Urgent-Massive DDOS Attack!

DDOS attack files.
Known as Mutated Mydoom+Downloader.

filename: msiexec2.exe
size: 33,841 bytes
When msiexec2.exe is executed, it creates the ‘uregvs.nis’ file.
There are many target addresses inside the msiexec2.exe code.

The following files attack those web sites.

filename: perfvwr.dll
size: 65,536 bytes

filename: wmiconf.dll
size: 67,072 bytes

Some evidence about this attack:

  1. The attacker’s IPs came from China.
  2. Uses a botnet.
  3. Uses zombie PCs.
  4. Spread via the internet.
  5. It changes its code automatically.
  6. Addresses can be changed by the attackers.

It has the following target addresses.
The following addresses are related to the South Korean government and the US government.
The attacker’s IPs came from China.
But the origin of the attacker’s IPs was North Korea.

[Target addresses]
Some of the websites still can’t be reached or are slow.

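A host-side check for the files the post names, added here as an example (it is not code from the post or from any vendor): it walks a directory, flags files whose name matches, compares the byte size the post gives, and records a SHA-256 for reporting. The sample tree it builds is constructed; the post gives no hash for any file and no size for uregvs.nis, so that name is matched on name only.

```python
import hashlib
import os
import tempfile

# Names and byte sizes come from the post; uregvs.nis has no size there,
# so it is matched on name only (None).
KNOWN_FILES = {"msiexec2.exe": 33841, "perfvwr.dll": 65536, "wmiconf.dll": 67072, "uregvs.nis": None}

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan(root):
    """Walk root; return one record per file whose name is in KNOWN_FILES.
    size_match is True/False against the post's size, None if no size given."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            key = name.lower()
            if key not in KNOWN_FILES:
                continue
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            expected = KNOWN_FILES[key]
            hits.append({
                "path": path,
                "size": size,
                "size_match": None if expected is None else size == expected,
                "sha256": sha256_of(path),  # for reporting; the post gives no hash
            })
    return hits

def build_sample_tree():
    """Constructed test tree (assumption): one exact match, one name-only
    match with a different size, and one unrelated file to be ignored."""
    root = tempfile.mkdtemp(prefix="ddos_ioc_")
    sysdir = os.path.join(root, "system32")
    os.makedirs(sysdir)
    for name, size in (("msiexec2.exe", 33841), ("wmiconf.dll", 100), ("notepad.exe", 10)):
        with open(os.path.join(sysdir, name), "wb") as f:
            f.write(b"\x00" * size)
    return root
```

A name-plus-size match is a weak indicator on its own; treat a hit as a prompt to pull the file for analysis, not as a verdict.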

I know South Korean websites are under attack; they don’t know who is attacking, but I heard this on the BBC once today. Had no idea the US Gov was being DDOSed also; they probably don’t even feel it. LOL

And yesterday a website that hosts malware for ITs was DDOSed also. (Most of the attacking IPs were from Russia and Ukraine.) I get the feeling that it was a test drive for an upcoming DDOS attack.

They know where this attack came from. It’s from China.
Also US gov knows where this attack came from. It’s from China.
Some of the attack information has been identified.

But I think crazy North Korea is doing this attack.
Or China.

■■■■… They should have killed twitter instead of those sites… =/

lol they may, if Twitter is using one of those servers or is on a line that is being used to DDOS.

HACKERS ATTACK SOUTH KOREAN GOVT, PRIVATE WEB SITES:

SEOUL, Jul 08, 2009 (AsiaPulse via COMTEX) -- A series of cyber attacks disrupted the Web sites of South Korea's [b]presidential office[/b], [b]government agencies and private firms[/b], but no serious damage was reported, officials said Wednesday.

The so-called distributed denial-of-service (DDoS) attacks against 11 domestic Internet sites started at around 6:00 p.m. on Tuesday, shutting them down for hours, said the government-run Korea Information Security Agency (KISA).

Hackers disrupted the Web sites of the presidential office Cheong Wa Dae, the National Assembly and the Ministry of Defense, it said.

Among private sites infiltrated were major lenders Shinhan Bank and Korea Exchange Bank.
The cyber attacks also affected the country’s No. 1 portal Naver’s e-mail service and online auctioneer eBay’s South Korean site Auction.com, the agency said.

A DDoS attack involves sending large amounts of data that renders Web servers unusable by obstructing communication between the intended server and the target. The attacks generally use multiple personal computers infected by a hacker, allowing the individual to drive more traffic to the target.

KISA officials said most sites returned to normal as of 10:00 p.m. on Tuesday, though some sites remained unable to get access.

Online attack hits US government Web sites: http://www.networkworld.com/news/2009/070809-online-attack-hits-us-government.html

A botnet comprised of about [b]50,000 infected[/b] computers has been waging a war against U.S. government Web sites and causing headaches for businesses in the U.S. and South Korea.

The attack started Saturday, and security experts have credited it with knocking the U.S. Federal Trade Commission’s (FTC’s) Web site offline for parts of Monday and Tuesday. Several other government Web sites have also been targeted, including the U.S. Department of Transportation (DOT).

Any chance you could upload those files to VT and post links?
And also PM them to Melih or Umesh (head of AV).

I think COMODO already knows.

Updated MyDoom responsible for DDOS attacks, says AhnLab.
http://www.networkworld.com/news/2009/070809-updated-mydoom-responsible-for-ddos.html

An updated version of the MyDoom virus is responsible for a large DDOS (distributed denial of service) attack that took down major U.S. Web sites over the weekend and South Korean Web sites on Wednesday, according to Korean computer security company AhnLab.

When it was discovered in January 2004, MyDoom quickly became the fastest-spreading e-mail worm in Internet history. Once a PC was infected with MyDoom, it would harvest e-mail addresses and e-mail itself out repeatedly. Early variants of MyDoom were coded to conduct DDOS attacks against other Web sites within certain time periods.

White House, Pentagon websites targeted by cyberattack

Cyberattacks Hit U.S. and South Korean Web Sites

SEOUL, South Korea — Cyberattacks that have crippled the Web sites of several major American and South Korean government agencies since the July 4th holiday weekend appear to have been launched by a hostile group or government, South Korea’s main government spy agency said on Wednesday.