DingleElite DDoS Bot (WOPBOT)


re: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505
sha256: 73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489
malware family: DDoS Bot used by DingleElite (WOPBOT, according to Emanuele Gentili)

context found here:

"I am a security researcher and found a bot network of infected devices used to perform the DDoS
attacks. The twitter account that's linked with the botnet is https://twitter.com/TheDingleElite.
The command and control of this botnet can be watched by using a telnet client and connecting
to 89.238.xxx.xxx on tcp port 5. If you need to be made aware of any more information please
contact me directly; I will privately disclose the rest of the CnC IP to anyone who is interested."

quick static analysis:

hardcoded C&C: 89.238.150.154:5
CloudFlare IP: 108.162.197.26 (used for deriving the bot's own MAC via a route lookup?)
C&C protocol: single-line command/response exchanges over a telnet-style TCP connection

Commands / Features:

CMD:      PING
PARAMS:   -
RESPONSE: "PONG!"

CMD:      GETLOCALIP
PARAMS:   -
RESPONSE: "My IP: <local_ip>"

CMD:      SCANNER
PARAMS:   <MODE>
RESPONSE: "SCANNER ON | OFF" (usage string) if num_args != 1; otherwise the spawned scanner thread presumably responds?

CMD:      HOLD
PARAMS:    <IP> <PORT> <SECONDS>
RESPONSE: "HOLD Flooding <IP>:<PORT> for <SECONDS> seconds." 

CMD:      JUNK
PARAMS:   <IP> <PORT> <SECONDS>
RESPONSE: "JUNK Flooding <IP>:<PORT> for <SECONDS> seconds." or error messages 

CMD:      UDP
PARAMS:   <IP> <PORT> <SECONDS> <RAW/DGRAM> <PKT_SIZE> <THREADS>
RESPONSE: "UDP Flooding <IP>:<PORT> for <SECONDS> seconds." or error messages 

CMD:      TCP
PARAMS:   <TARGETS,> <PORT> <SECONDS> <?> <TCP_FLAGS,> <PKT_SIZE> <PKT_BURST>
RESPONSE: "TCP Flooding <IP>:<PORT> for <SECONDS> seconds." or error messages 

CMD:      KILLATTK
PARAMS:   -
RESPONSE: "Killed <NUMBER_OF_ATTK_THREADS>." or "None Killed." 

CMD:      LOLNOGTFO
PARAMS:   -
RESPONSE: None (exits bot process) 

UDP flood

payload characteristics: PKT_SIZE bytes, each drawn at random from the upper-case letters (PKT_SIZE * RANDOM(UPPER_CHARS))

TCP flood

TCP_FLAGS: comma-separated list chosen from all,syn,rst,fin,ack,psh (any combination the operator picks)
PKT_BURST: number of packets sent back-to-back before the bot checks whether the SECONDS attack duration has elapsed
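To make the command table above usable for triage of a captured C&C session, here is an added decoder (my own example, not code from the bot or from the original post) that maps each line to the command, its parameters and the targets it names, and flags the attack commands; the session lines and the RFC 5737 test addresses are constructed, and the fourth TCP parameter is labelled "unknown" because the analysis above leaves it as <?>.

```python
from dataclasses import dataclass, field

# Command table taken from the static analysis above: command -> parameter names in order.
COMMANDS = {
    "PING": [], "GETLOCALIP": [], "SCANNER": ["mode"],
    "HOLD": ["ip", "port", "seconds"],
    "JUNK": ["ip", "port", "seconds"],
    "UDP": ["ip", "port", "seconds", "sock_type", "pkt_size", "threads"],
    # Fourth TCP parameter is undocumented on the page, hence "unknown".
    "TCP": ["targets", "port", "seconds", "unknown", "tcp_flags", "pkt_size", "pkt_burst"],
    "KILLATTK": [], "LOLNOGTFO": [],
}
ATTACK_CMDS = {"HOLD", "JUNK", "UDP", "TCP"}
TCP_FLAGS = {"all", "syn", "rst", "fin", "ack", "psh"}

@dataclass
class Decoded:
    cmd: str
    params: dict
    targets: list          # victim addresses named by the command, if any
    is_attack: bool
    notes: list = field(default_factory=list)   # parse anomalies worth an analyst's eye

def decode_line(line):
    """Decode one C&C line; returns None if it is not a known WOPBOT command."""
    parts = line.strip().split()
    if not parts or parts[0].upper() not in COMMANDS:
        return None
    cmd = parts[0].upper()
    names = COMMANDS[cmd]
    params = dict(zip(names, parts[1:]))
    notes = []
    if len(parts) - 1 != len(names):
        notes.append(f"expected {len(names)} params, got {len(parts) - 1}")
    targets = []
    if cmd == "TCP":
        # TCP takes a comma-separated target list; other floods take a single IP.
        targets = [t for t in params.get("targets", "").split(",") if t]
        if "tcp_flags" in params:
            bad = set(params["tcp_flags"].split(",")) - TCP_FLAGS
            if bad:
                notes.append("unknown TCP flag(s): " + ",".join(sorted(bad)))
    elif "ip" in params:
        targets = [params["ip"]]
    return Decoded(cmd, params, targets, cmd in ATTACK_CMDS, notes)

def triage(lines):
    """Return only the attack records from a captured session (unknown lines are skipped)."""
    return [d for d in map(decode_line, lines) if d and d.is_attack]

# Constructed sample session (not real traffic); addresses are RFC 5737 TEST-NET.
SAMPLE_SESSION = ["PING", "UDP 192.0.2.10 80 60 DGRAM 512 4",
                  "TCP 192.0.2.10,192.0.2.11 443 30 0 syn,ack 64 10", "KILLATTK", "HELLO"]
```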

Earlier references to this family:

Aug 20th, 2014 Pastebin
Aug 9th, 2014 Pastebin (hints at potentially old C&C servers: 89.248.172.14:9 | 192.99.200.69:57)
Mar 7th, 2014 Pastebin (hints at a potentially old C&C server: 192.99.200.69:57)
Jan 18th, 2014 Malwr (hints at a potentially old C&C server: 142.4.215.135)

All hashes:

sha256: 73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489 (C&C: 89.238.150.154:5)
sha256: 2d3e0be24ef668b85ed48e81ebb50dce50612fb8dce96879f80306701bc41614 (C&C: 162.253.66.76:53)
sha256: ae3b4f296957ee0a208003569647f04e585775be1f3992921af996b320cf520b (C&C: 89.238.150.154:5)

link to original post on blogspot.