Neglemir performs DDOS attacks on selected targets (Oct 12, 2012)

Dell SonicWALL Threats Research team discovered a new Trojan spreading through drive-by downloads from malicious links. This Trojan, called Neglemir, was found reporting to a botnet infrastructure and performing DDOS (Distributed Denial of Service) attacks on selected targets in China. During our analysis we found it targeting various servers belonging to China Telecom as well as websites selling tools for an online game called “The Legend of Mir”. The Trojan cloaks itself as the Windows help service to avoid suspicion, and it was also found disabling a number of antivirus products.

Infection Cycle

The Trojan, when executed, creates a copy of itself in:

%windir%\Help\winhelp.exe [Detected as GAV: Neglemir.A_4 (Trojan)]

It installs itself as a service and ensures that it automatically starts on system reboot.

It checks for the following processes associated with various antivirus products and disables them:

  • avp.exe
  • ccenter.exe
  • kvsrvxp.exe
  • sndsrvc.exe
  • ekrn.exe
  • kavsvc.exe
  • 360sd.exe
  • 360tray.exe
  • avgaurd.exe
  • pccmain.exe
  • rtvscan.exe
  • mcsysmon.exe

It reports the infection to a remote C&C (Command and Control) server over port 8080. It uses the MAC address of the system to uniquely identify the infected node, and this value is sent as part of the request. It also reports its version as ‘v13’ to the remote server.

It receives commands over port 82. Port 82 is commonly used by the XFER utility for DNS zone transfers, but in this case it is abused by Neglemir to receive commands from the C&C server. The commands use ‘#’ and ‘!’ markers to indicate the beginning and the end of each command. We observed the following commands being received from the C&C server:

  • #102/{Target IP}/{Target Port}/{Count}/{Threads}/! : Floods on specified IP and Port
  • #109/! : Sleep
  • #113/{HTTP target}/{IP Address of HTTP target}/{Count}/! : Floods on HTTP Port
  • #114/all! : Stops all flooding activities
  • #147/{HTTP Server}/{IP Address of HTTP server}/{Count}/{Threads}//{File containing targets}! : Floods targets specified in a file
  • #149/{Public IP}! : Return public IP address of infected machine
  • #1105/nowVer: V13! : Returns current version of the Trojan
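As an added illustration (not code from the SonicWALL write-up), a small Python decoder for the command format above, the kind of helper an analyst would run over commands captured from a port-82 session to extract the victim hosts named in flood commands. The command codes and field order come from the list above; the field names and the sample session are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Field names per command code, following the command list above (names are ours).
COMMAND_FIELDS = {
    "102": ("target_ip", "target_port", "count", "threads"),
    "109": (),
    "113": ("http_target", "target_ip", "count"),
    "114": ("scope",),
    "147": ("http_server", "server_ip", "count", "threads", "target_file"),
    "149": ("public_ip",),
    "1105": ("version",),
}
FLOOD_CODES = {"102", "113", "147"}  # commands that start flooding activity

@dataclass
class NeglemirCommand:
    code: str
    fields: dict = field(default_factory=dict)

def parse_command(line):
    """Decode one '#<code>/<fields>!' message; return None if it is malformed."""
    m = re.fullmatch(r"#(\d+)(.*)!", line.strip())
    if not m or m.group(1) not in COMMAND_FIELDS:
        return None
    names = COMMAND_FIELDS[m.group(1)]
    # Drop the leading/trailing '/' and the empty part produced by the '//' in #147.
    parts = [p for p in m.group(2).strip("/").split("/") if p]
    if len(parts) != len(names):
        return None
    return NeglemirCommand(m.group(1), dict(zip(names, parts)))

def flood_targets(lines):
    """Return the set of victim IPs named in flood commands seen in a captured session."""
    targets = set()
    for line in lines:
        cmd = parse_command(line)
        if cmd and cmd.code in FLOOD_CODES:
            targets.add(cmd.fields.get("target_ip") or cmd.fields.get("server_ip"))
    return targets

# Constructed sample session in the page's command format (not real C&C traffic).
SAMPLE_SESSION = [
    "#1105/nowVer: V13!",
    "#102/192.0.2.10/80/1000/8/!",
    "#113/www.example.invalid/192.0.2.20/500/!",
    "#147/www.example.invalid/192.0.2.30/500/4//targets.txt!",
    "#114/all!",
    "not a command",
]
```

Running `flood_targets(SAMPLE_SESSION)` over the constructed session yields the three flood victim addresses, which is the list a responder would hand to the network team for notification or egress blocking.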

It sends the following string repeatedly when it successfully connects to a remote target in order to overwhelm it:

It mimics the User-Agent string of the Baidu search engine when reporting to its C&C server and also when performing DDOS attacks over HTTP ports.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV:Neglemir.A_4 (Trojan)