{"id":15608,"date":"2012-04-19T13:30:10","date_gmt":"2012-04-19T20:30:10","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=15608"},"modified":"2025-05-29T03:37:56","modified_gmt":"2025-05-29T10:37:56","slug":"digging-into-the-nitol-ddos-botnet","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/digging-into-the-nitol-ddos-botnet\/","title":{"rendered":"Digging Into the Nitol DDoS Botnet"},"content":{"rendered":"

Nitol is a distributed denial of service (DDoS) botnet that seems to be small and not widely known. It mostly operates in China. McAfee Labs recently analyzed a few samples; we offer here the communications protocol and the Trojan\u2019s capabilities.<\/p>\n

Most of the samples we encountered were not packed and were very easy to reverse engineer. The Trojan was written in Visual C++ either in a hurry or by an untrained programmer. We found a lot of bugs in the code.<\/p>\n

Nitol copies itself to a random filename ******.exe (where every * is a randomized alphabet character) in the Program Files directory. The new file is registered as a service, “MSUpdqteeee,” with the display name \u201cMicrosoft Windows Uqdatehwh Service.\u201d<\/p>\n

Bot Activities<\/strong><\/h2>\n

After installation, the malware connects to its command server (we found between one and three hardcoded addresses per sample) using a TCP socket and sends a digest of the victim\u2019s computer information.<\/p>\n

Both incoming and outgoing packets are 1082 bytes long (including TCP\/IP headers, 1028 bytes of raw data) without regard to the actual size of the data.<\/p>\n

\"\"<\/a><\/p>\n

The transmission to the server can be described by the following structure:<\/p>\n

typedef struct _ComputerInfo{<\/p>\n

DWORD Command; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/\/ Always “1” Computer Info.<\/p>\n

char LocaleLanguage[0x40];<\/p>\n

char ComputerName[0x80];<\/p>\n

char WindowsVersion[0x40];<\/p>\n

char PhysicalMemorySize[0x20];<\/p>\n

char CPU_Speed[0x20];<\/p>\n

char Ndis_Version[0x20];<\/p>\n

}ComputerInfo;<\/p>\n

It appears this information is used mainly to get an\u00a0estimation\u00a0of the botnet’s power and diversity. The data can be used to decide what type of DDoS tasks to give this specific bot. However, this is not enough information for the server to decide whether\u00a0the bot is running on a virtual machine or is\u00a0being debugged.<\/p>\n

After receiving the information, the command server usually returns a command and parameters.<\/p>\n

Possible commands:<\/p>\n

enum commands{<\/p>\n

GenericFlood = 2,<\/p>\n

HTTPFlood = 3,<\/p>\n

RawDataFlood = 4,<\/p>\n

StopRunning = 5,<\/p>\n

UninstallAndDie = 6,<\/p>\n

DownloadFileFromUrlExecUrl = 16, \u00a0\/\/ ?!?!?!?<\/p>\n

DownloadFileFromUrlExecFile = 17,<\/p>\n

UpdateBot = 18,<\/p>\n

ExecuteIE_NoWindow = 19,<\/p>\n

ExecuteIE_ShowWindow = 20<\/p>\n

}<\/p>\n

 <\/p>\n

DDos Attacks<\/strong><\/h2>\n

In the preceding group of commands, the DDoS functionality is represented by GenericFlood, HTTPFlood, and RawDataFlood.<\/p>\n

Each of the flood commands implements several other commands:<\/p>\n

\"\"<\/a><\/p>\n

Here we have command number 2\u2013GenericFlood\u2013followed by the GenericFloodData structure:<\/p>\n

typedef struct _GenericFloodData{<\/p>\n

char Address[0x80]; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/\/ 0x00<\/p>\n

DWORD NumberOfMinutesToRun;\u00a0 \/\/ 0x84<\/p>\n

DWORD NumberOfThreads; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/\/ 0x88<\/p>\n

DWORD Command; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/\/ 0x8C<\/p>\n

}GenericFloodData;<\/p>\n

enum GenericFloodCommands<\/p>\n

{<\/p>\n

send_Random_TCP_Data_Every_10_MS = 1,<\/p>\n

Send_UDP_Packets_Every_20_MS = 2,<\/p>\n

Send_ICMP_Packet_Sleep_Missing = 3,<\/p>\n

Open_Socket_Every_500_MS = 4,<\/p>\n

Send_UDP_Packets_Every_20_MS_Random_Source_Address_On_Server = 9,<\/p>\n

Send_UDP_Packets_Every_20_MS_Random_Source_Address_On_Server_number_of_threads_plus_20 = 16,<\/p>\n

Send_UDP_Packets_Every_20_MS_Random_Source_Address_On_Server_number_of_threads_plus_20_no_Passthru = 17,<\/p>\n

Send_TCP_Packets_Random_Source_Address_On_Server_number_of_threads_plus_20\u00a0 = 18,<\/p>\n

Send_TCP_Packets_HardCoded_Source_Address_On_Server_number_of_threads_plus_20\u00a0 = 19,<\/p>\n

Same_As_1_20_More_Threads_If_Client_64_If_Server = 20,<\/p>\n

Send_UDP_Packets_Every_20_MS_Source_Address_On_Server_number_of_threads_plus_20\u00a0 = 23,<\/p>\n

Send_TCP_Packets_Every_10_MS_Source_Address_On_Server_number_of_threads_plus_20\u00a0 = 24,<\/p>\n

Open_Socket_Send_1000_TCP_Packets = 25,<\/p>\n

Connect_Disconnect_loop = 32,<\/p>\n

}<\/p>\n

\"\"<\/a><\/p>\n

Next we have command number 3\u2013HTTPFlood\u2013followed by the HTTPFloodData structure:<\/p>\n

typedef struct _HTTPFloodData{<\/p>\n

char Address[0x80]; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/\/ 0x000<\/p>\n

char Path[0x80]; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/\/ 0x080 \/\/ BUG!!! The second DWORD is also NumberOfMinutesToRun<\/p>\n

unsigned short Port; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/\/ 0x100<\/p>\n

unsigned short dummy; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/\/ 0x102<\/p>\n

DWORD dummy1; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/\/ 0x104<\/p>\n

DWORD NumberOfThreads; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/\/ 0x108<\/p>\n

DWORD IsDummyGetRequest;\u00a0\u00a0\u00a0\u00a0 \/\/ 0x10c<\/p>\n

DWORD dummy2; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/\/ 0x110<\/p>\n

DWORD Command; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/\/ 0x114<\/p>\n

}HTTPFloodData;<\/p>\n

enum HTTPFloodCommands<\/p>\n

{<\/p>\n

Get_Image_Every_50_MS = 5,<\/p>\n

Get_HTML_Every_50_MS_OR_GET_WITH_IE = 6, \u00a0\/\/BUG<\/p>\n

Get_HTML_Every_10_MS = 7,<\/p>\n

Get_Image_Every_5_MS = 8<\/p>\n

}<\/p>\n

None of the samples we ran returned the RawDataFloodData, so we don\u2019t have a recording.<\/p>\n

Command number 4\u2013RawDataFlood\u2013should be followed by the RawDataFloodData structure:<\/p>\n

typedef struct _RawDataFloodData{<\/p>\n

char Address[0x80]; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/\/ 0x000<\/p>\n

char Buf[0x208]; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \/\/ 0x080\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ BUG!!! The second DWORD is also NumberOfMinutesToRun<\/p>\n

DWORD NumberOfThreads;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/ 0x288<\/p>\n

DWORD Command; \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\/\/ 0x28C<\/p>\n

}RawDataFloodData;<\/p>\n

RawDataFlood takes two\u00a0possible commands: SendUDPData and SendTCPData. To use\u00a0SendUDPData you need to set the command parameter to 21, else\u00a0SentTCPData will be used. Both commands\u00a0interpret the Buf parameter as a null-terminated string.<\/p>\n

We encountered two important bugs:<\/p>\n