The Latest in IT Security

Kaspersky Lab… also in my list of DDoS attacks! [by SpyEye]

21
Sep
2011

The title of this post suggests that I’ve been thinking of one of the cyber-criminals that uses SpyEye, maybe in admiration! But actually his cyber-criminal actions overshadow anything else.

The truth is that, following my post highlighting the tactic of using as C&C one of the Cloud Computing services offered by Amazon, I found a sample of SpyEye that is somewhat interesting: among its goals is an attack DDoS directed against the Kaspersky Lab website.

The SpyEye configuration file, which is basically a compressed file and password protected (usually MD5), stores the resources involved in the planned attack. The surprise came when I looked at the configuration file of the plugin (ddos.dll.cfg). The following image shows the parameters set in this file:

As we can see, our website is listed as a target. The syntax for setting parameters in the DDoS SpyEye plugin is type-target-port-time:

  • Type: DDoS SYN attacks against Kaspersky Lab and SpyEye Tracker websites, plus a UDP attack only against Kaspersky Lab. Also SpyEye accepts the Slowloris DDoS attack.
  • Target: web site attacked (Kaspersky Lab and SpyEye Tracker).
  • Port: the destination ports through which attack (443 and 80).
  • Time: the time period in which the attacks are to be made. By default, these values are in seconds for attacks using SYN and UDP protocols. For the Slowloris attack the value is expressed in minutes.
  • But this was not the only surprise! Looking in the other configuration files, specifically in the Custom Connector plugin (customconnector.dll.cfg), I see a domain that looks familiar: http://[DELETE]/~ishigo/sp/main/gate.php

    Custom Connection is a plugin that allows for communication between the zombies and C&C server through gate.php. Looking back at information from previous research, I found a domain (same IP range) with a similar structure, but this was involved in the case Ice IX. The following image is a fragment of the report obtained from an analysis of Ice IX:

    Ishigo is the name of a botmaster who is very active in the cyber-criminal landscape, operating mainly through the crimeware ZeuS, SpyEye and now also experimenting with Ice IX.

    Whether or not this is just a casual attempt to DDoS attack our portal, we will continue to investigate the activities of this and other botmasters. So I’ll keep you posted!

    Leave a reply


    Categories

    THURSDAY, MARCH 28, 2024
    WHITE PAPERS

    Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
    Many governments embrace mobile network operator (MNO) networks as ...

    ARA at Scale: How to Choose a Solution That Grows With Your Needs:
    Application release automation (ARA) tools enable best practices in...

    The Multi-Model Database:
    Part of the “new normal” where data and cloud applications are ...

    Featured

    Archives

    Latest Comments