Zemra Launches DDoS Assaults; Holds Organizations at Ransom
Security company Symantec has found a new crimeware toolkit that launches DDoS (Distributed Denial-of-Service) attacks against organizations' networks and then holds them to ransom. The toolkit, called Zemra, has been spreading since May 2012, Symantec's researchers say.
Interestingly, Zemra resembles other crimeware kits such as SpyEye and ZeuS in that it, too, uses a command-and-control (C&C) system hosted on a remote server. Through it, Zemra can send instructions to the hijacked PCs, and it acts as a gateway that shows the attacker how many bots and infections there are.
Besides executing DDoS attacks, Backdoor.Zemra performs other tasks, such as monitoring computers, running files, gathering system information, and uninstalling or updating itself whenever required.
The malware spreads through USB devices, and it uses 256-bit DES encryption to exchange messages with its C&C server.
Describing the malicious program further, Symantec reverse engineer Alan Neville stated that when a PC is first infected, Zemra dials home over Hypertext Transfer Protocol (HTTP) on port 80 and sends a POST request carrying a privilege indication (whether it is running as administrator or not), the current user agent, a hardware ID, and the operating system version. Softpedia.com published this on June 28, 2012.
Neville wrote that the POST request is parsed by gate.php, which separates the information and saves it in a Structured Query Language (SQL) database. The kit then tracks which hijacked PCs are online so that it can communicate with them conveniently, he blogged. Symantec.com published this on June 27, 2012.
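As an added illustration from the defender's side (example code, not Symantec's or the article's), the script below scans constructed web-proxy log lines for check-ins with the shape described above: an HTTP POST on port 80 to a gate.php path whose body carries a privilege flag, user agent, hardware ID and OS version. The log format and the parameter names (admin, ua, hwid, os) are assumptions for the example; the article names only the data items, not the field names.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log lines for this example (not real Zemra traffic):
# client IP, HTTP method, full URL, quoted user agent, POST body ("-" if none).
SAMPLE_LOG = """\
10.0.0.5 POST http://198.51.100.20/gate.php "Mozilla/4.0" admin=1&os=WinXP&hwid=7F3A9C&ua=Mozilla/4.0
10.0.0.5 POST http://198.51.100.20/gate.php "Mozilla/4.0" admin=1&os=WinXP&hwid=7F3A9C&ua=Mozilla/4.0
10.0.0.9 GET http://www.example.com/index.html "Mozilla/5.0" -
10.0.0.12 POST https://www.example.com/login.php "Mozilla/5.0" user=alice
10.0.0.7 POST http://203.0.113.8:8080/gate.php "Mozilla/4.0" admin=0&os=Win7&hwid=00B1C2&ua=Mozilla/4.0
10.0.0.7 POST http://203.0.113.8:80/panel/gate.php "Mozilla/4.0" admin=0&os=Win7&hwid=00B1C2&ua=Mozilla/4.0
"""

LINE_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)" (?P<body>\S*)$')

# Parameter names are an assumption for this example; the article only names the
# data items the beacon carries (privilege flag, user agent, hardware ID, OS version).
BEACON_FIELDS = {"admin", "ua", "hwid", "os"}

def is_beacon(rec):
    """True when a record has the check-in shape: HTTP POST on port 80 to a
    gate.php path, with a body carrying all four expected fields."""
    if rec["method"] != "POST":
        return False
    u = urlsplit(rec["url"])
    port = u.port or (80 if u.scheme == "http" else 443)
    if port != 80 or not u.path.endswith("/gate.php"):
        return False
    fields = set(parse_qs(rec["body"]))
    return BEACON_FIELDS <= fields

def find_beacons(log_text):
    """Return {(client_ip, c2_host): hit_count} for lines that look like check-ins."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        rec = m.groupdict()
        if is_beacon(rec):
            hits[(rec["src"], urlsplit(rec["url"]).hostname)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, c2), n in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"{src} -> {c2}: {n} suspected check-in(s)")
```

A hit gives the internal host to isolate and the C&C host to block; the path and field checks together keep ordinary form posts from matching.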
Symantec, which examined the leaked malware, identified two different DDoS attacks it launches: SYN flood and HTTP flood.
In a SYN flood, the bot sends the target many connection requests as SYN packets; in an HTTP flood, it opens and then shuts socket connections without completing them. When the requests come too fast, the transmission control blocks (TCBs) the server allocates for them pile up, overwhelming the server so that it overlooks genuine requests.
The toolkit was being sold for EUR100 on underground forums, Symantec concluded.
» SPAMfighter News - 07-07-2012