Forty websites under the .KR domain, including those managed by the South Korean government and major institutions, suffered from a major distributed denial-of-service (DDoS) attack late last week. The attack was limited to Korea and is very similar to the DDoS attacks in July 2009.
The targeted attack, which caused the temporary shutdown of affected websites, was conducted through the use of a malicious file. According to reports, the attackers hacked at least four local peer-to-peer (P2P) file-sharing networks and planted the malicious file into certain shared files, causing users to unknowingly download and to install the malicious file.
TROJ_QDDOS.A Conducts DDoS with Minor Impact
Trend Micro was able to obtain a sample of the said malicious file (detected as TROJ_QDDOS.A) and to analyze its routines. Systems infected with TROJ_QDDOS.A become part of a botnet. TROJ_QDDOS.A first retrieves the following information about the infected system:
- User name of logged-in user
- Computer name
- Malware path and file name
- Path and file name of parent process
TROJ_QDDOS.A then communicates with certain IPs to send the information about the infected system. In return, the remote servers download a certain .DLL file onto the infected system. The .DLL file then drops additional DLL components that are responsible for conducting DDoS attacks, overwriting the master boot record (MBR), and deleting files under certain conditions.
DDoS attack: Upon execution, TROJ_QDDOS.A also drops several .DAT files, which include one that consists of an encrypted list of its target websites. TROJ_QDDOS.A attacks targeted websites by sending random data at UDP port 80 to the target sites. A sufficiently large volume of data sent will be enough to render target sites inaccessible.
Fortunately, the Korean government is ready to combat this kind of threat. Overall, the damage was very minimal because of the huge investments that the Korean government has made to prevent DDoS and botnet attacks.
However, TROJ_QDDOS.A has been made capable of two more highly destructive behaviors.
Zombie Cleanup Becomes Critical
TROJ_QDDOS.A can overwrite the MBR. It can thus prevent the infected machine from loading the OS, therefore rendering it virtually unusable.
TROJ_QDDOS.A deletes files. The files it deletes include those with extensions like .DOC, .DOCX, .EML, and .PPT, among others. Before the original files are deleted, however, it first modifies and renders them unusable.
The last two behaviors are triggered when the date on the infected system is earlier than the date specified in its component file %System%noise03.dat or when the said file is not present in the system.
The file’s highly destructive payloads should remind users of the importance of backing up their files and of keeping their security software updated.
TROJ_QDDOS.A also prevents users from accessing antivirus-related websites by modifying the infected system’s HOSTS file. Furthermore, it deletes URLs related to itself from the system cache, a routine likely done to prevent being traced back to its origin.
Solution and Call to Action
Trend Micro already blocks the malicious IPs and detects the malicious files involved in this attack. TROJ_QDDOS.A can be detected and removed by OfficeScan using pattern 7.877.00. We also protect enterprises via Total Discovery Appliance using patterns NCCP 1.10487.00 and NCIP 1.10527.00.
As the general public becomes ever more dependent on reliable information networks for several user activities, may it be personal, for work, or for duty, Trend Micro advocates that countries seriously consider cybersecurity a mandatory part of their national defense plans. Large enterprises, ISPs, and countries must work together to conduct antibotnet and early detection of botnet activities.
Additional analysis provided by Roland Dela Paz and Julius Dizon