Drive, a variant of the do-it-yourself DDoS toolkit DirtJumper, holds a unique position among DDoS malware, and organizations targeted by these debilitating attacks need to be aware of it.
Researchers at Arbor Networks revealed today that a new version of Drive has been spotted with features that enable it to bypass DDoS mitigation techniques. That capability could force enterprises that employ particular mitigation strategies to abandon them going forward; otherwise they risk effectively whitelisting the traffic of the malware behind these attacks.
Among the mitigations now rendered relatively obsolete is the Set-Cookie challenge, which requires a client to accept and return a cookie before its requests are served. The malware is now capable of parsing out either the cookie value or a new URL location and using those values in subsequent packets, making its traffic look like legitimate requests. Similarly, a bot can look for a redirect upon making an HTTP request, parse out the URL and use that redirect target in any requests that follow.
“Those are some of the common, basic, low-level mitigations,” said Jason Jones, a researcher with Arbor’s Security Engineering and Response Team (ASERT), adding that the team will begin recommending that customers under active attack turn off these mitigations, forcing them to rely on more advanced techniques to stem high-volume attacks. “This makes us think more about how we communicate stuff to customers; we have to think on our feet more because of this.”
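Since a cookie or redirect challenge no longer separates Drive bots from browsers, one of the "more advanced techniques" a defender can layer behind it is a per-client rate check that only looks at clients that already passed the challenge. The following is an added example written for this article, not Arbor's or any product's code; the access-log format, the thresholds and the addresses are constructed assumptions.

```python
# Added example: rate check layered behind a cookie/redirect challenge.
# Log format, thresholds and addresses are constructed assumptions.
from collections import defaultdict

def parse_line(line):
    # Constructed format: "<epoch> <ip> <method> <path> <status> c=<0|1>"
    ts, ip, method, path, status, cookie = line.split()
    return {"ts": int(ts), "ip": ip, "path": path, "status": int(status), "has_cookie": cookie == "c=1"}

def max_requests_in_window(timestamps, window_s):
    """Largest number of requests from one client inside any window_s-second span."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] >= window_s:   # slide the window's left edge
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_challenge_passing_clients(lines, window_s=10, threshold=30):
    """Return {ip: peak_count} for clients that returned the challenge cookie
    and were served, yet exceeded `threshold` requests within any window_s seconds.
    Clients that never return the cookie are left to the challenge itself."""
    served = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["has_cookie"] and rec["status"] == 200:
            served[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in served.items():
        peak = max_requests_in_window(stamps, window_s)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def constructed_log():
    base = 1700000000
    lines = []
    # 203.0.113.7: accepts the cookie, then fires 20 req/s at one URL (bot-like)
    lines.append(f"{base} 203.0.113.7 GET / 302 c=0")
    lines += [f"{base + 1 + i // 20} 203.0.113.7 GET /index.php 200 c=1" for i in range(100)]
    # 198.51.100.2: accepts the cookie, then browses at a human pace
    lines.append(f"{base} 198.51.100.2 GET / 302 c=0")
    lines += [f"{base + 5 * i} 198.51.100.2 GET /page{i}.html 200 c=1" for i in range(12)]
    # 192.0.2.9: never returns the cookie, so the challenge keeps redirecting it
    lines += [f"{base + i} 192.0.2.9 GET / 302 c=0" for i in range(50)]
    return lines
```

Running `flag_challenge_passing_clients(constructed_log())` flags only the cookie-bearing client that burst 100 requests in five seconds; the human-paced client and the client that never returned the cookie are left alone.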
Drive and DirtJumper are toolkits that facilitate creation of a homegrown botnet fairly quickly and without the need for a lot of technical savvy on the attacker’s end. It’s thought to be a Russian kit and has been in circulation for at least two years; an upgrade made in June enhanced the DDoS engine and researchers saw the malware connect with 15 unique command and control servers that enable simultaneous attacks on dozens of targets.
For now, the latest Drive capabilities have been found in a handful of samples, Arbor’s Jones said.
“These are diverging much more from older DirtJumpers,” Jones said. “It’s a step up on their hand. I haven’t seen DDoS malware before with mitigation bypass. We’re not sure how widespread it is; someone is at least testing how it works.”
He said he has seen four new attacks coming out of this variant, but only one, called -smart, has the mitigation bypass capabilities. The least interesting, according to Jones, is called -icmp, which attempts to flood a target with standard ICMP echo requests.
Jones said he has not figured out the purpose of another attack called -byte. It sends only one random lowercase alpha byte before the socket is closed. This attack targets port 80, and it can also send small payloads toward a target.
The fourth attack is called -long because it tries to keep a socket open for a period of time while sending data.
“A random payload is generated, sent and then randomly sleeps for two to six seconds before executing the send up to 10240 times,” Jones said. “It seems unlikely that this attack will succeed for the maximum time as most services will close a socket upon receiving malformed data defined by their service, but it is possible some may not and allow the attack to continue long enough to exhaust available connections.”
Jones speculates that more websites are likely adding DDoS mitigation technologies or appliances, forcing Drive authors to up their game.
“Their customer base is probably clamoring for it like a normal software business would,” he said. “They want updates so the authors have to figure out what the mitigations are doing and this is what they came up with.”