
6.25 DNS DDOS Attack In Korea

15 Jul 2013

Shortly after 10:00am on June 25th 2013, many South Korean government websites became unreachable. The outage was caused by malware performing a DDoS attack against two major DNS servers (ns.gcc.go.kr and ns2.gcc.go.kr).


Original Attack Vector

During the investigation we managed to find the original attack sample, which at the time was being served by a compromised website (simdisk.co.kr).

The downloaded file, named SimDisk_setup.exe, turned out to be a self-extracting RAR (SFX) archive.

The SFX RAR archive contained two files:


SimDiskup.exe file

SimDiskup.exe (created on 2013-06-24) is the malicious file. It downloads further malicious files from a remote website.

For instance, it tried to download c.jpg from the website above.

Despite its extension, c.jpg is an executable; it is saved as ~simdisk.exe and run once the download completes.


~simdisk.exe (c.jpg)

Upon execution it drops three files; two of them (explorer.exe and config.ini) turn out to be Tor version 0.2.3.25. The third file, alg.exe, is yet another downloader.

alg.exe then uses the Tor network to download one more file, which is the final DDoS payload. It tries to connect to the following Tor onion addresses (hidden services reachable only through the Tor network):

The interesting point here is that all of the files mentioned above are packed with the well-known run-time packer Themida, but the final payload downloaded by alg.exe is not.


Final Step

First, it checks for a FileMapping object:

Does this remind us of the 3.20 disk wipe-out attack?

After that, it checks whether the OS is 32-bit or 64-bit. On a 32-bit OS it drops a ~DR<random number>.tmp file from its resource section; after loading that ~DR tmp file, it loads another DLL file as a service. (The 64-bit path does the same.)

After the service starts, it checks for the FileMapping object:

After resolving the API addresses, it creates a thread to start the communication.

The response data is split into two parts:

1.) BM6W -> the only command that is hardcoded in the binary

If the response data is anything other than BM6W, it sleeps and then tries again.

2.) A four-byte timestamp, for example 06 19 0a 00:

  • 0x06 – month (June)
  • 0x19 – day (25)
  • 0x0a – hour (10)
  • 0x00 – minute

This looks like a time bomb. Does this also remind us of the 3.20 disk wipe-out attack?

Once the system time has passed 6-25 10:00, it drops another file, which is packed with Themida as well. The filename is shown below (wuauieop.exe, as in the summary at the end of this post):


DDoS Payload

It starts two threads to perform the DDoS attack by querying <random string>.gcc.go.kr:

The two DDoS targets are hardcoded in the binary:

  • ns.gcc.go.kr – 152.99.1.10
  • ns2.gcc.go.kr – 152.99.200.6
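The random-subdomain pattern described above is what a resolver or authoritative-server operator would look for in query logs: one client sending many distinct, high-entropy labels directly under the victim zone. The following detector is an added example, not code from the original post; it runs over constructed sample log lines (`<epoch> <client_ip> <qname> <qtype>`), and the thresholds `min_unique` and `min_entropy` are assumed starting points, not values from the analysis.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (not from the original post):
# "<epoch> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
1372122000 10.0.0.5 www.gcc.go.kr A
1372122001 10.0.0.5 mail.gcc.go.kr A
1372122001 10.0.0.9 x7q2kd9zl.gcc.go.kr A
1372122001 10.0.0.9 p0a8vmq3r.gcc.go.kr A
1372122002 10.0.0.9 zt4lk1bnw.gcc.go.kr A
1372122002 10.0.0.9 qw9e0ru7s.gcc.go.kr A
1372122002 10.0.0.9 ahv5j2dxc.gcc.go.kr A
1372122003 10.0.0.9 m3nb8xq1f.gcc.go.kr A
1372122003 10.0.0.9 ky6tz0plw.gcc.go.kr A
1372122003 10.0.0.9 rs2fj9hgo.gcc.go.kr A
"""

LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


def label_entropy(label):
    """Shannon entropy in bits per character of a single DNS label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_random_subdomain_floods(log_text, zone, min_unique=5, min_entropy=2.5):
    """Return {client_ip: distinct_label_count} for clients that queried at
    least `min_unique` distinct, high-entropy labels directly under `zone`.
    A production rule would additionally bound this to a time window."""
    suffix = "." + zone.lower().rstrip(".")
    labels_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, _ = m.groups()
        qname = qname.lower().rstrip(".")
        if not qname.endswith(suffix):
            continue
        label = qname[: -len(suffix)]
        # only single labels directly under the zone, and only "random-looking" ones
        if "." in label or label_entropy(label) < min_entropy:
            continue
        labels_by_client[client].add(label)
    return {c: len(s) for c, s in labels_by_client.items() if len(s) >= min_unique}
```

Running `find_random_subdomain_floods(SAMPLE_LOG, "gcc.go.kr")` flags 10.0.0.9 with 8 distinct labels, while 10.0.0.5's `www` and `mail` queries fall under the entropy threshold and are ignored.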

In a nutshell the attack scenario flow can be represented as follows:

simdisk.co.kr → serves SimDisk_setup.exe → extracts to SimDiskup.exe → downloads c.jpg → saved as ~simdisk.exe → drops alg.exe (plus Tor) → gets the attack time from the hidden services and drops wuauieop.exe → queries DNS for <random string>.gcc.go.kr
