JKDDOS: DDoS bot with an interest in the mining industry?
by Jeff Edwards
Today we document JKDDOS, the moniker we have been using for yet another malware family that specializes in DDoS attacks. Looking back through our malware zoo, we observed our first JKDDOS sample as early as September 2009. Since then, we have analyzed almost 50 unique JKDDOS samples, the most recent of which we acquired in December 2010. Based on its recent history of attacks, the operators of this family appear to have an axe to grind against several relatively large international holding companies that have connections to the mining industry.
Malcode Properties
The JKDDOS malware is distributed in the form of a relatively small executable that tends to vary widely in size across different samples; we have seen specimens as small as 17,408 bytes and as large as 240,997 bytes. The most common size for a JKDDOS sample is approximately 33.5 KB; recently, the JKDDOS samples we have analyzed have usually been packed whereas earlier samples were not.
Example MD5 hashes for the JKDDOS samples we have analyzed to date are as follows:
Most of the JKDDOS samples we have observed were originally distributed from Chinese IP space, although at least one was being hosted in the United States; here are some representative sample URLs (defanged) that have recently hosted JKDDOS executables:
hxxp://116.236.136.108:8080/500.exe hxxp://aee11.cn/down/ddos.exe hxxp://8.dnfcity.org:889/xz/desyms.exe hxxp://x9.lajiliang.info:88/1691.exe hxxp://1831.3322.org:111/wm.exe hxxp://8.5295sf.cn/cl.exe hxxp://avzhan.3322.org:81/b.exe
At the time of writing, none of the above URLs are still serving JKDDOS malware, although we are aware of at least one JKDDOS distribution URL that is still live.
Note that the avzhan.3322.org distribution server is quite similar to two host names used as distribution servers for the Avzhan DDoS family: avzhan1.3322.org and avzhan2.3322.org.
Here is a representative sampling of net blocks that have distributed JKDDOS malware:
IP Address       Port  CC  ASN   NetName
116.236.136.108  8080  CN  4812  CHINANET SHANGHAI PROVINCE NETWORK
61.147.120.135   81    CN  4134  CHINANET JIANGSU PROVINCE NETWORK
61.147.72.58     111   CN  4134  CHINANET JIANGSU PROVINCE NETWORK
Installation
Once launched, a JKDDOS bot performs a fairly standard installation process. It copies itself into the C:\Windows\System32 directory. In an attempt to be stealthy, it will sometimes name the installed copy of itself so as to appear to be a legitimate system file; the installation names we have observed include:
cyindun.exe ifzai.exe iozaq.exe otalulsxs.exe panp.exe qrhqi.exe scvhosts.exe slsno.exe smssv.exe svchsot.exe szace.exe ubadabi.exe wsmiuqsxf.exe
JKDDOS will then register itself to run as a service that is automatically started upon reboot. Most commonly, the name of this fake service is derived from the name under which the JKDDOS bot installs itself; however, this is not always the case. Service names we have observed include the following:
KKCC VMservices cyindun ewdew ifzai iozaq otalulsxs panp scvhosts slsno smssv.exe szace wsfsdfa60 wsmiuqsxf
The display name of the installed service will usually be identical to the name of the service, although some JKDDOS samples have configured the service with a different display name, such as the following:
bbs.jksing.com The Net Share wyeesfd60 mseir
The JKDDOS bot will also insert a Registry entry, with value “Beizhu” holding data “JK”, under the following key:
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\Set
Communication Protocol
Upon completion of its installation procedure, the JKDDOS bot will phone home to its CnC server by opening a TCP socket and sending a binary block of data exactly 497 bytes in length. This block of data reports information about the infected host, including the version of Windows, the measured clock speed of the CPU, the model of CPU, the name of the infected computer (as returned by the Win32 API GetComputerName), and the amount of physical memory installed on the host.
The format of this data is a rigid structure that contains specific fields at certain byte offsets as follows:
Offset  Size  Contents
0       4     Always 0x10000000
4       16    OS version; one of "Windows XP", "Windows 2000", or "Windows 2003"
34      10    Measured CPU speed, in the format "%dMHz"
64      8     MB of physical RAM, in the format "%d(M)"
94      10    Name of the infected host, from GetComputerName()
208     66    CPU model name
394     2     The string "JK"
These values are transmitted in plain, non-obfuscated form and, with the exception of the initial 4-byte “header” value, are all in the form of NULL-terminated ASCII strings. Here is a representative example of a JKDDOS bot-to-CnC message:
00000000 10 00 00 00 57 69 6e 64 6f 77 73 20 58 50 00 00 ....Wind ows XP..
00000010 00 00 00 00 88 f7 8f 00 a8 72 02 20 04 00 00 00 ........ .r. ....
00000020 00 00 33 33 38 36 4d 68 7a 00 00 00 04 00 00 00 ..3386Mh z.......
00000030 b0 f7 8f 00 42 78 02 20 00 00 70 00 70 a4 04 20 ....Bx. ..p.p..
00000040 32 35 36 28 4d 29 00 00 74 35 00 00 98 7b 6b 00 256(M).. t5...{k.
00000050 dc f7 8f 00 e1 29 00 20 09 2a 00 20 30 a4 56 49 .....). .*. 0.VI
00000060 43 54 49 4d 00 00 00 00 48 32 00 00 5f 9b 80 7c CTIM.... H2.._..|
00000070 c4 7e 6b 00 c4 7e 6b 00 98 7b 6b 00 00 00 00 00 .~k..~k. .{k.....
00000080 9c 7b 6b 00 00 f8 8f 00 6e 2d 00 20 96 31 00 20 .{k..... n-. .1.
00000090 c0 14 40 00 00 00 00 00 85 33 00 20 d9 4b 02 20 ..@..... .3. .K.
000000A0 28 f8 8f 01 9c 7b 6b 00 28 f8 8f 00 fd 61 04 20 (....{k. (....a.
000000B0 94 0e 60 00 05 62 04 20 c0 14 40 00 ff ff ff ff ..`..b. ..@.....
000000C0 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 ..
000000D0 20 20 20 20 49 6e 74 65 6c 28 52 29 20 58 65 6f Inte l(R) Xeo
000000E0 6e 28 54 4d 29 20 43 50 55 20 33 2e 30 36 47 48 n(TM) CP U 3.06GH
000000F0 7a 00 6d 00 80 f8 8f 00 e1 29 00 20 09 2a 00 20 z.m..... .). .*.
00000100 30 a4 04 20 11 2a 00 20 18 00 00 00 84 f8 8f 00 0.. .*. ........
00000110 9d ad 02 20 00 00 00 00 c8 46 6d 00 b0 46 6d 00 ... .... .Fm..Fm.
00000120 00 00 00 00 b4 46 6d 00 b8 f8 8f 00 6e 2d 00 20 .....Fm. ....n-.
00000130 c9 3e 00 20 a4 f8 8f 00 52 96 02 20 5a 96 02 20 .>. .... R.. Z..
00000140 00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 ........ ........
00000150 9c 7b 6b 00 32 37 00 01 00 00 40 00 c0 14 40 00 .{k.27.. ..@...@.
00000160 20 f9 8f 00 db 96 02 20 00 00 00 00 00 00 00 00 ...... ........
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000180 5f 06 00 00 00 00 00 00 3d 93 4a 4b 00 00 00 00 _....... =.JK....
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001A0 80 05 00 00 01 bb 02 20 07 bb 02 20 00 00 00 00 ....... ... ....
000001B0 dc ff 8f 00 f3 96 02 20 fb 96 02 20 0a 00 00 01 ....... ... ....
000001C0 00 00 40 00 70 f9 8f 00 70 f9 8f 00 42 bb 02 20 ..@.p... p...B..
000001D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000001E0 00 00 00 00 06 5f 00 00 00 00 00 00 3d 93 78 87 ....._.. ....=.x.
000001F0 20
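To make the layout concrete from the defender's side, here is an added example (ours, not Arbor's tooling) in Python that validates and decodes a 497-byte check-in using the offsets in the table above. The message it parses is constructed in the script rather than taken from a capture, and the header check uses the byte sequence 10 00 00 00 visible at offset 0 of the dump.

```python
from typing import Dict, Optional

CHECKIN_LEN = 497                 # the phone-home message is always 497 bytes long
HEADER = b"\x10\x00\x00\x00"      # byte sequence seen at offset 0 of the dump above

# Field layout from the offset table: (name, offset, size); each is a NUL-terminated ASCII string.
FIELDS = [
    ("os_version", 4, 16),
    ("cpu_speed", 34, 10),
    ("ram_mb", 64, 8),
    ("hostname", 94, 10),
    ("cpu_model", 208, 66),
    ("tag", 394, 2),
]
OS_VALUES = {"Windows XP", "Windows 2000", "Windows 2003"}


def _cstr(buf: bytes) -> str:
    """Decode up to the first NUL; bytes after it are uninitialised padding, not data."""
    return buf.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_checkin(msg: bytes) -> Optional[Dict[str, str]]:
    """Return the decoded fields, or None if msg does not fit the JKDDOS check-in layout."""
    if len(msg) != CHECKIN_LEN or msg[:4] != HEADER or msg[394:396] != b"JK":
        return None
    fields = {name: _cstr(msg[off:off + size]) for name, off, size in FIELDS}
    if fields["os_version"] not in OS_VALUES:
        return None  # the three known values are the ones listed in the table above
    return fields


def build_sample(os_version: str, cpu_speed: str, ram_mb: str,
                 hostname: str, cpu_model: str) -> bytes:
    """Lay out a message with the same offsets; used only to make a constructed sample."""
    buf = bytearray(CHECKIN_LEN)
    buf[0:4] = HEADER
    values = {"os_version": os_version, "cpu_speed": cpu_speed, "ram_mb": ram_mb,
              "hostname": hostname, "cpu_model": cpu_model, "tag": "JK"}
    for name, off, size in FIELDS:
        data = values[name].encode("ascii")[:size]
        buf[off:off + len(data)] = data
    return bytes(buf)


# Constructed sample, not a captured message; the values mirror those visible in the dump.
SAMPLE = build_sample("Windows XP", "3386Mhz", "256(M)", "VICTIM",
                      "Intel(R) Xeon(TM) CPU 3.06GHz")

if __name__ == "__main__":
    print(parse_checkin(SAMPLE))
    print(parse_checkin(SAMPLE[:-1]))  # wrong length, rejected
```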
Upon receipt of the “phone home” message, the CnC will respond with a 1384-byte structured response that contains instructions for attacks or other operations. These instructions are represented as a concatenated string of one or more command codes starting at byte offset 0x08 in the CnC response.
The command codes supported by JKDDOS include the following:
RMH: Uninstall the bot by deleting the Windows Service under which the malware was installed.
DDDON: Download and execute a specified URL.
OOOPN: Execute a particular command via the ShellExecute() API call.
CCCOS: Shutdown and power off the infected host.
RRRST: Reboot the infected host.
UDB, UDX, UDH, ZDU: Perform various types of UDP flooding attacks.
MNI: Perform an HTTP flood attack using the WinInet library.
CLC: Perform an HTTP flood attack using lower-level WinSock2 API calls (e.g., socket(), connect(), etc.).
SNH, TFN: Perform two types of SYN flooding attacks using spoofed source IP addresses.
TCC, ISC: Perform two types of TCP connection exhaustion attacks.
TCH, SFG, ZDT: Perform various types of TCP flooding attacks.
IPH, IPR, IPQ: Perform various types of ICMP flooding attacks.
STPP: Stop all DDoS attacks currently in progress.
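An added example (not code from the original post) that decodes the command string of a CnC response into the codes listed above, as a botnet tracker or sandbox would when logging what a bot was told to do. It assumes the command string is NUL-terminated, which the write-up does not state, and the 1384-byte responses it parses are constructed in the script rather than captured.

```python
from typing import List, Tuple

# Command codes from the list above, grouped by what they make the bot do.
CONTROL = {"RMH": "uninstall", "DDDON": "download-execute", "OOOPN": "shell-execute",
           "CCCOS": "shutdown", "RRRST": "reboot", "STPP": "stop-attacks"}
FLOOD = {"UDB": "udp-flood", "UDX": "udp-flood", "UDH": "udp-flood", "ZDU": "udp-flood",
         "MNI": "http-flood-wininet", "CLC": "http-flood-winsock",
         "SNH": "syn-flood-spoofed", "TFN": "syn-flood-spoofed",
         "TCC": "tcp-connect-exhaustion", "ISC": "tcp-connect-exhaustion",
         "TCH": "tcp-flood", "SFG": "tcp-flood", "ZDT": "tcp-flood",
         "IPH": "icmp-flood", "IPR": "icmp-flood", "IPQ": "icmp-flood"}
CODES = {**CONTROL, **FLOOD}
RESPONSE_LEN = 1384   # CnC response size stated above
CMD_OFFSET = 8        # command string starts at byte 0x08 of the response


def tokenize_commands(response: bytes) -> List[Tuple[str, str]]:
    """Split the concatenated command string into (code, meaning) pairs.

    Assumption not stated in the write-up: the string ends at the first NUL byte.
    No code is a prefix of another, so trying lengths 3, 4 and 5 at each position
    is unambiguous; an unrecognised remainder is returned as ("?", text), not dropped.
    """
    if len(response) != RESPONSE_LEN:
        return []
    text = response[CMD_OFFSET:].split(b"\x00", 1)[0].decode("ascii", errors="replace")
    out: List[Tuple[str, str]] = []
    i = 0
    while i < len(text):
        for n in (3, 4, 5):
            code = text[i:i + n]
            if code in CODES:
                out.append((code, CODES[code]))
                i += n
                break
        else:
            out.append(("?", text[i:]))
            break
    return out


def _constructed_response(cmds: bytes) -> bytes:
    """Zero-filled 1384-byte buffer with cmds at offset 8; a constructed sample, not a capture."""
    return b"\x00" * CMD_OFFSET + cmds + b"\x00" * (RESPONSE_LEN - CMD_OFFSET - len(cmds))


SAMPLE_ATTACK = _constructed_response(b"IPHUDH")   # the combined ICMP+UDP flood described below
SAMPLE_STOP = _constructed_response(b"STPP")

if __name__ == "__main__":
    print(tokenize_commands(SAMPLE_ATTACK))  # [('IPH', 'icmp-flood'), ('UDH', 'udp-flood')]
    print(tokenize_commands(SAMPLE_STOP))
```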
Example Attack Traffic
As described above, the JKDDOS attack engine contains support for 16 different varieties of DDoS attacks. Here are more detailed descriptions of two of the supported attacks:
IPH Attack: The JKDDOS bot will flood the target with large numbers of ICMP echo request packets. Each ICMP payload will contain 31 bytes of data, which consists of four random bytes (different for each packet) followed by 27 bytes with a fixed value (same for all packets). The ICMP checksums for these packets are correct, unlike ICMP flood packets generated by other Chinese DDoS agents such as YoyoDDoS. In our observations of actual attacks, JKDDOS malware sends this ICMP traffic at rates of between approximately 230 and 435 packets per second.
UDH Attack: The JKDDOS bot will flood the target with large numbers of UDP datagrams. Each UDP datagram will contain a data payload exactly 1035 bytes in size, with each byte holding an identical value that remains constant across all packets. In the case of a combined ICMP and UDP flood (e.g., attack code “IPHUDH”), this byte value will be the same for both the UDP and ICMP data payloads. In our observations of actual attacks, JKDDOS malware sends this UDP traffic at rates between approximately 200 and 540 packets per second.
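The two payload patterns above are specific enough to match on the wire. The following added example (ours, not the original post's) flags a burst of packets from one source that fits the IPH and UDH patterns and reports whether the two floods share a fill byte, as in the combined IPHUDH case. The packet burst is constructed in the script rather than captured, and per-second rates are reported rather than thresholded, since the figures above are observations, not limits.

```python
from typing import Dict, List, Optional, Tuple

ICMP_PAYLOAD = 31    # IPH: 4 varying bytes followed by 27 bytes of one fixed value
UDP_PAYLOAD = 1035   # UDH: every byte the same value, constant across the flood

Packet = Tuple[str, bytes]   # ("icmp" or "udp", transport payload)

def icmp_flood_fill(payloads: List[bytes]) -> Optional[int]:
    """Return the fixed fill byte if the burst fits the IPH pattern, else None."""
    if len(payloads) < 2 or any(len(p) != ICMP_PAYLOAD for p in payloads):
        return None
    heads = {p[:4] for p in payloads}
    tails = {p[4:] for p in payloads}
    if len(heads) < 2 or len(tails) != 1:   # heads vary per packet, tail is constant
        return None
    tail = tails.pop()
    return tail[0] if tail == bytes([tail[0]]) * 27 else None

def udp_flood_fill(payloads: List[bytes]) -> Optional[int]:
    """Return the fill byte if every datagram is 1035 copies of one value, else None."""
    if not payloads or any(len(p) != UDP_PAYLOAD for p in payloads):
        return None
    fills = {p[0] for p in payloads}
    if len(fills) != 1:
        return None
    fill = fills.pop()
    return fill if all(p == bytes([fill]) * UDP_PAYLOAD for p in payloads) else None

def classify_burst(packets: List[Packet], duration_s: float) -> Dict[str, object]:
    """Summarise a burst from one source: per-protocol rate and which patterns match."""
    by_proto: Dict[str, List[bytes]] = {"icmp": [], "udp": []}
    for proto, payload in packets:
        by_proto.setdefault(proto, []).append(payload)
    icmp_fill = icmp_flood_fill(by_proto["icmp"])
    udp_fill = udp_flood_fill(by_proto["udp"])
    return {
        "icmp_pps": round(len(by_proto["icmp"]) / duration_s),
        "udp_pps": round(len(by_proto["udp"]) / duration_s),
        "iph": icmp_fill is not None,
        "udh": udp_fill is not None,
        # IPHUDH: both floods present and sharing one fill byte
        "combined": icmp_fill is not None and icmp_fill == udp_fill,
    }

def constructed_burst(fill: int = 0x41) -> List[Packet]:
    """Constructed one-second burst (not a capture): 300 ICMP and 250 UDP packets."""
    icmp = [("icmp", i.to_bytes(4, "big") + bytes([fill]) * 27) for i in range(300)]
    udp = [("udp", bytes([fill]) * UDP_PAYLOAD) for _ in range(250)]
    return icmp + udp

if __name__ == "__main__":
    print(classify_burst(constructed_burst(), duration_s=1.0))
```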
Control Servers
To date, we have identified at least 19 unique JKDDOS CnC servers. All but one of these CnC IP addresses reside in Chinese IP space:
JKDDOS bots have the identity of their CnC hard-coded within their executable in obfuscated form; as is common, these CnCs are identified by host name rather than raw IP address. The majority of JKDDOS CnC host names reside within the 3322.org and 2288.org domains, large Chinese providers of dynamic DNS services:
We have observed JKDDOS CnC servers operating on a variety of ports, usually in the 1100-1999 or 3300-3399 ranges:
1130 1234 1631 1633 1670 1671 1690 1691 1695 1868 1980 1986 3335 3344
Victims
We have been tracking various JKDDOS-based botnets for several months using our usual technique of periodically connecting to known CnCs and sending 497-byte messages that imitate particular JKDDOS specimens that have been captured and analyzed. During this period of time, we have observed JKDDOS botnets issue DDoS attack commands against approximately 78 unique victims in China (40), the United States (31), Hong Kong (5), and Singapore (2). The victims have been distributed across networks as follows:
The list of victims has included the usual gaming sites and online stores. However, JKDDOS is somewhat unusual in that it has a tendency to attack large holding companies and investment firms, especially those involved in the mining industry.
As an example, one large, well-known investment company based in New York City was attacked by a JKDDOS botnet on six separate occasions during the 10-day period starting on October 21, 2010, with the shortest and longest attacks lasting approximately 3 and 33 hours, respectively.
Three different victims have some connection to the gold mining industry, and one victim was a manganese miner. The European website of the most commonly attacked victim describes itself as a “major corporate shareholder” of various gold mining operations. It was attacked no less than 16 times during the last month, including at least once a day during the period from October 22 through October 29. These daily attacks typically started around 6 am or so (London time) and lasted until about 4 or 5 pm.
We’ve also observed a JKDDOS botnet attack on November 3, 2010 against a corporate holding company that invests in major wineries.
The longest sustained JKDDOS attack that we have observed recently lasted approximately 72 hours, and was directed against a Chinese discussion forum site. All of the JKDDOS attacks we have tracked recently were perpetrated by the following seven Chinese-based CnC servers:
CnC IP Address   CC  ASN   NetName
117.40.137.170   CN  4134  CHINANET JIANGXI PROVINCE NETWORK
121.11.81.56     CN  4134  SHANTOUSHIJINSHADONGLUJINLONGDASHABDONG12A
123.183.212.240  CN  4134  CHINANET HEBEI PROVINCE NETWORK
124.237.77.210   CN  4134  THE YANDA ZHENGYANG ELECTRON LTD. OF QINHUANGDAO
124.237.78.106   CN  4134  THE YANDA ZHENGYANG ELECTRON LTD. OF QINHUANGDAO
125.91.10.117    CN  4134  SHANTOUSHILONGHUQUHUAMEIZHUANGHUAMEIHUAYUANDI9ZUO601HAOFANG
61.147.120.135   CN  4134  CHINANET JIANGSU PROVINCE NETWORK
A/V Detections
Overall, anti-virus detection of JKDDOS bots is reasonably good. Detection rates for the specimens we have analyzed are typically in the 70%-93% range, although the detections are usually generic in nature. Here are some representative detections, which tend to be all over the map:
Vendor       Detection
DrWeb        DDoS.Attack.230
Avast        Win32:Rincux-D
JiangMin     Backdoor/Wanmei.dd
F-Secure     Backdoor.Win32.Hupigon.hbtu
nProtect     Backdoor/W32.Hupigon.24064.N
Ikarus       Trojan-Downloader.Win32.Apher
Norman       W32/Redosdru.LS
Kaspersky    Trojan-Downloader.Win32.Apher.gzh
PCTools      Trojan-Downloader.Murlo.djw
VirusBuster  Trojan.DL.Murlo.BQR
Summary
From a technical point of view, the JKDDOS family appears quite unremarkable and shares many characteristics common to other Chinese DDoS malware such as YoyoDDoS, Avzhan, Chcod, and Darkshell. However, its choice of large corporate investment groups and mining-related interests as targets makes it a bit more interesting than some of the other DDoS-focused botnets we often see.
Source: Arbor Networks Security