A blended DDoS botnet consisting of both Windows and Linux machines has been detected by researchers working with the Polish CERT.
The botnet is exclusively dedicated to mounting DDoS attacks, mainly DNS amplification attacks.
“This means that the attackers were interested only in infecting machines which have a significant network bandwidth, e.g. servers,” they noted. “This is also probably the reason why there are two versions of the bot – Linux operating systems are a popular choice for server machines.”
As far as they can tell, attackers breached the affected Linux machines by way of a successful SSH dictionary attack, then logged in and downloaded, installed and executed the bot.
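The SSH dictionary attack described above is the one stage of this campaign that a server operator can see in their own logs. As an added example (not code from CERT Polska or this article), the Python below flags sources that accumulate failed sshd logins within a short window and marks a successful login that follows such a burst, which is the exact sequence the researchers describe. The log lines, hostnames and IP addresses are constructed, and the threshold and window length are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not from the report): a password-guessing burst
# against root from one source, then a successful login from the same source,
# followed by unrelated normal activity from a second host.
SAMPLE_AUTH_LOG = """\
Dec 15 02:11:01 srv1 sshd[2201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Dec 15 02:11:02 srv1 sshd[2203]: Failed password for root from 198.51.100.7 port 51023 ssh2
Dec 15 02:11:02 srv1 sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Dec 15 02:11:03 srv1 sshd[2207]: Failed password for root from 198.51.100.7 port 51025 ssh2
Dec 15 02:11:04 srv1 sshd[2209]: Failed password for root from 198.51.100.7 port 51026 ssh2
Dec 15 02:11:05 srv1 sshd[2211]: Accepted password for root from 198.51.100.7 port 51027 ssh2
Dec 15 02:30:10 srv1 sshd[2300]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Dec 15 02:30:20 srv1 sshd[2302]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_sshd_events(log_text, year=2013):
    """Return (timestamp, result, user, ip) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_dictionary_attacks(log_text, threshold=5, window_seconds=600):
    """Map each source IP that reaches `threshold` failures inside a sliding window to
    {"failures": count, "success_after_failures": bool}; the latter is the priority signal."""
    failures = defaultdict(list)
    alerts = {}
    for ts, result, user, ip in parse_sshd_events(log_text):
        if result == "Failed":
            # Drop failures that have aged out of the window before counting.
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            failures[ip].append(ts)
            if len(failures[ip]) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "success_after_failures": False})
                alerts[ip]["failures"] = len(failures[ip])
        elif ip in alerts:
            # An accepted login after a burst of failures is the pattern described in the article.
            alerts[ip]["success_after_failures"] = True
    return alerts

if __name__ == "__main__":
    for ip, info in detect_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

Running it on the sample reports 198.51.100.7 with five failures and a subsequent success; the single failure from 203.0.113.9 stays below the threshold.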
The Linux version of the bot tries to connect to the C&C server via a high TCP port.
“Both the C&C’s IP and port are encrypted,” they explained in a blog post. “Upon running, the bot sends operating system information (using uname function), unencrypted and waits for commands.”
After analysing the malware, they concluded that it can launch four types of DDoS attacks. They also found that it contains functions that haven't yet been implemented.
The bot targeting the Windows OS works a bit differently. Once on the computer, it drops an executable and runs it, which results in a persistent Windows service dubbed DBProtectSupport being registered and started.
The Windows bot also contacts the C&C server on a high TCP port, but it first needs to send a DNS query to the 18.104.22.168 server to be told the C&C's IP address. It then "informs" the server of the target system's details by compiling and sending a text file.
“This text file, along with the fact that the same C&C IP was used in both malware samples make us believe that it was created by the same group,” the researchers concluded.
But while Linux users can secure their machines against this attack by choosing a stronger SSH password, the researchers haven't said how the Windows systems get compromised in the first place.