DDoS Attacks Launched by Malware

Researchers at Symantec recently reported a rise in DDoS attacks launched from compromised MySQL servers. The attackers have been using malware known as Chikdos to take over high-bandwidth MySQL servers around the world and use them to flood their targets. Other experts attribute the rise to the growing number of Linux servers infected with DDoS malware. The attacks have also been lasting longer than in the past: the security firm Kaspersky Lab reported that the longest DDoS attack it observed this year lasted around 13 days.

Chikdos is a Trojan that lets an attacker remotely control the infected system and launch Distributed Denial of Service (DDoS) attacks from it. Symantec does not know which group is using Chikdos for these attacks, and its report did not name the organizations whose servers were infected. It did say that most of the infected servers are in India, China, Brazil, and the Netherlands. Symantec found that two of these servers were launching DDoS attacks against a United States hosting provider and an IP address based in China.

To prevent these attacks, the administrators of MySQL servers would have to lock down the servers, meaning:

  • not running them with administrator-level privileges
  • keeping them patched
  • testing for and eliminating all SQL injection vulnerabilities

Administrators would also have to check for new user accounts and make sure that remote access services are secure.
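As an added example (it is not from the article or from Symantec), the Python below checks a MySQL host against the hardening points above. It works on a snapshot of mysql.user rows and of `ps -eo user,comm` output so that it runs offline; the sample rows, the baseline account list and the checks themselves are assumptions for illustration. On a live server you would feed it the result of `SELECT user, host, File_priv, Super_priv FROM mysql.user;` and of `ps -eo user,comm`.

```python
# Added example (not from the article or from Symantec): audit a MySQL host
# against the hardening points listed above. It works on a snapshot of
# mysql.user rows and of `ps -eo user,comm` output so it runs offline; the
# sample data and the baseline are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One row of mysql.user: who can connect, from where, with which risky privileges."""
    user: str
    host: str
    file_priv: bool    # FILE: read/write files on the server's filesystem
    super_priv: bool   # SUPER: change server settings, kill sessions, etc.


# Constructed snapshot of mysql.user. The last three rows are what an
# administrator "checking for new user accounts" should be looking for.
SAMPLE_ACCOUNTS = [
    Account("root", "localhost", True, True),
    Account("app", "10.0.0.%", False, False),
    Account("", "localhost", False, False),   # anonymous account
    Account("root", "%", True, True),         # root reachable from any host
    Account("backup2", "%", True, False),     # unknown account, FILE, any host
]

# Accounts the administrator expects to exist (assumed baseline).
BASELINE = {("root", "localhost"), ("app", "10.0.0.%")}

# Constructed `ps -eo user,comm` output: mysqld should run as an unprivileged user.
SAMPLE_PS = """USER     COMMAND
root     systemd
mysql    mysqld
root     sshd
"""


def audit_accounts(accounts, baseline=BASELINE):
    """Return (user, host, reason) findings for a mysql.user snapshot."""
    findings = []
    for a in accounts:
        key = (a.user, a.host)
        if a.user == "":
            findings.append((*key, "anonymous account"))
        if a.user == "root" and a.host == "%":
            findings.append((*key, "root reachable from any host"))
        if key not in baseline:
            findings.append((*key, "account not in baseline (new or unknown)"))
        # FILE turns a SQL injection or a stolen password into the ability to
        # write files on the server, so it should never sit on a remotely
        # reachable account.
        if a.file_priv and a.host == "%":
            findings.append((*key, "FILE privilege on a remotely reachable account"))
    return findings


def mysqld_owner(ps_output):
    """Return the user mysqld runs as (None if not running) from `ps -eo user,comm`."""
    for line in ps_output.splitlines()[1:]:   # skip the header line
        parts = line.split()
        if len(parts) == 2 and parts[1] == "mysqld":
            return parts[0]
    return None


def runs_as_root(ps_output):
    """True if mysqld runs with administrator-level (root) privileges."""
    return mysqld_owner(ps_output) == "root"


if __name__ == "__main__":
    for user, host, reason in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{user!r}@{host!r}: {reason}")
    print("mysqld runs as:", mysqld_owner(SAMPLE_PS), "(root?", runs_as_root(SAMPLE_PS), ")")
```

The baseline comparison is the part that answers "check for new user accounts": anything not in the list the administrator wrote down is reported, whatever its privileges.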

Chikdos was first reported in December 2013 by CERT Polska, Poland's computer emergency response team, which found it infecting Linux and Windows systems. Recently the malware has been targeting MySQL servers; MySQL is the second most popular database management system after Oracle. Gavin O'Gorman, a researcher at Symantec, said, "Given that Chikdos is used to perform DDoS attacks from the infected system, we believe that the attackers compromised MySQL servers to take advantage of their large bandwidth." O'Gorman also said, "With these resources, the attackers could launch bigger DDoS campaigns than if they used traditional consumer targets."

Researchers at Imperva Incapsula reported that over 900 internet-connected CCTV (closed-circuit television) devices have been used to launch HTTP flood attacks against their clients. An HTTP flood overloads the targeted server with large numbers of ordinary-looking HTTP requests, the kind a browser sends, rather than with malformed packets. The researchers found the attack peaking at around 20,000 requests per second, and traced it to CCTV cameras that the attackers had accessed by entering the devices' default credentials.
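As an added example (it is not from the article or from Imperva Incapsula), the Python below shows the detection side of the HTTP flood described above: it parses access-log lines, counts requests per client per second, and flags sources above a threshold. The log format, the threshold and the sample lines are constructed assumptions; the scaled-down sample also includes a malformed line, which the parser skips rather than crashes on. Because 900 cameras could each stay under a per-source limit, it also reports the aggregate peak rate across all clients.

```python
# Added example (not from the article or from Imperva Incapsula): flag HTTP
# flood sources in a web server access log by counting requests per client
# per second, and also watch the aggregate rate, since a botnet of ~900
# cameras can stay below any per-source limit. Format, threshold and sample
# lines are assumptions for illustration.
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common log format prefix: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def build_sample_log():
    """Constructed log: five ordinary visitors plus one source that sends
    200 requests inside a single second (a flood, scaled down), and one
    malformed line."""
    lines = []
    for i in range(5):
        lines.append(f'198.51.100.{i} - - [02/Nov/2015:10:15:{i % 3:02d} +0000] '
                     f'"GET /index.html HTTP/1.1" 200 512')
    for i in range(200):
        lines.append(f'203.0.113.7 - - [02/Nov/2015:10:15:01 +0000] '
                     f'"GET /?q={i} HTTP/1.1" 200 128')
    lines.append("garbage line that does not parse")
    return lines


def parse_line(line):
    """Return (client_ip, timestamp) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def requests_per_second(lines):
    """Map client IP -> Counter(second -> request count); malformed lines are skipped."""
    per_sec = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        per_sec[ip][ts] += 1
    return per_sec


def peak_rates(lines):
    """Highest number of requests any single second saw from each client."""
    return {ip: max(c.values()) for ip, c in requests_per_second(lines).items()}


def flood_sources(lines, threshold=100):
    """Clients whose peak rate exceeds `threshold` requests per second."""
    return {ip: r for ip, r in peak_rates(lines).items() if r > threshold}


def aggregate_peak(lines):
    """Highest total requests per second across all clients; catches a flood
    spread thinly over many sources (the CCTV botnet case)."""
    total = Counter()
    for c in requests_per_second(lines).values():
        total.update(c)
    return max(total.values()) if total else 0


if __name__ == "__main__":
    log = build_sample_log()
    print("per-source floods:", flood_sources(log))
    print("aggregate peak rps:", aggregate_peak(log))
```

The per-source threshold is what a simple rate limiter enforces; the aggregate figure is the one to alarm on when the flood arrives from hundreds of cameras at a few dozen requests per second each.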

DDoS attacks have risen sharply. Researchers at Verisign reported that the number of DDoS attacks has increased by 53 percent, and Kaspersky says that the share of DDoS attacks launched from Linux systems rose from 38 to 46 percent.

DDoS is one of the favorite tools of hackers and hacking groups: the tooling is easy to use and very effective. Groups such as DD4BC (DDoS for Bitcoin) rely on it because the mere threat of an attack has proven to be an effective extortion technique.

Link to article: http://www.databreachtoday.com/malware-used-to-launch-ddos-attacks-a-8656

Author: Matthew J. Schwartz

– Niccolo Dechicchio