Recently guys from Arbor networks and Trend micro published very good analysis about a new DDOS botnet being dubbed as Avzhan. This name was taken from one of the callback domain, avzhan1.332.org, being used by this botnet. Surprisingly callback domains like avzhan1.332.org and avzhan.332.org are not something new. These domains are being used by another DDOS malware since 2008 and 2009. In FireEye these malware are recognized as DDOS.DATCK and DDOS.BYCC. Is Avzhan DATCK'S new variant? My curiosity sets in.
DATCK/BYCC binaries comparison with known Avzhan samples revealed many interesting facts. Although on many places code patterns for older DATCK/BYCC looked quite different from Avzhan but there were some definite code and design similarities showing a possible connection between these two malware. But this was not the end, as during this process, I found out that AVzhan also looks alike another known DDOS botnet Storm.DDOS.
Note: Storm.DDOS name was chosen due to interesting user agent strings being used by different variants of this malware like STORMDDOS, YTDDOS, kav, IMDDOS, "i am ddos" etc.
In order to do an in depth analysis, I loaded all of these malware in my lab's VMs. As expected none of them tried to detect VM environment or even debugger presence.
Here are some of the similarities found during my analysis:
AVZhan vs DATCK/BYCC
Self delete routine in both AVZhan and BTTCK/BYCC looks almost identical.
AVZhan vs Storm.DDOS
There are lots of code similarity between AVzhan and Storm.DDOs. One such example is HTTP headers being used by both malware for HTTP flooding.
Some of the fake HTTP headers being used by both malware are so unique that this similarity can't be a fluke.
like as shown above:
"GET %s HTTP/1.1\r\nContent-Type: text/html\r\nHost: %s\r\nAccept: text/html, */*\r\nUser-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)\r\n\r\n"
I am pretty sure that these DDOS malware DATCK/BYCC, AVzhan and Storm.DDos are being maintained and developed by the same group of people. It's the same code base which evolved into different malware flavors but all of them are following the same design principals. No doubt, this all resulted into different looking malware from outside but similar from inside. Similarities between callback domains also shows that DDOS services being offered by bot herders behind is not something very new, they are into this business since 2008 at least.
How widespread are these malware? Based on data from FireEye's MAX cloud, I can confirm that these malware are still growing in popularity and their prevalence in the wild is much less than other famous DDOS botnets. Moreover from the code and design analysis its quite evident that these malware are not very sophisticated in nature when compared to other DDOS malware like ones created out of BlackEnergy toolkit.
In my next article, I would dig more into similarities between these malware, their CnC protocols, Command sets and DDOS architecture etc.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Detailed Questions/Comments : research SHIFT-2 fireeye DOT COM
Excellent article, as always Atif. I really appreciate all the hard work and excellent analysis you and your team at FireEye provide for us all on a consistent basis. Small typo on the callback domain “avzhan1.332.org” I think, did you mean “avzhan1.3322.org”?