In product development, it is all about the continuing process of improvement, and for cyber criminals the same thing is true.
That is why a distributed denial of service (DDoS) attack tool targeting the world’s most widely used Web servers has improved its cryptography and attack capabilities to become a more serious threat.
MP-DDoser, also known as “IP-Killer,” uses a relatively new low-bandwidth, “asymmetrical” HTTP attack to inflict a denial-of-service attack against Apache Web servers by sending a very long HTTP header, according to a report from Arbor Networks. This forces the web servers to do a great deal of server-side work for a relatively small request. Additionally, the malware now incorporates multiple layers of encryption.
Such sophistication is a far cry from the first version that appeared as a proof-of-concept Perl script in August 2011 and again months later in the Armageddon DDoS bot, the report said.
“These early versions had a number of serious flaws, such as a completely broken Slowloris attack implementation, and really awful crypto key management,” said Arbor Networks research analyst Jeff Edwards. “But the latest samples (now up to ‘Version 1.6’) are much improved; the key management is quite good, and the buggy DDoS attacks are not only fixed, but now include at least one technique (‘Apache Killer’) that may be considered reasonably cutting edge.”
Using data collected anonymously from more than 200 service providers participating in Arbor’s ATLAS sensor network, Edwards was able to analyze the newest iteration of the DDoS bot and offer instructions for decrypting its transmissions.
“The malware actually uses a pretty straightforward algorithm for encrypting and decrypting the transmissions sent between bot and C&C server. It modulates the plaintext message with a key string using the XOR operator, but it applies this XOR operation only to the least significant four bits of each message byte,” Edwards said in the report.
In earlier versions the key string was hard-coded into the bot executable in plain text. It is now encrypted and stored in an RCDATA resource named MP, along with other sensitive information such as the hostname and port of the C&C server and the botnet ID.
“To decrypt the MP resource string, the bot uses a lookup table (‘LUT’) that maps ASCII characters to integers for the initial phase of the decryption loop. But even this lookup table is itself encrypted! Fortunately, it is encrypted using the same algorithm used for crypting the network comms, and thus the decrypt_mpddos_comms() Python function will handle it,” the report said. “And mercifully, the key string needed to decrypt the LUT happens to be stored in plain text in the bot executable. In all the samples that we’ve encountered to date, that key string is: 00FF00FF00FF, but that could easily change in the future.”
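The two quoted passages above describe the same primitive: a XOR with a key string that touches only the low four bits of each byte, used both for the bot-to-C&C traffic and for the encrypted lookup table. The following Python is an added illustration of that primitive written for this page; it is not Arbor’s decrypt_mpddos_comms() and not code from the malware. It assumes the key is cycled across the message and that the report’s key string 00FF00FF00FF is used as literal ASCII bytes rather than hex-decoded; neither detail is stated on the page. The sample message and the short key used in the demo are constructed.

```python
"""Low-nibble XOR codec of the kind described for MP-DDoser comms.

Added example for this article; not Arbor's tool or the bot's own code.
"""
from itertools import cycle

# Key string the report says unlocks the encrypted LUT in every sample seen so far.
# ASSUMPTION: it is applied as the ASCII bytes "00FF00FF00FF", not hex-decoded.
LUT_KEY = b"00FF00FF00FF"


def xor_low_nibble(data: bytes, key: bytes) -> bytes:
    """XOR only the least significant four bits of each byte with the key.

    The high nibble of every byte is copied through untouched, which is what
    the report describes. XOR is its own inverse, so one function serves for
    both encryption and decryption.
    ASSUMPTION: the key is cycled over the message when the message is longer
    than the key; the report only says the plaintext is modulated with a key string.
    """
    if not key:
        raise ValueError("key must not be empty")
    out = bytearray()
    for b, k in zip(data, cycle(key)):
        out.append((b & 0xF0) | ((b ^ k) & 0x0F))
    return bytes(out)


def decrypt_mpddos_comms(ciphertext: bytes, key: bytes) -> bytes:
    """Decode a captured bot/C&C message (same operation as encoding)."""
    return xor_low_nibble(ciphertext, key)


def high_nibbles_preserved(plaintext: bytes, key: bytes) -> bool:
    """Show the analyst-relevant weakness: the upper nibble of every byte leaks.

    Because only the low 4 bits change, the ciphertext still reveals which
    0x10-wide character class each byte belongs to, which is a useful check
    when triaging captured traffic.
    """
    ct = xor_low_nibble(plaintext, key)
    return all((p & 0xF0) == (c & 0xF0) for p, c in zip(plaintext, ct))


if __name__ == "__main__":
    # Constructed sample key and message, not values from any real sample.
    demo_key = b"k3y!"
    msg = b"ping"
    ct = xor_low_nibble(msg, demo_key)
    print("ciphertext:", ct)                      # b'{jgf'
    print("decrypted :", decrypt_mpddos_comms(ct, demo_key))
    print("high nibbles leak:", high_nibbles_preserved(msg, demo_key))
    # The same routine applied with the report's LUT key string.
    print("with LUT key:", xor_low_nibble(b"ABCD", LUT_KEY))   # b'ABEB'
```

Feeding the function the report’s key string shows why the scheme gives an analyst so little trouble: two of every four key bytes ('0', low nibble 0) leave the message byte unchanged, and the upper nibble of every byte passes through in the clear regardless of the key.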