Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    June 2013
    S M T W T F S
    « May    
     1
    2345678
    9101112131415
    16171819202122
    23242526272829
    30  
    • About Us
    Trendlabs Security Intelligence > Lulzsec’s Brazil DDoS Attack Code

    We recently received a sample of the bot client that was used by hacker group Lulzsec Brazil in conducting distributed denial-of-service (DDoS) attacks against Brazilian websites. Those affected included the websites of both the Brazilian government and the president. The said attack is not the first of its kind from the group, as the main LulzSec hacking group reportedly attacked other sites, including those of the U.K. Serious Organized Crime Agency, the U.S. Senate, and Sony.

    The Lulzsec hacking group is one of the two hacking groups that have been recently making the news, along with Anonymous. The two groups recently declared war against governments, banks, and corporations all over the world and accused the said organizations of corruption. They also called other hackers to join their cause, which they dubbed “Operation Anti-Security.”

    The bot client, which we now detect as BKDR_ZOMBIE.SM, connects to a certain Internet Relay Chat (IRC) server and joins a specific IRC channel to receive commands.

    The following are the types of command that the bot client is capable of executing as well as their effects:

    • attack: Performs denial-of-service (DoS) attacks to target sites/IP addresses
    • stop: Stops the DoS attack against a specific target
    • stopall: Stops the DoS attack to all targets
    • status: Displays the status of the attack the bot is currently performing
    • update: Download and install an updated copy of itself
    • info: Displays the following information about the infected system
      • IP address
      • Machine name
      • Domain
      • User name
      • OS
      • Working set
      • Common Language Runtime (CLR) version

    It is not yet certain if Lulzsec used the same malware for the other attacks it conducted. Nonetheless, this malware poses a significant threat, as it affects not only those whose systems have actually been infected but also those who were victimized by the DDoS attacks that the infected systems were used for.

    We will surely keep an eye on this and make sure that users are protected.

    Update as of June 27, 2011, 10:51 PM, PST

    Text updated to clarify routines executed by commands stop, stopall, and update.

    Update as of June 28, 2011, 8:01 PM, PST

    Trend Micro customers using Threat Discovery Appliance (TDA) are already protected from this threat through patterns NCIP 1.11441.00 and NCCP 1.11433.00, thus preventing systems in their networks from becoming unwilling participants to DDoS attacks.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Thursday, June 23rd, 2011 at 2:41 pm and is filed under Botnets, Malware . Both comments and pings are currently closed.





     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice