DDoS botnet spreading on Linux and Windows machines
Posted on 18.12.2013
A blended DDoS botnet consisting of both Windows and Linux machines has been detected by researchers working with the Polish CERT.

The botnet is exclusively dedicated to mounting DDoS attacks, mainly DNS amplification attacks.

"This means that the attackers were interested only in infecting machines which have a significant network bandwidth, e.g. servers," they noted. "This is also probably the reason why there are two versions of the bot: Linux operating systems are a popular choice for server machines."

As far as they can tell, the attackers breached the affected Linux machines by way of a successful SSH dictionary attack, then logged into them and downloaded, installed and executed the bot.

The Linux version of the bot tries to connect to the C&C server via a high TCP port.

"Both the C&C's IP and port are encrypted," they explained in a blog post. "Upon running, the bot sends operating system information (using the uname function), unencrypted, and waits for commands."

After analysing the malware they concluded that it can launch four types of DDoS attacks. They also found that it contains functions which haven't yet been implemented.

The bot targeting the Windows OS works a bit differently. Once on the computer, it drops an executable and runs it, which results in a persistent Windows service dubbed DBProtectSupport being registered and started.

The bot also contacts the C&C server via a high TCP port, but it first needs to send a DNS query to the 8.8.8.8 server to learn the C&C's IP address. It then "informs" the server of the target system's details by compiling and sending a text file.
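
Detection logic for the C&C lookup pattern described above, as an added example that is not part of the original article or of the researchers' analysis: it correlates constructed DNS and connection log lines to flag a host that queries 8.8.8.8 directly (bypassing the internal resolver) and then connects to the returned address on a high TCP port. The log formats, the 10000 high-port threshold and the five-minute correlation window are assumptions.

```python
"""Flag hosts that resolve a name via 8.8.8.8 directly and then connect to the
answer on a high TCP port. Log formats, threshold and window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_PORT = 10000              # assumption: what counts as a "high TCP port"
WINDOW = timedelta(minutes=5)  # assumption: max gap between lookup and connect

# Constructed sample logs (not taken from the original analysis).
# DNS log columns: time, client, resolver, queried name, answer
DNS_LOG = """\
2013-12-18T10:00:01 10.0.0.5 10.0.0.53 intranet.example.local 10.0.0.20
2013-12-18T10:00:07 10.0.0.7 8.8.8.8 cc-host.invalid 203.0.113.10
2013-12-18T10:00:09 10.0.0.9 8.8.8.8 www.example.com 198.51.100.4
"""
# Connection log columns: time, src, dst, dst_port, proto
CONN_LOG = """\
2013-12-18T10:00:02 10.0.0.5 10.0.0.20 443 tcp
2013-12-18T10:00:12 10.0.0.7 203.0.113.10 45678 tcp
2013-12-18T10:00:15 10.0.0.9 198.51.100.4 443 tcp
"""

def parse(log):
    """Split a whitespace-separated log into field lists, skipping blank lines."""
    return [line.split() for line in log.splitlines() if line.strip()]

def find_suspect_beacons(dns_log, conn_log, public_resolver="8.8.8.8"):
    """Return (client, resolved_ip, port) triples where the client asked the
    public resolver directly and then opened a high-port TCP connection to
    the address it was given, within WINDOW of the lookup."""
    lookups = defaultdict(list)  # client -> [(lookup time, answer ip)]
    for ts, client, resolver, _name, answer in parse(dns_log):
        if resolver == public_resolver:
            lookups[client].append((datetime.fromisoformat(ts), answer))
    hits = []
    for ts, src, dst, port, proto in parse(conn_log):
        if proto != "tcp" or int(port) < HIGH_PORT:
            continue  # ordinary traffic, e.g. HTTPS to a resolved web server
        conn_time = datetime.fromisoformat(ts)
        for lookup_time, answer in lookups.get(src, []):
            if answer == dst and timedelta(0) <= conn_time - lookup_time <= WINDOW:
                hits.append((src, dst, int(port)))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_beacons(DNS_LOG, CONN_LOG):
        print("suspect C&C beacon: host %s -> %s:%d" % hit)
```

Only 10.0.0.7 is reported: 10.0.0.5 used the internal resolver, and 10.0.0.9 queried 8.8.8.8 but then connected on port 443, below the high-port threshold.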

"This text file, along with the fact that the same C&C IP was used in both malware samples make us believe that it was created by the same group," the researchers concluded.

But while Linux users can secure their machines from this attack by choosing a better SSH password, the researchers haven't mentioned how the Windows systems get compromised in the first place.