Win32/DoS.OutFlare.A aims to bypass CloudFlare's anti-DDoS service

    CloudFlare is a popular CDN and website protection service that offers, among other things, faster page loading for end users and security features such as anti-DDoS protection. We discovered a malicious program, Win32/DoS.OutFlare.A, whose purpose is to bypass this protection in order to carry out DoS attacks on sites that sit behind CloudFlare. This post presents our analysis of Win32/DoS.OutFlare.A.



    The behaviour of the malicious code is not particularly remarkable. On start-up it tries to create the mutex Global\sad_day as a marker of its presence on the system. If that succeeds, it copies itself to the %APPDATA% directory, adds itself to autorun and restarts. OutFlare then launches a copy of the Internet Explorer process, iexplore.exe, in a suspended state and injects its payload into it.


    Fig. OutFlare performs its main tasks in separate threads.

    Before connecting to its C&C server, the malicious code runs three tests to measure the speed of its network connection using the public service www.speakeasy.net and stores the results in memory. It then connects to an IRC server on TCP port 9835 and joins the channel #main. At this point the bot is idle, waiting for commands from the server. Most of these commands relate to DoS attacks; one of them, "cf", is especially interesting: it is the command that implements the client-side bypass of CloudFlare's anti-DDoS check.


    Fig. List of commands supported by the bot.

    The CloudFlare service uses a particular method to prevent DDoS attacks. A client accessing a site protected by CloudFlare must first satisfy certain conditions that let the service confirm that the request is legitimate and comes from a user's browser. The service asks the browser to execute a piece of JavaScript that evaluates a mathematical expression; to the user, the CloudFlare check looks like the figure below.



    The page contains a POST form that will be used to send the answer to the server. Immediately below this form is a piece of JavaScript that evaluates the mathematical expression and submits the form.


    Fig. POST form of the HTTP request.


    Fig. Counting a mathematical expression.

    The user's web browser executes this JavaScript and issues an HTTP POST request that looks like the screenshot below. The response sent to the server contains the computed value of the mathematical expression.



    If the expression was evaluated correctly, CloudFlare responds by setting special cookies that confirm the client has passed the check. Presenting this cookie in subsequent requests during the same session causes CloudFlare to forward the request directly to the origin server, bypassing the check.



    Win32/DoS.OutFlare.A contains functionality designed to bypass this protection mechanism. It parses the source of the web page and searches for the relevant fragment of CloudFlare's JavaScript. Once the necessary parameters have been identified, the malicious code evaluates the mathematical expression itself and sends the result to the server to obtain the cookie it needs in order to carry out a DDoS attack against the real web server.


    Fig. Retrieving the expression to be evaluated.


    Fig. Calculation of expression.
