Posted on Monday, November 3rd, 2008

MS08-067 Used to Drop DDoS Bots

by Jose Nazario

Earlier today we were informed about a bot that we’ve seen before, KernelBot, being dropped by an exploit tool for MS08-067. The exploit code is “67.exe”, and the bot itself is “6767.exe”. KernelBot is a Chinese-origin DDoS bot run by someone we think uses the handle IceKernel; he even names his project KernelBot, as the debug symbol path left in the binary shows: d:\Works\KernelBots_Up28\Server\Release\Server.pdb. We first became aware of this bot during the CNN.com attacks earlier this year, when some researchers we were working with brought it to our attention. Since then we’ve been watching this guy’s activities and have seen a handful of DDoS targets, most of them Baidu. It’s nice to see most of the AV vendors have finally caught up and added detection.

If you want to stop this one, you should block all web access to the domain ushealthmart.com. It’s using a few hosts under that domain name to spread and send out configurations.

We are still not seeing significant exploit activity around the CVE-2008-4250 vulnerability, which is a bit unexpected given the number of PoC codes available.

KernelBot can send ICMP, TCP SYN, UDP, and even HTTP flood attacks, among others. It retrieves a configuration file from a server, usually named “cmd.txt”, which is a large INI file describing attacks and next actions. The bot itself doesn’t have any mechanism to spread, so the exploit code is what gets it onto victims. A command stanza might look like this:

[DDOS_TcpFlood]
IsTcpFlood=0
CmdID=6
TcpFloodDNS=www.1698woool.com
TcpFloodPort=80
IsSendPacket=0
ThreadCount=6
IsTimer=1
Timer=40

You can see a complete example of the configuration file at this translated forums page.
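To pull targets out of a captured cmd.txt for blocking or alerting, here is an added parser (not the bot's or Arbor's code) built on the stanza above. It assumes the other flood types follow the same Is&lt;Type&gt;/&lt;Type&gt;DNS/&lt;Type&gt;Port key naming, and the [DDOS_UdpFlood] stanza in the sample is constructed on that assumption.

```python
import configparser

# Constructed sample in the style of KernelBot's cmd.txt. The [DDOS_TcpFlood]
# stanza is the one quoted in the post; [DDOS_UdpFlood] is an assumption that
# the other flood types follow the same Is<Type>/<Type>DNS/<Type>Port naming.
SAMPLE_CMD_TXT = """
[DDOS_TcpFlood]
IsTcpFlood=0
CmdID=6
TcpFloodDNS=www.1698woool.com
TcpFloodPort=80
IsSendPacket=0
ThreadCount=6
IsTimer=1
Timer=40

[DDOS_UdpFlood]
IsUdpFlood=1
CmdID=7
UdpFloodDNS=victim.example
UdpFloodPort=53
ThreadCount=10
IsTimer=0
Timer=0
"""

def parse_cmd_txt(text: str) -> list:
    """Return one dict per [DDOS_*] stanza with its type, target and state."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: IsTcpFlood, not istcpflood
    cp.read_string(text)
    cmds = []
    for section in cp.sections():
        if not section.startswith("DDOS_"):
            continue
        kind = section[len("DDOS_"):]  # e.g. "TcpFlood"
        s = cp[section]
        cmds.append({
            "kind": kind,
            "cmd_id": int(s.get("CmdID", "0")),
            "enabled": s.get(f"Is{kind}", "0") == "1",
            "target": s.get(f"{kind}DNS", ""),
            "port": int(s.get(f"{kind}Port", "0")),
            "threads": int(s.get("ThreadCount", "0")),
            # Timer only applies when IsTimer=1; the post does not state its units
            "duration": int(s.get("Timer", "0")) if s.get("IsTimer") == "1" else None,
        })
    return cmds

def active_targets(text: str) -> list:
    """(kind, target, port) for every stanza the bot would act on right now."""
    return [(c["kind"], c["target"], c["port"]) for c in parse_cmd_txt(text) if c["enabled"]]
```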

The bot’s HTTP request headers should be pretty easy to fingerprint when you compare them to legitimate HTTP headers:

GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
If-Modified-Since: Sun, 26 Jun 2005 15:43:05 GMT
If-None-Match: "60794-12b3-e4169440"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Host: %s
Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Range: bytes=1-1
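The fixed values in that template (the 2005 If-Modified-Since date, the constant ETag, the one-byte Range) are what make it fingerprintable. The matcher below is an added example, not code from the post; the two sample requests are constructed, with the bot template's %s placeholders filled in.

```python
# Constructed detection helper (not from the post): scores an HTTP request against
# the header values KernelBot hard-codes, which never change across victims.
KERNELBOT_STATIC_HEADERS = {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 1.0.3705)",
    "Accept-Language": "zh-cn",
    "If-Modified-Since": "Sun, 26 Jun 2005 15:43:05 GMT",
    "If-None-Match": '"60794-12b3-e4169440"',
    "Range": "bytes=1-1",
    "Pragma": "no-cache",
    "Cache-Control": "no-cache",
}

# Constructed samples: the bot template with %s filled in, and an ordinary browser request.
BOT_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\n"
    "Accept-Language: zh-cn\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "If-Modified-Since: Sun, 26 Jun 2005 15:43:05 GMT\r\n"
    'If-None-Match: "60794-12b3-e4169440"\r\n'
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 1.0.3705)\r\n"
    "Host: www.victim.example\r\nConnection: Keep-Alive\r\n"
    "Pragma: no-cache\r\nCache-Control: no-cache\r\nRange: bytes=1-1\r\n\r\n"
)
BROWSER_REQUEST = (
    "GET /index.html HTTP/1.1\r\nHost: www.victim.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:3.0) Gecko/20080101 Firefox/3.0\r\n"
    "Accept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\n"
    "Cache-Control: max-age=0\r\nConnection: keep-alive\r\n\r\n"
)

def parse_headers(raw: str) -> dict:
    """Header name (lower-cased) -> value for one raw HTTP request."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def kernelbot_hits(raw: str) -> list:
    """Names of the static KernelBot headers present with exactly the bot's value."""
    h = parse_headers(raw)
    return [k for k, v in KERNELBOT_STATIC_HEADERS.items() if h.get(k.lower()) == v]

def is_kernelbot(raw: str, threshold: int = 4) -> bool:
    # A lone MSIE 6 UA or no-cache pragma is common; the fixed 2005 ETag/date pair
    # plus the one-byte Range alongside them is not, so require several hits.
    return len(kernelbot_hits(raw)) >= threshold
```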

Finally, as a “thumb in the eye” of every infected user, the bot disables AV updates the cheap way: it writes hosts file entries that point the AV vendors’ update and support sites at localhost. Not terribly complex.

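Checking for this hijack is as simple as the hijack itself: read the hosts file and report every name pinned to a loopback address that is not a loopback name. The script below is an added example, not the post's own code; its sample hosts file is constructed with .example names rather than the vendor list the bot writes.

```python
import ipaddress
import os
import sys

# Constructed sample (not the list from the post) in the style of what the bot
# writes: vendor update sites redirected to loopback, mixed with legitimate lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example
127.0.0.1       download.av-vendor.example   # trailing comment
127.0.0.1       forum.av-vendor.example www.other-av.example
10.0.0.5        intranet.corp.example
"""

# Names that legitimately resolve to loopback in Windows and Unix hosts files.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                        "ip6-loopback", "broadcasthost"}

def parse_hosts(text: str):
    """Yield (ip_address, hostname) pairs, ignoring comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address
        for name in fields[1:]:
            yield addr, name.lower()

def hijacked_names(text: str) -> list:
    """Hostnames pinned to a loopback address that are not loopback names."""
    return sorted({name for addr, name in parse_hosts(text)
                   if addr.is_loopback and name not in LEGIT_LOOPBACK_NAMES})

def system_hosts_path() -> str:
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

if __name__ == "__main__":
    with open(system_hosts_path(), encoding="utf-8", errors="replace") as fh:
        for name in hijacked_names(fh.read()):
            print("hosts file pins", name, "to loopback")
```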
Comment Post by: BelchSpeak » Post Topic » The MS08-067 Vul Goes Wormy — November 3rd, 2008 @ 11:23 pm EST

[...] He said: Earlier today we were informed about a bot that we’ve seen before, KernelBot, being dropped by an exploit tool for MS08-067. The exploit code is “67.exe”, and the bot itself is “6767.exe”. KernelBot is a Chinese origin DDoS bot run by someone we think uses the handle IceKernel; he even names his project KernelBot. We first became aware of this bot during the CNN.Com attacks earlier this year; some researchers we were working with brought it to our attention. Since then we’ve been watching this guy’s activities and seen a handful of DDoS targets, but most of them are Baidu. It’s nice to see most of the AV vendors have finally caught up and added detection. [...]

Comment Post by: technichristian.net » Blog Archive » MS08-067 Used to Drop DDoS Bots — November 4th, 2008 @ 12:20 pm EST

[...] about a bot that we’ve seen before, KernelBot, being dropped by an exploit tool for MS08-067. The exploit code is “67.exe”, and the bot itself is “6767.exe”. KernelBot is a Chinese origin DDoS bot run by someone we think uses the handle IceKernel; he even [...]

Comment Post by: xeraph — November 5th, 2008 @ 4:11 am EST

What is IceKernel? I googled a lot of pages but couldn’t find it.

Comment Post by: Arriva il Worm | PillolHacking.Net — November 6th, 2008 @ 5:45 am EST

[...] an exploit and a Metasploit module; then the exploit was used as a vector for spreading botnets. Finally came Wecorl, a worm discovered on November 2 that Symantec considers of low [...]

Comment Post by: Solera Networks Blog » Negative Day Threat Detection — November 6th, 2008 @ 6:48 pm EST

[...] days later, failures to patch leave systems vulnerable, and allow attackers to devise even more methods of concomitant [...]

Comment Post by: Botnets: Keep computers up to date or else | Network Administrator | TechRepublic.com — November 11th, 2008 @ 3:15 pm EST

[...] trojan worms in the wild that are exploiting the MS08-067 vulnerability, one is ironically called 67.exe (dropper) and the bot code is 6767.exe (rootkit). The bot is familiar to experts. Affectionately [...]

Comment Post by: Network Security Blog — November 14th, 2008 @ 4:19 pm EST

[...] vulnerability could be exploited. This week, there are now reports of attacks in the wild. One report claims that the MS08-067 flaws are being exploited to drop a DDoS (Distributed Denial-of-Service) bot [...]

Comment Post by: Company - News - Solera Networks™ — August 15th, 2009 @ 3:45 pm EST

[...] days later, failures to patch leave systems vulnerable, and allow attackers to devise even more methods of concomitant [...]