Symantec has become aware of a new Distributed Denial of Service (DDoS) crimeware bot known as “Zemra”, detected by Symantec as Backdoor.Zemra. Lately, this threat has been observed performing denial-of-service attacks against organizations for the purpose of extortion. Zemra first appeared on underground forums in May 2012 at a cost of €100. This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that it has a command-and-control panel hosted on a remote server. The panel issues commands to compromised computers and acts as the gateway that records the number of infections and bots at the attacker’s disposal. Similar to other crimeware kits, the functionality of Zemra is extensive:

- “256-bit DES” encryption/decryption for communication between server and client (the kit’s own description; DES itself uses a 56-bit key)
- DDoS attacks
- Device monitoring
- Download and execution of binary files
- Installation, with persistence checks to ensure the infection remains in place
- Propagation through USB
- Self update
- Self uninstall
- System information collection

However, the main functionality is the ability to perform a DDoS attack on a remote target of the operator’s choosing.

Initially, when a computer becomes infected, Backdoor.Zemra dials home over HTTP (port 80) with a POST request carrying a hardware ID, the current user agent, a privilege indication (administrator or not), and the version of the OS. This POST request is parsed by gate.php, which splits out the fields and stores them in an SQL database. The panel then keeps track of which compromised computers are online and ready to receive commands.

Inspection of the leaked code allowed us to identify two types of DDoS attacks implemented in this bot:

- HTTP flood
- SYN flood

The first type, HTTP flood, opens a socket connection with special options set so that the socket is closed without waiting for a response (e.g. the .NET SocketOptionName.DontLinger option). It then closes the socket on the client side and launches a new connection after a sleep interval.
This is similar to a SYN flood, whereby a number of connection requests are made by sending multiple SYNs. No ACK is sent back upon receiving the SYN-ACK, as the socket has already been closed. This leaves the server-side Transmission Control Blocks (TCBs) in the SYN-RECEIVED state.

The second type, SYN flood, is a simple SYN flood attack in which connect() is called repeatedly, causing multiple SYN packets to be sent to the target computer. This is done in an effort to build up a backlog of TCB creation requests, exhausting the server and denying access to real requests.

Symantec added detection for this threat under the name Backdoor.Zemra, which became active on June 25, 2012. To reduce the possibility of being infected by this Trojan, Symantec advises users to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed. Source: http://www.symantec.com/connect/blogs/ddos-attacks-zemra-bot
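The check-in described above (a POST to gate.php carrying host details, with the panel recording which bots are online) is something a defender can hunt for in proxy or web-server logs. The following is an added example written for this page, not Symantec’s or the bot author’s code. The log lines are constructed, and the combined log format, the “POST to gate.php with no referer” heuristic and the beacon interval are assumptions about what such a check-in looks like; the page gives no field names or timing.

```python
"""Hunt for Zemra-style check-in beacons in HTTP proxy logs.

Added example, not Symantec's or the bot author's code. The page says the
bot POSTs a hardware ID, user agent, privilege flag and OS version to
gate.php over port 80; the log format, the "no referer" heuristic and the
beacon interval below are assumptions made for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed combined-format log lines (NOT real traffic). 10.0.0.12 checks
# in with gate.php roughly every five minutes; the others are ordinary users.
SAMPLE_LOG = """\
10.0.0.12 - - [26/Jun/2012:09:00:03 +0000] "POST /panel/gate.php HTTP/1.1" 200 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.45 - - [26/Jun/2012:09:01:17 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/13.0"
10.0.0.45 - - [26/Jun/2012:09:02:40 +0000] "POST /login.php HTTP/1.1" 302 0 "http://intranet/" "Mozilla/5.0 (Windows NT 6.1) Firefox/13.0"
10.0.0.77 - - [26/Jun/2012:09:03:00 +0000] "POST /gate.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/13.0"
10.0.0.12 - - [26/Jun/2012:09:05:04 +0000] "POST /panel/gate.php HTTP/1.1" 200 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.12 - - [26/Jun/2012:09:10:02 +0000] "POST /panel/gate.php HTTP/1.1" 200 14 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_gate_post(rec):
    """Weak indicator: a POST whose path ends in gate.php and carries no referer."""
    basename = rec["path"].rsplit("/", 1)[-1].split("?", 1)[0]
    return (rec["method"] == "POST"
            and basename == "gate.php"
            and rec["referer"] in ("", "-"))


def find_beacons(log_text, min_hits=3, max_jitter_s=30):
    """Return (periodic, one_off): clients whose gate.php POSTs recur at a
    steady interval, and clients that hit gate.php too rarely to judge."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_gate_post(rec):
            hits[rec["client"]].append(rec["ts"])
    periodic, one_off = [], []
    for client, times in hits.items():
        times.sort()
        if len(times) < min_hits:
            one_off.append(client)
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A bot sleeping a fixed interval produces gaps that barely vary.
        if max(gaps) - min(gaps) <= max_jitter_s:
            periodic.append({"client": client, "hits": len(times),
                             "interval_s": statistics.median(gaps)})
    return periodic, sorted(one_off)


if __name__ == "__main__":
    periodic, one_off = find_beacons(SAMPLE_LOG)
    for b in periodic:
        print(f"BEACON {b['client']}: {b['hits']} POSTs to gate.php "
              f"every ~{b['interval_s']:.0f}s")
    for c in one_off:
        print(f"review {c}: isolated POST to gate.php")
```

The path match alone is a weak indicator (gate.php is a common name), so the periodicity check does the real work: a fixed sleep between check-ins is what separates a bot from a user who happened to hit a page of that name once. Tune `min_hits` and `max_jitter_s` to the log window you have.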
Read More: Distributed Denial of Service ‘DDoS’ Attacks: The Zemra Bot
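Both attack modes described above work by leaving server-side TCBs in SYN-RECEIVED until the listen backlog is exhausted. The following added example (not from Symantec’s analysis or the bot’s code) replays a constructed packet trace through a simplified model of a listening socket’s backlog, so a defender can see how a stream of SYNs that are never acknowledged crowds out a legitimate client’s SYN, and how to attribute the half-open entries to a source for blocking or rate-limiting. The backlog size, SYN-RECEIVED timeout and per-source threshold are assumed values chosen for the demonstration, not any operating system’s defaults.

```python
"""Model a listening socket's SYN backlog and attribute half-open entries.

Added example, not Symantec's analysis or the bot's code. A constructed
packet trace is replayed through a simplified TCB table so the reader can
see how SYNs that are never followed by an ACK (both Zemra modes) pin
entries in SYN-RECEIVED until the backlog is full. Backlog size, timeout
and the per-source threshold are assumed values, not OS defaults.
"""
from collections import defaultdict, namedtuple

# One packet as the server sees it: arrival time (s), client IP, client port,
# and the flag that matters here: S (SYN), A (ACK of our SYN-ACK), R, or F.
Pkt = namedtuple("Pkt", "t src sport flag")


class SynBacklog:
    """Simplified server-side view: half-open TCBs plus established ones."""

    def __init__(self, backlog=8, syn_timeout_s=3.0):
        self.backlog = backlog              # max entries in SYN-RECEIVED
        self.syn_timeout_s = syn_timeout_s  # give up on a SYN after this long
        self.half_open = {}                 # (src, sport) -> SYN arrival time
        self.established = set()
        self.dropped_syns = 0               # SYNs refused because backlog full

    def _expire(self, now):
        for key, t0 in list(self.half_open.items()):
            if now - t0 > self.syn_timeout_s:
                del self.half_open[key]

    def feed(self, p):
        self._expire(p.t)
        key = (p.src, p.sport)
        if p.flag == "S":
            if key in self.half_open or key in self.established:
                return                      # retransmitted SYN, nothing new
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1      # this is the denial of service
                return
            self.half_open[key] = p.t       # TCB created, SYN-RECEIVED
        elif p.flag == "A" and key in self.half_open:
            del self.half_open[key]         # handshake completed
            self.established.add(key)
        elif p.flag in ("R", "F"):
            self.half_open.pop(key, None)
            self.established.discard(key)

    def half_open_by_src(self):
        counts = defaultdict(int)
        for src, _ in self.half_open:
            counts[src] += 1
        return dict(counts)


def build_trace():
    """Constructed trace: one normal client, one flooder, one victim client."""
    trace = [Pkt(0.0, "10.1.1.5", 40000, "S"),    # normal: SYN, ACK, FIN
             Pkt(0.1, "10.1.1.5", 40000, "A"),
             Pkt(0.5, "10.1.1.5", 40000, "F")]
    # Flooder: a fresh source port every 50 ms, SYN only, never an ACK
    trace += [Pkt(1.0 + i * 0.05, "203.0.113.9", 50000 + i, "S")
              for i in range(20)]
    # Legitimate client arriving while the backlog is already full
    trace += [Pkt(1.6, "10.1.1.6", 40001, "S"),
              Pkt(1.7, "10.1.1.6", 40001, "A")]
    return sorted(trace, key=lambda p: p.t)


def analyze(trace, backlog=8, syn_timeout_s=3.0, flag_threshold=5):
    """Replay the trace; report half-open entries per source, how many SYNs
    were refused, and which sources exceed the per-source threshold."""
    table = SynBacklog(backlog, syn_timeout_s)
    for p in trace:
        table.feed(p)
    by_src = table.half_open_by_src()
    return {"half_open_by_src": by_src,
            "dropped_syns": table.dropped_syns,
            "flagged": sorted(s for s, n in by_src.items()
                              if n >= flag_threshold)}


if __name__ == "__main__":
    r = analyze(build_trace())
    print("half-open per source:", r["half_open_by_src"])
    print("SYNs refused (backlog full):", r["dropped_syns"])
    print("sources to block or rate-limit:", r["flagged"])
```

With the assumed backlog of 8, the flooder pins every slot within 400 ms and the legitimate client’s SYN at t=1.6 s is refused along with the flooder’s surplus SYNs; raising the backlog (or, on a real host, enabling SYN cookies so no TCB is held before the ACK arrives) lets the client through, while the per-source count still singles out 203.0.113.9.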

Last night, the hacktivist group Anonymous sent out an open letter to the government of India criticizing the government and ISPs for blocking torrent and video-sharing websites. In doing so, the group clarified the definition of a DDoS attack, a type of online attack the group has been launching against government websites. Less a threatening letter and more a Hacking 101 primer for the government and mainstream media alike, the letter states that a DDoS attack is not a hack, which is legally defined as unauthorized access to a network. Rather, a DDoS attack overwhelms a server’s capacity with an excess of user traffic; in simpler terms, a traffic jam forms at the website’s server because of the enormous traffic it attracts, in this case the large influx of Anonymous group members. Anonymous believes this is a peaceful way to protest the government blocks and also states that websites were blocked when there was no court order asking for those specific sites to be blocked, such as the Air India employee Facebook protest pages. The group has made clear its intention to go after the government and its supporters, the ISPs that are blocking access to torrents and some other sites such as Vimeo. It is also urging Indians to participate in peaceful demonstrations across the country on June 9. In the meantime, read the whole letter below. Source: http://www.bgr.in/news/anonymous-open-letter-to-indian-govt-claims-ddos-attack-on-sites-are-legal/