Arbor Networks researchers have analyzed the new variant

Jun 22, 2013 10:21 GMT  ·  By

Over the past years, cybercriminals have made several improvements to the DirtJumper malware family. A new variant identified by experts from Arbor Networks, dubbed “Drive,” contains some interesting features.

Written in Delphi, Drive has a much more powerful distributed denial-of-service (DDOS) engine compared to earlier variants.

Besides the improved DDOS engine, researchers have also discovered a few command and control (C&C) servers that serve Gzip-compressed data. At least one of these servers has been observed blocking connections based on geographic location.

“Drive sports 2 POST floods, a GET flood, 2 connection + data floods and a UDP flood – although the UDP flood was not seen in all instances. It also has the ability to specify a post query string of random data to add additional stress to a server in the cases where login pages, search pages, etc. are targeted,” Jason Jones of Arbor Networks explained in a blog post.

The new DDOS engine also features a new string encryption algorithm that’s similar to the Khan algorithm.

According to Arbor, the new variant is not present on “mainstream” underground forums yet and only 15 unique C&C hostnames have been found so far.

However, the attacks in which Drive has been utilized are more powerful. For instance, experts have identified instances in which the C&Cs named over 60 targets at once for extended time intervals.

Drive has been spotted targeting a popular online retailer, a popular security news site, a search engine, and a number of foreign financial institutions.

By utilizing Umbrella’s Security Graph, Arbor was able to determine a “rough low-end estimate” on the number of hosts infected by Drive. During one successful attack, the number of queries peaked at around 1,000.

A completed technical analysis of the new DirtJumper variant is available on Arbor Networks’ blog.