Darkshell DDOS Botnet Evolves With Variants

Darkshell is a distributed denial of service (DDoS) botnet targeting Chinese websites. It was found in 2011 and was www.mcafee.com/activate  first analyzed by Arbor Networks. McAfee Labs recently analyzed a few new www.mcafee.com/activate download samples that turned www.mcafee/activate out to be variants of Darkshell, and we found extensive variations www.mcafee.com/activate product key in network traffic and control commands mcafee.com/activate product key.

The Darkshell bot follows a fairly www.mcafee.com/activate product key standard installation process by copying itself into the System32 directory with a name that appears to be www.mcafee.com/activate legitimate, for example, C:\WINDOWS\system32\WinHe803.exe. It then sends the  mcafee.com/activate product key system information of the infected machine to its control server in encrypted format. Once the control server receives the information, it responds www.mcafee.com/activate download with the victim’s www.mcafee/activate address and the type of DDoS attack to perform.

The binaries we analyzed were compiled in a way that it makes them hard to reverse engineer (and ease our analysis). Each binary www.mcafee.com/activate contained  www.mcafee.com/activate download a lot of junk code and made multiple calls between the www.mcafee.com/activate product key junk codes to complete a single task www.mcafee/activate. We also found that the binaries mcafee.com/activate product key used antidebugging and antidisassembly techniques to evade disassembly and reversing. The code was written in C++.

Let’s dig into some detailed analysis of the new variant of Darkshell. The binary executed fake code along with a debugger detection check www.mcafee.com/activate, and exited www.mcafee/activate the process while debugging. The binary accessed heap flags from the Process Environment Block (PEB) structure www.mcafee.com/activate product key to detect our debugger www.mcafee.com/activate download. (Heap flags are set to “0x50000062” when a process is being debugged.) The following figure shows mcafee.com/activate product key the actual code from the botnet binary

First, the binary decrypted 1917 (hex) bytes of the code with the preceding XOR key, starting at the address 0x00401000. Next, it decrypted all the strings using the same XOR key. Following that, the bot built its import address table using the “LoadLibrary()” and “GetProcAddress()” functions. We found it www.mcafee.com/activate interesting www.mcafee/activate that the bot mcafee.com/activate product key did not call LoadLibrary() and GetProcAddress() in the usual way. In this sample, it first pushed www.mcafee.com/activate product key the www.mcafee.com/activate download address of the LoadLibrary() function on the stack and then returned to it, as shown in the next image:

Comments

Post a Comment

Popular posts from this blog

Introducing tracking prevention, now available in Microsoft Edge preview builds

Image
Today, we’re releasing an experimental preview of tracking prevention for Microsoft Edge. We features of build microsoft edge as one of the concepts we’re exploring www.mcafee.com/activate product key to offer greater transparency and control over your online data . Microsoft Edge Insiders can www.mcafee/activate now try out tracking mcafee.com/activate product key prevention by enabling the experimental flag on Microsoft Edge preview builds starting with version 77.0.203.0 (today’s Canary channel release).  (Note: Today’s Canary release www.mcafee.com/activate download is not currently www.mcafee.com/activate available for macOS due to a build issues. Tracking prevention will be available in the next update to the Canary channel on macOS.) Tracking prevention is designed to protect you from being tracked by websites that you aren’t accessing directly. Whenever a website is visited, trackers from other sites may save information in the browser www.mcafee/activate using cookies and oth
Read more

Powering past limits with financial services in the cloud

Image
At KeyBank, we serve our 3.5 million customers online and in-person, and managing and analyzing data is  www.mcafee.com/activate product key  essential to providing great service. We process more than four billion records every single day   www.mcafee/activate , and move that data to more than 40 downstream systems. Our teams use that data in many ways; we have about 400 SAS users and 4,000 Tableau users exploring  www.mcafee.com/activate download  analytics results and running reports. We introduced Hadoop four or five years ago as our data  mcafee.com/activate product key  lake architecture, using Teradata for high-performance analytics. We stored more than a petabyte of data in Hadoop on about 150 servers, and more than 30 petabytes in our Teradata environment.  We decided to move operations to the cloud when   www.mcafee.com/activate  we started hitting the limits of what an on-premises data warehouse could do to meet our business needs. We wanted to move to cloud quickly and open
Read more

Arrange your Windows in a Snap

Image
Windows 7 indroduce Aero as a way to effortlessly position windows on the desktop just the way you want them. You no longer had to frustratingly fiddle with the sizes and positions of windows just to get  mcafee.com/activate product key  them into common layouts   www.mcafee/activate . Windows 8 increased productivity further, being the first OS to support true side-by-side multitasking on tablets as well. Anyone could effortlessly snap  www.mcafee.com/activate  with a simple touch gesture, resize side-by-side  www.mcafee.com/activate product key  apps simultaneously  www.mcafee.com/activate download , and watch apps automatically adjust to take up available space on the screen. When we started designing Windows 10, we stuck with our original goal of helping you be more productive by reducing the amount of effort it takes to manage your window layouts. By allowing Store apps to run in a window, we gave ourselves more flexibility to blend the best of both Windows 7 and 8 for this new r
Read more