White hats publish DDoS hijacking manual, turn tables on attackers
(Dan Goodin) Turning the tables on miscreants who paralyze websites with torrents of junk data, security researchers have published a detailed manual that shows how to neutralize some of the Internet’s most popular denial-of-service tools.
The do-it-yourself how-to provides instructions that even hacking novices can follow to exploit critical vulnerabilities in “Dirt Jumper,” a family of tools used to wage the crippling denial-of-service attacks. By targeting SQL injection flaws in the software—which is sold for thousands of dollars in underground forums—counter-attackers can commandeer the master control servers used to distribute commands to large numbers of infected computers, which act as foot soldiers in such attacks. The manual was published on Tuesday by researchers with DDoS mitigation provider Prolexic.
“The authors of this malware overlooked security for critical portions of its toolkits,” the Prolexic researchers wrote in the report, which can be downloaded here, after completing the Web form at the right side of the page. “The weakest link within this malware family is the insecure coding practices used in the creation of the C&C panels. They are simple PHP/MySQL scripts that are pieced together to manage the infected bots.”
A handful of command-line strings, the open-source penetration-testing tool SQLMap, and knowledge of a command server’s location are pretty much all that’s required to gain access to its back-end database and server-side configuration files. Compromise of the server’s Web application can then be used to perform a DIY downing of the host server. Take for instance the following command:
./sqlmap.py --level=5 --risk=3 -u "http://www.evilsite.com/dj5/" -p k --data="k=" --technique=t --dbms=mysql --file-read="/var/www/html/evilsite.com/djv5/config.php"
It triggers a SQL-injection vulnerability in Dirt Jumper that dumps the name of the configuration file for the underlying server, as shown in the following screenshot:
Armed with the file name, vigilantes, rival bot masters, and just about anyone else can use SQLMap to download the file, as shown in the next screenshot:
And as demonstrated below, the configuration file contains all the account credentials needed to take full control of the C&C. With this information, it’s game over.
It remains unclear just how easy it is to locate the server address of a Dirt Jumper C&C, although it wouldn’t be surprising if the software transmits a unique signature that can be detected using port-scanning software or other tools. What’s more, using pilfered credentials to access someone else’s account may be illegal, depending on where the hacker and DDoS server are located. Readers are encouraged to seek competent legal advice before trying any of the techniques described here.
It’s not the first time white hat hackers have identified crippling holes in blackhat software tools. In 2010, security researcher Billy Rios devised a script that exploited vulnerabilities in the ZeuS crimeware kit, a feat that allowed him to hijack the servers that fed commands and updates to hundreds of thousands of infected computers.
The manual comes as DoS attacks have surged 82 percent since June 2011, according to a recent report by Arbor Networks. DDoSers kept radical transparency website WikiLeaks offline for 10 days, and BitTorrent tracker Demonoid was also out of commission thanks to the attack technique.
Prolexic said the attacks can be wielded by rival malicious actors, researchers, DDoS victims, law enforcement agents, and “any other interested party in possession of a C&C identity.” The attacks work against a variety of variants in the Dirt Jumper family, which Prolexic says is among the most popular DDoS attack tools on the market today. The vulnerabilities stem from amateur coding mistakes made by the Dirt Jumper developers. Witness, for example, the lack of “input sanitization” in the mysql_query function of the following PHP code:
<?php
$ip=$_POST['k'];                      // taken straight from the request body, never validated or escaped
$ip2=$_SERVER['REMOTE_ADDR'];
$time=time();
mysql_query(" INSERT INTO `n` (`ip`,`n`)VALUES('$ip2','$time') ") or die("Error");
mysql_query(" INSERT INTO `td` (`ip`,`ip2`,`time`)VALUES('$ip','$ip2','$time')");   // $ip is interpolated directly into the SQL string
include "img.gif";
?>
The omission is present even in Pandora, the newest member of the Dirt Jumper family. Pandora, which boasts new functionality that makes DDoS attacks more powerful, was recently used against security journalist Brian Krebs’s KrebsOnSecurity site. One ad for the new tool claims that it needs just 10 infected computers to bring down an unhardened site, or just 1,000 bots to slow response times for Russia’s most popular search engine. The previously reported attack on the Krebs site consisted of “several hundred systems repeatedly requesting image-heavy pages.”
In addition to a failure to clean up malicious SQL commands, Pandora contains coding errors that cause infected machines to send broken HTTP requests to C&C servers. We’re guessing many of these bugs will be fixed, but it may take a while for DDoS users to apply a patch.
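As an added illustration (not code from the Prolexic report or from Dirt Jumper itself), the unsanitized INSERT from the PHP fragment quoted above is rebuilt below as a function beside a parameterized version, run through PDO against an in-memory SQLite database so it works without a MySQL server. The `td` table and its column names come from the quoted fragment; the column types, the constructed request values, and the names `insertVulnerable`, `insertSafe` and `firstRow` are assumptions. The constructed `k` value closes the string literal and supplies its own `ip2` and `time` columns, so with the interpolated query the stored `ip2` becomes whatever the sender chose rather than the real `REMOTE_ADDR`, while the prepared statement stores the whole payload as inert text in `ip` and keeps the genuine address in `ip2`.

```php
<?php
// Added example: string-interpolated INSERT (the panel's pattern) next to a
// parameterized INSERT, both against an in-memory SQLite database via PDO.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Table and column names follow the quoted fragment; types are assumed.
    $db->exec('CREATE TABLE td (ip TEXT, ip2 TEXT, time INTEGER)');
    return $db;
}

// Same shape as the panel code: the request value $k is pasted into the SQL
// text, so anything containing a quote changes the statement itself.
function insertVulnerable(PDO $db, string $k, string $remote, int $time): void {
    $db->exec("INSERT INTO `td` (`ip`,`ip2`,`time`) VALUES('$k','$remote','$time')");
}

// Hardened form: the SQL text is fixed at prepare time and every value
// travels as a bound parameter, so it can only ever be data.
function insertSafe(PDO $db, string $k, string $remote, int $time): void {
    $stmt = $db->prepare('INSERT INTO td (ip, ip2, time) VALUES (:ip, :ip2, :time)');
    $stmt->execute([':ip' => $k, ':ip2' => $remote, ':time' => $time]);
}

function firstRow(PDO $db): array {
    return $db->query('SELECT ip, ip2, time FROM td')->fetch(PDO::FETCH_ASSOC);
}

// Constructed request values (not captured traffic): $payload terminates the
// string literal, supplies its own ip2/time, and comments out the remainder.
$payload = "x','spoofed','0') -- ";
$remote  = '10.0.0.5';          // stands in for $_SERVER['REMOTE_ADDR']
$now     = 1700000000;          // stands in for time()

$db = makeDb();
insertVulnerable($db, $payload, $remote, $now);
$row = firstRow($db);
printf("interpolated: ip=%s ip2=%s time=%s\n", $row['ip'], $row['ip2'], $row['time']);

$db = makeDb();
insertSafe($db, $payload, $remote, $now);
$row = firstRow($db);
printf("parameterized: ip=%s ip2=%s time=%s\n", $row['ip'], $row['ip2'], $row['time']);
```

Running it requires PHP with the `pdo_sqlite` extension. Parameterization removes the whole class of bug rather than one payload, which is why it is the fix rather than per-field escaping; separately, the file-read step described earlier depends on the MySQL account used by the panel having the FILE privilege, and a database account that only needs to INSERT and SELECT should not hold it.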