CloudFlare is a popular CDN and support service for websites that bundles several kinds of services, such as accelerating page loading for the end user and security features, for example anti-DDoS protection. We detected a malicious program, Win32/DoS.OutFlare.A, which aims to bypass this service in order to launch DoS attacks on sites that sit behind CloudFlare. Our analysis is dedicated to Win32/DoS.OutFlare.A.

The behavior of the malicious code is not particularly remarkable. At startup it tries to create the mutex `Global\sad_day` as a marker of its presence on the system. If successful, it copies itself to the `%APPDATA%` directory, adds itself to autorun and restarts. After this, OutFlare launches a copy of the Internet Explorer browser process, iexplore.exe, in a suspended state and injects its payload into it.

Fig. OutFlare performs important tasks in separate threads.

Before connecting to its C&C server, the malicious code performs three tests to measure outbound download speed using the public service www.speakeasy.net and stores the results in memory. After that, the bot connects to an IRC server on TCP port 9835 and joins the channel #main. At this stage the bot is idle, waiting for commands from the server. Most of these commands launch DoS attacks. One of them, "cf", is especially interesting: this command implements the client-side bypass of CloudFlare's anti-DDoS check.
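The infection chain and network behaviour described above give a defender a compact set of host and network indicators. The following Python snippet is an added example, not ESET's tooling or output from the original analysis: it scans a constructed, sandbox-style event log (pid, operation, arguments) for the mutex name, the self-copy to `%APPDATA%`, the Run-key persistence, the suspended iexplore.exe injection chain, the speakeasy.net bandwidth probe and the IRC C&C on port 9835 / #main. The log format, process IDs, file and value names are all assumptions made for the example.

```python
import re

# Indicators taken from the write-up: mutex, persistence location, the
# suspended iexplore.exe injection, the bandwidth probe and the IRC C&C.
MUTEX_NAME = r"Global\sad_day"
C2_PORT = 9835
C2_CHANNEL = "#main"
SPEEDTEST_HOST = "www.speakeasy.net"
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed event format: "<pid> <operation> <arguments>".
EVENT_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<args>.*)$")


def parse_events(lines):
    """Parse 'pid operation args' lines; malformed lines are skipped."""
    out = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            out.append((int(m.group("pid")), m.group("op"), m.group("args")))
    return out


def outflare_indicators(lines):
    """Return the OutFlare behaviours seen in the log, in order of first sighting."""
    hits = []
    suspended = set()  # pids of iexplore.exe started with CREATE_SUSPENDED
    written = set()    # suspended pids that then received WriteProcessMemory

    def add(tag):
        if tag not in hits:
            hits.append(tag)

    for pid, op, args in parse_events(lines):
        if op == "CreateMutex" and args == MUTEX_NAME:
            add("mutex")
        elif op == "CopyFile" and "\\appdata\\roaming\\" in args.lower():
            add("self_copy_appdata")
        elif op == "RegSetValue" and RUN_KEY.lower() in args.lower():
            add("autorun")
        elif (op == "CreateProcess" and "iexplore.exe" in args.lower()
              and "CREATE_SUSPENDED" in args):
            m = re.search(r"pid=(\d+)", args)
            if m:
                suspended.add(int(m.group(1)))
        elif op == "WriteProcessMemory":
            m = re.search(r"target=(\d+)", args)
            if m and int(m.group(1)) in suspended:
                written.add(int(m.group(1)))
        elif op == "ResumeThread":
            m = re.search(r"target=(\d+)", args)
            if m and int(m.group(1)) in written:
                add("inject_suspended_iexplore")  # full hollowing chain observed
        elif op == "HttpGet" and SPEEDTEST_HOST in args:
            add("speedtest_probe")
        elif op == "TcpConnect" and args.endswith(f":{C2_PORT}"):
            add("c2_port_9835")
        elif op == "IrcJoin" and args == C2_CHANNEL:
            add("irc_channel_main")
    return hits


def verdict(lines):
    """The mutex alone is unique to this family; otherwise require the injection
    chain plus a network indicator, so software that merely starts IE is not flagged."""
    hits = outflare_indicators(lines)
    network = {"speedtest_probe", "c2_port_9835", "irc_channel_main"}
    strong = "mutex" in hits or ("inject_suspended_iexplore" in hits and network & set(hits))
    return "outflare" if strong else "clean"


# Constructed sample log following the chain from the write-up (pids, paths
# and the Run value name are invented for the example).
SAMPLE_LOG = [
    r"1204 CreateMutex Global\sad_day",
    r"1204 CopyFile C:\Users\victim\AppData\Roaming\svchost.exe",
    r"1204 RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update",
    r"1204 CreateProcess iexplore.exe flags=CREATE_SUSPENDED pid=2280",
    r"1204 WriteProcessMemory target=2280",
    r"1204 ResumeThread target=2280",
    r"2280 HttpGet www.speakeasy.net",
    r"2280 TcpConnect 203.0.113.10:9835",
    r"2280 IrcJoin #main",
]

# Constructed benign log: a normal browser start and an HTTPS connection.
BENIGN_LOG = [
    r"3300 CreateProcess iexplore.exe flags=0 pid=3400",
    r"3400 TcpConnect 203.0.113.5:443",
]

if __name__ == "__main__":
    print(outflare_indicators(SAMPLE_LOG), verdict(SAMPLE_LOG))
    print(outflare_indicators(BENIGN_LOG), verdict(BENIGN_LOG))
```

The injection chain is only counted when a suspended iexplore.exe is both written to and resumed, which is the sequence the analysis describes; a browser simply being launched produces no hit.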

Fig. List of commands supported by the bot.

The CloudFlare service uses a special method aimed at preventing DDoS attacks. In this scheme the client must fulfill certain conditions when accessing a site protected by CloudFlare, which in turn needs to be sure that the request is legitimate and comes from the user's browser. The service asks the browser to execute a small piece of JavaScript that evaluates a mathematical expression; to the user, the CloudFlare check looks as shown in the figure below:

The page contains a special POST form that will be used to send the response to the server. Immediately below this form is a JavaScript snippet that evaluates a mathematical expression and submits the POST request from that form.

Fig. POST HTTP request form.

Fig. Counting math expression.
The user's web browser executes this JavaScript and issues an HTTP POST request, which looks like the screenshot below. The response sent to the server contains the computed value of the mathematical expression.

If the expression was calculated correctly, the CloudFlare service responds by setting a special cookie confirming the connection to the server. Presenting this cookie in subsequent requests during the open session causes CloudFlare to pass the request through to the origin server directly, bypassing the check.

Win32/DoS.OutFlare.A contains functionality that aims to bypass this protection mechanism. It analyzes part of the web page's code and searches it for the relevant fragment of CloudFlare's JavaScript. Once the necessary parameters have been identified, the malicious code computes the mathematical expression and sends the result to the server to obtain the cookie it needs to conduct a DDoS attack against the real web server.

Fig. Extracting an expression that needs to be evaluated.

Fig. Calculation of expression.