Defying the Madness: DDoS Bot Evaluation

March 30, 2016 • Levi Gundert

Recorded Future Entity Alert

On March 28, 2016 we received a strategic Recorded Future alert for a distributed denial of service (DDoS) entity identified in a criminal forum.

DDoS Alert

Over seven unique mentions in the past 24 hours means that this new reference to the DDoS entity is attracting notice, and because these specific alerts are configured only for contextually malicious Web sources, it’s likely to be a reference from a threat actor. Additionally, the Madness DDoS crimeware is at least four years old, thus this may be a repackaging of an older version or it may be legitimately updated with new features.

Assessing the impact of a crimeware tool with new features and/or a change in status from privately held to publicly available is a strategic threat intelligence activity. Denial of service is a directly applicable threat topic for all businesses and governments, regardless of industry vertical. A relevant analysis focuses on new bot functionality, a change in public accessibility, general author/user attribution, and new/improved security control rules to address the specific threat.

Additionally, the analysis should assess the likelihood of future impact. A public crimeware kit release is also a fantastic opportunity to test functionality and measure the efficacy of current security controls in a penetration testing/Red Team created scenario. Since threat actors seize on “freebie” opportunities, operational defenders should do the same to tangibly and measurably decrease operational risk.

Madness Bot Timeline

A visit to the Web source referenced in the Recorded Future alert confirms that this DDoS entity reference is in fact the announcement of an updated Madness version, specifically version 3.0.1. The release features (translated from Russian) appear below:

Madness Version 3.0.1

Fortunately the forum post author — “Admin” — links to the alleged malware suite hosted by Yandex.

A PHP control panel directory (mad) and a builder executable (madbuilder.exe) are contained in the downloaded archive — 66209_release.rar (password “hh” is required to extract it). The following is a strategic analysis of this Madness v3.0.1 release, the alleged authors, indicators of compromise (IOCs), and historical security control rules.

Web Server Control Panel

The mad directory contains a number of typical HTML, CSS, and PHP files designed to provide the botnet operator with a pleasant control panel experience once the files are uploaded to a live Web server. When the Madness bot is installed on victim computers it will communicate with the pre-configured Web server and the control panel will display the number of victim installations, country of origin, and additional victim metadata. The botnet operator will issue DDoS commands that victims’ computers will execute, participating in a distributed denial of service attack against the botnet operator’s target of choice.

The installation guide walks threat actors through the installation process, which typically relies on LAMP (Linux, Apache, MySQL, PHP), and the author expects basic knowledge of Linux navigation and MySQL database creation.

Madness Version 3.0.1 Installation

The config.php files contain multiple user-defined variables which are passed to additional PHP files.

Madness Version 3.0.1 Configuration

The correct database values are necessary for a properly functioning control panel. This version of Madness was apparently released on November 15, 2015.

One interesting file included in the mad directory is “logo.gif,” which is a small image that appears to be the logo for “intellect design.” A Google Image Search returns results for five domains where the image is located including: koval503.prv[.]pl, antvz.ts9[.]ru, kova.cba[.]pl, cvn6[.]tk/panel/, and megaxaker[.]ru. Perhaps the company was hired to build the frontend design theme and graphics for the Madness control panel, or perhaps the authors included the image logo for other unknown reasons.

Intellect Design

Intellect Design

megaxaker[.]ru

Executable — madbuilder.exe SHA256: 93d240ef7d1b4cd4648f2f436846c2845fd31e1476f8ac56ae10ae8a3dfa1796

Even though the executable is unpacked, a Jotti scan reveals only six out of 19 anti-virus engines detect the file as malicious, with “trojan” being the only common definition label between the six companies that did detect the file as malicious.

Jotti Scan

Team Cymru’s malware intelligence platform identified two additional samples from 2016 that carry matching AV verdicts — win32.hllw.autoruner2.22958 and deepscan:generic.malware.fp!dldpk!.68e4aeff. The associated metadata from Team Cymru’s runtime analysis is included below in the IOC section.

One of the samples initiates HTTP POST traffic to r-ai.ru using the same URI structure as contained in the Madness PHP control panel directory structure. FarSight Security’s passive DNS (pDNS – DNSDB) data provides multiple A record and authoritative nameserver (NS) changes over the past two years for the r-ai.ru domain (listed in the IOC section). Domain Tools reports 304 additional websites hosted on the same server (185.42.12.11 – AS56784 MULTIHOST, Moscow). Recorded Future IP address summarizations and risk scores are also included below in the IOC section.

Running strings on madbuilder.exe produces the URI structure for the bot to use when communicating with the pre-configured command and control (C2) server, including index.php, lib/md.sys, and lib/bs.sys which, of course, matches the structure of the Madness PHP control panel.

Strings HTTP POST
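The URI layout recovered above (index.php plus the lib/*.sys files, all reached via HTTP POST) is a usable network indicator even when the C2 host changes. The following is an added example, written for this post and not part of the Madness kit or of Recorded Future's tooling: it sweeps a proxy log for POSTs to that layout and reports the hosts involved. The path names come from the strings output and the IOC list; the log format and every log line are constructed for illustration, and the file name lib/mb.sys is taken from the r-ai.ru URI list rather than from the strings output.

```python
"""Flag hosts contacted through the Madness panel's URI layout in proxy logs.

Added example (not from the article or the Madness kit): the path names
come from the article's strings output and IOC list; the log format and
every log line below are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Files under lib/ that the bot POSTs to, per the strings in madbuilder.exe
# (md.sys, bs.sys) and the r-ai.ru URI list in the IOC section (mb.sys).
PANEL_SYS_FILES = {"md.sys", "bs.sys", "mb.sys"}

# Constructed proxy log, one request per line: "epoch client method url status".
SAMPLE_LOG = """\
1459155000 10.0.0.15 POST http://r-ai.ru/pan/index.php 200
1459155002 10.0.0.15 POST http://r-ai.ru/pan/lib/md.sys 200
1459155004 10.0.0.15 POST http://r-ai.ru/pan/lib/bs.sys 200
1459155010 10.0.0.22 GET http://intranet.example/index.php 200
1459155012 10.0.0.22 POST http://intranet.example/index.php 302
1459155020 10.0.0.31 POST http://cdn.example/static/lib/md.sys 404
"""


def classify_path(path: str):
    """Map a URL path onto the panel component it matches, or None.

    index.php alone is far too common to alert on, so it is only reported
    as corroboration for a host that also received a POST to a lib/*.sys file.
    """
    parts = [p for p in path.split("/") if p]
    if len(parts) >= 2 and parts[-2] == "lib" and parts[-1] in PANEL_SYS_FILES:
        return "sys"
    if parts and parts[-1] == "index.php":
        return "index"
    return None


def scan_proxy_log(text: str) -> dict:
    """Return {host: {"components": [...], "clients": [...]}} for every host
    that received a POST to a panel .sys path.

    The HTTP status is ignored on purpose: an infected machine keeps beaconing
    to a panel that has since been taken down, so a 404 on lib/md.sys is as
    interesting to a responder as a 200.
    """
    components = defaultdict(set)
    clients = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, method, url, _status = fields[:5]
        if method != "POST":
            continue  # the sample's check-in traffic is HTTP POST per the strings output
        parsed = urlsplit(url)
        kind = classify_path(parsed.path)
        if kind is None or parsed.hostname is None:
            continue
        components[parsed.hostname].add(kind)
        clients[parsed.hostname].add(client)
    return {
        host: {"components": sorted(kinds), "clients": sorted(clients[host])}
        for host, kinds in components.items()
        if "sys" in kinds
    }


if __name__ == "__main__":
    for host, info in scan_proxy_log(SAMPLE_LOG).items():
        print(f"{host}: {info['components']} from {info['clients']}")
```

On the constructed log the intranet host is not reported (only index.php was posted to), while r-ai.ru is reported with both components and the CDN host is reported on the .sys path alone; the hosts in the result are the candidates to check against the IOC list and the pDNS history below.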

The base64 string “U09GVFdBUkVcTW” decodes to “SOFTWARE\MG.”

Additional strings reveal attribution for the current Madness version: “Reversed by abbat-v | Coded by hdsckr.”

Madness Strings Builder

Recorded Future provides quick historical background on these two actors including Pastebin posts that have since been deleted or removed. There’s evidence that both actors have previously been involved in malware propagation and PII (personally identifiable information) theft.

hdsckr References

abbat-v References

Cached Paste

Cached Paste

Conclusion

History has proven that advertising free crimeware is like chumming the water for sharks. The announcement of Madness DDoS bot version 3.0.1 on a criminal forum with corresponding free download is likely to entice threat actors into installing the control panel on a Web server and locally launching the builder (executable) to create a customized Madness DDoS bot.

To summarize, a relatively recent version of Madness produced by abbat-v and hdsckr was repackaged by “Admin” to empower (or potentially victimize, if the builder contains a hidden back door) the criminal masses. At least one live instance of the Madness botnet is operating on r-ai.ru based on a linked malware sample and identical Web server directory structure. If this version of the Madness control panel contains the same SQL injection (SQLi) vulnerability discovered by Cylance, then unsuspecting criminals may be in for a future surprise.

Collecting and analyzing the latest version of a crimeware kit is often useful to identify evolving patterns and behaviors in crimeware generation, dissemination, and ultimate use. The exercise is worthwhile particularly when the malware functionality is specifically designed to impact business operations, as is the case with denial of service attacks. Obtaining a copy of the crimeware kit and using it in penetration testing/Red Team scenarios is a valuable exercise for measuring the efficacy of current security controls.

Indicators of Compromise

Original Sample

Sample madbuilder.exe
SHA1 04b5357c18d9b848a8d0c39cc3d63df1ac4472ca
SHA256 93d240ef7d1b4cd4648f2f436846c2845fd31e1476f8ac56ae10ae8a3dfa1796

Team Cymru (Related Samples)

Sample win32.hllw.autoruner2.22958 / deepscan:generic.malware.fp!dldpk!.68e4aeff
SHA1 8533a9ce48eec7f685b3a63d9653315c998776fb
SHA256 8ffd47cb7bff596d8d86124c11c17fcb6de6e1f2109d7e28804a65ba31098b24
Host r-ai[.]ru (159.253.22.89 – s9ffd1659.fastvps-server.com, Estonia)
URI hxxp://r-ai.ru/pan/index.php, hxxp://r-ai.ru/pan/lib/md.sys, hxxp://r-ai.ru/pan/lib/mb.sys, hxxp://r-ai.ru/pan/lib/bs.sys
Sample win32.hllw.autoruner2.22958
SHA1 5d05298d965c8d41596c565257003f3ff440c40e
SHA256 19a50a767ed46617a5bd853c0be68a3beaf0f2516b1f0eb4be966a8bb0deeb65
Imphash a0075fd2df47db238dae681eabf40365 (16 related samples)
Packer MingWin32 GCC 3.x

FarSight Security

Historical A records (Epoch time notation) for r-ai.ru:

time_first: 1349727969 rrname: r-ai.ru. rdata: [62.109.30.161] time_last: 1383123524
time_first: 1328381127 rrname: r-ai.ru. rdata: [81.222.215.84] time_last: 1330968444
time_first: 1333680489 rrname: r-ai.ru. rdata: [87.242.73.219] time_last: 1333680489
time_first: 1448536914 rrname: r-ai.ru. rdata: [159.253.22.89] time_last: 1459155174
time_first: 1413819051 rrname: r-ai.ru. rdata: [178.208.83.43] time_last: 1432583311

Historical Authoritative Nameserver (NS) records for r-ai.ru:

time_first: 1328381884 rdata: [ns1-ns2.beget.ru.] time_last: 1330971868
time_first: 1413819051 rdata: [ns1-ns4.mchost.ru.] time_last: 1448022678
time_first: 1337341699 rdata: [ns1-ns2.serv10.ru.] time_last: 1337521619
time_first: 1347236060 rdata: [ns1-ns2.firstvds.ru.] time_last: 1388146575
time_first: 1448536914 rdata: [dns-dns4.fastdns24.com.] time_last: 1459155174
time_first: 1333680489 rdata: [ns1-ns2.expired.reg.ru.] time_last: 1333680489
time_first: 1328381127 rdata: [ns1-ns2.beget.ru.] time_last: 1330968444
time_first: 1422044822 rdata: [ns1-ns4.mchost.ru.] time_last: 1425137598
time_first: 1337341699 rdata: [ns1-ns2.serv10.ru.] time_last: 1337522779
time_first: 1388146575 rdata: [ns1-ns2.firstvds.ru.] time_last: 1388146575
time_first: 1448536914 rdata: [dns-dns4.fastdns24.com.] time_last: 1459155174
time_first: 1388146575 rdata: [ns1-ns2.firstvds.ru.] time_last: 1388146575
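The records above are in DNSDB's text export layout, with epoch timestamps and several exact duplicates. The following added example is my code, not FarSight's or Recorded Future's tooling: it parses these lines, drops the duplicates, converts the timestamps to UTC dates, and answers the question a responder actually asks of pDNS data, namely which A record was live when a given sample was observed. The record text is copied from this section; the default rrname supplied for the NS lines (which omit it) is an assumption.

```python
"""Parse DNSDB-style passive DNS lines and build a change timeline.

Added example (not FarSight's or Recorded Future's code). The record text
is copied from the article's FarSight Security section; the default rrname
for NS lines, which the export omits, is an assumption.
"""
import re
from datetime import datetime, timezone

A_RECORDS = """\
time_first: 1349727969 rrname: r-ai.ru. rdata: [62.109.30.161] time_last: 1383123524
time_first: 1328381127 rrname: r-ai.ru. rdata: [81.222.215.84] time_last: 1330968444
time_first: 1333680489 rrname: r-ai.ru. rdata: [87.242.73.219] time_last: 1333680489
time_first: 1448536914 rrname: r-ai.ru. rdata: [159.253.22.89] time_last: 1459155174
time_first: 1413819051 rrname: r-ai.ru. rdata: [178.208.83.43] time_last: 1432583311
"""

NS_RECORDS = """\
time_first: 1328381884 rdata: [ns1-ns2.beget.ru.] time_last: 1330971868
time_first: 1413819051 rdata: [ns1-ns4.mchost.ru.] time_last: 1448022678
time_first: 1337341699 rdata: [ns1-ns2.serv10.ru.] time_last: 1337521619
time_first: 1347236060 rdata: [ns1-ns2.firstvds.ru.] time_last: 1388146575
time_first: 1448536914 rdata: [dns-dns4.fastdns24.com.] time_last: 1459155174
time_first: 1333680489 rdata: [ns1-ns2.expired.reg.ru.] time_last: 1333680489
time_first: 1328381127 rdata: [ns1-ns2.beget.ru.] time_last: 1330968444
time_first: 1422044822 rdata: [ns1-ns4.mchost.ru.] time_last: 1425137598
time_first: 1337341699 rdata: [ns1-ns2.serv10.ru.] time_last: 1337522779
time_first: 1388146575 rdata: [ns1-ns2.firstvds.ru.] time_last: 1388146575
time_first: 1448536914 rdata: [dns-dns4.fastdns24.com.] time_last: 1459155174
time_first: 1388146575 rdata: [ns1-ns2.firstvds.ru.] time_last: 1388146575
"""

# rrname is optional because the NS export lines above do not carry it.
LINE_RE = re.compile(
    r"time_first:\s*(?P<first>\d+)\s+"
    r"(?:rrname:\s*(?P<rrname>\S+)\s+)?"
    r"rdata:\s*\[(?P<rdata>[^\]]+)\]\s+"
    r"time_last:\s*(?P<last>\d+)"
)


def epoch_to_date(ts: int) -> str:
    """Render an epoch timestamp as a UTC calendar date."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def parse_pdns(text: str, default_rrname: str = "r-ai.ru.") -> list:
    """Parse export lines into records, silently dropping exact duplicates."""
    records, seen = [], set()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # tolerate stray lines in a pasted export
        rec = {
            "rrname": m.group("rrname") or default_rrname,  # assumption for NS lines
            "rdata": m.group("rdata"),
            "first": int(m.group("first")),
            "last": int(m.group("last")),
        }
        key = (rec["rrname"], rec["rdata"], rec["first"], rec["last"])
        if key not in seen:
            seen.add(key)
            records.append(rec)
    return records


def timeline(records: list) -> list:
    """Order records by first observation and attach human-readable dates."""
    rows = []
    for rec in sorted(records, key=lambda r: (r["first"], r["last"], r["rdata"])):
        rows.append({
            "rdata": rec["rdata"],
            "first": epoch_to_date(rec["first"]),
            "last": epoch_to_date(rec["last"]),
            "days": (rec["last"] - rec["first"]) // 86400,  # observed window length
        })
    return rows


def active_at(records: list, ts: int) -> list:
    """rdata values whose observation window covers epoch ts (e.g. a sample's sighting)."""
    return sorted(r["rdata"] for r in records if r["first"] <= ts <= r["last"])


if __name__ == "__main__":
    for row in timeline(parse_pdns(A_RECORDS)):
        print(f"{row['first']}  {row['last']}  {row['days']:4d}d  {row['rdata']}")
    # Which A record was live when the last observation in the export was made?
    print(active_at(parse_pdns(A_RECORDS), 1459155174))
```

Run stand-alone, the timeline shows five distinct hosting periods for r-ai.ru between early 2012 and late March 2016, and the window lookup for the export's last observation returns 159.253.22.89, the same address Team Cymru tied to the 2016 sample in the IOC list above. The twelve NS lines reduce to ten distinct records once the two verbatim duplicates are dropped.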

Malwr 2015 sample linked via the string “apoKALiplis=uebok” here.

Recorded Future IP Address Summarizations and Risk Score

Recorded Future Intel Cards serve as a starting point for investigation or incident response. The following example is for IP address 62.109.30.161 which is one of the IOCs delivered by FarSight Security.

IP Address Intel Card for 62.109.30.161

Security Control Rules

Madness strings Yara Rule on GitHub here.

BAMF (Botnet Analysis Modular Framework) original Madness python module (2014) on GitHub here.

Updated BAMF Madness python module (2015) on GitHub here.