Dirt Jumper Caught in the Act

By Curt Wilson

In late July 2011, a specific piece of malware came to our attention. Analysis revealed that this particular piece of malware was launching DDoS attacks and we have direct evidence of DDoS attack on two Russian websites. One of these was a gaming website, the other involved in selling a popular smartphone. Further research determined that this malware was also used in attacks on yet another Russian gaming site, test attacks on various other sites, attacks on a large corporations load balancer, and a damaging attack on a Russian electronic trading platform.

A comparison of this threat with other threats that we have analyzed resulted in a determination that this is a newer version of the Russkill bot, also known as Dirt Jumper. We suspect that this is version 3 of Dirt Jumper.

The malware infection begins with the loading of a file named vf4e2ad6800e566_2011723171112.exe which at the time of this writing is still online and dangerous. The MD5 of this file is f7c0314fb0fbd52af9d4d721b2c897a2. Using this information, we gain additional insight.

A query of the helpful malc0de.com database reveals the following (WARNING: live malware is referenced from these links as of 8/3/2011 – be careful!)

(As of 7/29/2011, a file with this name is still online, however the actual file has changed at least once)

Evidence Points to a Financially Motivated Attack

A Google query for the MD5 of the binary revealed a ThreatExpert report, found at http://www.threatexpert.com/report.aspx?md5=f7c0314fb0fbd52af9d4d721b2c897a2 which indicates some interesting information. When relevant, ThreatExpert reports contain a section that describes outbound traffic. However, there may be no obvious distinction between normal traffic and traffic that is part of a DDoS attack. Therefore, depending on the data capturing capabilities of any given analysis infrastructure, a DDoS flood may go unnoticed because it appears as a simple outbound connection. Such outbound connections are typically used for Command & Control or to fetch additional malware.

The ThreatExpert report revealed outbound traffic to the following URL’s:

http://xzrw0q.com/driver32/update/m_d.php (the Command & Control site – active as of 7/29/2011)

http://etp.roseltorg.ru

The title page of etp.roseltorg.ru translates as such: “A single electronic trading platform – the national operator of electronic trading”. Visits to the site indicate that it was “Created with the assistance of the Government of Moscow”.  I thought this very interesting, since I didn’t expect to see such a site as a malware callback or binary drop site.

Review of contents posted to etp.roseltorg.ru indicated that they were subject to a DDoS attack between July 15 and July 18 2011. The following text is translated from Russian from Google’s cache for http://webcache.googleusercontent.com/search?q=cache:oi5ap9zl6T4J:etp.roseltorg.ru/+etp.roseltorg.ru+ddos&cd=1&hl=en&ct=clnk&gl=us&source=www.google.com

The ThreatExpert report showing the outbound connection indicated the malware was submitted on July 23 2011, 18:26:05, which does not cleanly overlap with the posted DDoS impact; however, the attacked site may have developed mitigations such as the deployment of anti-DDoS infrastructure or the use of selective ACLs at network chokepoints. Stateful firewalls are often used to deploy ACLs; however, the stateful nature of these devices can turn them into a liability in the event of a large attack because their state table becomes clogged with bogus requests.

Additional evidence implicating Dirt Jumper in the attack on etp.roseltorg.ru is obtained in a community message left on the VirusTotal site in response to a scan of the same binary file.

http://www.virustotal.com/file-scan/report.html?id=9cc7baa0756743cebbcd7fab977495e652bda32762e9c1b8367aa38fdfaf5440-1311578189

The ThreatExpert report itself also indicates this information:

The data identified by the following URLs was then requested from the remote web server:

  • http://xzrw0q.com/driver32/update/m_d.php
  • http://etp.roseltorg.ru/

An underground forum indicates the use of Dirt Jumper v3 being mentioned on July 4, 2011 as part of a DDoS-for-hire business:

There are many similar messages on underground forums that indicate a clear market for DDoS services. On August 1, 2011, Brian Krebs wrote an article about this phenomenon in “Digital Hit Men for Hire”- https://krebsonsecurity.com/2011/08/digital-hit-men-for-hire/

A Look at the Command & Control & Webpanel

The attacker, or perhaps those who rent space on the botnet, will login via an authentication panel that looks something like this:

The HTTP attack web panel for Dirt Jumper looks something like this:

We can see here that this particular control panel has (had?) 70,446 bots total but only 668 are online at the time that the screenshot was made. While this screenshot only shows HTTP flooding capabilities, older screenshots of Russkill control panels showed both HTTP and SYN flood capabilities on the same page.

At least in the older versions of Russkill, the webpage for remote administration can be hidden – given a non-obvious path – in order to discourage easy discovery by researchers, law enforcement or rival botmasters. The “Hide url” feature is visible here in a screen capture of an attack panel from a couple of years ago (thanks to Malware Intelligence for the screenshot):

While it is no longer active, we shall soon see that xzrw0q.com was the Command & Control used by this variant of Dirt Jumper. Each infected system made an outbound connection to the C&C and receives instructions on which sites to attack. Since we know that etp.roseltorg.ru was a victim, it is also likely that one other site was also a victim of that particular DDoS attack. It is unknown if there was any actual impact from this attack.

ASERT internal analysis infrastructure provided a packet capture which reveals the following correlation with what we’ve seen so far:

This is an interaction with the Command & Control server, which as we can see was located at xzrw0q.com in late July 2011.

According to DomainTools, xzrw0q.com was using IP address 31.192.109.164 and was located in the Russian Federation, hosted by Mir Telematiki Ltd. This domain was associated with malware for some time and other domain names with slight variations have also been used for malicious purposes.

In this transaction, we can see an HTTP POST to /driver32/update/m_d.php passing the data k=<15 digit value, removed>. The server responds back with a pipe-delimited set of values followed by a list of sites to attack (actual site names removed to protect the attacked):

01|300|150http://q**********.net/

http://www.i******.ru

A traffic flood towards these two sites then ensued, with one of the sites appearing to take a harder hit than the other. Attack traffic observed is based on HTTP GET requests.

It appears that when an attack campaign is not executing, the malware will periodically connect back to its C&C and receive the following pipe-delimited values, minus any URL’s:

12|300|150

From the change in communications, we can infer that the first value is a command code and that the codes may start with 01 (correlating to an HTTP GET flood) and run through at least 12 (perhaps a keep-alive message). Other research into earlier versions of Russkill showed variations in the command structure; however, those particular structures did not function in the version analyzed here.

The second value sets the number of threads created to launch the attack. For example, a sandboxed bot showed 13 threads when the middle value was 10, and 305 threads during a sandboxed attack using the values 01|300|150http://attacked.com (attacked.com was locally sinkholed). We gain additional insight into the offset of the executing thread as well: svdhalp.exe+0430c is obviously a useful point for analysis.

POST messages back to the C&C took place every 150 seconds, which likely accounts for the last value.
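The check-in and tasking exchange described above (a POST of k=<15-digit id> to /driver32/update/m_d.php, answered by command|threads|interval followed by target URLs) is concrete enough to parse and to hunt for. The following is an added example, not code from the original post or from ASERT: a parser for the pipe-delimited reply and a beacon detector that flags hosts POSTing a 15-digit k value to the C&C path at the 150-second cadence. The reply strings and proxy log lines are constructed for the example (target hostnames are made up; the C&C host and path are the ones named in the post), and the log format is an assumed "epoch src POST host/path body" layout.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample C&C replies, modelled on the captured values quoted in the
# post: "01|300|150" with URLs appended directly after the third value when an
# attack is tasked, and "12|300|150" with no URLs when the bot is idle.
SAMPLE_ATTACK_REPLY = "01|300|150http://target-one.example.net/\nhttp://www.target-two.example"
SAMPLE_IDLE_REPLY = "12|300|150"

# Constructed proxy log lines (epoch seconds, client, method, host/path, body).
# 10.0.0.5 checks in every 150 s with a 15-digit k value; 10.0.0.9 is benign.
SAMPLE_LOG = """\
1311430000 10.0.0.5 POST xzrw0q.com/driver32/update/m_d.php body="k=123456789012345"
1311430150 10.0.0.5 POST xzrw0q.com/driver32/update/m_d.php body="k=123456789012345"
1311430300 10.0.0.5 POST xzrw0q.com/driver32/update/m_d.php body="k=123456789012345"
1311430000 10.0.0.9 POST intranet.example/login body="k=1"
"""

@dataclass
class DirtJumperTask:
    command: int           # first field: 01 observed for HTTP GET flood, 12 observed when idle
    threads: int           # second field: number of attack threads the bot spawns
    interval_seconds: int  # third field: seconds between POSTs back to the C&C
    targets: List[str] = field(default_factory=list)

    @property
    def is_attack(self) -> bool:
        # Idle replies carry code 12 and no URLs; anything else with URLs is tasking.
        return self.command != 12 and bool(self.targets)

# Two-digit command, thread count, interval, then whatever follows (URLs, if any).
HEADER_RE = re.compile(r"^(\d{2})\|(\d+)\|(\d+)(.*)$", re.S)

def parse_cnc_response(body: str) -> DirtJumperTask:
    """Split a Dirt Jumper v3 reply into its three control values and the URL
    list that is glued onto the third value with no separator, as captured."""
    m = HEADER_RE.match(body.strip())
    if not m:
        raise ValueError("not a pipe-delimited Dirt Jumper reply: %r" % body[:40])
    cmd, threads, interval, rest = m.groups()
    targets = re.findall(r"https?://[^\s|]+", rest)
    return DirtJumperTask(int(cmd), int(threads), int(interval), targets)

# Assumed log layout; adapt the pattern to whatever your proxy or IDS emits.
LOG_LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<src>\S+) POST (?P<host>[^/\s]+)(?P<path>/\S*) body="k=(?P<k>\d{15})"$'
)

def find_beacons(log_text: str, path: str = "/driver32/update/m_d.php",
                 period: int = 150, tolerance: int = 5, min_hits: int = 3) -> List[str]:
    """Return sources that POST a 15-digit k= value to the C&C path at a
    regular ~period cadence, the check-in behaviour described in the post."""
    by_src: Dict[str, List[int]] = {}
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m or m.group("path") != path:
            continue
        by_src.setdefault(m.group("src"), []).append(int(m.group("ts")))
    beacons = []
    for src, stamps in by_src.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and all(abs(g - period) <= tolerance for g in gaps):
            beacons.append(src)
    return beacons

if __name__ == "__main__":
    task = parse_cnc_response(SAMPLE_ATTACK_REPLY)
    print("command=%02d threads=%d interval=%ds targets=%s attack=%s"
          % (task.command, task.threads, task.interval_seconds, task.targets, task.is_attack))
    print("idle reply is attack:", parse_cnc_response(SAMPLE_IDLE_REPLY).is_attack)
    print("beaconing hosts:", find_beacons(SAMPLE_LOG))
```

The parser deliberately anchors on the two-digit command and the missing separator before the first URL, so a reply from a sandbox capture can be split without knowing the target list length in advance; the beacon check tolerates a few seconds of jitter because the 150-second interval is measured from the bot's side, not the proxy's.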

Dealing With the Binary Protections

The initial binary file appears to be packed by UPX, however it is likely that this is a modified UPX, or other obfuscation techniques have been deployed to increase the amount of effort required for a successful analysis.

The original file that starts the infection has been renamed to EVILNESS.EXE for the sake of this analysis, and this file has some unusual properties as such:

Description: “Signs Blast Egypt Avery”

Copyright: “Sobs Sift 1997-2011”

Company: “Comma Stone”

File Version: “Wolff Diets Cowboy Mig”

Original File name: “Baby.exe”

Product Name: “Picks Air”

It is possible that these values are dynamically added to the binary at build time out of a word list.

According to PEiD, the binary appears to be packed with UPX, which is normally trivial to unpack simply by using the UPX utility.

However attempts to manually unpack the original binary with UPX result in a broken binary file that’s missing important sections of the PE header. Additionally, the file cannot be loaded into analysis tools such as IDA Pro without modification. If we attempt to load the de-UPX’ed file, we receive the following error messages:

IDA Pro then exits.

After a manual unpacking session with a debugger and the import reconstructor tool, the PE header was manually modified to allow for easier analysis. Imports that were destroyed are then recovered and the malware is then able to be analyzed much more easily. For example, PEiD now easily determines that the post-UPX binary was written in Delphi 5-6.
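The two header conditions this unpacking section turns on, UPX-style sections with the entry point in UPX1 and an import directory that is empty after a botched unpack, can both be read straight from the PE headers before any tool is opened. The following is an added example, not ASERT's tooling or anything from the post: a pure-Python header triage that reports the section names, which section holds the entry point, and whether the import data directory survived. It builds its own minimal, non-executable PE32 image as constructed test data (the real sample is not reproduced here); with pefile installed the same fields are available through that library instead.

```python
import struct
from typing import Dict

# Section names UPX leaves behind; the same hint PEiD keys on.
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}

def build_sample_pe(section_names, entry_rva, import_rva, import_size) -> bytes:
    """Assemble a minimal PE32 image in memory (constructed test data for this
    example, not a real binary). Only the fields the triage reads are filled."""
    pe_offset, opt_size = 0x80, 224
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", pe_offset)).ljust(pe_offset, b"\0")  # e_lfanew at 0x3c
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)                      # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)        # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)         # FileAlignment
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, import_rva, import_size)  # import directory (index 1)
    sects, rva = b"", 0x1000
    for name in section_names:
        raw = 0 if name == b"UPX0" else 0x200      # UPX0 occupies no bytes on disk
        sects += struct.pack("<8sIIIIIIHHI", name, 0x1000, rva, raw, 0x400, 0, 0, 0, 0, 0xE0000020)
        rva += 0x1000
    return dos + b"PE\0\0" + coff + bytes(opt) + sects

def triage_pe(data: bytes) -> Dict:
    """Read the PE headers and report packer hints and header damage."""
    r = {"sections": [], "upx_sections": False, "entry_section": None,
         "imports_present": False, "problems": []}
    if data[:2] != b"MZ":
        r["problems"].append("missing MZ signature")
        return r
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        r["problems"].append("missing PE signature")
        return r
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)             # PE32 vs PE32+ directory base
    imp_rva, imp_size = struct.unpack_from("<II", data, dir_off + 8)
    r["imports_present"] = imp_rva != 0 and imp_size != 0
    sect_off = opt + opt_size
    for i in range(nsect):
        name, vsize, vaddr, raw_size = struct.unpack_from("<8sIII", data, sect_off + 40 * i)
        name = name.rstrip(b"\0")
        r["sections"].append(name.decode("latin-1"))
        if vaddr <= entry < vaddr + max(vsize, raw_size):
            r["entry_section"] = name.decode("latin-1")
    r["upx_sections"] = any(n.encode() in UPX_SECTIONS for n in r["sections"])
    if r["entry_section"] is None:
        r["problems"].append("entry point outside every section")
    if not r["imports_present"]:
        r["problems"].append("import directory is empty: imports need reconstruction")
    return r

if __name__ == "__main__":
    packed = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], 0x2000, 0x2100, 0x30)
    print("packed sample:", triage_pe(packed))
    damaged = build_sample_pe([b".text", b".data"], 0x1000, 0, 0)
    print("unpacked, imports lost:", triage_pe(damaged))
```

An entry point sitting in UPX1 with an empty UPX0 is the normal packed layout; an entry point that lands in no section, or an import directory of zero RVA and size after unpacking, is the shape of the damaged header the post describes and the cue to reach for a debugger and an import reconstructor rather than the stock UPX tool.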

From here, we are able to load the file into IDA Pro to gain additional insight, or go deeper with a tool such as the Interactive Delphi Reconstructor (IDR) which allows us to see elements such as these components used in an HTTP POST attack:

And the locations of important functions, in this case the httpsend_s function:

Just like many other DDoS bot families, Dirt Jumper aka Russkill continues to undergo active development to help feed a market that’s hungry for DDoS services.

Appreciation is offered to Malware Intelligence and Arbor Networks colleagues on the ASERT and Remote Services teams for additional insight.

Curt Wilson is a Research Analyst for Arbor Networks’ Security Engineering and Response Team (ASERT)
