Explore the latest news and trends  

Keep yourself up to date with one of the following options:

  • Explore more news around Spam/Phishing, Malware/Cyber-attacks and Antivirus
  • Receive news and special offers from SPAMfighter directly in your inbox.
  • Get free tips and tricks from our blog and improve your security when surfing the net.
Go

Zemra Launches DDoS Assaults; Holds Organizations at Ransom

Symantec the security company has found one fresh toolkit for building crime-ware, which helps initiate DDoS (Distributed Denial-of-Service) assaults on organization networks and then hold them at ransom. The toolkit called Zemra has been spreading during the month of May 2012, say Symantec's researchers.

Interestingly, Zemra bears resemblance with other crime-ware kits like SpyEye or ZeuS for, it too maintains a command-and-control (C&C) system that certain server hosts from the remote. As a result, Zemra is able to send instructions to hijacked PCs while it behaves like a gateway for determining as to how many bots and infections have occurred for the benefit of the attacker.

Alongside executing DDoS assaults, Backdoor.Zemra performs more tasks such as monitoring computers, running files, gathering information about systems, as well as unloading alternatively making itself up-to-date whenever required.

While the malware proliferates through USB devices, it utilizes DES encryption of 256-bit to exchange messages with its C&C server.

Describing the malicious program further, Reverse Engineer Alan Neville at Symantec stated that to start when any PC got infected, Zemra would use Hypertext Transfer Protocol (HTTP) port 80 for dialing home as also make one 'Power-on self-test' (POST) request transmitting privilege indication i.e. whether it was administrator or otherwise; existing user agent; hardware ID; and the operating system edition. Softpedia.com published this in news on June 28, 2012.

Neville wrote that the POST query got parsed with the help of gate.php that segregated information followed with saving it within a Structured Query Language (SQL) database. Subsequently it tracked the hijacked PCs that were online so it could communicate conveniently, he blogged. Symantec.com published this on June 27, 2012.

Symantec, which examined the leaked malware, detected 2 different DDoS assaults it launched. These were SYN flood and HTTP flood DDoS assaults.

While the former dispatched several requests to an affected PC through SYN packs, the latter kick-started as also shut untreated socket connections. If requests were too many, those created with 'trusted computing base' (TCB) became excessive thus overwhelming the server into overlooking genuine requests.

The toolkit was up for trade at EUR100 on underground forums, Symantec concluded.

ยป SPAMfighter News - 07-07-2012

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Exchange Anti Spam Filter
Go back to previous page
Next