Symantec has become aware of a new Distributed Denial of Service (DDoS) crimeware bot known as "Zemra" and detected by Symantec as Backdoor.Zemra. Lately, this threat has been observed performing denial-of-service attacks against organizations with the purpose of extortion. Zemra first appeared on underground forums in May 2012 at a cost of €100.
Figure 1. Zemra offered for sale on an underground forum
This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that is has a command-and-control panel hosted on a remote server. This allows it to issue commands to compromised computers and act as the gateway to record the number of infections and bots at the attacker's disposal.
Figure 2. Scheduling a DDoS HTTP attack
Similar to other crimeware kits, the functionality of Zemra is extensive:
- 256-bit DES encryption/decryption for communication between server and client
- DDoS attacks
- Device monitoring
- Download and execution of binary files
- Installation and persistence in checking to ensure infection
- Propagation through USB
- Self update
- Self uninstall
- System information collection
However, the main functionality is the ability to perform a DDoS attack on a remote target computer of the user's choosing.
Initially, when a computer becomes infected, Backdoor.Zemra dials home through HTTP (port 80) and performs a POST request sending hardware ID, current user agent, privilege indication (administrator or not), and the version of the OS. This POST request gets parsed by gate.php, which splits out the information and stores it in an SQL database. It then keeps track of which compromised computers are online and ready to receive commands.
Inspection of the leaked code allowed us to identify two types of DDoS attacks that have been implemented into this bot:
- HTTP flood
- SYN flood
The first type, HTTP flood, opens a raw socket connection, but has special options to close the socket gracefully without waiting for a response (e.g. SocketOptionName.DontLinger). It then closes the socket on the client side and launches a new connection with a sleep interval.
This is similar to a SYN flood, whereby a number of connection requests are made by sending multiple SYNs. No ACK is sent back upon receiving the SYN-ACK as the socket has been closed. This leaves the server-side Transmission Control Blocks (TCBs) in a SYN-RECEIVED state.
The second type, SYN flood, is a simple SYN flood attack whereby multiple connects() are called, causing multiple SYN packets to be sent to the target computer. This is done in an effort to create a backlog of TCB creation requests, thereby exhausting the server and denying access to real requests.
Symantec added detection for this threat under the name Backdoor.Zemra, which became active on June 25, 2012. To reduce the possibility of being infected by this Trojan, Symantec advises users to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed.