Botnet Flaw Lets Researchers Disrupt Attacks

Trailrunner7 writes "A team of researchers has discovered a weakness in the command-and-control infrastructure of one of the major DDoS toolkits, Dirt Jumper, that enables them to stop attacks that are in progress. The discovery gives the researchers the ability to access the back-end servers that control the attack tool, as well as the configuration server, and key insights into the way that the tool works and how attackers are using it. Dirt Jumper is not among the more well-known of the DDoS attack toolkits, but it's been in use for some time now and has a number of separate iterations. The bot evolved from the older RussKill bot over time, and various versions of the tool's binary code and back end configuration files have been made public. Researchers have watched as the bot has been used in attacks around the world against a variety of targets, and now they've been able to find a crack in the malware's control infrastructure."

crack in the malware's control infrastructure

[fustakrakich]

Yet another example of country coming apart at the seams.

Re:crack in the malware's control infrastructure

[Razgorov+Prikazka]

Well, the first crack of course is getting rid of M$ and use a proper OS instead.
After that one could go after the baddies...

Re:crack in the malware's control infrastructure

[Krojack]

Correction, The proper fix would be to not let click happy stupid people use the internet.

It's already been proven that Linux & Mac OS's can also be infected so it really doesn't have anything to do with MS. It all comes down to the end user and installing every little stupid thing and clicking on anything that jumps in front of them.

Re:crack in the malware's control infrastructure

[tlhIngan]

It's already been proven that Linux & Mac OS's can also be infected so it really doesn't have anything to do with MS. It all comes down to the end user and installing every little stupid thing and clicking on anything that jumps in front of them.

Not to mention it seems a lot of malware these days are usermode based. They're not trying to hide from users anymore, other than being plausibly-sounding processes with plausible paths. Everything they need to do the user can do - they don't need admin anymore (admin was required because they wanted to hide).

Getting admin these days often requires a dialog box popping up on the user for admin priviledges. Which is a great way to announce your presence to the user. But just being an innoculous sounding process that can hide amongst the other processes is often good enough. After all, if the malware decided it would be called "init" on Linux or "launchd" on OS X, most users wouldn't know that something is wrong (other than it not being PID 0). Or perhaps the malware can see the user runs GNOME, and call itself gnome-terminal. Or on OS X, Safari.app.

Re:crack in the malware's control infrastructure

[tlhIngan]

The proper fix would be to not let click happy stupid people use the internet.

Then we might as well bottle the internet back up as a DARPA research curiousity then.

Generally speaking, the security model assumes people know what they're doing, which is patently false. The computer and the internet are essential tools these days for many occupations, whether or not the people want it. A mechanic probably has to use a computer to diagnose a modern car, but he certainly doesn't need to know how to reinstall Windows or compile a kernel or other crap (to him). He just wants to see what errors there are, use his experience and then find the mystical place to do the $1000 tap to fix the problem.

Ditto the internet - the sales guy is wheeling and dealing and sending specs to customers trying to make money for the company over the 'net. He doesn't need to know the details of TCP/IP or Ethernet or how the packet gets from here to there - he just makes the sales.

Basically these days, the security model should include the fact that people who do not know better have a necessity to use the computer and the internet. We don't train the mechanic how to type and install Windows/Linux/blah and admin it, we train the mechanic how to most effectively extract the data the ECU provides to solve the problem.

It's time security models take note that Dancing Pigs are here to stay. Which may explain the rise of locked down tablets and walled gardens.

Re:crack in the malware's control infrastructure

[jones_supa]

Hmm, seems that you could actually create some sort of protection against this by writing a program which checks for spurious duplicates of system files.

Re:crack in the malware's control infrastructure

"happy stupid people" are the Internet.
Without them, we would still have only documents and missile control commands taking up the bandwidth

Re:crack in the malware's control infrastructure

[somersault]

I'm pretty sure we'd still have plenty of online gaming too.

Re:crack in the malware's control infrastructure

[mcgrew]

It's already been proven that Linux & Mac OS's can also be infected

I don't think "infected" is the right word for a trojan. However, Windows is the only OS that one could get infected by a virus (not trojan) by simply opening an email or visiting a web page.

That said, Windows is a lot more secure than it used to be. I doubt anyone but the click-happy who are dumb enough to answer "would you like to let this program change your computer?" would say "yes" if they thought they were going to a linked web page.

It writes itself

[marcello_dl]

Yo dawg,
I herd you like to exploit flaws,
so I put a flaw in your flaws exploit kit,
so you can exploit flaws while your devkit's flaw is exploited.

binary code

[GuldKalle]

The bot evolved from the older RussKill bot over time, and various versions of the tool's binary code and back end configuration files have been made public.

What does that mean? Was some of the code stored in another numeral system? And why was the code so hard to get hold of?

Re:binary code

Not sure if serious...
"Binary code" means compiled code (i.e. executable files) as opposed to the original source code.

Re:binary code

[X0563511]

Work with me here...

What do you get out of a compiler? A binary.

Re:binary code

[GuldKalle]

Yeah, OK. But why was it so hard to get hold of? Couldn't they just pull it from any infected machine?

Re: NO MICROS~1 HOMOS~1 ..

YOU'RE SO WITTY~1 AND SMART~1! OH, AND FUNNY~1, HOLY BALLS~1 THAT'S FUNNY~1. PLEASE HAVE MY BABIES~1, UNLESS YOU'RE MALE~1. THEN I'LL HAVE YOUR BABIES~1. NO HOMOS~1.

Not bricked yet?

[tomhath]

I'm surprised some company or country hasn't gotten PO'd enough to write a counterattack that just bricks all the infected machines in a botnet.

Re:Not bricked yet?

How do you brick spoof'ed IPs?

Re:Not bricked yet?

[GuldKalle]

Does it spoof the IP? Wouldn't ISPs spot IP packets originating in their own network, but not looking like they did?

Security Flaw in the Security Flaw!

[fm6]

Really, how could the editor overlook such a cute headline?

If the botnet was open source....

.... the researchers would be able to submit a patch.

Why are they telling us?

[mdfst13]

I wonder why they are announcing the security flaw in the malware. Shouldn't they try to exploit the security flaw to find the malware users first?

What's the benefit of reporting the flaw? Usually, people report security flaws so that the application writer can close them. Do they actually want the DDOS kit to close its security flaw? Does that make the world better in some way?

The only possible advantage that I can see is that it might make other malware users more careful about using similar software. And of course, smart malware users will no longer use Dirt Jumper. However, if they just switch from Dirt Jumper to another DDOS kit, it seems that we are worse off (DDOSed by a kit without a security flaw to exploit).

The optimal time to make this kind of announcement would be after it becomes common knowledge in the malware community, preferably by publication of the proceedings of some prosecutions. At that time, it gives minimal benefit to existing malware users while still scaring potential malware users from jumping on the bandwagon. I wouldn't expect the scare benefits to be that large, so the benefit from an early announcement is small.

Re:Why are they telling us?

[SomeJoel]

If they don't report any progress, they'll lose their funding.

I disrupt ALL botnets constantly... apk

See subject-line above: I get a daily listing of their C&C Servers and block them off in my custom hosts file (currently @ 1,800,275++ of KNOWN bad sites-servers/hosts-domains that serve up malicious content, &/or botnet C&C servers, as well as bogus DNS servers they use).

For those of you that run Microsoft Windows 32 or 64 bit? An automated hosts file creation & mgt. program:

---

APK Hosts File Engine 5.0++ 32/64-bit:

Screenshot -> http://start64.com/images/win64/security/apk-hosts-file-engine-1.png

&

Download Site #1 -> http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

or

Download Site #2 -> http://securemecca.com/public/APKHostsFileInstaller/2012_06_01/APKHostsFileEngineInstaller32_64bit.exe.zip

---

INSTALLATION:

a.) Extract its sfx installer file from the zipfile
b.) Run the installer from inside ANY folder you like, extracting the executables + datafiles to any folder you wish (usually one you create for it, doesn't matter where, but you MUST run it as administrator for FULL functionality (simple & the "read me" tab shows how easy THAT is to do))
c.) Then, & lastly - Run either the 32-bit OR 64-bit version (rightclick on the executable & set it to run as Administrator, OR, make a shortcut that can for FULL functionality (like write-protecting the hosts file, & more...))

---

What's it do for you?

Custom hosts files gain me the following benefits (A short summary of where custom hosts files can be extremely useful):

---

1.) Blocking out malware/malscripted sites
2.) Blocking out Known sites-servers/hosts-domains that are known to serve up malware
3.) Blocking out Bogus DNS servers malware makers use
4.) Blocking out Botnet C&C servers
5.) Blocking out Bogus adbanners that are full of malicious script content
6.) Getting you back speed/bandwidth you paid for by blocking out adbanners + hardcoding in your favorite sites (faster than remote DNS server resolution)
7.) Added reliability (vs. downed or misdirect/poisoned DNS servers).
8.) Added "anonymity" (to an extent, vs. DNS request logs)
9.) The ability to bypass DNSBL's (DNS block lists you may not agree with).
10.) More screen "real estate" (since no more adbanners appear onscreen eating up CPU, Memory, & other forms of I/O too - bonus!)
11.) Truly UNIVERSAL PROTECTION (since any OS, even on smartphones, usually has a BSD drived IP stack).
12.) Faster & MORE EFFICIENT operation vs. browser plugins (which "layer on" ontop of Ring 3/RPL 3/usermode browsers - whereas the hosts file operates @ the Ring 0/RPL 0/Kernelmode of operation (far faster) as a filter for the IP stack itself...)
13.) Blocking out TRACKERS
14.) Custom hosts files work on ANY & ALL webbound apps (browser plugins do not).
15.) Custom hosts files offer a better, faster, more efficient way, & safer way to surf the web & are COMPLETELY controlled by the end-user of them.

---

* The malwarebytes/hpHosts site admin another person/site hosting it (Mr. Steven Burn, a competent coder in his own right), said it's "excellent" in fact and has seen its code too...

(Write him yourselves should anyone doubt any of this -> services@it-mate.co.uk , or see his site @ http://hosts-file.net/?s=Download [hosts-file.net] )

A Mr. Henry Hertz Hobbitt of securemecca.org &/or hostsfile.