Dirt Jumper (previously known as RussKill) is a very popular Distributed Denial of Service Bot that is heavily used in the online DDoS-for-hire business.
By visiting underground forums, one can find many variants and versions of Dirt Jumper offered for sale.
Because the source code of several Dirt Jumper versions can now be found for free on some underground forums, Dirt Jumper continues to evolve, and over time many versions and variants have appeared.
Version 5 is currently the latest version of Dirt Jumper; it was leaked in mid-2011.
Many promises were made in the underground forums about killing competing Bots, HTTP 2.0 support, anti-debug and anti-virtualization, though none of them proved true.
The Bot communicates with its C&C server by issuing an HTTP POST request at a preconfigured interval; it sends its unique identifier as a POST parameter and expects instructions from the C&C in return.
The traffic between the Bot and its C&C is not encrypted.
If an attack is underway, the C&C will answer the Bot with the target URLs and with attack parameters like number of flows and attack vector.
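Because the Bot polls its C&C with a POST at a fixed, preconfigured interval, the inter-arrival time of POST requests from one internal host to one external host is a practical hunting signal in proxy logs. The following is an added example for defenders, not code from the original write-up; the log record layout, the hosts and the sample records are constructed, and the thresholds are assumptions to be tuned against a real baseline.

```python
"""Detect fixed-interval HTTP POST beaconing in proxy logs.

Added example (not from the original write-up). A bot that checks in with its
C&C on a preconfigured interval produces POSTs whose inter-arrival times have
very low variance; a person driving a browser does not. The record format,
the destination hosts and the sample records below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (epoch_seconds, source_ip, method, destination_host)
SAMPLE_LOG = (
    # bot-like host: a POST roughly every 60 s with about one second of jitter
    [(1000 + 60 * i + (i % 3) - 1, "10.0.0.5", "POST", "cnc.example.invalid")
     for i in range(12)]
    # human-like host: irregular POSTs to a webmail site
    + [(1010, "10.0.0.9", "POST", "mail.example.invalid"),
       (1025, "10.0.0.9", "POST", "mail.example.invalid"),
       (1400, "10.0.0.9", "POST", "mail.example.invalid"),
       (1430, "10.0.0.9", "POST", "mail.example.invalid"),
       (1900, "10.0.0.9", "POST", "mail.example.invalid"),
       (1905, "10.0.0.9", "POST", "mail.example.invalid")]
    # background GETs from the bot-like host; ignored because only POSTs are scored
    + [(1000 + 5 * i, "10.0.0.5", "GET", "www.example.invalid") for i in range(20)]
)


def beacon_candidates(records, min_requests=6, max_cv=0.15):
    """Return (src, dst, mean_interval, cv) for POST streams that look periodic.

    cv is the coefficient of variation (population stdev / mean) of the
    inter-arrival times; a value near zero means a near-constant interval.
    min_requests and max_cv are assumed starting thresholds.
    """
    streams = defaultdict(list)
    for ts, src, method, dst in records:
        if method == "POST":
            streams[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in streams.items():
        if len(times) < min_requests:
            continue
        times.sort()
        deltas = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to score
        cv = pstdev(deltas) / avg
        if cv <= max_cv:
            findings.append((src, dst, round(avg, 2), round(cv, 3)))
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_LOG):
        print("periodic POST beacon candidate:", finding)
```

Scoring only POSTs keeps ordinary page loads out of the statistic, which is what makes the low-variance check meaningful here; on real traffic, pair it with an allow-list of known update and telemetry services, which also check in on timers.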
Dirt Jumper 5 is armed with the following attack vectors:
- POST Flood – The POST Flood attack is simply a POST request containing the target URL as its payload; the Content-Length header is calculated accordingly, and the referrer and User-Agent are randomized as described earlier.
- HTTP Flood – The HTTP Flood attack is a simple GET request with no special attributes; the GET requests rotate over the URLs in the target list.
- Synchronous Flood – Same as HTTP Flood, but the attack appears to use more connections than a regular HTTP Flood, a kind of aggressive mode.
- Downloading Flood – A simple HTTP GET request. Although the name implies an intensive resource-download attack, unless the attacker specifies the URLs directly, the requests in this attack are no different from those of the HTTP Flood attack.
- Anti-DDoS Flood – This attack does not seem to work out of the box; the Bot remained idle for a long time without launching any attack.
In its current version, Dirt Jumper implements some techniques aimed at evading Anti-DDoS protections by adding a degree of randomization to the HTTP request headers, such as User-Agent rotation and referrer randomization.
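The header randomization described above is itself detectable: a real browser keeps one User-Agent for a whole session and sends referrers for pages it actually visited, whereas a flooding client that presents a different User-Agent and an unrelated referrer on almost every request stands out once requests are grouped per client. The following is an added example for defenders, not code from the original write-up; the protected site name, client addresses, log lines and thresholds are constructed assumptions.

```python
"""Spot per-client User-Agent and Referer churn in web-server access logs.

Added example (not from the original write-up). Groups Combined Log Format
lines by client address and flags clients whose header diversity is
inconsistent with a single browser. Site name, addresses, log lines and
thresholds are constructed assumptions for the example.
"""
import re
from collections import defaultdict

# Combined Log Format: host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SITE_HOST = "shop.example.invalid"  # constructed: the site whose log this is

SAMPLE_LINES = [
    # Constructed flooding client: new User-Agent and off-site Referer on every request
    '203.0.113.7 - - [10/Jun/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "http://qwe.example.invalid/" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.7 - - [10/Jun/2012:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "http://rty.example.invalid/" "Opera/9.80 (Windows NT 5.1)"',
    '203.0.113.7 - - [10/Jun/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://uio.example.invalid/" "Mozilla/5.0 (X11; Linux i686)"',
    '203.0.113.7 - - [10/Jun/2012:10:00:01 +0000] "POST /index.php HTTP/1.1" 200 512 "http://asd.example.invalid/" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"',
    '203.0.113.7 - - [10/Jun/2012:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "http://fgh.example.invalid/" "Mozilla/5.0 (Macintosh) Safari/533.1"',
    '203.0.113.7 - - [10/Jun/2012:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "http://jkl.example.invalid/" "Mozilla/5.0 (compatible; MSIE 9.0)"',
    # Constructed ordinary visitor: one User-Agent, Referers from the site itself
    '198.51.100.4 - - [10/Jun/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/19.0"',
    '198.51.100.4 - - [10/Jun/2012:10:00:07 +0000] "GET /cart HTTP/1.1" 200 512 "http://shop.example.invalid/" "Mozilla/5.0 (Windows NT 6.1) Chrome/19.0"',
    '198.51.100.4 - - [10/Jun/2012:10:00:15 +0000] "POST /checkout HTTP/1.1" 302 0 "http://shop.example.invalid/cart" "Mozilla/5.0 (Windows NT 6.1) Chrome/19.0"',
]


def parse(lines):
    """Yield the named fields of every line that matches the combined log format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def referer_host(referer):
    """Return the lower-cased host of a Referer URL, or '' for '-' or malformed values."""
    m = re.match(r'^https?://([^/]+)', referer)
    return m.group(1).lower() if m else ""


def header_churn(lines, site_host=SITE_HOST, min_requests=5,
                 ua_ratio=0.5, foreign_ref_ratio=0.5):
    """Flag clients whose header diversity does not look like one browser.

    A client is flagged when it sent at least min_requests requests, at least
    ua_ratio of them carried a User-Agent not seen before from that client,
    and at least foreign_ref_ratio of them carried a Referer from a host other
    than the site itself. Returns {ip: {"requests", "distinct_ua", "foreign_referers"}}.
    """
    stats = defaultdict(lambda: {"requests": 0, "uas": set(), "foreign": 0})
    for rec in parse(lines):
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["uas"].add(rec["ua"])
        host = referer_host(rec["referer"])
        if host and host != site_host:
            s["foreign"] += 1

    flagged = {}
    for ip, s in stats.items():
        n = s["requests"]
        if n < min_requests:
            continue
        if len(s["uas"]) / n >= ua_ratio and s["foreign"] / n >= foreign_ref_ratio:
            flagged[ip] = {"requests": n, "distinct_ua": len(s["uas"]),
                           "foreign_referers": s["foreign"]}
    return flagged


if __name__ == "__main__":
    for ip, detail in header_churn(SAMPLE_LINES).items():
        print(f"header randomization suspected from {ip}: {detail}")
```

Requiring both signals together (User-Agent churn and off-site referrers) keeps shared NAT addresses, where many genuine browsers legitimately share one client IP, from tripping on User-Agent diversity alone; the ratios should be tuned against the site's own baseline before they drive any blocking.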