Eclipse Bot emerges with DDOS capabilities

May 8, 2014

Dell SonicWALL Threats Research Team received reports of a new Distributed Denial of Service (DDOS) Bot in the wild. It is being called Eclipse based on a mutex named eclipseddos created by this bot. Eclipse Bot spreads via drive-by downloads and comes with a host of commands that can be executed from the server, a number of these commands have DDOS capabilities.

Infection Cycle

Eclipse Bot drops 20 copies of itself in %AppData% folder, these executables are named msup1.exe – msup20.exe. It adds each of these exe’s to the following Registry key to ensure execution after reboot:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

It adds a mutex named eclipseddos to the system marking its presence

It drops a text file named Register.txt in the %AppData% folder, this file has the content ‘true’ written in it. During our analysis we did not witness this file being used but it might be used to mark infection on the system.

It modifies Access Control List for files on the system by passing the original malicious file to CALCS.exe with the parameters /E /G System:R thereby giving the file Read access over the System.

The trojan has a hardcoded Command and Control (C&C) server milfsdeasing.com with which it then starts communication. It gathers system information such as OS, Ram, username and sends the collected data to this domain as shown below:

Some key details in this GET request:

  • bot – 15 character random bot-id
  • botkey – 42 character hardcoded key possibly identifying this bot as part of eclipseddos
  • Cookie includes the value bot=Eclipse

Eclipse Bot receives commands from the server in Base64 encoded form, following shows an instance where it decrypted the command:

This command started a Slow-Post attack where the attacker sends a Post Request with large Content-Length header value. The server keeps the connection open believing that it will receive a large chunk of data but the client sends one byte at a time thereby consuming server resources.

Consider a large number of threads doing the same to a server and we have a means to slow down the server like a DOS attack. Figure below shows a number of threads being opened, each initiating a slow-post attack:

Additionally we observed a number of commands present in Eclipse Bot:

  • tcpint
  • browser
  • dirtjumper
  • sincore
  • http-data
  • slowloris
  • tcp-oneconnect
  • icmp

The C&C server for Eclipse Bot, milfsdeasing.com, has been associated in the past with Paradise Bot indicating that it is not a new actor in this area and there may be more updated attack vectors similar to Eclipse Bot from this malicious source in the future.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Bot.Eclipse (Trojan)
  • IPS: 3788: Eclipse Malware Activity 1