DDoS botnet spreading on Linux and Windows machines
Posted on 18.12.2013
A blended DDoS botnet consisting of both Windows and Linux machines has been detected by researchers working with the Polish CERT.

The botnet is exclusively dedicated to mounting DDoS attacks, mainly DNS amplification attacks.

"This means that the attackers were interested only in infecting machines which have a significant network bandwidth, e.g. servers," they noted. "This is also probably the reason why there are two versions of the bot – Linux operating systems are a popular choice for server machines."

As far as they can tell, the attackers breached the affected Linux machines by way of a successful SSH dictionary attack, then logged into them and downloaded, installed and executed the bot.
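As an added example (not code from the article or from the CERT Polska researchers), the following Python script shows one way a defender could spot the infection vector described above, an SSH dictionary attack followed by a successful password login, in sshd logs; the log lines, hostname and addresses are constructed, and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the article); the format mirrors
# a typical Debian/Ubuntu /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Dec 18 02:11:03 web1 sshd[4121]: Failed password for root from 198.51.100.7 port 51021 ssh2
Dec 18 02:11:05 web1 sshd[4123]: Failed password for root from 198.51.100.7 port 51022 ssh2
Dec 18 02:11:07 web1 sshd[4125]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Dec 18 02:11:09 web1 sshd[4127]: Failed password for root from 198.51.100.7 port 51024 ssh2
Dec 18 02:11:11 web1 sshd[4129]: Failed password for root from 198.51.100.7 port 51025 ssh2
Dec 18 02:11:13 web1 sshd[4131]: Accepted password for root from 198.51.100.7 port 51026 ssh2
Dec 18 02:30:00 web1 sshd[4200]: Failed password for alice from 203.0.113.9 port 40100 ssh2
Dec 18 02:30:04 web1 sshd[4202]: Accepted publickey for alice from 203.0.113.9 port 40101 ssh2
"""

# Matches both "Failed password for [invalid user] X from SRC port ..." and
# "Accepted password|publickey for X from SRC port ..." lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def find_dictionary_compromises(log_text, threshold=5):
    """Return (src, user, failures_before_success) for every successful
    password login that was preceded by at least `threshold` failed attempts
    from the same source address. Key-based logins are ignored, since a
    dictionary attack by definition ends in a password being accepted."""
    failures = defaultdict(int)  # source address -> failed attempts so far
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = m.group("src")
        if m.group("result") == "Failed":
            failures[src] += 1
        elif m.group("method") == "password" and failures[src] >= threshold:
            hits.append((src, m.group("user"), failures[src]))
    return hits


if __name__ == "__main__":
    for src, user, n in find_dictionary_compromises(SAMPLE_AUTH_LOG):
        print(f"probable dictionary-attack compromise: {user}@{src} after {n} failures")
```

A hit like this is the point at which to look for a freshly downloaded binary and an unexpected outbound connection on a high TCP port, which is the behaviour the researchers describe for the Linux bot.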

The Linux version of the bot tries to connect to the C&C server via a high TCP port.

"Both the C&C's IP and port are encrypted," they explained in a blog post. "Upon running, the bot sends operating system information (using the uname function), unencrypted and waits for commands."

After analysing the malware, they concluded that it can launch four types of DDoS attacks, and that it also contains functions that have not yet been implemented.

The bot targeting the Windows OS works a bit differently. Once on the computer, it drops an executable and runs it, which results in a persistent Windows service dubbed DBProtectSupport being registered and started.

The bot also contacts the C&C server via a high TCP port, but it first needs to send a DNS query to the 8.8.8.8 server to learn the C&C's IP address. It then "informs" the server of the target system's details by compiling and sending a text file.

"This text file, along with the fact that the same C&C IP was used in both malware samples make us believe that it was created by the same group," the researchers concluded.

But while Linux users can secure their machines from this attack by choosing a better SSH password, the researchers haven't mentioned how Windows systems get compromised in the first place.