It was recently found by CERT that there’s a new type of DDOS botnet that is infecting both Windows® and Linux® platforms. This is a highly sophisticated cross-platform malware which impacts computers by causing DNS amplification.

 

WHAT IS DNS AMPLIFICATION?

A DNS Amplification Attack is a Distributed Denial of Service (DDOS) tactic that belongs to the class of reflection attacks in which an attacker delivers traffic to the victim of their attack by reflecting it off of a third party so that the origin of the attack is concealed from the victim. Additionally, it combines reflection with amplification: that is, the byte count of traffic received by the victim is substantially greater than the byte count of traffic sent by the attacker, in practice amplifying or multiplying the sending power of the attacker.[1]

 

HOW DOES THIS MALWARE WORK?

In Linux systems, this botnet takes advantage of the systems that allow remote SSH access from the Internet and have accounts with weak passwords. The attacker uses dictionary-base password guessing to infiltrate into the system protected by SSH. While executing an attack, the malware provides information back to the command and control server about the running task, the CPU speed, system load and network connection speed.

Malware Attack.png

 

The Windows variant of the botnet installs a new service in the target systems in order to gain persistence.  First, the C:\Program Files\DbProtectSupport\svchost.exe file is installed and run. This file registers a new Windows service – DPProtectSupport, which starts automatically at the system startup. Then, a DNS query is sent to the 8.8.8.8 server, requesting the IP address of the .com domain. This domain is the C&C server and the bot connects to it using a high TCP port, different than the one used in Linux version. And, in the Windows version of the malware, OS information is sent to the C&C server in a text format.

 

This botnet was discovered in December 2013, and after many tests, the anti-virus software used was able to detect it more in Windows compared to Linux – putting Linux at higher risk of security compromise.

 

Its best to always gain real-time actionable intelligence from your system and network logs so that you will be able to detect any suspicious and unwarranted activity – which might be indicators of a security breach!