Welcome!

If everyone is thinking the same, someone isn't thinking

Lori MacVittie

Subscribe to Lori MacVittie: eMailAlertsEmail Alerts
Get Lori MacVittie via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Related Topics: Married to Chocolate

Blog Feed Post

F5 Threat Analysis: It's a mad, mad, mad, mad ... bot

Madness. It's an aptly named bot, as it's likely to evoke just that reaction in those who find it lurking in their systems or at whom its sets it sights.

confidence-app-layer-attack

A disturbing trend illustrated by the focus of our latest threat analysis is the increase in attention being paid to application layer attacks. Not just directly, but also as part of larger volumetric attacks. Increasingly application layer attacks are seen as part of a larger attack that takes advantage of volumetric network DDoS techniques as a "smokescreen" to hide their real intent. A 2014 Neustar report found that 55% of DDoS attack victims experienced application layer attacks at the same time that successfully deposited malware (over 50%) or exfiltrated customer data (26% of victims). While the focus of our analysis today, Madness, appears to be solely concerned with Denial of Service and not intended or capable of perpetrating attacks designed to exfiltrate or corrupt customer or corporate data, its increasing capabilities at layer 7 are indicative of a general trend toward attacks on applications rather than the network. 

That's the  bad news.

The good news is that organizations overwhelming feel confident in their ability to withstand such attacks; our State of Application Delivery 2015 survey found that 92% of customers were confident to very confident they were ready and able to handle such attacks. Given that a majority protect all three attack surfaces "all the time", this confidence is likely warranted.

But as complacency is as dangerous to security as complexity, it's always a good idea to know thine enemy - particularly with respect to what weapons their arsenals contain.

With that proverbial advice in mind, let's get a quick look at Madness, shall we?

 

threat-analysis-madnessMadness is, according to its authors, a superior successor to notorious DDoS malware families “BlackEnergy”, “gbot”, “DirtJumper”, “Darkness Optima”, “iBot” and “w3Bot”. 

Though the bot employs standard persistency techniques its attacks show an increasing level of sophistication. In terms of the former it employs a fairly traditional Marco Polo technique of constantly polling for the existence of specific registry keys that, if found to be missing, will be added again. 

On the attack front, however, Madness displays a growing awareness of the richer attack surfaces at layer 7 (application). While supporting traditional network-based DoS capabilities, Madness also offers a number of application layer attacks with growing detection evasion options. Madness' HTTP flood options can be categorized into low-level and high-level attacks. Low-level attacks allow the attacker to control all aspects of the HTTP request. By enabling complete control over the request, attackers can better construct requests that can bypass many DDoS protection mechanisms. Higher-level attacks provide automatic handling of all protocol level concerns such as request construction, TCP connection management, caching, cookies and even redirections. 

Madness adds an interest twist to traditional HTTP GET flood attack by adding a slight delay in between the initial GET request and the completion of the request as indicated by the standard carriage return-line feed combination ("\r\n").  As this version of the attack does not include many of the traditional HTTP request headers - it comprises only the Host header - attacks from Madness using this attack should be fairly easy to detect.

 

Our Security Research Team, which is dedicated to performing research of DDoS, web, mobile and malware threats, has put together a comprehensive analysis of Madness. You can get the full report here, which includes details on:

  1. Persistency techniques
  2. C&C methods
  3. Attack types and capabilities
  4. Mitigation guidance

They've also penned a technical blog detailing their analysis.

Stay safe out there!

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.