A worm designed to propagate through email is the main component used in the DDoS attacks against high-profile websites in the United States and South Korea.

Detected as WORM_MYDOOM.EA by Trend Micro, it is suspected to have arrived in victims’ inboxes as an attachment to email messages. Upon execution, it registers itself as a system service (under a name such as WMI Performance Configuration or WmiConfig) to ensure it runs at startup. It then drops its component files, which are distributed across several infected machines together with lists of DDoS targets.

It then gathers email addresses from all files located in the affected system’s Temporary Internet Files folder. It also extracts the domain names from these addresses and uses them to generate more recipients by prepending user names such as andrew, brenda, david, and george to the gathered domain names (the detailed list can be read here). Additionally, the threat attempts to obtain mail server addresses by prepending certain strings to the obtained domain names. Emails with a copy of itself as an attachment are then sent to the composed addresses through its own SMTP engine. It should be noted, however, that although the code suggests that WORM_MYDOOM.EA propagates through email, we have yet to receive a sample that successfully propagates via email.
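The address-harvesting and expansion logic described above, reconstructed as an added example (this is not the worm’s code or Trend Micro’s; it is written here to show what the target list looks like and how a mail filter could recognise it). The cached-file content is constructed for the example, the user names are the four the post lists, and the mail-server prefixes (`mail`, `smtp`, `mx`) are assumptions, since the post does not name the strings the worm prepends.

```python
import re
from itertools import product

# Constructed sample standing in for files found in an infected machine's
# Temporary Internet Files folder (not real harvested data).
SAMPLE_CACHE = """
<a href="mailto:webmaster@example.org">contact</a>
From: jane.doe@corp-example.com
Reply-To: sales@example.org
junk text with no addresses
"""

# User names the post says the worm prepends to harvested domains
# (a subset of the full list in the malware description).
USERNAMES = ["andrew", "brenda", "david", "george"]

# Hostname prefixes used to guess a domain's mail server. The post only says
# "certain strings" are prepended; these three are assumptions.
MAIL_PREFIXES = ["mail", "smtp", "mx"]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_addresses(text):
    """Return the set of e-mail addresses found in text, lower-cased."""
    return {m.group(0).lower() for m in EMAIL_RE.finditer(text)}


def harvest_domains(text):
    """Domains of every harvested address; these seed the expansion step."""
    return {addr.split("@", 1)[1] for addr in harvest_addresses(text)}


def expand_targets(domains, usernames=USERNAMES):
    """Generate extra recipients by prepending each user name to each domain."""
    return {f"{user}@{dom}" for user, dom in product(usernames, sorted(domains))}


def guess_mail_servers(domains, prefixes=MAIL_PREFIXES):
    """Candidate SMTP hosts for each domain, built by prepending a prefix."""
    return {f"{prefix}.{dom}" for prefix, dom in product(prefixes, sorted(domains))}


def build_target_list(text):
    """Everything the propagation routine would end up with from one cache."""
    domains = harvest_domains(text)
    return {
        "harvested": harvest_addresses(text),
        "generated": expand_targets(domains),
        "mail_servers": guess_mail_servers(domains),
    }


def looks_generated(address, usernames=USERNAMES):
    """Defender-side heuristic: the local part is exactly one of the dictionary
    names. Outbound mail whose recipients all match this pattern is a sign of
    dictionary-based propagation rather than a user's real correspondence."""
    local = address.split("@", 1)[0].lower()
    return local in usernames


if __name__ == "__main__":
    targets = build_target_list(SAMPLE_CACHE)
    for kind, items in targets.items():
        print(kind)
        for item in sorted(items):
            flag = " (dictionary-style)" if kind != "mail_servers" and looks_generated(item) else ""
            print(f"  {item}{flag}")
```

Run stand-alone it prints the harvested addresses, the generated recipients and the guessed mail-server names for the sample; `looks_generated` is the piece a mail gateway could apply to outbound SMTP envelope recipients to spot this kind of traffic.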

Our threat researchers are still analyzing some aspects of this malware and its components, so we will update this post as more information becomes available.

Files related to network analysis tools are also deleted, to prevent the affected user from noticing the heightened network activity caused by the DDoS attack (see Figure 1 for the threat diagram).


The DDoS attack left a number of its target websites inaccessible, including several South Korean government websites. South Korea is one of the top countries in Asia in terms of Internet usage, with an estimated 36.8 million users.

Users are strongly advised not to open attachments in unsolicited emails, to avoid unwittingly taking part in this massive attack.

Post from: TrendLabs | Malware Blog – by Trend Micro

MYDOOM Code Re-Used in DDoS on U.S. and South Korean Sites