The intention of this entry is to profile some elements of the Aldi Bot in order to provide value for the security operations community and malware research community.
Aldi Bot is a newer inexpensive DDoS bot that is growing in popularity. Recent data (September 30 2011) suggests that there are at least 50 distinct Aldi bot binaries that have been seen in the wild with 44 unique Command & Control points. We see the bot active in Russia, the Ukraine, the US, and Germany. While it has been stated that Aldi Bot won’t be developed further, the source code has leaked which makes it easy to find and use.
G-Data and others in the security community have discussed this bot in recent weeks. Of special interest to those concerned with availability, Aldi Bot offers HTTP and TCP DDoS capabilities along with Firefox, Pidgin and jDownloader credential theft, the creation of a SOCKS5 proxy and the ability to download and execute malicious code of the attacker’s choice.
To underscore its attack capabilities, Aldi Bot was used to DDoS bka.de, the German federal police website in a demonstration video.
Figure 1 – Aldi Bot demonstration video launching DDoS attack on bka.de
All it takes is one bot such as Aldi Bot or other tool such as a Remote Access Trojan (RAT) to provide an attacker a handhold on the inside of an organization that can lead to a much larger security breach. It is now well-known that attacks involving the exfiltration of sensitive data typically start with one smaller compromise that is then leveraged for additional access. Additionally Aldi Bot steals passwords, and passwords are often re-used for convenience even though it is a dangerous practice. Without proper monitoring of system and network activity, such infected nodes can be long-lived and pose significant risk.
Thankfully in this case it seems that the Aldi Bot back-ends aren’t long lasting. Of the list of 41 back-ends that I obtained on September 30, 2011, it appears that only 13 of them were still online as of October 3, 2011.
Detection & uniqueness of threatThe author of Aldi Bot suggests that the bot will not be FUD (fully undetectable) and indeed Aldi Bot’s initial antivirus detection based on a September 22, 2011 analysis of the sample I analyzed (MD5: c903b63346c90d29b0fe711a68a747ba) features a 72.7% detection rate, with four vendors using a term similar to “Aldi Bot” such as “Abot” or “Albot”. The rest of the detections are generic.
As antivirus detection can be an indicator that triggers an organizations Incident Response function, responders will have to dig a little deeper in many cases because generic alerts don’t provide much context as to the true nature of the threat. An example of this is a user seeking assistance with an Aldi Bot infection using the default filename “jetzt_kommt_aldi.exe” on September 4, 2011 on a Microsoft forum:
While it has been speculated that Aldi Bot has borrowed from the Zeus banking Trojan source code release in early 2011, Aldi bot is written in Delphi with a PHP back-end, while Zeus is written in C++ with PHP on the back-end. The only obvious similarity between Zeus and Aldi Bot that I can see at first glance is that both of them tend to use a filename called gate.php on the web-based back-end as a “drop zone” to process stolen data.
CommandsAldi bot’s commands are as follows:
- ‘StartHTTP’ – starts an HTTP DDoS attack
- ‘StartTCP’ – starts a TCP DDoS attack
- ‘StopHTTPDDoS’ – stops an HTTP DDoS attack
- ‘StopTCPDDoS’ – stops a TCP DDoS attack
- ‘StopDDoS’ – apparently stops all DDoS attacks
- ‘DownloadEx’ – download and execute other code (malware)
- ‘CreateSocks’ – creates a SOCKS5 proxy
- ‘StealData’ – trigger password stealing functionality
- ‘Update’ – updates the bot
A potentially useful tidbit of information was found while reverse engineering the bot stub. While looking at an InternetOpenA API call associated with outbound activity, I noticed that a custom User-Agent “Aldi Bot FTW! :D” is used. It should be trivial to monitor for the presence of this string on the network.
push 10h ; dwFlags
push offset szProxyBypass ; lpszProxyBypass
push offset szProxyBypass ; lpszProxy
push 0 ; dwAccessType
push offset aAldiBotFtwD ; "Aldi Bot FTW! :D"
call InternetOpenA
If the wrong User-Agent is sent, then the back-end will not respond. On the wire a request to gate.php from an infected host looks similar to this (values are obscured for security)
Figure 2 – infected host reaching out to back-end at initial infection time
Once the source code for Aldi Bot was obtained, it was easy to find this function:
Figure 3 – Delphi source code indicates custom User-Agent
The back-end code that performs this checking was found with a datestamp from August 27, 2011 (the initial announcement for Aldi bot itself was apparently made one day later on an underground forum on August 28, 2011). The PHP code that performs the User-Agent checking is as follows:
function dnSOIAN0EWrU($XbJ41W11sYuW){
$XbJ41W11sYuW=str_replace(' ','',$XbJ41W11sYuW);
$XbJ41W11sYuW=str_replace('\x','',$XbJ41W11sYuW);
$XbJ41W11sYPW=pack('H*',$XbJ41W11sYuW);
return $XbJ41W11sYPW;
}
$_SERVER['HTTP_USER_AGENT']!=base64_decode(strrev(dnSOIAN0EWrU(strrev(substr('94320157587b6163524342633157
625c62585943514632514d3d3',-48))))) ? exit(): '';
While decoding what’s going on here would be an interesting exercise, it’s easier just to see what’s happening with a slight modification to echo the expected User-Agent string:
$ua = base64_decode(strrev(dnSOIAN0EWrU(strrev(substr('94320157587b6163524342633157
625c62585943514632514d3d3',-48)))));
echo "Expected User-Agent: [", $ua, "]";
Running the PHP code then displays the expected string:
$ php -f aldi.php
Expected User-Agent: [Aldi Bot FTW! :D]
Outbound traffic to the back-end “drop zone” will use an HTTP GET string that looks similar to this:
/gate.php?hwid=&pc=&localip=&winver=The value for the hwid parameter is uniquely calculated based on the systems hardware. The pc parameter is the PC’s name. The localip parameter is the local IP address of the system and winver is the version of windows installed, with x32 or x64 appended to match a 32 or 64 bit architecture.
When stolen data (only passwords at this time) is exfiltrated, a ‘&steal=’ parameter will be used in the URL that will also include the hwid value as such:
/gate.php?hwid=&steal=
The value passed in the steal parameter will be the type of credential and then the actual password values stolen from the system in the format of URL|User|Pass. Here is the back-end code responsible for storing the stolen credentials:
Figure 4 – PHP code handling stolen credentials
A quick google query as of 10/3/2011 with elements from the gate.php string reveals two obvious infections (both reported for takedown) – one Windows 7 and one Windows XP:
%EE%E9%EB%EC-PC&localip=192.168.123.100&winver=Windows%207%20Professional%20×32.
%20XP%20Professional%20×32.
The corresponding PHP back-end code:
//GET
$hwid = safe_xss($_GET['hwid']);
$localip = safe_xss($_GET['localip']);
$pc = safe_xss($_GET['pc']);
$winver = safe_xss($_GET['winver']);
This screenshot of bot statistics from one C&C shows that there were 239 bots online at one point, however only 8 bots were active, making this particular instance of the Aldi botnet very small. This could be due to reasonably good antivirus detection of the bot. The pie chart looks incorrect, however stats indicate that the Netherlands experienced the highest infection rate at 57.7% followed by the US with 10.5%.
Figure 5 – bot stats found on one C&C
While the Aldi Bot source code has since been obtained, at first we only had a binary copy. In that case, the Interactive Delphi Reconstructor (IDR) does a pretty nice analysis job. IDR worked better than IDA or DeDe when working with Aldi Bot.
Figure 6 – IDR analysis of back-end traffic generation
The default names of other Aldi bot back-end webapp components of interest (useful for network monitoring or probing on a C&C) include:
admin/inc
admin/inc/config.php
admin/inc/sess.php
admin/functions.php
admin/login.php
admin/pie.php
admin/index.php
admin/downlogs/
admin/img/aldi.gif
admin/js
admin/uploads/
geoip.php
index.php?id=stats
index.php?id=bots
index.php?id=bots&p=0
index.php?id=tasks
index.php?id=logs
index.php?id=upload
index.php?id=showlogs
index.php?logout
In addition to getting some value from watching for these patterns on the network, a review of back-ends indicates that sometimes certain folders such as admin/inc have directory indexing enabled which makes for an obvious C&C fingerprint.
Other indicators may include the following strings that have been seen in at least one Aldi Bot server-side install:
- “Aldi Bot – installed by till7”
- “StealData!” (from a misconfigured server)
The back-end login page looks like this:
As an example of the possible use for the “DownloadEx” function, a bit of poking at some active Aldi Bot campaign reveals the following:
1) Installation of yet another DDoS bot called Infinity Bot that has HTTP, ICMP, and TCP flooding capabilities.
2) Execution of the dScriptSt4r Anti-Virus Deleter, a simple batch file that tries to disable as many anti-virus applications as possible
3) Secure-Soft Stealer 5.20 that’s designed to steal credentials from the following applications:
- Trillian, Pidgin, Vitalwerks dynamic update client, DynDNS updater client, Steam, Opera, Firefox, Safari, jDownloader, Outlook, eMule, BulletProof FTP, Flash FXP, Miranda, Windows key, FileZilla, SmartFTP, MSN, ICQ, CoreFTP, and perhaps others.
Aldi Bot is just another in a long line of DDoS tools, however its inexpensive nature seems to have made it quickly popular. Underground forum posts praise its ability to perform effective DDoS attacks, which may have also contributed to the increase in popularity.
Figure 8 – Aldi Bot graphic from the back-end kit
References:
G Data: Botnets on discount:
http://blog.gdatasoftware.com/blog/article/botnets-on-discount.html
H-Online: Malware for everyone – Aldi Bot at a discount price
Aldi Bot – bka.de DDoS video:
Thanks to Arbor’s ASERT Team, Damballa and other anonymous contributors for additional data used in this analysis.
Popularity: 4% []
[...] Arbor SERT [...]