DDoS botnet spreading on Linux and Windows machines
Posted on 18.12.2013
A blended DDoS botnet consisting of both Windows and Linux machines has been detected by researchers working with the Polish CERT.

The botnet is exclusively dedicated to mounting DDoS attacks, mainly DNS amplification attacks.

"This means that the attackers were interested only in infecting machines which have a significant network bandwidth, e.g. servers," they noted. "This is also probably the reason why there are two versions of the bot – Linux operating systems are a popular choice for server machines."

As far as they can tell, the attackers breached the affected Linux machines through a successful SSH dictionary attack, then logged in and downloaded, installed and executed the bot.
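The pattern a successful SSH dictionary attack leaves behind is a burst of "Failed password" lines from one source address followed by an "Accepted password" line from the same address. The following detector, an added example that is not part of the article or of the Polish CERT analysis, scans constructed OpenSSH auth.log lines for exactly that sequence. The log lines, the source addresses (TEST-NET ranges), the 2013 year used to complete the syslog timestamps, and the threshold and window values are all constructed assumptions.

```python
"""Hypothetical SSH dictionary-attack detector over constructed sshd log lines.

Added example, not from the article or the CERT analysis. It flags a source IP
that produced many "Failed password" lines and then an "Accepted password" line
within a short window: the trace a successful dictionary attack leaves in auth.log.
"""
import re
from collections import defaultdict
from datetime import datetime

# Typical OpenSSH auth.log line (syslog timestamp carries no year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: 203.0.113.7 guesses five times, then logs in as root;
# 198.51.100.9 is a legitimate user who mistyped a password once.
SAMPLE_LOG = """\
Dec 17 03:14:01 srv1 sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Dec 17 03:14:03 srv1 sshd[4023]: Failed password for root from 203.0.113.7 port 51030 ssh2
Dec 17 03:14:05 srv1 sshd[4025]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2
Dec 17 03:14:07 srv1 sshd[4027]: Failed password for root from 203.0.113.7 port 51055 ssh2
Dec 17 03:14:09 srv1 sshd[4029]: Failed password for root from 203.0.113.7 port 51060 ssh2
Dec 17 03:14:11 srv1 sshd[4031]: Accepted password for root from 203.0.113.7 port 51072 ssh2
Dec 17 03:20:44 srv1 sshd[4100]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Dec 17 03:20:49 srv1 sshd[4102]: Accepted password for alice from 198.51.100.9 port 40104 ssh2
"""

# Assumed year for the constructed sample; real syslog parsing must infer it.
ASSUMED_YEAR = "2013"


def parse(line):
    """Return (timestamp, result, user, ip) for a password-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(ASSUMED_YEAR + " " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_dictionary_logins(log_text, threshold=5, window_seconds=600):
    """Flag successful logins preceded by >= threshold failures from the same IP
    inside window_seconds. Returns one dict per suspicious login."""
    failures = defaultdict(list)  # ip -> timestamps of failed attempts
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            failures[ip].append(ts)
            continue
        # Accepted: count this IP's failures inside the window before the success.
        recent = [t for t in failures[ip] if 0 <= (ts - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            hits.append({"ip": ip, "user": user, "failures": len(recent), "at": ts.isoformat()})
    return hits


if __name__ == "__main__":
    for hit in detect_dictionary_logins(SAMPLE_LOG):
        print(f"likely dictionary login: {hit}")
```

On a real host this is a hunting pass over auth.log rather than a replacement for rate limiting; the threshold should be tuned to the environment, and a login from an address that only failed once (alice above) is deliberately not flagged.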

The Linux version of the bot tries to connect to the C&C server via a high TCP port.

"Both the C&C’s IP and port are encrypted," they explained in a blog post. "Upon running, the bot sends operating system information (using uname function), unencrypted and waits for commands."

After analysing the malware, they concluded that it can launch four types of DDoS attacks, and that it also contains functions that have not yet been implemented.

The bot targeting Windows works a bit differently. Once on the computer, it drops an executable and runs it, which registers and starts a persistent Windows service dubbed DBProtectSupport.

The Windows bot also contacts the C&C server on a high TCP port, but it first needs to send a DNS query to the 8.8.8.8 server to learn the C&C server's IP address. It then "informs" the server of the target system's details by compiling and sending a text file.

"This text file, along with the fact that the same C&C IP was used in both malware samples make us believe that it was created by the same group," the researchers concluded.
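The Windows bot's C&C lookup leaves a recognisable sequence in network telemetry: a host sends a DNS query straight to 8.8.8.8, bypassing the organisation's own resolver, and shortly afterwards opens an outbound TCP connection to a high port. The correlator below is an added example, not code from the article or from the CERT analysis; it runs over constructed flow records. The record layout, the 10.0.0.53 internal resolver, the 600-second window and the reading of "high TCP port" as anything above 1023 are assumptions.

```python
"""Hypothetical hunt over constructed connection records for the C&C lookup
sequence the article describes for the Windows bot: a direct DNS query to
8.8.8.8 followed by an outbound TCP connection to a high port from the same host.
Added example, not from the article or the CERT analysis.
"""
from datetime import datetime, timedelta

INTERNAL_RESOLVER = "10.0.0.53"  # assumed sanctioned resolver for this network
PUBLIC_RESOLVER = "8.8.8.8"      # the resolver named in the article
HIGH_PORT_MIN = 1024             # assumed meaning of "high TCP port"

# Constructed flow records: (timestamp, src, dst, proto, dport).
# 10.0.1.20 behaves normally, 10.0.1.44 matches the bot's sequence,
# 10.0.1.51 queries 8.8.8.8 but then only talks HTTPS (not flagged).
SAMPLE_FLOWS = [
    ("2013-12-17T09:00:00", "10.0.1.20", INTERNAL_RESOLVER, "udp", 53),
    ("2013-12-17T09:00:01", "10.0.1.20", "198.51.100.80", "tcp", 443),
    ("2013-12-17T09:02:10", "10.0.1.44", PUBLIC_RESOLVER, "udp", 53),
    ("2013-12-17T09:02:12", "10.0.1.44", "192.0.2.77", "tcp", 48213),
    ("2013-12-17T09:30:00", "10.0.1.51", PUBLIC_RESOLVER, "udp", 53),
    ("2013-12-17T09:30:02", "10.0.1.51", "192.0.2.10", "tcp", 443),
]


def find_cnc_lookup_sequences(flows, window_seconds=600):
    """Return hosts that query the public resolver directly and then open a
    high-port TCP connection within window_seconds of that query."""
    ordered = sorted(flows, key=lambda f: f[0])
    pending = {}  # src host -> time of its last direct query to the public resolver
    hits = []
    for ts_s, src, dst, proto, dport in ordered:
        ts = datetime.fromisoformat(ts_s)
        if proto == "udp" and dport == 53 and dst == PUBLIC_RESOLVER:
            pending[src] = ts
        elif proto == "tcp" and dport >= HIGH_PORT_MIN and src in pending:
            if ts - pending[src] <= timedelta(seconds=window_seconds):
                hits.append({
                    "host": src,
                    "cnc_candidate": dst,
                    "port": dport,
                    "dns_at": pending[src].isoformat(),
                })
                del pending[src]  # one hit per lookup; a new query re-arms it
    return hits


if __name__ == "__main__":
    for hit in find_cnc_lookup_sequences(SAMPLE_FLOWS):
        print(f"review: {hit}")
```

This is a triage query, not an alert rule: on networks where workstations legitimately use 8.8.8.8 it will be noisy, so the direct-to-public-resolver condition is most useful where an internal resolver is mandated and other DNS egress is supposed to be blocked.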

But while Linux users can secure their machines against this attack by choosing a stronger SSH password, the researchers have not said how the Windows systems get compromised in the first place.

Copyright 1998-2014 by Help Net Security.