Joe Stewart - Senior Security Researcher, SecureWorks
On Jan 7, an article by John Markoff titled "Attack of the Zombie Computers Is Growing Threat" was published in the New York Times. In the article was a section detailing how I had tracked the spam sent by the Rustock trojan and had detailed the author's pump-and-dump spam operation, even down to the amount of money being made in a single spam run.
On Jan 8, the server hosting my personal website came under a DDoS attack. The attack occurred at 7:01 AM U.S. Eastern Time , as can be seen in the messages logfile excerpt below. Here we can see the kernel is overloaded with traffic, and begins suppressing error log messages because too many errors are occuring at once.
Jan 8 06:45:57 loggerhead -- MARK -- Jan 8 07:01:24 loggerhead kernel: printk: 3945 messages suppressed. Jan 8 07:01:29 loggerhead kernel: printk: 196 messages suppressed. Jan 8 07:01:38 loggerhead kernel: printk: 450 messages suppressed. Jan 8 07:01:39 loggerhead kernel: printk: 1712 messages suppressed. Jan 8 07:01:54 loggerhead kernel: printk: 1046 messages suppressed. Jan 8 07:01:54 loggerhead kernel: printk: 150 messages suppressed. Jan 8 07:02:07 loggerhead kernel: printk: 4399 messages suppressed. Jan 8 07:06:25 loggerhead kernel: printk: 2925 messages suppressed. Jan 8 07:06:30 loggerhead kernel: printk: 12165 messages suppressed. Jan 8 07:06:35 loggerhead kernel: printk: 13611 messages suppressed.
At this point the server is unreachable due to the excessive bandwidth being used. In the Apache access_log file for my website, at the same time we the very last HTTP request before the site becomes unreachable:
220.127.116.11 - - [08/Jan/2007:07:01:07 -0500] "GET / HTTP/1.0" 200 8649 "-" "Opera/9.02 (Windows NT 5.1; U; ru)" 18.104.22.168 - - [08/Jan/2007:07:01:15 -0500] "GET /favicon.ico HTTP/1.0" 404 209 "http://www.joestewart.org/" "Opera/9.02 (Windows NT 5.1; U; ru)"
22.214.171.124 is cryptobitch.de, an anonymizing service out of Germany. But the visitor is clearly using a Russian language version of Opera. The source, timing and the stealth of this request can mean only one thing - the attacker is testing my website to make sure it goes down.
Working with colleagues in the ISP and security community, I was able to get a list of IP addresses involved in the attack. With the assistance of MyNetWatchman, I was able to obtain the malware involved in the attack from one of the infected users. This malware was compiled specifically to attack my site; it has no other purpose.
The DDoS malware has the following properties:
Path to file on infected machine: %temp%\784E1629.exe (name is
Size: 15,872 bytes
Compiler:Borland Delphi v6.0/7.0
Install registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winconf
The executable has the following functionality:
Illustration 1: Disassembly of DDoS Attack Tool
I counted 673 IP addresses involved in the attack in one sampling. This is a fairly small amount of computers given modern botnet sizes, but it was more than enough to swamp the bandwidth of the server, hosted on a business-class cablemodem. It leads me to believe the attacker used only a portion of the botnet for the attack, leaving the bulk of the botnet for use in other activities.
The code that is the core of Rustock's spam functionality is also compiled using Borland Delphi. Additionally, one of Rustock's bot commands is "runexe" - this command causes Rustock to download a file from a URL, and save it into the temp directory with a name generated from a random 32-bit number, converted to an upper-case hexadecimal string.
Illustration 2: Disassembly of "runexe" command in Rustock
The use of the GlobalFindAtom/GlobalAddAtom Windows APIs as a means to prevent multiple copies of the same malware from running is somewhat unique - most malware utilizes the Windows CreateMutex to do the same thing.
Illustration 3: Mutual-exclusivity code from DDoS tool
Interestingly, the Rustock dropper EXE utilizes the GlobalFindAtom/GlobalAddAtom API for the same purpose. This is not to say that use of that API is exclusive to Rustock, but simply that it is an interesting correlation. Generally, choosing which API to use when there are multiple ways to accomplish the same task is a matter of habit/preference, and malware authors will reuse code as would any programmer.
Illustration 4: Mutual-exclusivity code from Rustock dropper
Searching the web for the "winconf" registry key name and a file with a similarly formatted exe name turns up many instances of infected users seeking help in anti-malware forums. These users are also very often detected to be infected by Rustock, as can be evidenced by a Google search for the terms "winconf" and "lzx32.sys".
Additionally, other sources noticed that IP addresses on their networks who were attacking my website were also periodically sending DNS requests every 15 minutes, attempting to resolve the IP addresses for certain domain names, including nothingmore.info, stopwatchingme.name, netwide-company.biz, data-connection12.info, ufdsjbndkjfgd.biz, nobodymoving.biz and damnedqueen.name These are some of the same domain names used by the Rustock trojan's command and control servers.
Illustration 5: Names from data section of Rustock
Given all this evidence, there can really only be one logical conclusion - the Rustock author decided to attack my website in retaliation for me speaking out about his illicit activities. Interestingly, during the course of this investigation I came to learn that other anti-spam sites providing information on pump-and-dump spam were also coming under attack. However, the attack signature was completely different, and analysis showed that a completely different malware family was responsible. Another DDoS attack has been carried out against the website of GMER, an anti-rootkit tool. The attacks on researchers and developers simply providing information pertaining to stock spams or malware removal tools is unprecendented - previously we have seen anti-spam services and forums taken down by DDoS attacks, but it seems now that the attacks are becoming more personal.