-------------------------------------------
From: Jovi Umawing (AV-PH)
Sent: Tuesday, August 24, 2010 7:38:31 PM
To: Newsbank
Subject: [NEWSBANK] YoyoDDos: A new family of DDos bots
Auto forwarded by a Rule
YoyoDDos: A new family of DDos bots
by Jeff Edwards
A new family of DDos bots started showing up in our sandboxes in May. The first sample was analyzed on May 7, and since then our sandboxes have processed over 70 specimens from this family. Upon further analysis, it turns out that we had actually started receiving specimens as early as March 2010. We have been using the moniker “YoyoDDos” to refer to this family (derived from the hostname of one of the initially observed C&C servers).
Malcode Properties
The malcode does not use a packer. It is most frequently encountered in the form of a 37,888-byte executable with various MD5 hash values. Some of the MD5 hash values that we have observed to date include:
It is quite common for differences between individual samples to be quite small. For example, three different YoyoDDos executables were identical except for the byte values at approximately 30 offset locations:
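The byte-offset comparison described above, as an added example that is not part of the original post: two equal-sized samples are diffed byte by byte, the differing offsets are grouped into contiguous runs, and a simple threshold flags them as near-identical variants. The two buffers are constructed here for illustration, not real YoyoDDos bytes.

```python
"""Byte-level diff of near-identical samples (added example, not from the post).

Reports the offsets at which two equal-sized files differ, grouped into runs,
so variants that differ in only a handful of bytes can be tied to one family.
"""
from typing import List, Tuple


def differing_offsets(a: bytes, b: bytes) -> List[int]:
    """Return every offset at which the two equal-length buffers differ."""
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def group_runs(offsets: List[int]) -> List[Tuple[int, int]]:
    """Collapse sorted offsets into inclusive (start, end) runs of adjacent bytes."""
    runs: List[Tuple[int, int]] = []
    for off in offsets:
        if runs and off == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], off)
        else:
            runs.append((off, off))
    return runs


def near_identical(a: bytes, b: bytes, max_diff: int = 64) -> bool:
    """True when both buffers have the same size and differ in at most
    max_diff bytes, the relationship seen between the variants above."""
    return len(a) == len(b) and len(differing_offsets(a, b)) <= max_diff


# Constructed samples: 64 identical bytes, variant B patched at offsets 4-5 and 40.
SAMPLE_A = bytes(range(64))
_patched = bytearray(SAMPLE_A)
_patched[4] ^= 0xFF
_patched[5] ^= 0xFF
_patched[40] = 0x00
SAMPLE_B = bytes(_patched)

if __name__ == "__main__":
    offs = differing_offsets(SAMPLE_A, SAMPLE_B)
    print("differing offsets:", offs)
    print("runs:", [f"0x{s:x}-0x{e:x}" for s, e in group_runs(offs)])
    print("near-identical:", near_identical(SAMPLE_A, SAMPLE_B))
```

On real files, read both with open(path, "rb").read() and pass the bytes in; the run list is what an analyst would compare across samples to spot the patched fields.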
More here: http://asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/
All the best,