Researchers Find Flaw in Dirt Jumper Bot

A team of researchers has discovered a weakness in the command-and-control infrastructure of one of the major DDoS toolkits, Dirt Jumper, that enables them to stop attacks that are in progress. The discovery gives the researchers the ability to access the back-end servers that control the attack tool, as well as the configuration server, and key insights into the way that the tool works and how attackers are using it.

A team of researchers has discovered a weakness in the command-and-control infrastructure of one of the major DDoS toolkits, Dirt Jumper, that enables them to stop attacks that are in progress. The discovery gives the researchers the ability to access the back-end servers that control the attack tool, as well as the configuration server, and key insights into the way that the tool works and how attackers are using it.

Dirt Jumper is not among the more well-known of the DDoS attack toolkits, but it’s been in use for some time now and has a number of separate iterations. The bot evolved from the older RussKill bot over time, and various versions of the tool’s binary code and back end configuration files have been made public. Researchers have watched as the bot has been used in attacks around the world against a variety of targets, and now they’ve been able to find a crack in the malware’s control infrastructure.

Researchers at Prolexic were able to identify the C&C servers used by the Dirt Jumper bot and then found a way into the server’s backend database and configuration files. That gave them the ability to see attacks in progress and then take action to stop them.

“With this information, it is possible to access the C&C server and stop the attack,” Prolexic CEO Scott Hammack said. “Part of our mission is to clean up the Internet. It is our duty to share this vulnerability with the security community at large.”

There are a number of different versions of Dirt Jumper, including a variant called Pandora that has been used in some recent attacks. One such attack was on the site run by journalist Brian Krebs, Krebs on Security, and it took the site down at one point and Krebs said that the attack came in three waves. 

Dirt Jumper and its assorted variants are among the newer wave of do-it-yourself toolkits that enable attackers to stand up their own botnets quickly and with little technical knowledge. Once the user has his little bot army put together, he can begin firing off DDoS attacks at whatever target he chooses. Thanks to the huge amounts of bandwidth available to normal home users and the use of techniques that leverage open DNS servers and other methods for amplifying the volume of traffic, attackers with even small botnets can bring down major sites.

During the course of the last year or so, researchers have seen a huge spike in the popularity of Dirt Jumper among attackers, putting it far ahead of more famous toolkits such Black Energy. Because there are various unofficial or leaked and modified versions of Dirt Jumper circulating, it’s difficult go get an exact read on how many people are using it.

“Finally, Dirt Jumper’s meteoric rise in popularity in this time frame suggests that author (and any promoters they have working for them) is doing something right. Features are getting incorporated well, new versions are released, and the bot’s got traction in the community. An alternative explanation is that the leaks we see leading to ‘unofficial versions’ are also classified as DJ and explain the rise,” Jose Nazario of Arbor Networks, wrote in an analysis of the bot and others.

 

Suggested articles