McAfee Uncovers Nitol, a Botnet Executing DDoS Attacks in China
McAfee Labs reports a DDoS (Distributed Denial-of-Service) botnet, nicknamed Nitol, that it has found active solely in China.
Describing the botnet, McAfee security researcher Itai Liba states that the Nitol malware that infects PCs is written in Visual C++ and contains plentiful bugs; the researcher's analysis is that it is apparently the work of an unskilled programmer. Infosecurity-magazine.com published this on April 20, 2012.
Studying samples of the bot, Liba and other McAfee researchers found that they were not packed and were therefore amenable to reverse engineering. The Nitol botnet is comparatively small and not widely known.
Elaborating further, Liba states that Nitol copies itself to a randomly named ******.exe file, where each * stands for one random alphabetic character, and places the executable in the Program Files directory. It then masquerades as a service named "MSUpdqteeee" with the display name "Microsoft Windows Uqdatehwh Service," the researcher says.
Liba adds that once installed, the bogus 'service' connects to the botnet's C&C (command-and-control) system over TCP (Transmission Control Protocol) to send data from the infected PC. Blogs.mcafee.com published this on April 19, 2012.
This data is used primarily to gauge the size and composition of Nitol, and it also helps decide which kind(s) of DDoS attack the particular infected PC should carry out. However, the initial data is not sufficient for the C&C system to determine whether the bot is being debugged or whether it has infected a virtual machine.
Once the information reaches the C&C system, the latter typically issues a command in return.
Both the inbound traffic, including its TCP/IP headers, and the outbound traffic, which carries 1028 bytes of raw data, are 1082 bytes in size irrespective of the size of the original data.
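As an added illustration (not code from McAfee or the article), the following Python triage script turns the two indicators described above, the fake "MSUpdqteeee" service backed by a random six-letter .exe directly under Program Files and the fixed 1082-byte message size, into checks over constructed service and frame records; the IP addresses, the non-Nitol service names and the frame lengths are assumed sample data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Host indicators reported in the article: a ******.exe (six random letters) placed directly
# under Program Files, registered as service "MSUpdqteeee" with a misspelt display name.
NITOL_SERVICE_NAME = "MSUpdqteeee"
NITOL_DISPLAY_NAME = "Microsoft Windows Uqdatehwh Service"
RANDOM_EXE = re.compile(r"^[a-z]:\\program files\\[a-z]{6}\.exe$", re.IGNORECASE)
# Network indicator reported in the article: every bot<->C&C message is 1082 bytes on the wire.
NITOL_FRAME_LEN = 1082

@dataclass
class Service:
    name: str
    display_name: str
    binary_path: str

def service_findings(svc: Service) -> list[str]:
    """Return the reasons (possibly none) a service record fits the Nitol profile."""
    reasons = []
    if svc.name == NITOL_SERVICE_NAME or svc.display_name == NITOL_DISPLAY_NAME:
        reasons.append("service name matches the Nitol fake update service")
    if RANDOM_EXE.match(svc.binary_path):
        reasons.append("six-letter random .exe directly under Program Files")
    return reasons

def fixed_size_conversations(frames, min_frames=4):
    """frames: (src_ip, dst_ip, frame_len). Return host pairs whose every frame, in both
    directions, is exactly NITOL_FRAME_LEN bytes; pairs with few frames are ignored as noise."""
    by_pair = defaultdict(list)
    for src, dst, length in frames:
        by_pair[tuple(sorted((src, dst)))].append(length)
    return {pair for pair, lens in by_pair.items()
            if len(lens) >= min_frames and all(n == NITOL_FRAME_LEN for n in lens)}

# Constructed sample data (not from the article): one Nitol-like service and one beaconing pair.
SERVICES = [
    Service("wuauserv", "Windows Update", r"C:\Windows\System32\svchost.exe"),
    Service("AcmeAgent", "Acme Agent", r"C:\Program Files\Acme\agent.exe"),
    Service("MSUpdqteeee", "Microsoft Windows Uqdatehwh Service", r"C:\Program Files\kqzxpl.exe"),
]
FRAMES = [
    ("10.0.0.5", "203.0.113.9", 1082), ("203.0.113.9", "10.0.0.5", 1082),
    ("10.0.0.5", "203.0.113.9", 1082), ("203.0.113.9", "10.0.0.5", 1082),
    ("10.0.0.7", "198.51.100.4", 74), ("198.51.100.4", "10.0.0.7", 1514),
    ("10.0.0.7", "198.51.100.4", 1082), ("198.51.100.4", "10.0.0.7", 60),
    ("10.0.0.8", "192.0.2.1", 1082),  # a lone 1082-byte frame is not enough on its own
]
```

Running `service_findings` over each entry of `SERVICES` flags only the third record, and `fixed_size_conversations(FRAMES)` returns only the 10.0.0.5/203.0.113.9 pair.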
Notably, Nitol executes DDoS attacks such as RawDataFlood, HTTPFlood and GenericFlood, according to Liba. Softpedia.com reported this on April 20, 2012.
McAfee's researchers also discovered that the routine for stopping the RawDataFlood attack after it has run for a while was apparently written for the GenericFlood task and only later reused for the RawDataFlood and HTTPFlood attacks.
SPAMfighter News - 28-04-2012