Researchers at Arbor Networks have identified a new DDoS bot with a fancy for ferrets.

Following a clue in a tweet, researcher Dennis Schwarz found Trojan.Ferret, including a command and control panel with some insight into targets. To date, a relatively small number of malware samples and command and control servers have been uncovered, Schwarz said, indicating that the full scope of the campaign is not clear yet.

“Some of the targeted site types [are] real estate companies, electronics shop, a wedding dress shop, a Panamanian politician, and a news site,” Schwarz told Threatpost. Victims have been found in the Netherlands, Russia, the United States and Germany.

Trojan.Ferret is written in the Delphi programming language and includes a number of self-preservation capabilities, including UPX packing, string obfuscation, anti-virtual machine and anti-debugging measures, self-modifying code and process hollowing.

The fact that the samples captured by Arbor Networks are written in Delphi indicates a likely Russian origin, Schwarz said.
“There exists a malware stereotype that if it’s written in Delphi, it’s of ‘Russian’ origin,” Schwarz said. “Empirically, it tends to pan out. I have a theory that when the current generation of ‘Russian’ malware authors (or who they base their code on) was going through their computer science curriculums that Delphi was the language of choice. So, that’s what they know and that’s what they’re comfortable with.”

Schwarz said that the malware author’s choice of Delphi also helps keep it viable.

“For a reverse engineer, the major disadvantage of Delphi is that it is a very messy language to disassemble,” he said. “It’s almost an art separating the wheat from the chaff.”

Trojan.Ferret uses two obfuscation methods, both combining base64 and XOR encryption to mask what’s happening under the covers. Different encryption keys are used for different parts of the malware code base, Schwarz said, adding that one method is used mostly to encrypt strings in the malware code, while the other hides communication back and forth with the command and control server.

Command and control communication is done over HTTP, and the bot comes equipped with a phone-home capability as well as a number of commands. The particular server infiltrated by Arbor is in Ukraine.

Schwarz’s research so far has identified 18 commands with this bot, most of them flood commands used to overwhelm websites with fraudulent traffic. Other commands download bots on infected computers, send updates to either all bots, specific bots or just bots running on particular operating systems. There are also removal commands.

“For the DDoS commands, I would say Ferret implements the core set of floods,” Schwarz said. “Missing from the command set are the standard suite of application layer attacks such as Slowloris, Apache Killer, and RUDY.”

Schwarz gained access to the command and control panel and learned from the dashboard—in addition to the author calling bots “ferrets,” that there are close to 3,000 compromised machines out there and the attackers know how many are active within any 24-hour or seven-day period.

Image courtesy Arbor Networks

Categories: Malware