RSA Admin

Detecting Webflood DDoS Kazy Variant

Blog Post created by RSA Admin Employee on Feb 13, 2014

As a followup to this previous post about detecting Distributed Denial of Service Malware, FirstWatch wanted to share a way to reliably detect a Kazy Variant that engages in DDoS attacks against webservers. 

 

Malware that uses an internal host to launch Denial of Service attacks outbound could have a big impact on an Enterprise.  First, it floods the Enterprise’s own infrastructure with connection attempts, and while an infected host is DDoSing an internet site, it is also degrading the Enterprise’s network performance.  Secondly, if the attack is successful at getting outbound past the Enterprise firewalls, proxies, and other control systems, such an attack could expose an Enterprise to legal liabilities, and public relations problems. There are many network monitoring services that would alert to such an infection, but this is how it looks in Security Analytics and how to detect it.

 

This first screenshot shows that we have an alert rule to detect this specific web flooding attack. Note that there are several internal infected IP addresses that have engaged in this behavior.  Most of these hosts have been infected with different variants of malware, but the outbound webfloods follow a specific pattern.


78564

The pattern is easier to spot by looking at the filenames.  Each filename lacks an extension, and is dynamically generated by the malware. Each attack also targets the root directory of the victim webservers.  Additionally, the malware uses forged User-Agent strings, however, each user-agent string makes it appear to be originating from a FireFox 3 browser. Finally, the malware targets the destination IP address directly, choosing not to use its DNS or Alias.Host name.


78565

Given these specific characteristics, a good rule to detect these outbound webfloods would be:

 

risk.suspicious='direct to ip http request' && directory='/' && filename length 6 && filename !='<none>'

 

You could also modify this rule to be firefox 3 specific, but should the malware adopt a new UA-String generator, the rule wouldn’t fire. 


One variant of an infector piece of malware is located here at VirusTotal.  It is four months old and is largely identified as Kazy. The infected host in our sandbox also engaged in a Penny Stock Spam campaign.  The HTTP connections are all WebFlood DDoS, but the outbound Spam sessions outnumbered the WebFlood.  See the screenshot below.

 

78566

A sample spam email is shown below:

 

78567

 

The FirstWatch Malicious UA Strings feed was updated with the top UA strings that engaged in this attack.  That feed is available here, and will soon be available via Live Subscription.

 

Good luck in hunting for DDoS malware.  As always, feedback is appreciated!

Outcomes