DirtJumper Malware Version Dubbed “Drive” Sports Powerful DDOS Engine
Arbor Networks researchers have analyzed the new variant
Over the past years, cybercriminals have made several improvements to the DirtJumper malware family. A new variant identified by experts from Arbor Networks, dubbed “Drive,” contains some interesting features. Written in Delphi, Drive has a much more powerful distributed denial-of-service (DDOS) engine compared to earlier variants.
Besides the improved DDOS engine, researchers have also discovered a few command and control (C&C) servers that serve Gzip-compressed data. At least one of these servers has been observed blocking connections based on geographic location.
“Drive sports 2 POST floods, a GET flood, 2 connection + data floods and a UDP flood – although the UDP flood was not seen in all instances. It also has the ability to specify a post query string of random data to add additional stress to a server in the cases where login pages, search pages, etc. are targeted,” Jason Jones of Arbor Networks explained in a blog post.
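To make the reported behaviour concrete from the defender's side, here is an added example (not code from Arbor Networks or the article) that scans constructed web-server log lines for the pattern described above: POST requests to one path from many sources carrying random-looking query strings. The log format, thresholds, IPs and sample values are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of simplified access-log lines (client IP, request line, status).
# IPs, paths and query values are made up; the random query strings mimic what the
# Drive variant is reported to append when flooding login or search pages.
SAMPLE_LOG = """\
10.0.0.1 "POST /login?x=kq8Zr1pL0mVb HTTP/1.1" 200
10.0.0.2 "POST /login?x=Aq93mZpQwe7L HTTP/1.1" 200
10.0.0.3 "POST /login?x=zzT4g0HnB2yX HTTP/1.1" 200
10.0.0.4 "POST /login?x=Lm7QpR2vW9kC HTTP/1.1" 200
10.0.0.5 "POST /login?x=bV4nX8cJ1sWd HTTP/1.1" 200
10.0.0.6 "POST /login?x=Hs2Ud7Qe9mRc HTTP/1.1" 200
10.0.0.7 "GET /about HTTP/1.1" 200
10.0.0.8 "POST /search?q=laptops HTTP/1.1" 200
10.0.0.9 "POST /search?q=laptops HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>[^ ?]+)(?:\?(?P<query>\S*))? HTTP/[\d.]+" \d+$')

def shannon_entropy(s):
    """Bits per character of s; high values suggest random rather than human input."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def find_post_floods(log_text, min_sources=5, min_entropy=3.0, min_distinct=0.8):
    """Flag paths receiving POSTs from >= min_sources distinct IPs whose query strings
    look random (mean entropy >= min_entropy, >= min_distinct of them unique)."""
    by_path = defaultdict(lambda: {"ips": set(), "queries": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line or not a POST; GET floods need their own check
        by_path[m["path"]]["ips"].add(m["ip"])
        by_path[m["path"]]["queries"].append(m["query"] or "")
    floods = {}
    for path, info in by_path.items():
        qs = info["queries"]
        mean_ent = sum(shannon_entropy(q) for q in qs) / len(qs)
        distinct = len(set(qs)) / len(qs)  # repeated queries look like real users
        if len(info["ips"]) >= min_sources and mean_ent >= min_entropy and distinct >= min_distinct:
            floods[path] = {"sources": len(info["ips"]), "mean_entropy": round(mean_ent, 2)}
    return floods

if __name__ == "__main__":
    for path, info in find_post_floods(SAMPLE_LOG).items():
        print(f"possible POST flood on {path}: {info}")
```

On the sample, only /login is flagged: six distinct sources sent six different high-entropy query strings, while /search saw a repeated, ordinary-looking query from two clients.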
The new DDOS engine also features a new string encryption algorithm that’s similar to the Khan algorithm.
According to Arbor, the new variant is not present on “mainstream” underground forums yet and only 15 unique C&C hostnames have been found so far.
However, the attacks in which Drive has been utilized are more powerful. For instance, experts have identified instances in which the C&Cs named over 60 targets at once for extended time intervals.
Drive has been spotted targeting a popular online retailer, a popular security news site, a search engine, and a number of foreign financial institutions.
By utilizing Umbrella’s Security Graph, Arbor was able to determine a “rough low-end estimate” on the number of hosts infected by Drive. During one successful attack, the number of queries peaked at around 1,000.
A complete technical analysis of the new DirtJumper variant is available on Arbor Networks’ blog.