Threat Research

DDoS-for-Hire Service Powered by Bushido Botnet

By Rommel Joven and Evgeny Ananin | October 26, 2018

Distributed Denial-of-Service (DDoS) service offerings, often disguised as legitimate “booter” or “stresser” services, continue to increase in the cyber underground market. This relatively new Crime-as-a-Service trend has created an entry point for novice DDoS attackers, offering a simple option to anonymously attack nearly any website and forcing it offline for a small fee.

Sadly, due to the public release of the source code of some popular bots, building a botnet to provide these services is simpler than ever. A quick Google search returns lists of resources for botnet builders, usually with complete step-by-step instructions. Being able to re-use and even modify the source code has enabled cyber criminals to create their own versions that implement new functionalities.

NOTE: If you would like more information regarding the re-use of the Mirai code and its effect on the development of others botnets, you are most welcome to attend our talk entitled “Mirai: Beyond the Aftermath” at the Botconf 2018. This will be held alongside other great talks on December 4-8, 2018 at Toulouse, France. 

Ox-booter

During our regular monitoring, the FortiGuard Labs team recently discovered a new platform offering DDoS-for-hire service called “0x-booter.” First appearing on October 17, 2018, 0x-booter is available to anyone who signs up on the website. As shown in the following figures, this service comes with an explicitly defined user interface which enables practically anyone to learn and use the service.

Fig 1. 0x-booter Facebook post

Once logged in, a dashboard is displayed showing profile information, navigation to other functions, a summary of attack data, and the botnet details. The 0x-booter Facebook post advertises over 500 gbps of power and 20,000 bots. To put that in perspective, the DDoS attack on the website KrebsOnSecurity peaked at 620 Gbps and was able to take it offline. Which means that 500 Gbps traffic size would be more than enough to force most websites offline. At the time of our analysis, we didn’t get the same data as advertised in the developer’s Facebook post. Our network speed was 424.825 GB/s and only 16,993 bots were connected. However, that is still more than adequate in most cases.

Fig 2. 0x-booter dashboard

Like any other DDoS-for-hire, initiating a DDoS attack is made through a web user interface, which is avoids the need for direct contact between the user and the bot master. In the attack hub interface, as shown below, the details of the host or domain, port, attack duration, and the type of attack can all be configured before launching an attack.

Fig 3. Attack hub

The following attacks are available. DDoS attacks are primarily targeted at layer 4 and layer 7 of the OSI model, which are the Transport and Application layers.

Fig 4. Attack options

Prices for 0x-booter service range from $20 to $150, depending on the number of attacks, the duration of an attack, and customer support. In today’s current cybercrime economy, a few dollars combined with malicious intent can be translates to considerable damage to virtually any target.

Fig 5. Subscription fee

What's in the Server?

The author uses Uptime Robot to monitor the status of not only the 0x-booter website, but also other servers such as Loading, Mirai, and Scanning servers. Below are the details for the past seven days prior to writing this blog. While the site had some hiccups on October 23, most days it was 100% online. 

Fig 6. Uptime of servers

After further analysis of the website, we were able to uncover two interesting JSON files at:

typeattack.php – this file contains a list of every available DDoS method with its corresponding value of conducted attacks

dateattack.php – this file contains a list of dates with the corresponding number of all attack methods conducted per day

If the files are to be believed, more than 300 attacks have been launched from this site since its servers first came online on Oct 14th. 

Fig 7. Number of attacks

Bushido Botnet

Sample: 1e16db506c1b8376f8998907d75a4353c798530889224e5cfa8b21a36561a21f

As confirmed in our analysis, Bushido is indeed the driving botnet behind the 0x-booter DDoS-for-hire service. We spotted this particular botnet last September 17, 2018, and our initial findings were that it was just a modification of the Mirai botnet. And after only a month in operation, it now being used as a DDoS-for-hire service and being monetized through 0x-booter.

Fig 8. First discovery of bushido botnet

With the help of our honeypot, we were able to collect new download URLs with new samples, but subsequent analysis showed they were only re-hashed samples without drastic changes from the original. From the download URLs we collected, three are from Russia and one is a compromised website by ZullSec.

Fig 9. Bushido botnet download URLs

Aside from offering DDoS-for-hire service, the entity behind ZullSec has also compromised a website and currently uses it to host malware. 

Fig 10. Compromised website by Zull

Some of the key differences between the original Mirai and Bushido code include:

1) The Bushido botnet uses a different set of username and password combinations. This enables it to target other vulnerable devices that aren’t impacted by Mirai.

Fig 11. List of username and password

2) Adding of exploits had been commonly used by Mirai variants to target more devices. Bushido does the same way by including the following:

Vulnerability

Affected Device

CVE-2018-10561

 

Dasan GPON routers

CVE-2017-17215

 

Huawei HG532

CVE-2014-8361

 

Devices using the Realtek SDK with the miniigd daemon

Eir WAN Side Remote Command Injection

D1000 Wireless Router

      Table 1. List of vulnerabilities

 

3) The Xor Key seed used to decrypt the configuration table is different. Mirai’s is 0xDEADBEEF and Bushido’s is 0xBAADF00D.

4) The function killer_kill_by_port from Mirai’s source code checks which PIDs are behind the services by listening to specific ports and then terminating them. Mirai only checks on ports 22, 23, and 80, while Bushido checks 29 different ports.

Fig 12. List of ports

 

5) Mirai has 10 defined attack options and Bushido has 13. Listed below are the new DDoS methods implemented in Bushido.

    attack_app_cfnull – An undefined function of this attack can be seen in Mirai. Similar to a GET/POST flood, it is designed to send a large payload     of junk, resulting in its consuming the target’s server resources.

    attack_method_std – This function consists of sending packets to a target with a randomized payload of 1024 bytes.

    attack_method_tcpxmas – This function is also referred to as All TCP Flags Flood and Christmas tree packet. As the name implies, it sends TCP     packets with every single flag set, which causes the target to consume more computing power and thereby saturating bandwidth.

Further investigation shows that the Owari botnet—also considered to be a Mirai variant—had it source code leaked, and it also contained these new DDoS methods.

*number of attacks coincides with the attacks mentioned in the 0x-booter website in Fig 04

Fig 13. Mirai and bushido attack options

 

6) Bushido kills the following process names of known bots to make sure it’s the only one running in the infected device:

pkill -9 X19I239124UIU; pkill -9 BA8Ca; pkill -9 NiGGeR69xd; pkill -9 1337SoraLOADER; pkill -9 dvrHelper; pkill -9 NiGGeRd0nks1337; pkill -9 X19I239124UIU; pkill -9 IuYgujeIqn; pkill -9 14Fa; pkill -9 ccAD; pkill -9 BOGOMIPS; pkill -9 g1abc4dmo35hnp2lie0kjf; pkill -9 PRIVMSG; pkill -9 GETLOCALIP; pkill -9 KILLATTK; pkill -9 Eats8; pkill -9 v[0v; pkill -9 93OfjHZ2z; pkill -9 WsGA4@F6F; pkill -9 ACDB; pkill -9 AbAd; pkill -9 iaGv; pkill -9 BzSxLxBxeY;

Copy-paste botnet, copy-paste website

After analysing both the website and the botnet, we discovered that the codes used have been copy-pasted from an open source and modified for their own purposes. In fact, the 0x-booter website was based on another booter/ stresser called Ninjaboot, the source code of which was leaked in hacking forums last year. Even though the Bushido botnet has its own name, it still borrows a lot of its code from Mirai and is still considered a fork of Mirai.

Conclusion

The Bushido botnet proves that simple modifications made to the Mirai code can sustain a marketable DDoS-for-Hire service structure. With just a few clicks, a few dollars, and a little knowledge about botnets, would-be cyber criminals can get their hands on massive botnets and cause great damage.

Solution

Fortinet detects the sample as Linux/Mirai.B!tr and Linux/Mirai.BR!tr

Fortinet Web Filter service blocks all of the malicious URLs of the Bushido botnet.

Attacks mentioned are covered by the following IPS signatures:

Dasan.GPON.Remote.Code.Execution

Huawei.HG532.Remote.Code.Execution

D-Link.Realtek.SDK.Miniigd.UPnP.SOAP.Command.Execution

Eir.D1000.Modem.CWMP.Command.Injection

-=FortiGuard Lion Team=-

IOC

1e16db506c1b8376f8998907d75a4353c798530889224e5cfa8b21a36561a21f - Linux/Mirai.B!tr

cd9d823b0f1ce2cf7b89d3a705d1b28f7c7874dbf0409a9111220cf42e94bcb4 - Linux/Mirai.BR!tr

Download URLs:

176.32.33.123/vi/<architecture>.bushido  

46.29.163.168/vi/<architecture>.bushido

46.17.43.229/vi/<architecture>.bushido

194.36.173.4/vi/<architecture>.bushido

194.36.173.4/exploit/<architecture>.exploit

 

Download our latest Fortinet Global Threat Landscape Report to find out more detail about recent threat landscape trends.

Sign up for our weekly FortiGuard Threat Brief.

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.