A forum for reverse engineering, OS internals and malware analysis 

 #4792  by korczyn
 Fri Jan 28, 2011 2:19 pm
Thanks very much for the files and info...
I hope the discussion related to Darkness will still be open...
As I'm new to this forum (and I'd like to do some investigation of the Darkness botnet), all hints and opinions are notable for me...
 #4830  by korczyn
 Mon Jan 31, 2011 3:58 pm
Hi,

I was analysing both versions that you sent me and a third one I discovered recently... I found out that:

1) EP_X0FF was right and the sample that you gave us was indeed related to Darkness. When I ran the malware in my lab, the host was trying to connect to the vkotalke.info C&C server, which is supposed to be one of the newest Darkness C&C servers (you can find the full list if you visit the link posted by Evilcry: http://www.shadowserver.org/wiki/pmwiki ... r/20110123). Unfortunately, the bot couldn't connect... already dead? Or maybe it's because of my NAT?

2) The second and third samples were trying to connect to three C&C servers: greatfull-toolss.ru, hellcomeback.ru, greatfull.ru, but these are also not working any more... in the attachment I put one sample of the traffic if someone wants to take a closer look...

I will probably try to change the binaries in order to connect to servers which still exist (if it is possible, because in newer versions of Darkness it is said that modification of the binaries is not that easy)... The second attachment is the next sample of the malware... maybe someone will be interested in it...

Regards,
korczyn
Attachments:
malware sample (33.31 KiB)
traffic sample (923 Bytes)
 #4951  by korczyn
 Tue Feb 08, 2011 10:41 am
Conclusions:

Two versions - the one that PX5 sent here and my version - are old ones... both of them are 7f (according to shadowserver.org they are relatively old: Nov 04, 2010 - 7f officially released)... even if we connect to the existing C&C servers (domains again given by shadowserver.org) there is no high interaction...

The one given by EP_X0FF is a faked one... when we connect to the C&C server it appears as version 8g, whereas the latest one is 7i (Jan 24, 2011 - 7i official)...

All the conclusions are based on running the malware in our lab as well as comparing our findings with the parallel investigation run by shadowserver.org...
If anyone could help me somehow and share the newest malware sample, I would very much appreciate it, because I'm stuck at the moment...

Thanks,
korczyn
 #4982  by Evilcry
 Thu Feb 10, 2011 7:19 am
Hi,

Update - February 8, 2011

http://www.shadowserver.org/wiki/pmwiki ... r/20110127
Some of the new features noted that can help in the identification of v.8a include:
Optima 8-0-0 MX Black panel with English instructions
File name and the bot service names are now random
Variable strength for dd1=http and dd2=icmp commands, with the ability to throttle them using command switches
Experimental support for cookie verification to better emulate a browser and bypass certain anti-ddos systems
New encryption algorithm for URL and other variable user information used in the body of the bot
Support for modules that will be added in the future.
More effective dd1=http attacks
Regards,
Evilcry