Reverse Engineering a Sophisticated DDoS Attack Bot


Not long ago, the Radware Emergency Response Team (ERT) noticed a significant increase in the use of the Tsunami SYN Flood attack against a large customer. This activity strongly indicated the presence of a bot operated as a for-hire service, and Radware security researchers managed to obtain a sample of the malware binary used to generate these DDoS attacks. The malware was then isolated and run in a controlled environment to study its behavior and its different attack vectors.

Analysis revealed that more than 50,000 sources were involved in the attack. A closer look, however, led to a more interesting discovery: more than 80% of the traffic bandwidth was generated by a mere handful of sources. This indicated that the bot was targeting machines with serious firepower, and indeed those high-volume sources were routers and servers. The malware targeted Linux machines for infection, which are likely to be servers with high upload bandwidth.

During a period of 10 days (June 14-23, 2015), the team monitored more than 2000 attacks against more than 60 different targets in 7 different countries.

The Malware We Saw

  • Three different attack types: SYN Attack, HTTP Attack and DNS Attack. Each attack could be configured with options such as the destination port, the destination IP and the attack sub-type.
  • The use of an XOR-encrypted communication channel to the command-and-control servers.
  • A standard Linux machine could generate a 100K packet-per-second attack.
  • Infected machines self-tested to verify they could generate attack traffic with spoofed source IPs. This indicates that many of the 50,000 source IPs observed had in fact been spoofed.
  • Self-replication was used to maintain persistence. The bot continuously created slightly modified copies of its binary, so that detecting the file itself becomes even more difficult.
  • The process masqueraded under common process names such as bash, grep, pwd, sleep and more. These name strings were stored in the binary in an obfuscated format.
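The two obfuscation points above (an XOR-encrypted C2 channel and XOR-obfuscated name strings) are both worth knowing how to unpick during analysis. The following is an added example, not Radware's code and not bytes from the real sample: it recovers a single-byte XOR key from a blob by scoring candidate decodes, optionally guided by a known plaintext fragment, and then pulls the recovered strings out. The string table, the key 0x5A and the scoring weights are constructed for the illustration.

```python
"""Recovering single-byte-XOR-obfuscated strings from a binary blob.

Added, illustrative code (not Radware's or the malware's); the blob and the
key below are constructed for the example.
"""
from __future__ import annotations


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key. XOR is its own inverse, so the same
    call both obfuscates and deobfuscates."""
    return bytes(b ^ key for b in data)


def score_plaintext(data: bytes) -> int:
    """Heuristic score for a candidate decode. Obfuscated string tables tend
    to decode to lowercase ASCII separated by NUL terminators, so reward
    those, tolerate other printable bytes, and penalise control/high bytes.
    (A naive 'most printable bytes' score is fooled by the key that merely
    flips letter case, since uppercase letters and spaces are printable too.)"""
    score = 0
    for b in data:
        if 0x61 <= b <= 0x7A:               # a-z
            score += 2
        elif b == 0 or 0x20 <= b <= 0x7E:   # NUL terminator or other printable ASCII
            score += 1
        else:                                # control or non-ASCII byte
            score -= 5
    return score


def recover_xor_key(blob: bytes, known: bytes | None = None) -> int:
    """Try all 256 one-byte keys and return the one producing the best-scoring
    decode. If the analyst already expects a particular string in the table
    (e.g. a process name the bot masquerades as), pass it as `known`: keys
    whose decode contains it get a large bonus (known-plaintext recovery)."""
    best_key, best_score = 0, None
    for key in range(256):
        plain = xor_bytes(blob, key)
        score = score_plaintext(plain)
        if known is not None and known in plain:
            score += 10 * len(known)
        if best_score is None or score > best_score:
            best_key, best_score = key, score
    return best_key


def extract_strings(data: bytes, min_len: int = 3) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes, split on
    anything non-printable (roughly what strings(1) does)."""
    found: list[str] = []
    current = bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E:
            current.append(b)
        else:
            if len(current) >= min_len:
                found.append(current.decode("ascii"))
            current = bytearray()
    if len(current) >= min_len:
        found.append(current.decode("ascii"))
    return found


# Constructed sample: a NUL-separated table of the process names the post
# mentions, XOR-obfuscated with a made-up key. These are not bytes from the
# real sample, and 0x5A is not its key.
SAMPLE_KEY = 0x5A
SAMPLE_TABLE = b"bash\x00grep\x00pwd\x00sleep\x00"
OBFUSCATED_TABLE = xor_bytes(SAMPLE_TABLE, SAMPLE_KEY)


def recover_names(blob: bytes = OBFUSCATED_TABLE, known: bytes | None = None) -> list[str]:
    """Recover the key for an obfuscated string table and return its strings."""
    key = recover_xor_key(blob, known)
    return extract_strings(xor_bytes(blob, key))


if __name__ == "__main__":
    key = recover_xor_key(OBFUSCATED_TABLE)
    print(f"recovered key 0x{key:02x}: {recover_names()}")
```

The same brute-force-and-score approach applies to a captured C2 message when the key is a single byte; for a multi-byte repeating key, the usual next step is to guess the key length from byte-distance statistics and then run this scoring per key position. Note the comment in `score_plaintext`: ranking decodes purely by how many bytes are printable picks the wrong key on a table like this one, because the key that flips letter case yields all-printable output.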

While these techniques are not new in themselves, they demonstrate that DDoS malware authors now have a financial incentive to become more and more professional. They continue to infect servers and routers, leveraging high-end machines and offering them for rent at reasonable prices.

Whether the motive is financial gain, espionage, cyber war or hacktivism, attackers are finding reasons to uncover and exploit security vulnerabilities in servers and applications. The abundance of publicly exposed servers and routers with weak password and protection policies enables malware herders to quickly and inexpensively assemble a robot army. DDoS-for-hire products are maturing into platforms that also offer financial fraud and spam capabilities, while providing customers with a cheap, high-quality service.

Organizations should now, more than ever, deploy protection and mitigation technologies, and watch out whose wrath their activities awaken. Anybody who is angry enough can easily rent a vicious botnet for the price of a coffee and a sandwich.

Read the full case study and an analysis on the malware and incident.
