Arbor Networks Identified a New DDoS Bot “Trojan.Ferret”

Security experts of security company Arbor Networks have examined a new distributed denial-of-service (DDOS) bot which they dubbed Trojan.Ferret.

Dennis Schwarz, Network Researcher with Arbor, found the malware (referring to Trojan.Ferret) after receiving a tip-off from a twitter user.

Interestingly, Trojan.Ferret is jotted in Delphi and incorporates numerous self-preservation potentialities including UPX packing, anti-virtual machine, anti-debugging measures, string obfuscation, process hollowing and self-modifying code.

Threatpost.com published a report on 18th December, 2013 quoting Schwarz as saying "The fact that the samples are in Delphi indicates a likely Russian origin."

Trojan.Ferret employs two obfuscation techniques, both mixing base64 and XOR encryption to camouflage what's occuring under the wraps. He (Schwarz) said that dissimilar encryption keys are employed for different components of the malware code base and one method is used mostly to encrypt strings in the malware code while the other hides communication back and forth with the command and control server.

Communication of command and control is done over HTTP and the bot comes equipped with a phone-home capability as well as numerous of commands. This fastidious server is based in Ukraine and infiltrated by Arbor.

Scmagazine.com.au published news statement on 20th December, 2013 quoting Schwarz as saying that the Trojan is targeting UK, the US, Germany, Russia and the Netherlands as well as Kazakhstan and hit property companies, an electronic store, a marriage outfits shop and even a politician in Panama.

Commenting on the latest Trojan, Adam Kujawa, malware Intelligence Analyst at Malwarebytes said the information security industry is still coming to grips with the threat posed by the new DDoS bot, according to a statement published by scmagazine.com.au on December 20, 2013.

Kujawa said that it is likely of Russian origin and uses a range of focused malware actions to conceal from finding and certainly is employed as a DDoS bot. Ferret will taint as many machines as it can to employ them into the botnet and then exploit each of those systems to attack a single server at the same time. A single system cannot perform a successful DDOS attack but a botnet of thousands can."

» SPAMfighter News - 12/28/2013