[nsp-sec] UDP based DDoS Attack
Nicholas Ianelli
ni at centergate.net
Tue May 12 17:41:24 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Saweet!
> Taking a closer look at SHA1 062d014d07a1bc1c6368210504340c1b16954894,
> MD5 6523dfd1b1fcd8d448b32c90f60af679, I see a lot of AV signature with
> the string "virut" in them.
>
> It generates a lot of UDP 53 traffic. It also has an IRC component:
>
> Server: irz.zief.pl 121.12.125.198
> Port: TCP 80
> Channel: #.130
>
> That server is slow, but active.
>
> The bots may be running a HTTP GET of the following URL:
>
> h x x p : / / goasi.cn / ex / a.php
a.php is actually an executable file:
File: load.exe
Size: 11776
MD5: 73A5DE7137D746C42501F19584415657
This thing downloads/installs a number of files.
7.tmp: ASCII text,
A.tmp: MS-DOS executable
abb[1].txt: MS-DOS executable
em[1].htm: MS-DOS executable
ge[1].txt: MS-DOS executable
lgate[1].htm: ASCII text,
load.exe: MS-DOS executable
protect.sys: MS-DOS executable
reader_s.exe: MS-DOS executable
services.exe: MS-DOS executable
fbaf14e99507107b7c5c7b0caa539752 *7.tmp
254b04a0284200e1493128288d7549cb *A.tmp
90214b367e443fac405b92bb33d6490f *abb[1].txt
254b04a0284200e1493128288d7549cb *em[1].htm
1ef05389f52c363df2841655b87fd3b2 *ge[1].txt
fbaf14e99507107b7c5c7b0caa539752 *lgate[1].htm
73a5de7137d746c42501f19584415657 *load.exe
13a366eef1bf920ffcf754716fda7ade *protect.sys
90214b367e443fac405b92bb33d6490f *reader_s.exe <- set to run at startup
1ef05389f52c363df2841655b87fd3b2 *services.exe <- set to run at startup
Oh snap - my host went nuts! A number of MX lookups followed up by a TCP
SYN attack on port 25/TCP to a number of hosts.
I'll analyze, summarize and send out more info once I have it.
Nick
- --
Nicholas Ianelli: NeuStar, Inc.
Security Operations
46000 Center Oak Plaza Sterling, VA 20166
+1 571.434.4691 - http://www.neustar.biz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAkoJ7QQACgkQi10dJIBjZICYMACgxvvBaOoFdB4cZTlJSFpmRp85
S8sAoJmzvnru2BIQbxvG7E1VEwMbIiTe
=VijF
-----END PGP SIGNATURE-----
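The behaviour Nick reports at the end (a burst of MX lookups followed by SYNs to 25/TCP against many hosts) is a classic spam-bot signature that is easy to pick out of DNS and flow logs. The following is an added detection example, not code from the post or from any tool mentioned in it; the `Event` record layout, the thresholds and the sample events are all assumptions constructed for illustration.

```python
"""Heuristic detector for the infected-host behaviour described in the post:
a source issues a burst of MX queries and then opens TCP/25 connections to
many distinct destinations.  Added example, not part of the original post;
the event format, thresholds and sample data below are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: float        # seconds since some epoch (assumed normalised log timestamp)
    src: str         # source host of the query / connection
    kind: str        # "dns_mx" (MX query) or "tcp_syn" (outbound SYN)
    dst: str         # queried domain for dns_mx, destination IP for tcp_syn
    dport: int = 0   # destination port for tcp_syn


def find_spam_bots(events, window=60.0, min_mx=5, min_smtp_targets=10):
    """Return {src: summary} for every source that, within `window` seconds
    starting at one of its MX queries, queries MX for >= min_mx distinct
    domains and SYNs to >= min_smtp_targets distinct hosts on 25/TCP.
    Windows only start at MX queries, so the SMTP fan-out must *follow*
    an MX lookup rather than merely coincide with one."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            if start.kind != "dns_mx":
                continue
            mx_domains, smtp_targets = set(), set()
            for e in evs[i:]:
                if e.ts - start.ts > window:
                    break
                if e.kind == "dns_mx":
                    mx_domains.add(e.dst)
                elif e.kind == "tcp_syn" and e.dport == 25:
                    smtp_targets.add(e.dst)
            if len(mx_domains) >= min_mx and len(smtp_targets) >= min_smtp_targets:
                flagged[src] = {
                    "mx_domains": len(mx_domains),
                    "smtp_targets": len(smtp_targets),
                    "window_start": start.ts,
                }
                break  # one hit per source is enough; move on
    return flagged


def sample_events():
    """Constructed sample data (not captured traffic): one host matching the
    MX-burst-then-SMTP-fan-out pattern, one benign workstation, and one host
    with port-25 fan-out but no preceding MX burst."""
    evs = []
    # 10.0.0.5: six MX lookups, then twelve SYNs to distinct hosts on 25/TCP
    for i in range(6):
        evs.append(Event(ts=float(i), src="10.0.0.5", kind="dns_mx", dst=f"example{i}.test"))
    for i in range(12):
        evs.append(Event(ts=10.0 + i, src="10.0.0.5", kind="tcp_syn",
                         dst=f"192.0.2.{i + 1}", dport=25))
    # 10.0.0.7: a single MX lookup and an HTTPS connection (benign)
    evs.append(Event(ts=1.0, src="10.0.0.7", kind="dns_mx", dst="example.test"))
    evs.append(Event(ts=2.0, src="10.0.0.7", kind="tcp_syn", dst="198.51.100.1", dport=443))
    # 10.0.0.9: many SYNs to 25/TCP but no MX queries at all (e.g. relay with
    # a static smart-host list); the "followed by" requirement excludes it
    for i in range(12):
        evs.append(Event(ts=float(i), src="10.0.0.9", kind="tcp_syn",
                         dst=f"203.0.113.{i + 1}", dport=25))
    return evs


if __name__ == "__main__":
    for src, summary in find_spam_bots(sample_events()).items():
        print(src, summary)
```

The thresholds are deliberately conservative; a legitimate outbound mail relay will also do MX lookups before connecting, so in practice the detector should be run only against hosts that are not authorised to send mail directly, which is where the post's observation (a compromised end host suddenly doing MX lookups and SMTP fan-out) is most useful.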