New Russian DDoS botnet discovered

May 1, 2013

The Dell SonicWALL Threats Research team has discovered a new DDoS Trojan originating from Russia. The sole purpose of this Trojan is to provide its operators with an army of bots that can be used to take websites and services off-line at will.

Infection Cycle:

The Trojan makes the following DNS queries:

  • truth-about-bakhmatuk.com
  • drnona.rv.ua

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Local Settings\Application Data\sLT.exf
  • %TEMP%\ifd.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %TEMP%\kdg.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %TEMP%\48df.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %TEMP%\9f7g.exe [Detected as GAV: Polip.gen (Virus)]
  • %TEMP%\mdf8.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %TEMP%\mfg9.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %WINDOWS%\abtse.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %WINDOWS%\botze.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %SYSTEM32%\antivar.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %SYSTEM32%\antogoi.exe [Detected as GAV: Delf.QMH_10 (Trojan)]
  • %SYSTEM32%\dasdt.exe [Detected as GAV: Polip.gen (Virus)]
  • %SYSTEM32%\drivers\svchost.exe [Detected as GAV: Delf.QMH_10 (Trojan)]

In order to start after reboot, it registers itself as a service by adding the following key to the Windows registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sytaytytd "%SYSTEM32%\dasdt.exe"

The file sLT.exf contains the following data:

      7r3e6u9v68q9f8ajh49k2dxyem6083ie
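The dropped files, the sLT.exf bot-ID file and the Sytaytytd service above are all host-side indicators that an incident responder would sweep for. The script below is an added triage example written for this write-up, not SonicWALL's tooling. It assumes that %WINDOWS% and %SYSTEM32% in the report are shorthand for SystemRoot and SystemRoot\System32, and that the service's binary is recorded in the usual ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\Sytaytytd. The file-existence and registry lookups are passed in as callables so the same logic can be run against a live host (os.path.isfile and winreg) or against a constructed view of a disk image.

```python
import os
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Artifacts from the write-up. %WINDOWS% and %SYSTEM32% are AV-report
# shorthand, not real environment variables (assumption: they map to
# SystemRoot and SystemRoot\System32), so expand_path() derives them.
DROPPED_FILES = [
    r"%USERPROFILE%\Local Settings\Application Data\sLT.exf",
    r"%TEMP%\ifd.exe", r"%TEMP%\kdg.exe", r"%TEMP%\48df.exe",
    r"%TEMP%\9f7g.exe", r"%TEMP%\mdf8.exe", r"%TEMP%\mfg9.exe",
    r"%WINDOWS%\abtse.exe", r"%WINDOWS%\botze.exe",
    r"%SYSTEM32%\antivar.exe", r"%SYSTEM32%\antogoi.exe",
    r"%SYSTEM32%\dasdt.exe", r"%SYSTEM32%\drivers\svchost.exe",
]
SERVICE_NAME = "Sytaytytd"
SERVICE_BINARY = r"%SYSTEM32%\dasdt.exe"
# Assumption: like any Win32 service, the binary is stored in the ImagePath
# value of HKLM\SYSTEM\CurrentControlSet\Services\<name>.
SERVICES_KEY = "SYSTEM\\CurrentControlSet\\Services\\"


def expand_path(path: str, env: Dict[str, str]) -> str:
    """Expand the %VAR% placeholders used in the report (case-insensitive env)."""
    upper = {k.upper(): v for k, v in env.items()}
    windows = upper.get("SYSTEMROOT") or upper.get("WINDIR") or r"C:\Windows"
    table = {
        "USERPROFILE": upper.get("USERPROFILE", ""),
        "TEMP": upper.get("TEMP", ""),
        "WINDOWS": windows,
        "SYSTEM32": windows + r"\System32",
    }
    for name, value in table.items():
        path = path.replace("%" + name + "%", value)
    return path


def find_dropped_files(env: Dict[str, str], exists: Callable[[str], bool]) -> List[str]:
    """Return the expanded paths from DROPPED_FILES for which exists() is true."""
    return [p for p in (expand_path(raw, env) for raw in DROPPED_FILES) if exists(p)]


def check_service(lookup_image_path: Callable[[str], Optional[str]],
                  env: Dict[str, str]) -> Optional[Tuple[str, bool]]:
    """None if the Sytaytytd service is absent; else (ImagePath, points_at_dasdt)."""
    image = lookup_image_path(SERVICE_NAME)
    if image is None:
        return None
    expected = expand_path(SERVICE_BINARY, env).lower()
    # ImagePath may be quoted and may carry arguments; compare the leading path.
    return image, image.strip('"').lower().startswith(expected)


def read_service_image_path(service_name: str) -> Optional[str]:
    """Live registry lookup; returns None off-Windows or when the key is missing."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY + service_name)
    except OSError:
        return None
    try:
        value, _ = winreg.QueryValueEx(key, "ImagePath")
        return str(value)
    except OSError:
        return None
    finally:
        winreg.CloseKey(key)


def main() -> int:
    env = dict(os.environ)
    hits = find_dropped_files(env, os.path.isfile)
    for h in hits:
        print("dropped file present:", h)
    svc = check_service(read_service_image_path, env)
    if svc:
        image, matches = svc
        print(f"service {SERVICE_NAME} present, ImagePath={image!r}, "
              f"points at dasdt.exe: {matches}")
    return 1 if (hits or svc) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as an administrator on a suspect host; a non-zero exit means at least one artifact was found. Note that %SYSTEM32%\drivers\svchost.exe is a name chosen to look like the legitimate %SYSTEM32%\svchost.exe, so a hit on that path is a strong signal even without the other files.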

The Trojan spawns six processes upon execution, five of which remain idle.

dasdt.exe reports the infection to a remote C&C server over HTTP and receives a target hostname and port in the response.

The string (7r3e6u9v68q9f8ajh49k2dxyem6083ie) sent in the POST request appears to be random each time it is sent; it is read from sLT.exf. The Trojan then commences its DoS attack by sending UDP packets of varying lengths to the specified hostname and port. The packets consist mostly of null bytes and are sent in a tight loop with a 1 ms sleep between packets.
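The three traits of the flood described above (one source to one host:port, mostly-null payloads of varying length, roughly 1 ms between datagrams) are enough to pick infected hosts out of egress traffic. The detector below is an added example for this write-up, not SonicWALL's signature logic; the thresholds (200 datagrams per flow, 90 % null bytes, median inter-arrival of at most 5 ms) are assumptions chosen to separate this bot's traffic from ordinary UDP, and the packet records are constructed inline rather than captured from the real sample.

```python
import random
from collections import defaultdict
from statistics import median
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Datagram(NamedTuple):
    ts: float       # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes


def null_ratio(payload: bytes) -> float:
    """Fraction of the UDP payload that is 0x00."""
    return payload.count(0) / len(payload) if payload else 0.0


def detect_null_udp_floods(datagrams: Iterable[Datagram],
                           min_packets: int = 200,
                           min_null_ratio: float = 0.9,
                           max_median_gap_ms: float = 5.0) -> List[Dict]:
    """Flag (src, dst, dport) flows that look like the bot's null-byte UDP flood.

    Thresholds are assumptions for this example, not values from the report.
    """
    flows: Dict[Tuple[str, str, int], List[Datagram]] = defaultdict(list)
    for d in datagrams:
        flows[(d.src, d.dst, d.dport)].append(d)

    alerts: List[Dict] = []
    for (src, dst, dport), pkts in flows.items():
        if len(pkts) < min_packets:
            continue
        pkts.sort(key=lambda p: p.ts)
        gaps_ms = [(b.ts - a.ts) * 1000.0 for a, b in zip(pkts, pkts[1:])]
        med_gap = median(gaps_ms)
        avg_null = sum(null_ratio(p.payload) for p in pkts) / len(pkts)
        if avg_null >= min_null_ratio and med_gap <= max_median_gap_ms:
            alerts.append({
                "src": src, "dst": dst, "dport": dport,
                "packets": len(pkts),
                "median_gap_ms": round(med_gap, 3),
                "null_ratio": round(avg_null, 3),
                "distinct_lengths": len({len(p.payload) for p in pkts}),
            })
    return alerts


def build_sample_traffic(seed: int = 1) -> List[Datagram]:
    """Constructed traffic: one bot flood plus two benign UDP patterns."""
    rng = random.Random(seed)
    out: List[Datagram] = []

    # 1) Flood as described in the report: ~1 ms cadence, lengths vary,
    #    payload almost entirely null bytes (a few stray non-null bytes).
    t = 100.0
    for _ in range(500):
        t += 0.001 + rng.uniform(0.0, 0.0003)
        n = rng.randint(64, 1400)
        payload = bytearray(n)
        for _ in range(rng.randint(0, 3)):
            payload[rng.randrange(n)] = rng.randint(1, 255)
        out.append(Datagram(t, "10.0.0.7", "203.0.113.5", 6666, bytes(payload)))

    # 2) Benign high-rate stream (voice/game style): same cadence, random bytes.
    t = 100.0
    for _ in range(300):
        t += 0.001
        body = bytes(rng.getrandbits(8) for _ in range(200))
        out.append(Datagram(t, "10.0.0.9", "198.51.100.20", 5060, body))

    # 3) Benign DNS: low volume, structured payload.
    query = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
    for i in range(30):
        out.append(Datagram(100.0 + 2.0 * i, "10.0.0.7", "10.0.0.1", 53, query))
    return out


if __name__ == "__main__":
    for a in detect_null_udp_floods(build_sample_traffic()):
        print(a)
```

The null-byte ratio is what keeps this from firing on legitimate high-rate UDP such as voice or game traffic, whose payloads are dense; the median inter-arrival time, rather than the mean, keeps a single long pause from hiding a flood. To run it on real traffic, build Datagram records from a pcap reader and feed them to detect_null_udp_floods().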

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Delf.QMH_10 (Trojan)
  • GAV: Polip.gen (Virus)
  • GAV: Neshta.A_16 (Trojan)