10 Days of Rain Mistakes: McAfee Whitepaper

McAfee Labs has released an interesting analysis of the recent DDoS attacks that targeted South Korea. They criticize the malware for numerous mistakes, and they speculate that the mistakes came from multiple teams working together without managing to produce a cohesive product. Here are a few examples of the criticisms.

Short-term objectives

While highly destructive code like this was common with early malware, it has long since given way to bots that allow for long-term command and control. Cybercriminals realized that compromised computers under their full control are much more valuable to them for sending spam, proliferating malware, and for harvesting valuable data from the compromised device.

Lack of flexibility

Unlike many other botnets, the malware installed as these C&C clients lacked command interpreter functionality. This results in very limited flexibility in how the bots are used.

Inconsistent use of encryption

While the C&C application also decrypts the configuration’s filename with 128-bit AES, the initial dropper contains this filename in plain text. This design hints at multiple authors that were not all aware of this filename being encrypted in other parts of this attack.

Typos from cut/paste in the code

The code to check file extensions suffers from some mistakes due to copy and paste; for example, not only .java but .javanything files will be deleted.
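The copy-and-paste mistake McAfee describes, an extension check that also matches ".javanything", is a prefix comparison where an exact suffix comparison was needed. The C below is an added illustration of that class of bug and its fix; it is not the malware's code and not taken from the whitepaper. The function names, the case-insensitive comparison (chosen because the targets were Windows hosts) and the sample filenames are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive comparison of at most n bytes (assumption: Windows-style
 * filename matching, where .JAVA and .java are the same extension). */
static int ci_strncmp(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        int ca = tolower((unsigned char)a[i]);
        int cb = tolower((unsigned char)b[i]);
        if (ca != cb)
            return ca - cb;
        if (ca == '\0')
            return 0;
    }
    return 0;
}

/* Hypothetical reconstruction of the mistake: only strlen(ext) bytes after
 * the last dot are compared, so ".java" also accepts ".javadoc", ".javax" ...
 * Returns 1 on a (too loose) match, 0 otherwise. */
int ext_matches_prefix(const char *name, const char *ext)
{
    const char *dot = strrchr(name, '.');
    if (dot == NULL)
        return 0;
    return ci_strncmp(dot, ext, strlen(ext)) == 0;
}

/* Correct check: the extension must be the entire remainder after the last
 * dot, so the lengths must agree before the bytes are compared. */
int ext_matches_exact(const char *name, const char *ext)
{
    const char *dot = strrchr(name, '.');
    if (dot == NULL)
        return 0;
    if (strlen(dot) != strlen(ext))
        return 0;
    return ci_strncmp(dot, ext, strlen(ext)) == 0;
}

/* Count how many of the given filenames a checker would select for deletion. */
int count_selected(const char *const *names, size_t n,
                   int (*check)(const char *, const char *), const char *ext)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (check(names[i], ext))
            hits++;
    return hits;
}

int main(void)
{
    /* Constructed sample filenames; only the first two carry a real .java extension. */
    const char *const names[] = {
        "Main.java", "UTIL.JAVA", "notes.javadoc", "lib.javax", "readme.txt", "noext"
    };
    size_t n = sizeof names / sizeof names[0];

    printf("prefix check selects %d files, exact check selects %d files\n",
           count_selected(names, n, ext_matches_prefix, ".java"),
           count_selected(names, n, ext_matches_exact, ".java"));
    return 0;
}
```

On the constructed list the prefix check selects four files and the exact check two; the difference is exactly the ".javanything" over-match the whitepaper points out.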

Inconsistent execution

…the code then utilizes a huge C++ CAB file implementation to create a new CAB file per overwritten file and adds the already zeroed-out file to the CAB. This is another indicator of multiple engineers working on this codebase without everyone understanding the entirety of the code.

Despite all the criticism, McAfee's analysis still rates this as “sophisticated”.

The level of technical sophistication behind Ten Days of Rain, being used for the relatively simplistic act of a DDoS attack, doesn’t track.

What are those levels of sophistication? They don't say, but they give us this analogy.

DDoS, malware-leveraging encryption, and multitier botnet architectures are not new. Nor are attacks against South Korea that suspiciously align with North Korea’s agenda. However, the combination of technical sophistication juxtaposed with relatively limited execution and myopic outcome is analogous to bringing a Lamborghini to a go-cart race.

On the one hand, their analysis pushes us to consider the engineering flaws and disconnected “myopic” work, while on the other hand it concludes with the imagery of a Lamborghini.

I suspect they do not mean bringing a Lamborghini hat to a go-cart race. They must mean the car, and a modern one at that.

Lambo Hat

Oops, I meant the other imagery of a Lamborghini.

Lambo Shoes

Ah, well, maybe they are making a more subtle point. If you see someone show up to a go-cart race wearing a pair of shiny red suede Lamborghini slippers…

It is also worth noting that although almost 20% of the command and control servers they tracked were in the US, far more than in any other country, McAfee steps away completely from any mention of motives tied to national interests.

Beyond the threat mitigation, the questions of how, who, and why still remain.

They did a very nice job in this whitepaper on the how, and they admit to speculation (based on an odd assumption about collaboration instead of plagiarism) about the why, but they basically don’t touch the question of who.

Too bad they did not go for the who too; I had fun writing Operation Sloppy Night Dragon.
