity and learn about some interesting sites. Based on a small sample of 149 attacks, the attack types are as follows:
Many of the sites that had been attacked in the past were online, however several sites were unfortunately inaccessible, indicating either legitimate downtime or damage from ongoing attacks. One observed target posted about the DDoS attack to their forum and mentioned there were about 50,000 bots attacking. A sample of targets, including targets attacked more than once...
More to come =))
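The reposted write-up gives a defender two concrete handles on this bot family: the shape of the C&C check-in (a k= parameter carrying a 16-byte number in version 3, a 32-byte alphanumeric ID in version 5 and Trojan.Khan, with Khan sometimes using u= instead), the sLT.exf drop file name shared by the v5 samples and the Khan dropper, and the type 4 POST flood whose body is just the attacked site's URL. The following is an added triage example written for this thread, not code from the original post, from Arbor, or from the bot family itself. It assumes that "16 byte number" means 16 decimal digits and "32 byte alphanumeric" means 32 ASCII letters or digits, that the check-in is an HTTP POST with a form-encoded body, and that the log records it scans are constructed here for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicator shapes taken from the post: pre-v5 bots post k=<16-byte number>;
# v5 and Trojan.Khan post a 32-byte alphanumeric ID, which Khan may send as u=.
# Reading "16 byte number" as 16 decimal digits and "32 byte alphanumeric" as
# 32 ASCII letters/digits is an assumption of this example, not from the post.
ID16_NUMERIC = re.compile(r"^[0-9]{16}$")
ID32_ALNUM = re.compile(r"^[A-Za-z0-9]{32}$")

# Drop file name quoted in the post for the v5 samples and the Khan dropper.
KNOWN_DROP_FILENAME = "slt.exf"


def parse_form_body(body: str) -> Dict[str, str]:
    """Parse an application/x-www-form-urlencoded body; the first value of a key wins."""
    params: Dict[str, str] = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(key, value)
    return params


def classify_checkin(method: str, body: str) -> Optional[str]:
    """Label a request whose body looks like a Dirt Jumper family check-in, else None."""
    if method.upper() != "POST":
        return None
    params = parse_form_body(body)
    k = params.get("k")
    if k is not None:
        if ID16_NUMERIC.match(k):
            return "dirtjumper_pre_v5_k16"
        if ID32_ALNUM.match(k):
            return "dirtjumper_v5_or_khan_k32"
    u = params.get("u")
    if u is not None and ID32_ALNUM.match(u):
        return "khan_u32"
    return None


def looks_like_type4_post_body(host: str, body: str) -> bool:
    """Type 4 'POST flood' heuristic from the post: the body is just the attacked site's URL."""
    return body.strip().rstrip("/") == f"http://{host}".rstrip("/")


def is_known_drop_path(path: str) -> bool:
    """Host-side check: does a Windows path end in the sLT.exf file name (case-insensitive)?"""
    filename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return filename.lower() == KNOWN_DROP_FILENAME


def scan_records(records: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Run classify_checkin over (method, path, body) records; return (path, label) hits."""
    hits: List[Tuple[str, str]] = []
    for method, path, body in records:
        label = classify_checkin(method, body)
        if label:
            hits.append((path, label))
    return hits


# Constructed sample records (not captured traffic): method, request path, POST body.
SAMPLE_RECORDS = [
    ("POST", "/index.php", "k=1234567890123456"),                  # pre-v5 style 16-digit ID
    ("POST", "/index.php", "k=ab12cd34ef56ab12cd34ef56ab12cd34"),  # v5/Khan style 32-char ID
    ("POST", "/gate.php", "u=0123456789abcdef0123456789abcdef"),   # Khan u= variant
    ("POST", "/login.php", "user=alice&k=abc"),                    # short k: benign form
    ("GET", "/index.php?k=1234567890123456", ""),                  # GET: not a check-in
]

if __name__ == "__main__":
    for path, label in scan_records(SAMPLE_RECORDS):
        print(f"{path}: {label}")
    print(looks_like_type4_post_body("attacked.box", "http://attacked.box"))
    print(is_known_drop_path(
        r"C:\Documents and Settings\LocalService\Local Settings\Application Data\sLT.exf"))
```

A lone k= or u= parameter carrying a 32-character token is also what many legitimate session and tracking schemes look like, so these labels are for triage, not blocking: correlate a network hit with the drop path on the host, or with repeated POSTs to the same path at a fixed interval, before treating the machine as infected.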
I have a problem with Dirt Jumper 3.
I created a database > did the import > set up the config > and set it up via the install.php link. Then I decided to run the bot on my computer, but in the admin panel nothing has changed; as it was, it remains 0. What am I doing wrong??
Last edited by Megakill; 17.07.2012 at 11:34.
Create your own database.
You may have filled out the config.php file incorrectly.
Be careful. Good luck using it.
Copyright © 2008 - 2013 «HPC»