News
Contributed by: Nono Gwabe
Date: July 17, 2009
Just under two weeks ago we heard the news of a botnet attacking several major U.S. and Korean websites. The DDoS attacks began on the weekend of July 4 and were aimed at both government and commercial websites, causing a considerable amount of chaos. The last denial-of-service attack took place on July 10, but researchers soon found that this was not all the botnet had to offer its victims. Made up of more than 60,000 computers, the bots in this malicious network were found to be infected with self-destructing malware. Unfortunately, the malware did not only destroy itself: its self-destruct routine also destroyed the victim's master boot record (MBR) and partition table. With these essential parts of the hard drive damaged, a computer becomes unbootable and is almost impossible for the average user to recover.

Further research revealed that the malware behind the attacks goes by the name Mydoom. Once one of the fastest-spreading e-mail worms around, Mydoom was specially upgraded for this attack. According to researchers from FireEye, Mydoom was bundled with a specially crafted data-destroying malware called wversion.exe, as well as a less harmful but significant piece of malware called mstimer.dll.

Mydoom is able to infiltrate a victim's system surreptitiously, without any authorization. Once it has successfully infiltrated the system, the worm makes copies of itself and places them in specific locations on the machine. The victim's Outlook address book then becomes the next target: the worm e-mails copies of itself to all the unsuspecting users listed there.

Below is a list of alias names for Mydoom:

Table 1. Alias names of the Worm

Going into more detail, below is a list of some files and MD5 hashes related to this sneaky worm:

Table 2. Related files and MD5 hashes

So how is this malware connected to the DDoS attacks that took place?
Well, besides spreading infections, the worm also opens a Transmission Control Protocol (TCP) connection. This gives an attacker remote access to and control of a victim's computer, making it easy for him/her to turn it into a bot/zombie.
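The destructive payload described above overwrites the master boot record and partition table, which is what leaves a machine unbootable. As an added example (not code from the article or from FireEye), the following Python script shows how a responder can triage a captured first sector of a disk image and tell a healthy MBR apart from a wiped one: it checks the 0x55AA boot signature at bytes 510 and 511, decodes the four 16-byte partition entries starting at offset 446, and flags a sector that has been overwritten with a single repeated byte. The sample MBR is constructed inline for the demonstration; the partition values in it are assumed, not taken from any real system.

```python
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # little-endian 0xAA55 at bytes 510..511
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition table entry."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(ENTRY_FORMAT, entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def inspect_mbr(sector: bytes) -> dict:
    """Summarise a 512-byte MBR and flag the signs of a destroyed boot sector.

    A healthy MBR carries the 0x55AA signature and at least one non-empty
    partition entry; a sector consisting of one repeated byte value (all
    zeros, all 0xFF, ...) has been wiped rather than merely corrupted.
    """
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")

    signature_ok = sector[510:512] == BOOT_SIGNATURE

    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = sector[off:off + PARTITION_ENTRY_SIZE]
        if entry != b"\x00" * PARTITION_ENTRY_SIZE:   # skip unused slots
            partitions.append(parse_partition_entry(entry))

    wiped = len(set(sector)) == 1   # every byte identical: overwritten with a fill pattern

    return {
        "signature_ok": signature_ok,
        "partitions": partitions,
        "wiped": wiped,
        "healthy": signature_ok and bool(partitions) and not wiped,
    }


def build_sample_mbr() -> bytes:
    """Construct a minimal healthy MBR for the demonstration (assumed values).

    One bootable partition of type 0x07 (NTFS/exFAT) starting at LBA 2048
    and spanning 204800 sectors; the boot code area is left as zeros.
    """
    sector = bytearray(MBR_SIZE)
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    healthy = inspect_mbr(build_sample_mbr())
    print("constructed healthy MBR:", healthy)
    # A zero-filled first sector is what a wiped MBR and partition table look like.
    destroyed = inspect_mbr(bytes(MBR_SIZE))
    print("zero-filled MBR:", destroyed)
```

To run this against a real image, read the first 512 bytes of the raw disk image file and pass them to inspect_mbr; a result with signature_ok false and no partitions is the condition the article describes, where the system will no longer boot even though the file system data beyond sector 0 may still be intact and recoverable with forensic tools.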
Nobody plans to become part of a botnet or get infected by malicious software, but somehow, someway, somebody always gets infected. The best a user can do to stay protected is practice safe browsing and purchase the latest computer security software, ensuring that it is always kept up to date.