Join Us for Zenith Live 2019 Learn More
Join Us for Zenith Live 2019 Learn More

Sieren: A new DoS bot

By: Rajdeepsinh Dodia

Sieren: A new DoS bot

Zscaler ThreatLabZ recently discovered a new DoS family bot named Sieren. A denial-of-service (DoS) attack is a cyber-attack in which cybercriminals disrupt the service of a host connected to the internet, either temporarily or indefinitely, to its intended users. In this analysis, we'll describe Sieren's functionality and communication, its 10 DoS methods, its bot commands, and its IoCs.

Functionality

Sieren is capable of performing HTTP, HTTPS, and UDP flooding on any web server location as instructed by the command-and-control (C&C) server.

  • HTTP flood
  • HTTPS flood
  • UDP flood

Network communication

Sieren starts communication with the server by sending system information.

Data is separated by the “&” symbol.

  1. ping
  2. User Name
  3. Machine Name
  4. OS version
  5. Processor architecture (If 32 bit then 0 else 1)
  6. MD5 of the above data

In response, the C&C server sends a target URL for performing a DoS attack. Data is separated by the “&” symbol.

  1. pong
  2. 60: used for sleep (60 * 1000 millisecond)
  3. Task_ID = 260
  4. Method = 2
  5. Target = https://deti-online.com/
  6. Type = GET
  7. Threads = 100
  8. Sleep = 100
  9. Port = 0
  10. Sockets = 0 (number of sockets)
  11. Size = 0 (size of data sent through packet during Dos)
  12. CreatedAT = Timestamp
  13. Data = Empty (data sent through packet during DoS)

The malware is capable of performing a DoS attack against the target URL using different methods. The variant we analyzed has 10 methods supported for flooding, and it chooses the method based on data received from the C&C server.

In the above instance, we saw that a Russian education material website (https://deti-online[.]com) was the intended target for this bot. We also identified other locations, such as forum.exlpoit[.]in and x3p0[.]xyz, as the DoS targets from the C&C server during our analysis.

The Sieren bot selects the DoS method based on data received from the C&C server. Below are the parameters used in these methods:

 

Method

Task_ID

Target

Type(GET/POST)

No. of threads

Sleep

Data

No. of Sockets

Port

Size of data

1

Yes

Yes

Yes

Yes

Yes

       

2

Yes

Yes

Yes

 

Yes

       

3

Yes

Yes

Yes

           

4

Yes

Yes

   

Yes

Yes

     

5

Yes

Yes

   

Yes

       

6

Yes

Yes

       

Yes

Yes

 

7

Yes

Yes

       

Yes

Yes

 

8

Yes

Yes

       

Yes

Yes

Yes

9

Yes

Yes

         

Yes

Yes

10

Yes

Yes

         

Yes

Yes

 

The C&C server can specify the port, data, sleep time, sockets, and size of packets that will be used during flooding.

During flooding, a user agent is selected randomly from a predefined list, as shown below.

DoS methods supported by Sieren

Method 1:

In this method, the malware first gets the cookies for the target URL using InternetGetCookieEx and uses them in the HTTP header when generating flood requests. Based on the protocol (HTTP/HTTPS) and method (POST/GET), it starts sending multiple requests to the target URL.

The below screenshot contains code for generating the header part.

The below screenshot contains the HTTP flooding code:

The below screenshot contains the HTTPS flooding code:

Method 2:

The malware creates 50 sockets and sends 50 HTTP requests before executing a sleep command with the value supplied by the C&C server. It will repeat this process until taskID is active.

Method 3:

This method is similar to method 2, but the bot won’t sleep after every 50 requests.

Method 4:

In this method, the bot will use data supplied by the C&C server in the flood requests to the target URL.

Method 5:

In this method, the bot will also accept a response during the flooding of the target URL, after which it will sleep for 100 seconds. Then it again starts sending flood requests to the target URL.

Method 6:

This method is called when the number of sockets and port is specified by the C&C server. In this method, the bot will not send HTTP or HTTPS flood requests; instead, it opens multiple sockets for the target URL in an attempt to exhaust web server-side resources. It repeatedly closes and opens additional sockets to the target URL until taskID remains active.

Method 7:

This method is identical to Method 6 and appears to be a placeholder for a future update.

Method 8:

In this method, the bot will receive arguments such as the size of random data, number of sockets, and port information from the C&C server. The bot will generate random data based on specified size, open multiple sockets, and flood the target URL with the randomly generated data.

Method 9:

In this method, the C&C server will supply the size of random data and port information. The bot will generate random data and flood the target URL on the specified port.

Method 10:

This method is used for UDP-based flooding. The bot will send random data using the UDP protocol, and it sets the TTL (time to live) value between 220 and 225 for these packets.

The bot will stop performing flood requests once the C&C server stops sending additional commands.

Sieren bot commands:

Other than the DoS feature-related methods, the malware has three additional commands.

  • “dlexec”: Download payload from the URL given by the C&C server and execute it.
  • “update”: Download the updated version and execute it. It also deletes itself using the cmd process.
  • “Uninstall”: Deletes itself using the cmd process.

Indicators of Compromise:

MD5

320A600147693B3D135ED453FAC42E82

URL

cx93835[.]tmweb.ru/rrljw91zqd.exe

burgerkingfanbase[.]net/great.php

 




Suggested Blogs