Neglemir performs DDOS attacks on selected targets

October 12, 2012

Dell SonicWALL Threats Research team discovered a new Trojan spreading through drive-by downloads from malicious links. This Trojan, called Neglemir, was found reporting to a botnet infrastructure and performing DDOS (Distributed Denial of Service) attacks on selected targets in China. During our analysis we found it targeting various servers belonging to China Telecom as well as websites selling tools for an online game called "The Legend of Mir". The Trojan cloaks itself as the Windows help service to avoid suspicion, and it was also found disabling a number of antivirus products.

Infection Cycle

The Trojan, when executed, creates a copy of itself in

%windir%\Help\winhelp.exe [Detected as GAV: Neglemir.A_4 (Trojan)]

It starts itself as a service and ensures that it automatically starts on system reboot.

It checks for the following processes associated with various antivirus products and disables them:

  • avp.exe
  • ccenter.exe
  • kvsrvxp.exe
  • sndsrvc.exe
  • ekrn.exe
  • kavsvc.exe
  • 360sd.exe
  • 360tray.exe
  • avgaurd.exe
  • pccmain.exe
  • rtvscan.exe
  • mcsysmon.exe

It reports the infection to a remote C&C (Command and Control) server over port 8080. It uses the MAC address of the system to uniquely identify the infected node and sends it as part of the request. It also reports its version as 'v13' to the remote server.

It receives commands over port 82. Port 82 is commonly used by the XFER utility for DNS zone transfers, but in this case it is abused by Neglemir to receive commands from the C&C server. Each command begins with a '#' marker and ends with a '!' marker. We observed the following commands being received from the C&C server:

  • #102/{Target IP}/{Target Port}/{Count}/{Threads}/! : Floods on specified IP and Port
  • #109/! : Sleep
  • #113/{HTTP target}/{IP Address of HTTP target}/{Count}/! : Floods on HTTP Port
  • #114/all! : Stops all flooding activities
  • #147/{HTTP Server}/{IP Address of HTTP server}/{Count}/{Threads}//{File containing targets}! : Floods targets specified in a file
  • #149/{Public IP}! : Return public IP address of infected machine
  • #1105/nowVer: V13! : Returns current version of the Trojan
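To decode this command channel from a captured port 82 stream during analysis or for alerting, the framing above ('#' start marker, '/'-separated fields, '!' end marker) can be parsed as follows. This is an added example, not code from the SonicWALL write-up; the command-to-name mapping and the sample stream are constructed from the commands listed above.

```python
import re
from dataclasses import dataclass, field

# Command codes and their meaning, taken from the commands observed in the write-up.
COMMAND_NAMES = {
    "102": "flood_ip_port",          # #102/{ip}/{port}/{count}/{threads}/!
    "109": "sleep",                  # #109/!
    "113": "flood_http",             # #113/{host}/{ip}/{count}/!
    "114": "stop_all",               # #114/all!
    "147": "flood_from_file",        # #147/{host}/{ip}/{count}/{threads}//{file}!
    "149": "report_public_ip",       # #149/{ip}!
    "1105": "report_version",        # #1105/nowVer: V13!
}
FLOOD_CODES = {"102", "113", "147"}  # codes that order an attack; worth alerting on

@dataclass
class C2Command:
    code: str
    name: str
    args: list = field(default_factory=list)

    @property
    def is_flood(self) -> bool:
        return self.code in FLOOD_CODES

def parse_command(raw: str) -> C2Command:
    """Parse one '#<code>/<fields>!' frame. Rejects anything not framed as observed."""
    if not (raw.startswith("#") and raw.endswith("!")):
        raise ValueError("missing '#' start or '!' end marker")
    code, _, rest = raw[1:-1].partition("/")
    if code not in COMMAND_NAMES:
        raise ValueError(f"unknown command code {code!r}")
    # Fields are '/'-separated; a trailing '/' or the '//' in #147 leaves empty fields
    return C2Command(code, COMMAND_NAMES[code], [a for a in rest.split("/") if a])

FRAME_RE = re.compile(r"#\d+/[^#!]*!")

def extract_commands(stream: str) -> list:
    """Pull every well-formed frame out of a captured port-82 stream, skipping junk."""
    out = []
    for m in FRAME_RE.finditer(stream):
        try:
            out.append(parse_command(m.group(0)))
        except ValueError:
            continue
    return out

# Constructed sample stream (not a real capture): a version report, junk bytes, a flood order, a sleep.
SAMPLE_STREAM = "#1105/nowVer: V13!garbage#102/192.0.2.10/80/1000/10/!\r\n#109/!"
```

Running `extract_commands(SAMPLE_STREAM)` yields three commands, of which only the `#102` frame has `is_flood` set, so a monitor can raise on attack orders while still logging the housekeeping traffic.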

It sends the following string repeatedly when it successfully connects to a remote target in order to overwhelm it:

It mimics the User-Agent string of the Baidu search engine when reporting to its C&C server and also when performing DDOS attacks over HTTP ports.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV:Neglemir.A_4 (Trojan)