Attackers are targeting Unix and Windows devices to set up malware made for launching distributed denial-of-service (DDoS) attacks, as outlined by experts from the Polish Computer Emergency Response Team (CERT Polska).
The malware was discovered by the Polish CERT at the start of December and the Linux version has been implemented following successful bruteforce attacks against the SSH (Secure Shell) services. Therefore systems that permit remote SSH access from the web and have accounts with vulnerable passwords have a chance of being affected by attackers disbursing this malware.
”We were able to obtain a 32-bit, statically linked, ELF file,” the Polish CERT experts wrote Monday in a blog post. The application works in daemon mode and joins a command-and-control (C&C) server utilizing a hard-coded IP address and port, they stated.
On first execution, the malware delivers system data back to the C&C server and stays connected until further instructions, the usual characteristics of a botnet.
”From the analysis we were able to determine that there are four types of attack possible, each of them a DDoS attack on the defined target,” the experts stated. “One of the possibilities is the DNS Amplification attack, in which a request, containing 256 random or previously defined queries, is sent to a DNS server. There are also other, unimplemented functions, which probably are meant to utilize the HTTP protocol in order to perform a DDoS attack.”
The malware provides system data back to the C&C host about the running proccesses, the CPU speed, system load and network speed.
A variation of the DDoS malware also is available for Windows systems where it’s installed as “C:\Program Files\DbProtectSupport\svchost.exe” and is also designed to run as a service on system startup.
Because this malware was created mainly for DDoS attacks, the attackers behind it are most likely wanting to compromise hosts with sizeable network bandwidths, like servers. “This also probably is the reason why there are two versions of the bot-Linux operating systems are a popular choice for server machines,” the researchers added.
”Most servers that are injected with these various scripts are then used for a variety of tasks, including DDoS, vulnerability scanning, and exploiting,” DiMino said Tuesday in post that delivers an in depth analysis of the attack. “The mining of virtual currency is now often seen running in the background during the attacker’s ‘downtime’.”
