There is a new distributed denial-of-service (DDoS) botnet coming out of Poland that caught the eye of researchers from CERT Poland.
What’s interesting about it is the attackers developed malware to infect Windows and Linux machines.
The botnet is only for DDoS attacks, particularly DNS Amplification attacks, the researchers said. When CERT Poland published its report three days ago, most antiviruses detected the Windows version of the malware.
However, a shorter list of antivirus was able to catch the Linux variant.
When it finds itself on a device, the Linux malware connects to a command and control (C&C) server through a high TCP port. First, the bot starts gathering information on the infected hosts, after which it waits for commands.
The infected machine can get the call to launch one of four types of DDoS attacks against a specified target. Researchers have found there are some unimplemented functions, one of which might be for DDoS attacks via the HTTP protocol.
In the case of the Windows version of the malware, the infection happens in two stages. In the first phase, a malicious scvhost.exe file drops and executes. This component is responsible for registering a new Windows service which ensures the threat remains persistent.
In the next phase, the bot connects to a C&C server using a different high TCP port than the Linux variant.
A significant difference between the Windows and Linux versions is the former requests the IP of the C&C domain via a DNS query to 126.96.36.199, while the latter has the IP address hardcoded in the bot.
Experts believe the attackers are targeting Linux machines because they often end up used for servers, which means they have a considerable network bandwidth. Since the threat’s sole purpose is to launch DDoS attacks, bandwidth is very important.