Zombie Cleanup Becomes Crucial in Recent KR Cyber-Attack
Forty websites under the .KR domain, including those managed by the South Korean government and major institutions, suffered a major Distributed Denial of Service (DDoS) attack late last week. The attack was limited to Korea and is very similar to the DDoS attacks in July 2009.
The targeted attack, which caused the temporary shutdown of the affected websites, was carried out with a malicious file. According to reports, the attackers compromised at least four local peer-to-peer file-sharing networks and planted the malicious file inside certain shared files, so that users unknowingly downloaded and installed it.
TROJ_QDDOS.A Conducts DDoS, with Minor Impact
Trend Micro obtained a sample of the malicious file (detected as TROJ_QDDOS.A) and analyzed its routines. Systems infected with TROJ_QDDOS.A become part of a botnet. TROJ_QDDOS.A first retrieves the following information about the affected system:
- User name of logged on user
- Computer name
- Malware path and file name
- Path and file name of parent process
TROJ_QDDOS.A then contacts certain IP addresses and sends this information about the infected system. In return, the remote servers download a .DLL file onto the infected system. That .DLL file then drops additional DLL components that are responsible for conducting the DDoS, overwriting the master boot record (MBR), and deleting files under certain conditions.
DDoS Attack: Upon execution, TROJ_QDDOS.A also drops several DAT files, one of which holds an encrypted list of its target websites. TROJ_QDDOS.A attacks its targets by sending random data to UDP port 80 of each target site. A sufficiently large volume of such traffic from the botnet is enough to render the target sites inaccessible.
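The traffic pattern just described, random data aimed at UDP port 80, is easy to pick out of flow records because HTTP runs over TCP and UDP/80 is rarely legitimate. The following is an added detection example, not code from the TrendLabs analysis: it parses constructed flow lines in an assumed `<epoch> <src> <dst> <proto> <dport> <bytes>` layout and reports source/destination pairs that send a sustained burst of UDP/80 datagrams inside a sliding time window. The field order, window size and packet threshold are assumptions chosen for illustration.

```python
"""Added example (not part of the TrendLabs post): flag hosts that spray
UDP datagrams at port 80, the traffic pattern described for TROJ_QDDOS.A.

Works over constructed flow records in an assumed space-separated layout:
    <epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port> <bytes>
Field order, window size and packet threshold are assumptions chosen for
illustration, not values from the original analysis.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 floods one target and probes a second; the
# remaining hosts carry ordinary TCP web and UDP DNS traffic.
SAMPLE_FLOWS = """\
1299229200 10.0.0.5 203.0.113.10 udp 80 1024
1299229201 10.0.0.5 203.0.113.10 udp 80 1024
1299229201 10.0.0.5 203.0.113.10 udp 80 1024
1299229202 10.0.0.5 203.0.113.10 udp 80 1024
1299229203 10.0.0.5 203.0.113.10 udp 80 1024
1299229204 10.0.0.5 203.0.113.10 udp 80 1024
1299229200 10.0.0.5 203.0.113.20 udp 80 1024
1299229203 10.0.0.5 203.0.113.20 udp 80 1024
1299229206 10.0.0.5 203.0.113.20 udp 80 1024
1299229200 10.0.0.7 203.0.113.10 tcp 80 512
1299229205 10.0.0.7 203.0.113.10 tcp 80 512
1299229210 10.0.0.9 198.51.100.53 udp 53 80
"""


def parse_flows(text):
    """Parse flow lines into dicts; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "proto": proto.lower(), "dport": int(dport),
                        "bytes": int(nbytes)})
    return records


def udp80_floods(records, window_s=10, min_packets=5):
    """Return {(src, dst): peak_count} for pairs that sent at least
    min_packets UDP datagrams to port 80 within any window_s-second window.

    HTTP runs over TCP, so UDP/80 is rarely legitimate; the threshold only
    separates a sustained flood from a stray datagram or a single probe.
    """
    stamps_by_pair = defaultdict(list)
    for r in records:
        if r["proto"] == "udp" and r["dport"] == 80:
            stamps_by_pair[(r["src"], r["dst"])].append(r["ts"])

    alerts = {}
    for pair, stamps in stamps_by_pair.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(stamps):        # sliding window over sorted times
            while t - stamps[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_packets:
            alerts[pair] = peak
    return alerts


def flooding_sources(records, **kw):
    """Collapse per-pair alerts to the sorted list of source hosts to isolate."""
    return sorted({src for (src, _dst) in udp80_floods(records, **kw)})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dst), n in udp80_floods(flows).items():
        print(f"{src} -> {dst}: {n} UDP/80 datagrams in one window")
    print("hosts to isolate:", flooding_sources(flows))
```

On the sample, only the 10.0.0.5 to 203.0.113.10 pair crosses the default threshold; lowering `min_packets` to 3 also surfaces the second target. The source list is what an operator would feed to a quarantine or null-route step, which is the "zombie cleanup" the rest of the post is about.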
Fortunately, the Korean government was prepared for this kind of threat. Overall, the damage was minimal thanks to the large investments the Korean government has made in preventing DDoS attacks and botnets.
However, TROJ_QDDOS.A has also been given two more highly destructive behaviors.
Zombie Cleanup Becomes Critical
TROJ_QDDOS.A can overwrite the MBR. This prevents the infected machine from loading its operating system, rendering it virtually unusable.
TROJ_QDDOS.A also deletes files, including those with the extensions .doc, .docx, .eml and .ppt, among several others. Before deleting an original file, it first modifies the file to render it unusable, so a simple undelete would not recover usable content.
These last two behaviors are triggered when the system date of the affected system is earlier than the date specified in its component file, %System%\noise03.dat, or when that file is not present on the system.
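Because the MBR payload leaves a machine unbootable, triage and cleanup need a quick way to tell whether the first sector is still intact, and a baseline to compare against once it has been repaired. The following is an added example, not code from the TrendLabs analysis: it builds a constructed 512-byte MBR (placeholder boot code, one NTFS partition), records a hash of the boot-code area as a baseline, and then checks a sector for the 0x55AA signature, sane partition-table entries and a matching baseline. The simulated wipe is a zeroed sector; the analysis does not publish the exact bytes TROJ_QDDOS.A writes, so that is an assumption.

```python
"""Added example (not part of the TrendLabs post): verify that a machine's
master boot record is intact, for triage before and after cleanup.

The sample MBR below is constructed (dummy boot code, one NTFS partition)
and the simulated wipe is a zeroed sector; neither reproduces the exact
bytes TROJ_QDDOS.A writes, which the analysis does not publish.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 446
# boot flag, CHS start, type, CHS end, LBA start, sector count
ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr():
    """Constructed: 446 bytes of placeholder boot code, one bootable NTFS
    partition starting at LBA 2048, three empty slots, 0x55AA signature."""
    boot_code = b"\xEB\xFE" + b"\x90" * (PART_TABLE_OFF - 2)   # JMP $; NOP...
    ntfs = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                       b"\xFE\xFF\xFF", 2048, 204800)
    empty = b"\x00" * 16
    return boot_code + ntfs + empty * 3 + b"\x55\xAA"


def boot_code_hash(sector):
    """SHA-256 of the boot-code area; record this from a known-good machine
    (or a backup image) as the baseline to compare against after cleanup."""
    return hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest()


def check_mbr(sector, baseline_hash=None):
    """Return a list of finding codes; an empty list means the MBR looks intact."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["bad-sector-length"]
    if sector[510:512] != b"\x55\xAA":
        findings.append("no-boot-signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        flag, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        # Only 0x00 (inactive) and 0x80 (bootable) are valid boot indicators.
        if flag not in (0x00, 0x80) and "bad-boot-flag" not in findings:
            findings.append("bad-boot-flag")
        if ptype != 0x00:
            partitions.append((ptype, lba, count))
    if not partitions:
        findings.append("no-partitions")
    if baseline_hash is not None and boot_code_hash(sector) != baseline_hash:
        findings.append("boot-code-mismatch")
    return findings


def read_sector0(path):
    """Read the first sector of a block device or raw disk image."""
    # Linux: /dev/sda or a .dd image; Windows: \\.\PhysicalDrive0 (admin rights).
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = boot_code_hash(good)
    print("intact MBR findings:", check_mbr(good, baseline))
    wiped = b"\x00" * SECTOR_SIZE           # simulated overwrite
    print("wiped MBR findings:", check_mbr(wiped, baseline))
```

On a real machine, point `read_sector0` at the disk and compare against a baseline hash captured from a clean build or from the backup the post recommends keeping; a signature or partition-table failure means the system needs its MBR rewritten from that backup before any file recovery is attempted.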
The file’s highly destructive payloads should remind users of the importance of backing up their files and keeping their security software updated.
TROJ_QDDOS.A also prevents users from accessing AV-related websites by modifying the affected system’s HOSTS file. Furthermore, it deletes URLs related to itself from the system cache, a routine likely intended to prevent it from being traced back to its origin.
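The HOSTS modification is one of the few traces a responder can check and undo by hand before security software can update again. The following is an added example, not code from the TrendLabs analysis: it scans a constructed HOSTS file for entries that override security-vendor domains, whatever address they point at, and produces a cleaned copy with those lines removed while keeping legitimate entries. The vendor watchlist and the sample HOSTS content are assumptions for illustration and should be tailored to the vendors a fleet actually uses.

```python
"""Added example (not part of the TrendLabs post): find and remove HOSTS
entries that redirect security-vendor sites, the technique described above
for blocking access to AV-related websites.

The vendor watchlist and the sample HOSTS content are constructed for
illustration; tailor the watchlist to the vendors your fleet actually uses.
"""
import ipaddress

# Assumed watchlist of domains that should never appear in HOSTS.
WATCHLIST = ("trendmicro.com", "symantec.com", "mcafee.com", "kaspersky.com")

# Constructed HOSTS file: stock header, legitimate loopback entries, an
# intranet override that must survive, and three injected vendor redirects.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    intranet.corp.example   # legitimate internal override
127.0.0.1       www.trendmicro.com
127.0.0.1       us.trendmicro.com update.trendmicro.com
0.0.0.0         liveupdate.symantec.com
"""


def _parse_line(line):
    """Return (ip, [hostnames]) for an entry line, or None for blanks/comments."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    try:
        ipaddress.ip_address(fields[0])
    except ValueError:
        return None                     # malformed line; leave it alone
    return fields[0], fields[1:]


def _watched(hostname, watchlist):
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_hijacked_entries(text, watchlist=WATCHLIST):
    """Return [(line_no, ip, hostname)] for every watched host in HOSTS.

    Any such entry is suspicious: vendor update and download sites are
    meant to resolve through DNS, not a local override, regardless of
    whether the target address is loopback, 0.0.0.0 or a routable IP."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        parsed = _parse_line(line)
        if parsed is None:
            continue
        ip, hosts = parsed
        for h in hosts:
            if _watched(h, watchlist):
                hits.append((no, ip, h))
    return hits


def clean_hosts(text, watchlist=WATCHLIST):
    """Return HOSTS text with every line carrying a watched host removed.

    Lines mixing watched and unrelated hosts are dropped whole, so review
    the hit list before writing the result back."""
    # Windows path: %SystemRoot%\System32\drivers\etc\hosts (needs admin rights).
    bad_lines = {no for no, _ip, _h in find_hijacked_entries(text, watchlist)}
    kept = [line for no, line in enumerate(text.splitlines(), start=1)
            if no not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for no, ip, host in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {no}: {ip} -> {host}")
    print(clean_hosts(SAMPLE_HOSTS))
```

The check deliberately flags any override of a watched domain, not only loopback or 0.0.0.0 targets, because a routable address pointing at an attacker-controlled host is the more dangerous variant. After cleaning, flush the DNS resolver cache so the stale mappings stop being served.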
Solutions and Call to Action
Trend Micro already blocks the malicious IPs and detects the malicious files involved in this attack. TROJ_QDDOS.A can be detected and removed by OfficeScan using pattern 7.877.00. We also protect enterprises via Total Discovery Appliance using patterns NCCP 1.10487.00 and NCIP 1.10527.00.
As the general public becomes ever more dependent on a reliable information network for many activities, whether personal, work-related or official, Trend Micro advocates that countries seriously consider cybersecurity a mandatory part of their national defense plans. Large enterprises, ISPs and countries must work together on anti-botnet measures and early detection of botnet activity.
Additional analysis provided by Roland Dela Paz and Julius Dizon.
Post from: TrendLabs | Malware Blog – by Trend Micro