Tuesday, June 25, 2013 @ 03:06 PM gHale
A new variant of the DirtJumper DDoS malware family, called “Drive”, adds several notable features.
Written in Delphi, Drive has a much more powerful distributed denial-of-service (DDoS) engine than earlier variants, according to researchers at Arbor Networks.
Beyond the improved DDoS engine, the researchers also found command and control (C&C) servers that serve Gzip-compressed data, and at least one of those servers has been blocking connections based on the client's geographic location.
“Drive sports 2 POST floods, a GET flood, 2 connection + data floods and a UDP flood – although the UDP flood was not seen in all instances. It also has the ability to specify a post query string of random data to add additional stress to a server in the cases where login pages, search pages, etc. are targeted,” said Jason Jones of Arbor Networks.
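The flood types described above share a server-side signature: a burst of requests to one path from many client IPs, and, for the login and search page floods, a different junk query string on every request so that no cache or tier in front of the application can absorb it. The following is an added example, not code from the article or from Arbor Networks, showing how that signature can be picked out of a web server's combined-format access log. The log lines, IP addresses, time window and thresholds are all constructed for the example and would need tuning against a real site's baseline traffic.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    parts = urlsplit(rec["url"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def detect_floods(lines, window_s=10, min_requests=8, min_sources=4, random_ratio=0.8):
    """Flag (method, path, time window) buckets that look like a Drive-style flood.

    A bucket is flagged when it holds at least min_requests requests from at least
    min_sources distinct client IPs.  'random_query' is set when nearly every request
    in the bucket carries a different query string, the cache-busting pattern the
    Arbor write-up describes for floods against login and search pages.
    The thresholds are hypothetical defaults, not values from the article.
    """
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count and report these
        start = int(rec["ts"].timestamp()) // window_s * window_s
        buckets[(rec["method"], rec["path"], start)].append(rec)

    findings = []
    for (method, path, start), recs in sorted(buckets.items()):
        if len(recs) < min_requests:
            continue
        sources = {r["ip"] for r in recs}
        if len(sources) < min_sources:
            continue
        queries = [r["query"] for r in recs if r["query"]]
        uniq_ratio = len(set(queries)) / len(queries) if queries else 0.0
        findings.append({
            "method": method, "path": path, "window_start": start,
            "requests": len(recs), "sources": len(sources),
            "random_query": bool(queries) and uniq_ratio >= random_ratio,
        })
    return findings


def build_sample_log():
    """Constructed sample traffic (not real data): a 20-second slice of an access log."""
    fmt = '%s - - [10/Jun/2013:14:02:%02d +0000] "%s %s HTTP/1.1" 200 1523 "-" "Mozilla/4.0"'
    lines = []
    bots = ["198.51.100.%d" % i for i in range(1, 7)]  # documentation-range addresses
    # POST flood on /login during 14:02:00-14:02:09: 12 requests from 6 bots, each with a
    # unique junk query string (sha1 prefixes stand in for the random data Drive appends)
    for i in range(12):
        junk = hashlib.sha1(str(i).encode()).hexdigest()[:16]
        lines.append(fmt % (bots[i % 6], i % 10, "POST", "/login?" + junk))
    # GET flood on / during 14:02:10-14:02:19: 10 requests from 5 bots, no query string
    for i in range(10):
        lines.append(fmt % (bots[i % 5], 10 + i, "GET", "/"))
    # Legitimate searches in the first window: few requests, repeated query strings
    for ip, q in [("203.0.113.5", "q=drive"), ("203.0.113.9", "q=dirtjumper"), ("203.0.113.5", "q=drive")]:
        lines.append(fmt % (ip, 3, "GET", "/search?" + q))
    lines.append("this line is not an access-log record")  # exercises the None path
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for finding in detect_floods(SAMPLE_LOG):
        print(finding)
```

Run as a script it prints two findings: the GET flood on `/` (no query strings, so `random_query` is false) and the POST flood on `/login` with `random_query` set, while the three legitimate `/search` requests stay below the request threshold. The distinct-query ratio is deliberately used instead of a per-string entropy check, because real search queries can be high-entropy too; what a normal site never does is present a never-repeating query string on every one of dozens of requests to the same page within seconds.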
The new engine also introduces a new string encryption algorithm, which the researchers say resembles the Khan algorithm.
The variant has not yet appeared on the “mainstream” underground forums, and Arbor Networks has so far observed only 15 unique C&C hostnames.
Even so, attacks involving Drive have been more intense: in some cases a C&C listed more than 60 targets at once and kept them under attack for extended periods.
Drive appears to be targeting a popular online retailer, a popular security news site, a search engine, and a number of foreign financial institutions, the researchers said.
Using OpenDNS's Umbrella Security Graph, Arbor Networks derived a “rough low-end estimate” of the number of Drive-infected hosts from DNS queries for the C&C hostnames; during one attack, those queries peaked at around 1,000. The figure is a floor rather than a count, since bots sharing a caching resolver collapse into a single upstream query.