[nsp-sec] Multiple DDoS attacks
YoungBaek Kim
ybkim at krcert.or.kr
Tue Jul 7 11:21:16 EDT 2009
Hello.
We, KrCERT, are analyzing the DDoS attacks now.
We found the malware "perfvwr.dll" on an infected PC.
I attached the sample (password: infected).
But we could not find the C&C server yet.
It creates a "uregvs.nls" file that contains target server lists like below.
www.usfk.mil
www.usfk.mil;80;get;/;;
www.whitehouse.gov
www.whitehouse.gov;80;get;/;;
www.faa.gov
www.faa.gov;80;get;/;;
www.dhs.gov
www.dhs.gov;80;get;/;;
www.state.gov
www.state.gov;80;get;/;;
www.defenselink.mil
www.defenselink.mil;80;get;/;;
www.nyse.com
www.nyse.com;80;get;/;;
www.nasdaq.com
www.nasdaq.com;80;get;/;;
finance.yahoo.com
www.usauctionslive.com
www.usauctionslive.com;80;get;/;;
www.usbank.com
www.usbank.com;80;get;/;;
www.washingtonpost.com
www.washingtonpost.com;80;get;/;;
www.ustreas.gov
www.ustreas.gov;80;get;/;;
If you have any other information about this attack, please contact me.
Thank you.
Regards.
----- Original Message -----
From: "Dave Mitchell" <davem at yahoo-inc.com>
To: "Scott A. McIntyre" <scott at xs4all.net>
Cc: "NSP nsp-security" <nsp-security at puck.nether.net>
Sent: Tuesday, July 07, 2009 10:02 PM
Subject: Re: [nsp-sec] Multiple DDoS attacks
> ----------- nsp-security Confidential --------
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
The attachment named perfvwr.dll/perfvwr.zip could not be scanned for viruses because it is a password protected file.
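Added example (not part of the original message or of KrCERT's analysis): a parser for a text listing in the shape quoted in the message, for an analyst who has recovered one and needs a deduplicated set of hosts and request records for victim notification. The field meanings (host;port;method;path) are inferred from the quoted lines, and the hostnames in the sample are constructed placeholders.

```python
# Constructed sample in the shape of the listing quoted in the message;
# hostnames are placeholders, not values taken from the message.
SAMPLE = """\
www.example.com
www.example.com;80;get;/;;
portal.example.org
www.example.net
www.example.net;8080;get;/status;; `
bad.example.com;notaport;get;/;;
"""

def parse_target_listing(text):
    """Return (targets, problems).

    targets maps host -> list of (port, METHOD, path) request records.
    A host that appears only as a bare line maps to an empty list.
    Field order host;port;method;path is an assumption read off the
    sample lines; the two trailing empty fields are ignored.
    """
    targets, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip().strip("`").strip()  # drop stray copy/paste debris
        if not line:
            continue
        if ";" not in line:                    # bare hostname line
            targets.setdefault(line.lower(), [])
            continue
        fields = line.split(";")
        if len(fields) < 4 or not fields[0]:
            problems.append((lineno, "too few fields"))
            continue
        host, port, method, path = fields[:4]
        if not port.isdecimal() or not 0 < int(port) < 65536:
            problems.append((lineno, "bad port"))
            continue
        record = (int(port), method.upper(), path or "/")
        entries = targets.setdefault(host.lower(), [])
        if record not in entries:              # de-duplicate repeated records
            entries.append(record)
    return targets, problems

def hosts_without_record(targets):
    """Hosts named in the listing that carry no request record."""
    return [h for h, recs in targets.items() if not recs]

if __name__ == "__main__":
    targets, problems = parse_target_listing(SAMPLE)
    for host, recs in targets.items():
        print(host, recs)
    print("no record:", hosts_without_record(targets), "problems:", problems)
```

Hosts returned by hosts_without_record and lines reported in problems are the ones to check by hand against the recovered file before a notification list is sent out.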