SpyEye Botmasters Fight Back – Targeting Swiss Security Site’s SpyEye Tracker

The RSA FraudAction Research Lab recently discovered evidence of cybercriminal attempts to sabotage the Swiss white hat site, abuse.ch, through new plug-ins to the latest SpyEye Trojan variants found in the wild, SpyEye v. 1.3.10. This move is significant in that it shows how eager fraudsters are to damage the non-profit website’s availability and credibility. It is a sign of the apparent effectiveness of SpyEye Tracker, and that it represents more than just a thorn in the side of many Zeus- and SpyEye-toting botmasters.

RSA researchers have found proof that fraudsters are using a DDoS plug-in for the SpyEye Trojan designed to leverage botnets to knock out availability of abuse.ch. In addition, RSA FraudAction researchers found SpyEye config files into which legitimate website domains were deliberately inserted in an attempt to throw off the white hat site’s blocklists. We go into more detail on both of these plug-ins below.

Why abuse.ch is so Effective

The Swiss security site, abuse.ch, provides the general public with free feeds of known Zeus and SpyEye command & control (C&C) domains and IP addresses, called blocklists. To produce the blocklists, abuse.ch employs automated systems, called Trackers, which analyze various feeds and identify malicious C&C domains, IPs, and servers. These malicious communication points are updated on an ongoing basis to the organization’s blocklists, which are published on the Zeus Tracker and SpyEye Tracker subdomains: https://zeustracker.abuse.ch and https://spyeyetracker.abuse.ch.

Downloading these blocklists enables ISPs, corporate networks, and browser-developers, among others, to protect their users from the SpyEye Trojan. By blocking the Trojan’s numerous command & control points at the ISP, browser, or firewall level, users’ machines are unable to receive critical instructions that could transform them into zombie, PII-aggregating bots. Conversely, DDoSing SpyEye Tracker, and rendering it unable to operate, prevents the same service providers from being able to take precautionary action against SpyEye variants.

In essence, SpyEye botmasters are battling the non-profit website which threatens the very existence and effectiveness of their botnets. The two methodologies that fraudsters are using in an attempt to undermine abuse.ch are summarized below. Interested readers can also see more detailed technical descriptions in the Appendices at the end of this blog.

DDoS Plug-in within SpyEye Variants used to Target abuse.ch

The RSA FraudAction Research Lab recently traced a DDoS plug-in within variants of the SpyEye Trojan v.1.3.10 configured to attack abuse.ch (Figure 1). Specifically, the DDoS plug-in is configured to attack abuse.ch’s SpyEye Tracker subdomain, which is dedicated to tracking SpyEye command & control servers.

Figure 1: Latest SpyEye Variant’s Admin Panel (v. 1.3.10) with DDoS Plug-In (Source: RSA)

It is worth noting that more recent versions of SpyEye support the inclusion of separate modules, in the form of distinct DLLs. The Trojan’s builder is even sold with a Software Development Kit (SDK), to facilitate the development of new modules by individual botmasters. This enables cybercriminals to independently author various plug-ins, like the DDoS plug-in we traced, and include them in their own SpyEye variants.

The DDoS plug-in was discovered when decrypting a SpyEye variant’s configuration, which includes, among other files, one named ddos.dll.cfg. SpyEye’s DDoS plug-in is a third party extension to SpyEye [1], which enables performing DDoS operations on a target (or targets) of the botmaster’s choice.

For details on the plug-in’s file structure and workflow, see Appendix A below.

----------

[1] The plug-in is not sold as part of the original SpyEye kit; rather, it is sold separately by the cybercriminal that authored it, or an associate.

SpyEye Botmasters Insert Bogus Drops into Config Files

In addition to undermining the stability and availability of abuse.ch’s SpyEye Trackers by launching DDoS attacks, SpyEye botmasters are also attempting to undermine the credibility of the Swiss site’s SpyEye Trackers. Contamination of the configuration files is performed individually, by SpyEye botmasters, either before launching their SpyEye variant, or by updating their variant’s configuration file via its update (C&C) point after their attacks go live.

The FraudAction Research Lab recently uncovered this exact kind of contaminated configuration in variants of SpyEye version 1.3.10 (the latest SpyEye version seen to date). In addition to genuine SpyEye drop points, collectors.txt, the file used to configure the Trojan’s drop points, was found to contain legitimate domains, such as google.com, myspace.com, and vkontakte.ru (a popular Russian social network).

This means that all the credentials collected by the Trojan from SpyEye bots, including screenshots, username and password combinations, and stolen certificates and cookies, will be sent to port 443 of the legitimate websites, like the ones mentioned above.

When abuse.ch’s Trackers analyze SpyEye variants like the ones we traced, legitimate website domains will be classified as those variants’ communication points. These, in turn, will show up in the SpyEye Tracker blocklist, and serve to diminish its credibility. Figure 2 below illustrates this scenario.
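One way a blocklist maintainer or consumer could guard against this kind of poisoning is sketched below as an added example; it is not RSA's or abuse.ch's code. It assumes the drop points have already been extracted from collectors.txt as host or host:port strings, and the allowlist and sample entries are constructed for illustration.

```python
# Constructed allowlist for illustration; it holds the legitimate domains named above.
KNOWN_LEGITIMATE = {"google.com", "myspace.com", "vkontakte.ru"}

def normalize(entry):
    """Reduce 'scheme://Host:port/path' style entries to a bare lower-case host."""
    host = entry.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    if host.count(":") == 1:  # strip ':port' (bare IPv6 literals are left alone)
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def on_allowlist(host, allowlist):
    # Match on a label boundary: 'mail.google.com' matches 'google.com',
    # while 'google.com.bad-host.example' does not.
    return any(host == d or host.endswith("." + d) for d in allowlist)

def triage_drop_points(entries, allowlist=KNOWN_LEGITIMATE):
    """Split extracted drop points into (publish, hold_for_review), de-duplicated."""
    publish, hold = [], []
    for host in dict.fromkeys(normalize(e) for e in entries if e.strip()):
        # Allowlisted hosts are held for manual review rather than silently dropped.
        (hold if on_allowlist(host, allowlist) else publish).append(host)
    return publish, hold

# Constructed sample of extracted drop points (reserved example names and addresses).
SAMPLE_DROPS = [
    "google.com:443",
    "drop.bad-host.example:443",
    "MySpace.com",
    "https://mail.google.com/",
    "google.com.bad-host.example",
    "198.51.100.7:443",
    "google.com",
]

if __name__ == "__main__":
    publish, hold = triage_drop_points(SAMPLE_DROPS)
    print("publish:", publish)
    print("hold for review:", hold)
```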

Conclusion

Motivated to disrupt the effectiveness of the abuse.ch SpyEye and Zeus Tracker services, fraudsters are attempting to mount a counterattack against this bastion of white hat public services. If successful, these DDoS attacks and attempts to corrupt the data gathering of SpyEye Tracker would have a two-fold impact. The DDoS attacks hurt the website’s availability by clogging its bandwidth with junk web traffic. When coupled with data corruption, they could also render critical security information used by service providers, security researchers and the general public unavailable, tainted, or both.

Figure 2: Configuration File Poisoning (Source: RSA)


Appendix A – DDoS Attack Types supported by Plug-in

SpyEye’s DDoS plug-in supports the following types of DDoS attacks:

  • SYN Flood – The infected machine opens 100 concurrent TCP connections to a given host (such as https://spyeyetracker.abuse.ch) on a given port, waits 100 milliseconds, and then closes the connections.

Command Syntax:

ssyn target destination-port attack-time

where:

target: indicates the DDoS target. This parameter can either be an IP address or a Domain Name.

destination-port: indicates the TCP Port to flood.

attack-time: indicates the duration, in seconds, of the attack. The attack flow is repeated throughout the specified attack-time, so that the SpyEye bot repeatedly opens 100 connections, pauses for 100 milliseconds, and closes the connections.

  • UDP Flood – The infected machine opens 100 concurrent UDP connections to a given host, sends 6,500 bytes of random data through each UDP connection, waits 100 milliseconds and then closes the connections.

Command Syntax:

udp target destination-port attack-time

where:

target: indicates the DDoS target. This parameter can either be an IP address or a Domain Name.

destination-port: indicates the UDP port to flood. The caller can specify ‘0’ in this parameter to choose a random port.

attack-time: indicates the duration, in seconds, of the attack.

Note: The 6,500 bytes of random data are created once. This means that all the packets sent using this attack throughout the entire duration of the attack will be identical.

Note: In case the caller specifies ‘0’ as the destination-port, the DDoS plug-in chooses a random destination port. However, this port remains the same throughout the entire duration of the attack.

  • Slowloris Flood – The infected machine opens 50 concurrent TCP connections to a given host on port 80 (HTTP), and starts a custom-made Slowloris attack. In SpyEye’s case, the Slowloris attack does not consist of making connections to a targeted server that are kept open for an indefinite amount of time, but rather making connections whose duration is deliberately extended with various pauses, and eventually closing them. (For more details on the HTTP request sent by a SpyEye Slowloris attack, refer to Appendix B below.)

Command Syntax:

slowloris target attack-time

where:

target: indicates the DDoS target. This parameter can either be an IP address or Domain Name.

attack-time: indicates the duration, in minutes, to perform the attack.

More on Slowloris Attacks

Slowloris is a DDoS attack that attempts to consume all the resources (specifically, TCP ports) of a targeted web server by making a multitude of concurrent HTTP requests, which are never completed, and are therefore kept open. As a result, little to no resources (TCP ports) remain available for genuine, incoming web traffic, rendering the requested site inaccessible.

SpyEye’s Slowloris attack, however, is slightly different: Instead of all the connections to the target server remaining open for an indefinite period of time, the connections consist of HTTP requests, which are deliberately carried out over an extended period of time using predefined pauses. SpyEye’s Slowloris connections are eventually closed at the end of the predefined attack-timeout.

In contrast to SYN and UDP flooding, Slowloris attacks can cause the resources of the targeted server to be severely depleted, without using a great amount of bandwidth on the targeted server’s network. For example, 50 TCP connections that send one data packet every second (Slowloris), can be as effective as 100 TCP connections that bombard a targeted server with a stream of successive connections that repeatedly open and close (SYN).

Slowloris connections are especially effective in two scenarios:

  • Bringing down one specific server without shutting down its entire network. (Due to low bandwidth consumption, the network itself will not shut down.)
  • Evading protection mechanisms that block out sources of high-volume web traffic, as well as evading other network protection mechanisms that are statistics-based.

Plug-in File Structure

To run correctly, the configuration file of the DDoS plug-in must consist of plain-text lines. Each line must contain one command from the above list. As the plug-in does not validate its input to identify erroneous commands, each command must be structured correctly.

Plug-in Workflow

The plug-in runs according to the information provided in its configuration file. Once the plug-in starts running, it goes over all the lines in the configuration file, performing the commands one at a time. (This means that if given several instructions in the Configuration File, they will be carried out sequentially, and not in parallel.) The plug-in’s execution either terminates after all the commands have been executed, or when SpyEye invokes the stop routine.
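For analysts who have already decrypted a ddos.dll.cfg, the following added example (not RSA's code and not part of the plug-in) parses the three command formats from Appendix A into normalized records and sums the sequential runtime. The sample config is constructed, using reserved example names and addresses.

```python
from dataclasses import dataclass
from typing import Optional

# Per-command layout from Appendix A: (takes a port argument, seconds per time unit).
# ssyn and udp give attack-time in seconds; slowloris gives it in minutes.
SPECS = {"ssyn": (True, 1), "udp": (True, 1), "slowloris": (False, 60)}

@dataclass(frozen=True)
class DdosCommand:
    kind: str
    target: str
    port: Optional[int]  # None: udp with port 0, the plug-in picks one random port
    duration_s: int

def parse_ddos_cfg(text):
    """Parse a decrypted ddos.dll.cfg; return (commands, rejected_lines)."""
    commands, rejected = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        spec = SPECS.get(parts[0])
        # The plug-in does not validate its input, so the analyst's parser must.
        if spec is None or len(parts) != (4 if spec[0] else 3) or not parts[-1].isdecimal():
            rejected.append(raw)
            continue
        has_port, unit_s = spec
        port = 80  # slowloris always uses port 80 (HTTP)
        if has_port:
            if not parts[2].isdecimal() or int(parts[2]) > 65535:
                rejected.append(raw)
                continue
            port = int(parts[2])
            if parts[0] == "udp" and port == 0:
                port = None
        commands.append(DdosCommand(parts[0], parts[1], port, int(parts[-1]) * unit_s))
    return commands, rejected

def total_runtime_s(commands):
    """Commands run one at a time, so the configured runtime is the sum of durations."""
    return sum(c.duration_s for c in commands)

# Constructed sample config (reserved example names and addresses, not real data).
SAMPLE_CFG = """ssyn victim.example 443 600
udp 192.0.2.10 0 120
slowloris victim.example 5
bogus line here
"""
```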

Appendix B - SpyEye’s Customized Slowloris Flooding

The sequence of events in a SpyEye Slowloris attack is as follows:

1. The infected machine establishes 50 TCP connections to port 80 (HTTP).

2. It pauses for 100 milliseconds.

3. It sends an HTTP Request that has the following format:

GET/POST / ?number HTTP/1.1\r\n
Host: host\r\n
User-Agent: Mozilla/4.0\r\n
Keep-Alive: 300\r\n
Connection: Keep-alive\r\n
Content-Length: 42\r\n

where:

GET/POST indicate a GET or POST-type request. The type of request is randomly selected on a 50-50 basis.

number is a random number between 1-99999.

host is the target specified in the configuration file.

Note: The code contains a bug: If the target host contains backslashes (“\”), the first appearance is replaced by a Null-Character, which effectively terminates the string at that location.

4. The infected machine waits one second.

5. It enters the second stage of the attack, which it performs for one (1) minute:

  • The infected machine sends the string X-a: b\r\n to all the open connections.
  • It waits 2.5 seconds.
  • It repeats the above string.

This stage either terminates after one minute, or terminates when a sending error occurs on all 50 connections.

6. The infected machine sends the string Connection: Close\r\n\r\n to all the open connections, and closes them.

7. If the predefined attack-time timeout has not elapsed, the machine repeats steps 1 through 6.
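The fixed request template and the 2.5-second filler cadence above give a server operator something concrete to match on. The following added example (not from RSA or the original post) checks one client connection against that template. It assumes the monitoring layer supplies the received data as timestamped chunks, and the sample traffic is constructed.

```python
import re
from statistics import median

# Request line from step 3: GET or POST, then a random number 1-99999 in the query.
# The optional space mirrors the format as printed above.
REQUEST_LINE = re.compile(rb"^(GET|POST) / ?\?([1-9]\d{0,4}) HTTP/1\.1$")
FIXED_HEADERS = [
    b"User-Agent: Mozilla/4.0",
    b"Keep-Alive: 300",
    b"Connection: Keep-alive",
    b"Content-Length: 42",
]
FILLER = b"X-a: b"  # header line repeated during the second stage

def inspect_connection(chunks):
    """chunks: [(arrival_time_s, bytes), ...] for one client connection, in order.

    Returns None if the data does not follow the template, else a summary dict.
    """
    data = b"".join(payload for _, payload in chunks)
    lines = data.split(b"\r\n")
    if len(lines) < 6 or not REQUEST_LINE.match(lines[0]):
        return None
    if not lines[1].startswith(b"Host: ") or lines[2:6] != FIXED_HEADERS:
        return None
    filler_times = [t for t, payload in chunks if FILLER in payload]
    gaps = [b - a for a, b in zip(filler_times, filler_times[1:])]
    return {
        "method": lines[0].split(b" ", 1)[0].decode(),
        "filler_headers": lines[6:].count(FILLER),
        # False while the request is still being held open (no blank line yet).
        "headers_terminated": b"\r\n\r\n" in data,
        "median_filler_gap_s": median(gaps) if gaps else None,
    }

# Constructed sample traffic (reserved example host names, not captured data).
TEMPLATE_HEAD = (b"GET /?4711 HTTP/1.1\r\nHost: victim.example\r\n"
                 b"User-Agent: Mozilla/4.0\r\nKeep-Alive: 300\r\n"
                 b"Connection: Keep-alive\r\nContent-Length: 42\r\n")
SUSPECT = [(0.0, TEMPLATE_HEAD), (1.0, b"X-a: b\r\n"),
           (3.5, b"X-a: b\r\n"), (6.0, b"X-a: b\r\n")]
BENIGN = [(0.0, b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n")]

if __name__ == "__main__":
    print(inspect_connection(SUSPECT))
    print(inspect_connection(BENIGN))
```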
