The May edition of the Microsoft Malicious Software Removal Tool saw the inclusion of two new malware families: Win32/Unruy and Win32/Dishigy. Let's dig a bit deeper into Dishigy and the nature of Denial of Service.
So, bear with me while I take you back to security 101…
A Denial of Service (DoS) attack is a pretty straightforward concept – an attacker floods or otherwise sends malicious traffic to a targeted system in such a way that the targeted system is not able to respond to legitimate requests. Sometimes, particularly for flood attacks, a single system may not be able to generate enough traffic to flood a target by itself, and so multiple machines are used in order to more effectively ‘flood’ the target and make the attack more difficult to block. This is where we get the term Distributed Denial of Service (DDoS) attack – where the attack is distributed across multiple machines, and those machines are ordered to attack a single target and overwhelm it with their concerted requests.
So, why would an attacker want to stop a system from being able to respond to requests from legitimate users? It’s a fairly common behavior amongst malware, and, like the vast majority of malware created and distributed these days, you just have to ask yourself how criminals could use such nefarious practices to make a buck. In the case of Denial of Service conditions, they could be used, for example, for extortion (i.e. "Do what we want or the website gets it, see?") or possibly for taking out the competition.
Where does Dishigy fit in? Dishigy has traditionally targeted web servers: its denial of service payload floods websites with HTTP requests. Other types of outbound traffic are often filtered because of the threat they might pose, but outbound TCP port 80 is usually left open so that ordinary web browsing works, which gives the malware's traffic easy egress from an infected machine. Dishigy is a distributed denial of service attack for hire and can be purchased from the seedier side of the internets to target websites of the purchaser’s choice. Now for the grim, technical details…
Win32/Dishigy is written in Delphi, and can be remotely instructed by an attacker to perform denial of service attacks on targets. The malware connects to a hard-coded remote host and sends an HTTP POST to obtain configuration data. The configuration data contains a set of three parameters separated by a token (delimiter) and is followed by a target URL, as shown in the image below:
Image 1 - Dishigy configuration data with target URL obscured
The first parameter defines the type of attack it uses; these can vary depending on what types are supported by each variant (for example, HTTP GET requests or HTTP POST requests).
The second parameter denotes the maximum number of threads (channels of execution) the malware should use in an attack; each thread sends several requests in a loop.
The third parameter is the interval at which the malware should reconnect to the remote host to obtain updated configuration information. If the configuration data contains no target URL, the malware still checks in at the specified interval but does not perform any attack.
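As an added illustration of the configuration layout described above (example code, not the malware's own routine and not Microsoft's), here is a parser for a controller response laid out as three delimited parameters followed by an optional target URL, including the check-in-only case where no target is present. The `|` delimiter, the textual attack-type names and the sample responses are assumptions for this example; the post does not show the real token.

```python
"""Parser for a Dishigy-style configuration response (added example).

Layout per the post: three parameters separated by a delimiter token, then an
optional target URL. The delimiter "|" and the sample responses below are
assumptions for this example; the real token is not shown in the post.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

DELIM = "|"  # assumption: the post does not show the actual delimiter token


@dataclass
class BotConfig:
    attack_type: str        # first field: request type to flood with (e.g. GET/POST)
    max_threads: int        # second field: worker threads, each looping over requests
    poll_interval_s: int    # third field: how often to fetch a fresh configuration
    target: Optional[str]   # trailing URL; None means "check in, but do not attack"


def parse_config(raw: bytes) -> BotConfig:
    """Parse the controller's response; raise ValueError on malformed data."""
    text = raw.decode("ascii", errors="replace").strip()
    parts = text.split(DELIM, 3)          # at most 4 pieces: 3 params + URL
    if len(parts) < 3:
        raise ValueError(f"expected 3 parameters, got {len(parts)}")
    attack_type = parts[0].strip()
    if not attack_type:
        raise ValueError("empty attack type")
    try:
        max_threads = int(parts[1])
        poll_interval_s = int(parts[2])
    except ValueError as exc:
        raise ValueError("thread count and poll interval must be integers") from exc
    if max_threads < 1 or poll_interval_s < 1:
        raise ValueError("thread count and poll interval must be positive")
    # A trailing delimiter with nothing after it is treated as "no target".
    target = parts[3].strip() if len(parts) == 4 else ""
    if target and not target.lower().startswith(("http://", "https://")):
        raise ValueError(f"target is not a URL: {target!r}")
    return BotConfig(attack_type, max_threads, poll_interval_s, target or None)


def is_valid(raw: bytes) -> bool:
    """True if the response parses; malformed data must not start an attack."""
    try:
        parse_config(raw)
        return True
    except ValueError:
        return False


def next_action(cfg: BotConfig) -> Tuple[str, object]:
    """What the bot does next: attack the target, or sleep until the next poll."""
    if cfg.target is None:
        return ("sleep", cfg.poll_interval_s)
    return ("attack", cfg.target)


# Constructed sample responses (not captured traffic).
SAMPLES = [
    b"GET|50|300|http://www.target.example/",   # attack order
    b"POST|10|60|",                             # check-in only: no target
    b"GET|50|300",                              # same, without trailing delimiter
    b"GET|x|300|http://www.target.example/",    # malformed thread count
]

if __name__ == "__main__":
    for sample in SAMPLES:
        if is_valid(sample):
            print(sample, "->", next_action(parse_config(sample)))
        else:
            print(sample, "-> rejected")
```

The interesting branch is the one without a target: the bot keeps polling at `poll_interval_s` without sending a single request at a victim, which is exactly the "idle but reachable" state an analyst sees when a controller has no job queued.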
The malware can be instructed to perform one of several types of attacks. The malware uses an open source TCP/IP Winsock library for Delphi called Synapse to construct the packets.
Early variants of Dishigy generated only HTTP GET requests against a target:
Image 2 - Use of HTTP GET request by Dishigy
The User-Agent field is randomly chosen from a large list embedded in the malware, which makes the requests appear to originate from a variety of browsers. Later variants added more functionality, including the ability to generate HTTP POST requests against a target:
The POST request includes a Referer field, also randomly chosen from a list contained in the malware. Worth noting is that the POST body contains only the URL of the targeted host, as opposed to a typical POST, which would carry form data and other fields; that makes these requests easy to tell apart from genuine form submissions in a server log or packet capture.
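The request characteristics described above (rotating User-Agent, rotating Referer, a POST body that is only the target URL, many requests per thread in a loop) are what a web tier can key on. The following is an added detection example written for this post, not Microsoft's or the malware's code: it parses raw HTTP requests as a reverse proxy or IDS might hand them over, and scores each source address on request rate, User-Agent and Referer churn, and URL-only POST bodies. The sample traffic, the placeholder User-Agent and Referer strings, the victim hostname and the thresholds are all constructed assumptions.

```python
"""Heuristic detection of a Dishigy-style HTTP flood at the web tier.

Added example; not Microsoft's or the malware's code. Input is a list of
(src_ip, timestamp, raw_request_bytes). The sample traffic, the placeholder
User-Agent/Referer strings, the target host and the thresholds are all
constructed assumptions for this example.
"""
from collections import defaultdict


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers,
            "body": body.decode("latin-1")}


def url_only_post(req: dict) -> bool:
    """Dishigy's POST body is just the target URL, not form data (no k=v pairs)."""
    if req["method"] != "POST":
        return False
    body = req["body"].strip()
    host = req["headers"].get("host", "")
    return bool(host) and body.startswith("http://") and host in body and "=" not in body


def score_sources(events, window_s=10, min_rate=50, min_variety=5) -> dict:
    """Return {src_ip: [reasons]}; an empty list means nothing suspicious."""
    by_src = defaultdict(list)
    for src, ts, raw in events:
        by_src[src].append((ts, parse_request(raw)))
    verdicts = {}
    for src, reqs in by_src.items():
        reqs.sort(key=lambda r: r[0])
        # Peak number of requests inside any window_s-second sliding window.
        peak, j = 0, 0
        for i, (ts, _) in enumerate(reqs):
            while ts - reqs[j][0] > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        agents = {r["headers"].get("user-agent") for _, r in reqs}
        referers = {r["headers"]["referer"] for _, r in reqs if "referer" in r["headers"]}
        url_posts = sum(url_only_post(r) for _, r in reqs)
        reasons = []
        if peak >= min_rate:
            reasons.append(f"{peak} requests within {window_s}s")
        if len(agents) >= min_variety:
            reasons.append(f"{len(agents)} distinct User-Agents from one source")
        if len(referers) >= min_variety:
            reasons.append(f"{len(referers)} distinct Referers from one source")
        if url_posts:
            reasons.append(f"{url_posts} POSTs whose body is only the target URL")
        verdicts[src] = reasons
    return verdicts


# --- constructed sample traffic (assumptions, not captured data) ------------
TARGET = "www.target.example"
UAS = [f"Mozilla/5.0 (placeholder-agent-{i})" for i in range(20)]
REFS = [f"http://referer-{i}.example/" for i in range(20)]


def flood_request(i: int, method: str) -> bytes:
    """One Dishigy-like request: rotating UA/Referer; POST body is only the URL."""
    url = f"http://{TARGET}/"
    if method == "GET":
        return (f"GET / HTTP/1.1\r\nHost: {TARGET}\r\n"
                f"User-Agent: {UAS[i % len(UAS)]}\r\n\r\n").encode()
    return (f"POST / HTTP/1.1\r\nHost: {TARGET}\r\n"
            f"User-Agent: {UAS[i % len(UAS)]}\r\nReferer: {REFS[i % len(REFS)]}\r\n"
            f"Content-Length: {len(url)}\r\n\r\n{url}").encode()


def build_sample_events() -> list:
    events = []
    # Bot A: 120 POSTs in 6 seconds from one address.
    events += [("198.51.100.7", 1000.0 + i * 0.05, flood_request(i, "POST")) for i in range(120)]
    # Bot B (early-variant behaviour): 100 GETs in 4 seconds.
    events += [("198.51.100.8", 1000.0 + i * 0.04, flood_request(i, "GET")) for i in range(100)]
    # Ordinary visitor: three page loads over a minute and one real form POST.
    page = (f"GET /index.html HTTP/1.1\r\nHost: {TARGET}\r\nUser-Agent: {UAS[0]}\r\n\r\n").encode()
    form = (f"POST /login HTTP/1.1\r\nHost: {TARGET}\r\nUser-Agent: {UAS[0]}\r\n"
            f"Content-Length: 17\r\n\r\nuser=a&password=b").encode()
    events += [("203.0.113.5", 1000.0 + i * 15, page) for i in range(3)]
    events += [("203.0.113.5", 1050.0, form)]
    return events


if __name__ == "__main__":
    for src, why in score_sources(build_sample_events()).items():
        print(src, "->", "; ".join(why) or "clean")
```

The URL-only POST body is the most specific of these signals, since browsers submit form-encoded or multipart bodies, not a bare URL. Rate and User-Agent churn on their own are weaker: a large NAT or proxy egress legitimately shows many browsers behind one address, so treat the thresholds as starting points and act on the combination rather than on any single reason.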
Dishigy’s addition to the Microsoft Windows Malicious Software Removal Tool this month makes the web a slightly better place. Dishigy’s success against a target relies on numbers, so taking out as many infections as possible that could contribute to a flood is key to making it ineffective. It is also highly resource intensive for the unfortunate victims who find their computers compromised by this menace, so removing it from victim computers should ease some pain for individuals whose computing experience has been affected by this threat. And maybe, most importantly, targeting Dishigy may help to stop criminals from deciding which websites you can and can’t visit.
- Ray Roberts