Drive Returns with New Tactics and New Attacks

The last time I blogged about Drive, it had just added some new attacks and obfuscation to its attack commands. Fast forward seven months, and Drive has another new variant that has adopted a completely new set of tactics while being used in some recent high-profile attacks.

Similar, Yet Different

I first discovered this new Drive variant in early January 2014 when I noticed that my previous Yara rule was alerting on samples that my network classifiers were not. On closer inspection, I saw that two new parameters had been added to the phone-home and that the bot ID parameter, req, had been shortened from 15 bytes to 9 or 10 bytes.

99=1&ver=[0-9]{5}&req=[0-9]{9}

The CnC still uses the same obfuscation techniques for attack commands as Drive2 and supports exactly the same set of attacks, with a slight tweak to how attack commands are returned. Responses from the CnC are now expected to be terminated with “^^^”, and a response is ignored if that string is not present.

Where it did improve over its predecessor was in the parsing of responses, both from the CnC and from the “-smart” attack. The malware now validates a 200 response code from the CnC and makes sure the “^^^” string is present in the response before proceeding to decode and parse attacks out of it. Similarly, the “-smart” attack parsing now validates that a 302 response code is present when looking for a Location: header and also verifies that the JavaScript cookie-setting calls sit between “<script>” and “</script>” tags. There are some other parsing improvements that I will not go over as they become tedious to talk about in a blog post ;).

The next major difference I noticed was the removal of the newd=1 command, which was used to change the CnC of the bot in the event that the current CnC went down. This has been replaced with a hard-coded list of CnC URLs embedded in the binary, encoded using the method I detailed in my first blog post on Drive.

Tactical Shift

This leads to the first new tactic I discovered when investigating the list of hard-coded CnCs. The majority of the domain names were extremely old, and when I first started browsing the sites via Tor to investigate them further, they all appeared to be legitimate. Unfortunately for the site owners, they were indeed legitimate sites that had been compromised and used to direct an army of DDoS bots at various targets. Judging by the paths of the PHP scripts, many of these sites were running some version of WordPress with plugins. It is not known whether they were compromised via a WordPress or plugin vulnerability, as I stopped all probing once I realized they were legitimate. By visiting the main portions of each site, I was able to confirm the presence of a WordPress blog. We have taken action with the relevant CERTs in an attempt to get the sites cleaned up, but some are still active.

The targeting of vulnerable sites to serve as CnC is a major shift from past variants of DirtJumper and a newer tactic in the DDoS malware world. The last time we saw compromised sites used in DDoS was in the BroBot attacks of 2013, where the compromised sites themselves launched the attacks rather than ordering compromised PCs to do so. As far as I know, this is the first time this tactic has been seen in DDoS malware targeting PCs. One major issue with a compromised site sending attack commands is that you cannot simply block access to the host, since users may well be visiting it legitimately; instead, deeper inspection at the network level is needed to verify that a system visiting the site is indeed compromised.

The current best guess is that these sites only house scripts that act as a proxy between the real CnC and the bots. Without a copy of the script from any of the hosts, it is impossible to link any of the attacks we have seen to specific actors or groups, since we cannot see who the actual CnC behind the attack is.

The unique script file names we have seen samples phoning home to are listed below. Many of these are located under some variation of “/wp-content/{uploads,plugins,uploads}”, but other paths have been observed.

gasf3sfasf.php
gbomberman2.php
gchtogde1.php
gcore.php
gdomberman1.php
ghddchtohge.php
gsims32.php
gsnowthread.php
gsuleiman3.php
gtwohddchtogde.php
gvasrhon.php

The 128 CnCs we have detected so far have a wide geographic distribution, as seen in the graphic below:

Drive3 Compromised CnC Locations

Attacks

Sochi Olympics-related

After finding this new variant and adding it to our monitoring system, we detected attacks shortly before the start of the Sochi Olympics targeting multiple Sochi-related websites, including hotels, universities, airports and Winter Olympics-related sites. We were able to coordinate mitigation of the attacks and to work with CERTs to help neutralize the CnCs involved.

MtGox

Recent news reports have also revealed DDoS attacks in early February against Mt. Gox during the period when the site went dark amid the alleged cyberheist of the majority of the bitcoins it managed. I can now confirm that this variant of Drive was involved in these DDoS attacks, ordering a mixture of GET, POST and Smart attacks against the site. At the time, it looked like a typical DDoS attack on a site by a disgruntled user or extortionist. Once new details were released on a timeline with possible links between a DDoS attack and the theft, we were able to more positively link the attacks ordered with the events surrounding Mt. Gox.

Identification

A Yara rule to identify binaries is presented here and is also available in our GitHub repository:

rule dirtjumper_drive3
{
    strings:
        $cmd1 = "-get" fullword
        $cmd2 = "-ip" fullword
        $cmd3 = "-ip2" fullword
        $cmd4 = "-post1" fullword
        $cmd5 = "-post2" fullword
        $cmd6 = "-udp" fullword
        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
        $str2 = "-timeout" fullword
        $str3 = "-thread" fullword
        $str4 = " Local; ru) Presto/2.10.289 Version/"
        $str5 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT"
        $newver1 = "-icmp"
        $newver2 = "-byte"
        $newver3 = "-long"
        $drive3 = "99=1"
    condition:
        4 of ($cmd*) and all of ($str*) and all of ($newver*) and $drive3
}

In addition to the Yara rule to identify the binaries, here is a Snort rule to help identify this variant on the network:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[ASERT] TROJAN W32/Drive3 Checkin"; flow:established,to_server; content:"POST"; http_method; content:"99="; fast_pattern; depth:3; http_client_body; pcre:"/^99=1\x26ver=\d{5}\x26req=\d{9,10}$/P"; reference:url,www.arbornetworks.com/2014/03/drive-returns-with-new-tactics-and-new-attacks; reference:md5,237c98f2b31a3353b1d81bd3bdb2c8ed; classtype:trojan-activity; sid:3000002; rev:1;)
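As an added example (not ASERT's own tooling), the following Python applies the check-in pattern from the Snort rule above to constructed proxy-log records and folds in the CnC response check described earlier (a 200 reply carrying the “^^^” terminator), so individual clients can be flagged without blocking the compromised host. The record layout, client addresses and the blog paths are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Drive3 check-in body as described above: 99=1&ver=<5 digits>&req=<9-10 digits>,
# the same pattern the Snort rule's PCRE matches. Record layout and names here
# are assumptions for this example, not part of any ASERT tooling.
CHECKIN_RE = re.compile(r"^99=1&ver=(\d{5})&req=(\d{9,10})$")
RESPONSE_TERMINATOR = "^^^"  # the bot ignores CnC replies lacking this

@dataclass
class HttpExchange:  # one proxied HTTP exchange (assumed log shape)
    client: str
    method: str
    path: str
    body: str
    status: int
    response: str

def match_checkin(body: str):
    """Return (ver, req) if the POST body is a Drive3 phone-home, else None."""
    m = CHECKIN_RE.match(body)
    return (m.group(1), m.group(2)) if m else None

def classify(ex: HttpExchange) -> str:
    """Label one exchange. The compromised host is not blocked outright, since
    legitimate users visit it too; the verdict rests on the request body and on
    whether the reply is a 200 carrying the ^^^ terminator the bot requires."""
    if ex.method != "POST" or match_checkin(ex.body) is None:
        return "benign"
    if ex.status == 200 and RESPONSE_TERMINATOR in ex.response:
        return "drive3-checkin-with-commands"
    return "drive3-checkin"

def infected_clients(log) -> set:
    """Client IPs whose traffic classified as a Drive3 check-in."""
    return {ex.client for ex in log if classify(ex) != "benign"}

# Constructed sample log (not real traffic); gcore.php is a script name from the post.
SAMPLE_LOG = [
    HttpExchange("10.0.0.5", "POST", "/wp-content/uploads/gcore.php",
                 "99=1&ver=12345&req=987654321", 200, "ZGVhZGJlZWY=^^^"),
    HttpExchange("10.0.0.6", "POST", "/wp-content/uploads/gcore.php",
                 "99=1&ver=12345&req=9876543210", 200, "Hello world"),  # reply lacks ^^^
    HttpExchange("10.0.0.7", "GET", "/2014/03/some-post/", "", 200, "<html>"),
    HttpExchange("10.0.0.8", "POST", "/wp-comments-post.php",
                 "comment=nice+post&ver=12345", 302, ""),  # ordinary WordPress traffic
    HttpExchange("10.0.0.9", "POST", "/wp-content/uploads/gcore.php",
                 "req=123456789012345", 200, "^^^"),  # 15-digit req: not the Drive3 format
]
```

Running `infected_clients(SAMPLE_LOG)` on the constructed records flags only 10.0.0.5 and 10.0.0.6; the other visitors to the same host are left alone.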

A common imphash seen across a number of samples is b873ada755d22741a4680705c9afdc5c, and here is a small sampling of MD5s to wrap up this section:

7a6b01fc77c6b89c0b76db5e053a1d1c
237c98f2b31a3353b1d81bd3bdb2c8ed
a28d6b0134e86663b41016eafe32e7a9
15d8e6090eda49677b3a23b5af17d700
3c69a4aed59ae68e550c9734513adcaa

Conclusion

The Drive family of DDoS malware continues to evolve, this time with tactics that help protect the actual CnC from takedowns and help protect the actors behind the CnC from identification. As Drive continues to evolve, it is being used in higher-profile attacks while also improving the robustness of the malware itself. Drive continues to push the envelope for “state-of-the-art” DDoS malware and as long as it does we will continue our tracking and protection efforts.