The botnet driven distributed denial of service attack that started over the weekend has been attacking American agency web sites like the White House web site, the FTC site, NYSE site, FAA, NSA, Dept of Homeland Security, the Treasury, and many more agency web sites is a pretty bold thing to do. The botnet also has many South Korean web sites in its crosshairs as well, including the president’s and various news and commerce sites.
We are examining the binaries involved, and ThreatFire could have protected those systems from the bot, stopping its dropper, and in turn, prevented at least some of the DoS flood on these U.S. and the many South Korean web sites. The underlying code itself appears to be fairly unsophisticated.
One of the malicious DoS components is delivered unpacked, sets itself up as a service, and contains a handful of commonly used user agent strings to camoflage its GET and POST traffic. Interestingly, we find “Accept-Language: ko, UA-CPU: x86″ in the http headers. We are further looking into an unusual dependency on pcap for network traffic requests: pcap_open, pcap_sendpacket, and other functions are abused by this malware, but it uses common winsock calls to perform its network activity too.
Here it uses an extremely common registry editing technique to disable the compromised host’s Windows firewall:
In the meantime, government, network operators and web masters in both countries are working to tame this thing.