New Russian DDoS botnet discovered (May 1, 2013)

The Dell SonicWALL Threats Research team has discovered a new DDoS Trojan originating from Russia. The sole purpose of this Trojan is to provide its operators with an army of bots that can be used to take websites and services off-line at will.

Infection Cycle:

The Trojan makes the following DNS queries:

  • truth-about-bakhmatuk.com
  • drnona.rv.ua

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Application Data\sLT.exf
  • %TEMP%\ifd.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %TEMP%\kdg.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %TEMP%\48df.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %TEMP%\9f7g.exe [Detected as GAV: Polip.gen (Virus)]
  • %TEMP%\mdf8.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %TEMP%\mfg9.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %WINDOWS%\abtse.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %WINDOWS%\botze.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %SYSTEM32%\antivar.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %SYSTEM32%\antogoi.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %SYSTEM32%\dasdt.exe [Detected as GAV: Polip.gen (Virus)]
  • %SYSTEM32%\drivers\svchost.exe [Detected as GAV: Delf.QMH_10 (Trojan)]

In order to start after reboot it registers itself as a service by adding the following key to the Windows registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sytaytytd "%SYSTEM32%\dasdt.exe"

The file sLT.exf contains the following data:

      7r3e6u9v68q9f8ajh49k2dxyem6083ie

The Trojan spawns 6 processes upon execution, 5 of which remain idle:

dasdt.exe reports infection to a remote C&C server and receives a hostname and port:

The string (7r3e6u9v68q9f8ajh49k2dxyem6083ie) that is sent in the POST request appears to be random each time it is sent. It is read from sLT.exf. The Trojan then commences its DoS attack by sending UDP packets of varying lengths to the specified hostname and port. The packets contain mostly null bytes. It uses the following loop with a 1ms sleep between packets:
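As an added example (not code from the original advisory or from SonicWALL), the following Python detector scans UDP packet records for the flood pattern just described: a burst of datagrams from one host to a single destination and port, roughly 1 ms apart, with payloads of varying length that are mostly null bytes. The packet records, thresholds and addresses are all constructed for the example.

```python
import random
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

class UdpPacket(NamedTuple):
    ts: float        # capture timestamp in seconds
    src: str
    dst: str
    dport: int
    payload: bytes

def null_ratio(payload: bytes) -> float:
    """Fraction of the payload that is 0x00; 0.0 for an empty datagram."""
    return payload.count(0) / len(payload) if payload else 0.0

def find_udp_floods(packets: List[UdpPacket], min_packets: int = 200,
                    min_pps: float = 500.0, min_null_ratio: float = 0.9
                    ) -> List[Tuple[Tuple[str, str, int], Dict[str, float]]]:
    """Group packets by (src, dst, dport) and flag flows that are high-rate
    and mostly null-byte filled, as the advisory describes. Thresholds are
    illustrative assumptions, not values from the advisory."""
    flows: Dict[Tuple[str, str, int], List[UdpPacket]] = defaultdict(list)
    for p in packets:
        flows[(p.src, p.dst, p.dport)].append(p)
    hits = []
    for key, pkts in flows.items():
        if len(pkts) < min_packets:
            continue                      # too few datagrams to call it a flood
        pkts.sort(key=lambda p: p.ts)
        span = pkts[-1].ts - pkts[0].ts
        pps = len(pkts) / span if span > 0 else float("inf")
        avg_null = sum(null_ratio(p.payload) for p in pkts) / len(pkts)
        if pps >= min_pps and avg_null >= min_null_ratio:
            hits.append((key, {"packets": len(pkts), "pps": round(pps, 1),
                               "null_ratio": round(avg_null, 3),
                               "distinct_lengths": len({len(p.payload) for p in pkts})}))
    return hits

def build_sample_capture() -> List[UdpPacket]:
    """Constructed sample traffic: one host sending 1000 mostly-null datagrams of
    varying length at 1 ms intervals, plus a little benign DNS-sized traffic."""
    rng = random.Random(1)
    pkts = []
    for i in range(1000):
        length = rng.randint(64, 1400)
        payload = bytearray(length)       # all null bytes to start
        for _ in range(length // 50):     # sprinkle a few non-null bytes ("mostly" null)
            payload[rng.randrange(length)] = rng.randrange(1, 256)
        pkts.append(UdpPacket(1.0 + i * 0.001, "10.0.0.5", "198.51.100.9", 8080, bytes(payload)))
    for i in range(50):
        pkts.append(UdpPacket(1.0 + i * 0.2, "10.0.0.7", "10.0.0.1", 53, b"\x12\x34\x01\x00" + b"\x00\x01" * 4 + b"example"))
    return pkts
```

Run against a real capture, the same grouping can be fed from a PCAP reader; the benign DNS flow in the sample stays below the packet-count threshold and its payloads are far from null-dominated, so only the flood flow is reported.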

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Delf.QMH_10 (Trojan)
  • GAV: Polip.gen (Virus)
  • GAV: Neshta.A_16 (Trojan)
