Digging Into the Nitol DDoS Botnet

Nitol is a distributed denial of service (DDoS) botnet that seems to be small and not widely known. It mostly operates in China. McAfee Labs recently analyzed a few samples; we offer here the communications protocol and the Trojan’s capabilities.

Most of the samples we encountered were not packed and were very easy to reverse engineer. The Trojan was written in Visual C++ either in a hurry or by an untrained programmer. We found a lot of bugs in the code.

Nitol copies itself to a random filename ******.exe (where every * is a randomized alphabet character) in the Program Files directory. The new file is registered as a service, “MSUpdqteeee,” with the display name “Microsoft Windows Uqdatehwh Service.”

Bot Activities

After installation, the malware connects to its command server (we found between one and three hardcoded addresses per sample) using a TCP socket and sends a digest of the victim’s computer information.

Both incoming and outgoing packets are 1082 bytes long (including TCP/IP headers, 1028 bytes of raw data) without regard to the actual size of the data.

The transmission to the server can be described by the following structure:

typedef struct _ComputerInfo{

DWORD Command;                 // Always “1″ Computer Info.

char LocaleLanguage[0x40];

char ComputerName[0x80];

char WindowsVersion[0x40];

char PhysicalMemorySize[0x20];

char CPU_Speed[0x20];

char Ndis_Version[0x20];

}ComputerInfo;

It appears this information is used mainly to get an estimation of the botnet’s power and diversity. The data can be used to decide what type of DDoS tasks to give this specific bot. However, this is not enough information for the server to decide whether the bot is running on a virtual machine or is being debugged.

After receiving the information, the command server usually returns a command and parameters.

Possible commands:

enum commands{

GenericFlood = 2,

HTTPFlood = 3,

RawDataFlood = 4,

StopRunning = 5,

UninstallAndDie = 6,

DownloadFileFromUrlExecUrl = 16,  // ?!?!?!?

DownloadFileFromUrlExecFile = 17,

UpdateBot = 18,

ExecuteIE_NoWindow = 19,

ExecuteIE_ShowWindow = 20

}

 

DDos Attacks

In the preceding group of commands, the DDoS functionality is represented by GenericFlood, HTTPFlood, and RawDataFlood.

Each of the flood commands implements several other commands:

Here we have command number 2–GenericFlood–followed by the GenericFloodData structure:

typedef struct _GenericFloodData{

char Address[0x80];                              // 0×00

DWORD NumberOfMinutesToRun;  // 0×84

DWORD NumberOfThreads;               // 0×88

DWORD Command;                              // 0x8C

}GenericFloodData;

enum GenericFloodCommands

{

send_Random_TCP_Data_Every_10_MS = 1,

Send_UDP_Packets_Every_20_MS = 2,

Send_ICMP_Packet_Sleep_Missing = 3,

Open_Socket_Every_500_MS = 4,

Send_UDP_Packets_Every_20_MS_Random_Source_Address_On_Server = 9,

Send_UDP_Packets_Every_20_MS_Random_Source_Address_On_Server_number_of_threads_plus_20 = 16,

Send_UDP_Packets_Every_20_MS_Random_Source_Address_On_Server_number_of_threads_plus_20_no_Passthru = 17,

Send_TCP_Packets_Random_Source_Address_On_Server_number_of_threads_plus_20  = 18,

Send_TCP_Packets_HardCoded_Source_Address_On_Server_number_of_threads_plus_20  = 19,

Same_As_1_20_More_Threads_If_Client_64_If_Server = 20,

Send_UDP_Packets_Every_20_MS_Source_Address_On_Server_number_of_threads_plus_20  = 23,

Send_TCP_Packets_Every_10_MS_Source_Address_On_Server_number_of_threads_plus_20  = 24,

Open_Socket_Send_1000_TCP_Packets = 25,

Connect_Disconnect_loop = 32,

}

Next we have command number 3–HTTPFlood–followed by the HTTPFloodData structure:

typedef struct _HTTPFloodData{

char Address[0x80];                         // 0×000

char Path[0x80];                               // 0×080 // BUG!!! The second DWORD is also NumberOfMinutesToRun

unsigned short Port;                         // 0×100

unsigned short dummy;                   // 0×102

DWORD dummy1;                            // 0×104

DWORD NumberOfThreads;          // 0×108

DWORD IsDummyGetRequest;     // 0x10c

DWORD dummy2;                            // 0×110

DWORD Command;                          // 0×114

}HTTPFloodData;

enum HTTPFloodCommands

{

Get_Image_Every_50_MS = 5,

Get_HTML_Every_50_MS_OR_GET_WITH_IE = 6,  //BUG

Get_HTML_Every_10_MS = 7,

Get_Image_Every_5_MS = 8

}

None of the samples we ran returned the RawDataFloodData, so we don’t have a recording.

Command number 4–RawDataFlood–should be followed by the RawDataFloodData structure:

typedef struct _RawDataFloodData{

char Address[0x80];                     // 0×000

char Buf[0x208];                           // 0×080       // BUG!!! The second DWORD is also NumberOfMinutesToRun

DWORD NumberOfThreads;       // 0×288

DWORD Command;                      // 0x28C

}RawDataFloodData;

RawDataFlood takes two possible commands: SendUDPData and SendTCPData. To use SendUDPData you need to set the command parameter to 21, else SentTCPData will be used. Both commands interpret the Buf parameter as a null-terminated string.

We encountered two important bugs:

  • It looks like the function to stop the attack after a certain amount of minutes was designed to work with the GenericFlood command and only later was also used for the HTTP and RawData floods, so it uses unrelated data as the amount of time to wait in seconds (always using the DWORD at offset 0×84 from the start of the parameters structure).
  • The function in charge of getting the path to the Internet Explorer executable concatenates the string coming back from the GetWindowsDirectory function (usually c:\Windows) to “\Program Files\Internet Explorer\iexplore.exe,” which is normally not the path to the IE executable. The problem resides in the HTTPFlood’s command 6, which performs an infinite loop of running IE from that path.

The following recording shows the traffic of the ICMP attack.

The following recording shows the traffic of the UDP attack.

 

Other Commands

StopRunning: Stops current DDoS attacks

UninstallAndDie: Unregisters the service, runs another process to delete the file, and exits the current process

DownloadFileFromUrlExecUrl: Looks like another bug, downloads a file from a URL to a local temp file, then tries to execute the URL

DownloadFileFromUrlExecFile: Downloads a file from a URL to a local file (random name in %temp% “*****.exe”) and executes the file using WinExec API call

UpdateBot: Downloads a file from a URL to “%temp%\stf******.exe.” If download succeeds, deletes the service, executes the file, and exits. (The current version is not deleted from the disk.)

ExecuteIE_NoWindow: Executes Internet Explorer with command-line arguments supplied by the server, doesn’t show the IE window

ExecuteIE_ShowWindow: Executes Internet Explorer with command-line arguments supplied by the server, shows the IE window

 

Command Servers

We identified the following command server domain names:

zwx5060.3322.org: 121.235.113.52

guangkuo119.3322.org: 125.211.195.29. Targets some diet products hosted on godaddy.com

yezi999.3322.org: 125.211.195.29. Targets some diet products hosted in Hong Kong

kankan902.3322.org: 118.126.16.81

maple110.3322.org: 121.10.24.74

mybaccy.3322.org: 58.221.58.148. Targets a site in China

bcl5736120.3322.org: 121.12.172.67

ylddos.3322.org: 67.215.65.132. This American IP address is registered to opendns.com

xiong97.3322.org: 124.236.128.136

xinxin168.3322.org

sousou123.3322.org

maguss.3322.org

aisini1314.3322.org

fuck0313.6600.org

ksattack.6600.org: 116.255.180.34

fangqi.6600.org

xin9liao.gnway.net

fangqi.7766.org

1.ccddos.net: 182.16.1.42. Hong Kong

rvbwtbeitwjeitv.com: 50.62.3.118. American IP for godaddy.com

rterybrstutnrsbberve.com: 82.165.39.88. German IP for domain registered to a Russian individual

erwbtkidthetcwerc.com: 82.165.39.88

(All the nonspecified IP addresses are in China.)

As we can see, most of the hardcoded domain names are resolved by Chinese dynamic DNS services.

 

I would like to thank my colleagues Zheng Bu and Benjamin Cruz for their input.