Related
Recommended

New DDOS Botnet Affecting Windows

vinod.mohan
2 minute read time

It was recently found by CERT that there’s a new type of DDOS botnet that is infecting both WindowsRegistered and LinuxRegistered platforms. This is a highly sophisticated cross-platform malware which impacts computers by causing DNS amplification.

 

WHAT IS DNS AMPLIFICATION?

A DNS Amplification Attack is a Distributed Denial of Service (DDOS) tactic that belongs to the class of reflection attacks in which an attacker delivers traffic to the victim of their attack by reflecting it off of a third party so that the origin of the attack is concealed from the victim. Additionally, it combines reflection with amplification: that is, the byte count of traffic received by the victim is substantially greater than the byte count of traffic sent by the attacker, in practice amplifying or multiplying the sending power of the attacker.[1]

 

HOW DOES THIS MALWARE WORK?

In Linux systems, this botnet takes advantage of the systems that allow remote SSH access from the Internet and have accounts with weak passwords. The attacker uses dictionary-base password guessing to infiltrate into the system protected by SSH. While executing an attack, the malware provides information back to the command and control server about the running task, the CPU speed, system load and network connection speed.

Malware Attack.png

The Windows variant of the botnet installs a new service in the target systems in order to gain persistence.  First, the C:\Program Files\DbProtectSupport\svchost.exe file is installed and run. This file registers a new Windows service – DPProtectSupport, which starts automatically at the system startup. Then, a DNS query is sent to the 8.8.8.8 server, requesting the IP address of the .com domain. This domain is the C&C server and the bot connects to it using a high TCP port, different than the one used in Linux version. And, in the Windows version of the malware, OS information is sent to the C&C server in a text format.

This botnet was discovered in December 2013, and after many tests, the anti-virus software used was able to detect it more in Windows compared to Linux – putting Linux at higher risk of security compromise.

 

Its best to always gain real-time actionable intelligence from your system and network logs so that you will be able to detect any suspicious and unwarranted activity – which might be indicators of a security breach!

Thwack - Symbolize TM, R, and C

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.