A Chinese drive-by attack was recently observed dropping an updated version of the Avzhan DDoS bot, according to Malwarebytes researchers.
The malware was first spotted in 2010. In a September 2010 blog post, Arbor Networks researchers noted its similarities to IMDDOS in installation procedure, bot-to-CnC communication protocol, location of the CnC servers and (possibly) the actual attack traffic. The similarities suggested that the two malware families shared a great deal of code, and that the IMDDOS family might have obtained the Avzhan source code and added the modifications needed to turn it into a more readily commercialized DDoS service.
Malwarebytes researchers said the most recent version of the bot is still fairly simple and has not changed much over the years, but it has gained additional obfuscation layers, and the outer layer now supplies the bot's configuration.
Researchers also identified a candidate for the function that actually unpacks and installs the payload.
Once running, the bot first connects to the CnC and sends a beacon containing information gathered about the victim system.
“The information gathered is detailed, containing processor features as well as the Internet speed. We saw this data being sent during the behavioral analysis,” Malwarebytes researchers said in the post. “After the successful beaconing, it deploys the main loop, where it listens for the commands from the CnC, parses them, and executes.”
Researchers went on to say that the bot's most important capabilities are the different DDoS attacks that can be launched remotely against any given target.
The loader first takes a hardcoded buffer and processes it, then searches the export table of the unpacked payload for a function named “StartupService”, and finally calls that function, passing it the payload. The process appears to be deobfuscation of the payload, followed by unpacking of its contents, before control is handed to the payload.
Researchers also noted anti-dumping tricks, such as not aligning the payload to the beginning of a memory page, so tools that expect a PE header at a page boundary can miss it.
“The relocation table and resources have been removed after use by the loader. This is why it is usually more reliable to dump the payload before it is mapped,” Malwarebytes researchers said. “However, some of the data inside the payload may also be filled on load. So if we don't dump both versions, we may possibly miss some information.”
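The two mechanics described above, resolving an export by name from a PE export table (what the loader does to find “StartupService”) and locating a payload that is not page-aligned inside a memory dump (what the analyst has to do to recover it), are small enough to show in working code. The following is an added example written for this page; it is not Malwarebytes' code and not taken from the Avzhan sample. The PE image and the “memory dump” it is embedded in are constructed inline: a minimal PE32 DLL exporting `Install` and `StartupService`, placed at the deliberately unaligned offset 0x1234 behind some filler bytes. The export names, the RVAs 0x300 and 0x340 and the DLL name `avz.dll` are all invented for the example.

```python
"""Find a PE image at an arbitrary (non page-aligned) offset in a dump and
resolve a named export, the way a loader locates "StartupService".
Added example for this article, not code from the Avzhan sample."""
import struct

def build_sample_pe():
    """Constructed minimal PE32 DLL. File alignment equals section alignment,
    so RVAs equal offsets in both the on-disk and the mapped form."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 1 section, optional header 0xE0 bytes, DLL flags
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = 0x58                                                   # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 0x1C, 0x10000000)          # ImageBase
    struct.pack_into("<II", img, opt + 0x20, 0x200, 0x200)       # Section/FileAlignment
    struct.pack_into("<II", img, opt + 0x38, 0x400, 0x200)       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 0x5C, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 0x60, 0x200, 0x70)        # export directory RVA, size
    # One section header (.edata) at RVA 0x200 == raw offset 0x200
    struct.pack_into("<8sIIIIIIHHI", img, 0x138, b".edata", 0x200, 0x200,
                     0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    # IMAGE_EXPORT_DIRECTORY: name RVA, ordinal base 1, 2 functions, 2 names, 3 tables
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0x260, 1, 2, 2,
                     0x228, 0x230, 0x238)
    struct.pack_into("<II", img, 0x228, 0x300, 0x340)            # AddressOfFunctions (invented RVAs)
    struct.pack_into("<II", img, 0x230, 0x240, 0x250)            # AddressOfNames
    struct.pack_into("<HH", img, 0x238, 0, 1)                    # AddressOfNameOrdinals
    img[0x240:0x248] = b"Install\0"
    img[0x250:0x25F] = b"StartupService\0"
    img[0x260:0x268] = b"avz.dll\0"
    return bytes(img)

def build_sample_dump():
    """Constructed stand-in for a process memory dump: filler, then the payload
    at offset 0x1234, deliberately off any 0x1000 page boundary."""
    filler = bytes((i * 37 + 11) & 0xFF for i in range(0x1234))
    return filler + build_sample_pe() + b"\0" * 0x100

def find_pe_images(dump):
    """Return every offset holding a plausible MZ/PE header pair. Every "MZ" is
    checked, not just page-aligned ones, because an unaligned payload is
    exactly what a page-stepping dumper misses."""
    found = []
    pos = dump.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(dump):
            e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if (0x40 <= e_lfanew <= 0x1000 and nt + 0x18 <= len(dump)
                    and dump[nt:nt + 4] == b"PE\0\0"):
                found.append(pos)
        pos = dump.find(b"MZ", pos + 1)
    return found

def rva_to_offset(img, rva, mapped):
    """Mapped image (dumped after the loader laid it out): RVA == offset.
    On-disk image (dumped before mapping): translate through the section table."""
    if mapped:
        return rva
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    nsec = struct.unpack_from("<H", img, nt + 6)[0]
    opt_size = struct.unpack_from("<H", img, nt + 20)[0]
    sec = nt + 24 + opt_size
    for i in range(nsec):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", img, sec + i * 40 + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    return rva                                   # inside the headers: not moved by mapping

def resolve_export(img, name, mapped=False):
    """Return the RVA of export `name`, or None. Walks the export directory the
    same way a loader does before calling the function by its resolved address.
    Forwarded exports (RVA inside the export directory) are not followed here."""
    nt = struct.unpack_from("<I", img, 0x3C)[0]
    magic = struct.unpack_from("<H", img, nt + 24)[0]
    dd = nt + 24 + (0x60 if magic == 0x10B else 0x70)       # DataDirectory[0] for PE32 / PE32+
    exp_rva = struct.unpack_from("<I", img, dd)[0]
    if exp_rva == 0:
        return None
    exp = rva_to_offset(img, exp_rva, mapped)
    n_names, func_rva, names_rva, ords_rva = struct.unpack_from("<IIII", img, exp + 24)
    funcs = rva_to_offset(img, func_rva, mapped)
    names = rva_to_offset(img, names_rva, mapped)
    ords = rva_to_offset(img, ords_rva, mapped)
    target = name.encode()
    for i in range(n_names):
        name_off = rva_to_offset(img, struct.unpack_from("<I", img, names + 4 * i)[0], mapped)
        if img[name_off:img.index(b"\0", name_off)] == target:
            ordinal = struct.unpack_from("<H", img, ords + 2 * i)[0]   # unbiased index
            return struct.unpack_from("<I", img, funcs + 4 * ordinal)[0]
    return None

def demo():
    """Scan the constructed dump and resolve StartupService in each image found."""
    dump = build_sample_dump()
    return {base: resolve_export(dump[base:], "StartupService", mapped=True)
            for base in find_pe_images(dump)}

if __name__ == "__main__":
    for base, rva in demo().items():
        print(f"PE image at dump offset {base:#x}: StartupService RVA {rva:#x}")
```

The `mapped` flag is the practical counterpart of the dumping caveat quoted above: a payload captured after the loader has mapped it is already laid out by section alignment, so RVAs are used directly, whereas a copy captured before mapping has to go through the section table. Running both copies through `resolve_export` is a quick way to confirm that the export table survived in each.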