We recently received a sample of the bot client that was used by hacker group Lulzsec Brazil in conducting distributed denial-of-service (DDoS) attacks against Brazilian websites. Those affected included the websites of both the Brazilian government and the president. The said attack is not the first of its kind from the group, as the main LulzSec hacking group reportedly attacked other sites, including those of the U.K. Serious Organized Crime Agency, the U.S. Senate, and Sony.
The Lulzsec hacking group is one of two hacking groups that have recently been making the news, the other being Anonymous. The two groups recently declared war against governments, banks, and corporations all over the world and accused those organizations of corruption. They also called on other hackers to join their cause, which they dubbed “Operation Anti-Security.”
The bot client, which we now detect as BKDR_ZOMBIE.SM, connects to a certain Internet Relay Chat (IRC) server and joins a specific IRC channel to receive commands.
The following are the types of command that the bot client is capable of executing as well as their effects:
- attack: Performs denial-of-service (DoS) attacks against target sites/IP addresses
- stop: Stops the DoS attack against a specific target
- stopall: Stops the DoS attack to all targets
- status: Displays the status of the attack the bot is currently performing
- update: Downloads and installs an updated copy of itself
- info: Displays the following information about the infected system:
  - IP address
  - Machine name
  - User name
  - Working set
  - Common Language Runtime (CLR) version
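Because the bot is driven by plain-text commands posted to an IRC channel, the command vocabulary above is itself a useful detection signal on the wire. The script below is an added example (not code from the post, from Trend Micro, or from the malware): it parses IRC PRIVMSG lines from a constructed sensor log, flags messages whose first word is one of the listed commands, and separately flags outbound messages that look like the bot's `info` reply (several of the listed field names in one message). The server name, channel, nicks and IP addresses in the sample are placeholders, not indicators from the post.

```python
import re
from typing import Optional

# Command vocabulary the post attributes to BKDR_ZOMBIE.SM.
BOT_COMMANDS = {"attack", "stop", "stopall", "status", "update", "info"}

# Field names the post says the bot reports in response to "info";
# two or more of them in one message is treated as an info reply.
INFO_FIELDS = ("ip address", "machine name", "user name", "working set", "clr version")

# Constructed sample of IRC traffic as a network sensor might record it.
# Hostnames, channel, nicks and addresses are placeholders (RFC 5737 test ranges).
SAMPLE_IRC_LOG = """\
:irc.example.invalid 001 zbot1234 :Welcome
JOIN #placeholder-channel
:ctrl!op@example.invalid PRIVMSG #placeholder-channel :attack 192.0.2.10
:ctrl!op@example.invalid PRIVMSG #placeholder-channel :status
:alice!u@example.invalid PRIVMSG #placeholder-channel :hey, is the update out yet?
:ctrl!op@example.invalid PRIVMSG #placeholder-channel :stopall
PRIVMSG #placeholder-channel :IP address: 198.51.100.7 Machine name: WS-PLACEHOLDER
"""

# RFC 1459 message shape: optional ":prefix", the command, a target, then ":trailing text".
PRIVMSG_RE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


def parse_privmsg(line: str) -> Optional[dict]:
    """Return sender, target and text of a PRIVMSG line, or None for other traffic."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    prefix = m.group("prefix") or ""
    sender = prefix.split("!", 1)[0]  # nick part of nick!user@host; empty for client-originated lines
    return {"sender": sender, "target": m.group("target"), "text": m.group("text")}


def classify_text(text: str) -> Optional[tuple]:
    """Classify message text as a bot command, an info reply, or nothing."""
    tokens = text.split()
    if not tokens:
        return None
    first = tokens[0].lower()
    # Exact match on the first token: ordinary chatter such as "is the update out yet?"
    # does not start with a bare command word and is left alone.
    if first in BOT_COMMANDS:
        return ("command", first, tokens[1:])
    lowered = text.lower()
    if sum(field in lowered for field in INFO_FIELDS) >= 2:
        return ("info_report", None, [])
    return None


def scan_irc_log(log: str) -> list:
    """Walk a log and return one alert dict per suspicious PRIVMSG."""
    alerts = []
    for lineno, line in enumerate(log.splitlines(), 1):
        msg = parse_privmsg(line)
        if msg is None:
            continue
        hit = classify_text(msg["text"])
        if hit is None:
            continue
        kind, command, args = hit
        alerts.append({
            "line": lineno,
            "kind": kind,
            "command": command,
            "args": args,
            "sender": msg["sender"],
            "channel": msg["target"],
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_irc_log(SAMPLE_IRC_LOG):
        print(alert)
```

Run against the constructed log, the scan reports the `attack`, `status` and `stopall` messages from the controlling nick and the client's own info reply, while the unrelated chat line mentioning "update" is not flagged. In practice this kind of rule belongs in an IDS signature or a log pipeline keyed on the C2 server and channel observed in the sample, where the IRC connection itself from a workstation is already worth an alert.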
It is not yet certain if Lulzsec used the same malware for the other attacks it conducted. Nonetheless, this malware poses a significant threat, as it affects not only those whose systems have actually been infected but also those who were victimized by the DDoS attacks that the infected systems were used for.
We will surely keep an eye on this and make sure that users are protected.
Update as of June 27, 2011, 10:51 PM, PST
Text updated to clarify routines executed by commands stop, stopall, and update.
Update as of June 28, 2011, 8:01 PM, PST
Trend Micro customers using Threat Discovery Appliance (TDA) are already protected from this threat through patterns NCIP 1.11441.00 and NCCP 1.11433.00, which prevents systems in their networks from becoming unwilling participants in DDoS attacks.