Threat Research

Darkness Still Lurks

By He Xu | June 19, 2014

Darkness, a.k.a. Optima, is a bot that majors in performing distributed denial-of-service (DDoS) attacks. This botnet is an old one that has been in the Russian cybercrime underground market for a long time. Since 2013, there has been no new update and so most variants are down. According to our botnet monitoring system's continued tracking, there is still one variant that has been active for almost one year. During this period, this DDoS bot has performed several attacks.

The sample we captured is without a packer, so we could see its code clearly. We could also see its hardcoded version number, which is 2.2+.

DarknessDDoSBot 1

Figure 1. Hardcoded version number.

In order to increase the difficulty for security researchers, the bot uses the Base64 algorithm to encode most of its strings, such as the path and preferred filename of its dropped copy, its registry entries, its command-and-control (C&C) server URL, and its command strings.

DarknessDDoSBot 2

Figure 2. Base64-encoded strings. Highlighted portion is .ahttp when decoded.

Dropped Copy and Registry Entries

Upon execution, the bot creates a folder named nightupdate under the user's Application Data folder then copies itself there. This copy uses the name svchost.exe, which is the same name as the system process that hosts multiple Windows services. This can make it hard for infected users to differentiate the bot process from normal processes.

It creates the following registry entry to make the dropped copy of the bot run automatically every time the infected user logs on.

  • key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • value: UpdateSvchost
  • data: "%AppData%\nightupdate\svchost.exe"

Furthermore, the bot creates the following registry entry to add itself to the Windows Firewall authorized application list so that its traffic is not blocked:

  • key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  • value: :*:Enabled:svchost
  • data: "%AppData%\nightupdate\svchost.exe"

The bot repeats all its registry operations every time the system boots up to make sure that it will always automatically execute and that it will be able to perform its network connection activities.

C&C Communication

After decoding its C&C server URL and other necessary strings, the bot begins its communication with the C&C. The figure below is a real example of the network traffic that we were able to catch. Here, we can see the status feedback received from the C&C server, which is the string ok after being Base64-decoded. If this string is received, the bot sleeps for 120,000 milliseconds then connects to the C&C server again.

DarknessDDoSBot 3

Figure 3. Status feedback ok received from the C&C server.

If the bot receives a task command from the C&C server, the traffic will be much longer. In the figure below, the C&C server sent the .stop 0; command, which resets all local environments to prepare for the next attack.

DarknessDDoSBot 4

Figure 4. .stop 0; command received from the C&C server.

The following is the full list of commands that this bot supports. It's very easy to understand the DDoS attacking methods based on these commands.

  • ok
  • .httpflood
  • .ahttpflood
  • .simplehttpflood
  • .posthttpflood
  • .slowposthttpflood
  • .synflood
  • .ontcpflood
  • .udpflood
  • .icmpflood
  • .stop
  • .update
  • .download

DDoS Attacks

While monitoring this bot, we were able to capture several .httpflood commands that were sent by the C&C. Below is an example of this.

DarknessDDoSBot 5

Figure 5. .httpflood command received from the C&C server.

The attacking HTTP traffic that resulted from this command looks like the following:

DarknessDDoSBot 6

Figure 6. DDoS traffic.

Compared with other major DDoS bots, this bot has a special feature; it could generate dynamic referer URLs to increase the difficulty in blocking its traffic.

DarknessDDoSBot 7

Figure 7. Random referer URLs.

The UserAgent string is randomly selected from the following list.

DarknessDDoSBot 8

Figure 8. UserAgent list.


Through our brief analysis of this active bot, we can now completely understand how it works. Our botnet monitoring system will continue to keep an eye on its activities. If it decides to update itself, we will be able respond and protect our customers right away.

Join the Discussion