A once flawed DDoS attack targeting the world’s most widely used Web servers has improved its cryptography and attack capabilities to become a more serious threat.
MP-DDoser, also known as “IP-Killer,” uses a relatively new low-bandwidth, “asymmetrical” HTTP attack to inflict a denial-of-service attack against Apache Web servers by sending a very long HTTP header. This forces the web servers to do a great deal of server-side work for a relatively small request. Additionally, the malware now incorporates multiple layers of encryption.
Such sophistication is a far cry from the first version that appeared as a proof-of-concept Perl script in August 2011 and again months later in the Armageddon DDoS bot, according to a new report by Arbor Networks.
“These early versions had a number of serious flaws, such as a completely broken Slowloris attack implementation, and really awful crypto key management,” writes Arbor Networks research analyst Jeff Edwards. “But the latest samples (now up to ‘Version 1.6’) are much improved; the key management is quite good, and the buggy DDoS attacks are not only fixed, but now include at least one technique (‘Apache Killer’) that may be considered reasonably cutting edge.”
Using data collected anonymously from more than 200 service providers participating in Arbor’s ATLAS sensor network, Edwards was able to analyze the newest iteration of the DDoS bot and offer instructions for decrypting its transmissions.
“The malware actually uses a pretty straightforward algorithm for encrypting and decrypting the transmissions sent between bot and C&C server. It modulates the plaintext message with a key string using the XOR operator, but it applies this XOR operation only to the least significant four bits of each message byte,” he said in the report.
The key string in earlier versions was simply hard-coded into the bot executable in plain text. It’s since improved to now be encrypted and stored in an RCDATA resource named MP, along with some other sensitive information such as the hostname and port of the C&C and the botnet ID.
“To decrypt the MP resource string, the bot uses a lookup table (‘LUT’) that maps ASCII characters to integers for the initial phase of the decryption loop. But even this lookup table is itself encrypted! Fortunately, it is encrypted using the same algorithm used for crypting the network comms, and thus the decrypt_mpddos_comms() Python function will handle it,” according to the report. “And mercifully, the key string needed to decrypt the LUT happens to be stored in plain text in the bot executable. In all the samples that we’ve encountered to date, that key string is: 00FF00FF00FF, but that could easily change in the future.”
The 50-page report goes into detail on how to break MP-DDoS’s multi-layered encryption and thwart transmissions. In general, Edwards recommends:
- Decrypting the LUT using decrypt_mpddos_comms()
- Then using the LUT to decrypt the MP resource via decrypt_mpddos_rsrc()
- And then pulling the comms key from the plain text resource and providing it to decrypt_mpddos_comms() to decrypt the actual network traffic
“All in all, MP-DDoser uses some of the better key management we have seen,” Edwards wrote in a blog post on his research.
“But of course, at the end of the day, every bot has to contain — or be able to generate –- its own key string in order to communicate with its C&C, so no matter how many layers of encryption our adversary piles on, they can always be peeled off one by one.”
