DDoS Attack Pack

Posted: November 4, 2012 in Uncategorized

The Zemra Bot – New DDoS Attack
A new Distributed Denial of
Service (DDoS) crimeware bot
known as Zemra“” and detected by
Symantec as Backdoor.Zemra.
Lately, this threat has been
observed performing denial-of-
service attacks against
organizations with the purpose of
extortion. Zemra first appeared on
underground forums in May 2012
at a cost of €100.
This crimeware pack is similar to
other crime packs, such as Zeus
and SpyEye, in that is has a
command-and-control panel hosted
on a remote server. This allows it
to issue commands to compromised
computers and act as the gateway
to record the number of infections
and bots at the sattacker’ disposal.
Similar to other crimeware kits,
the functionality of Zemra is
256-bit DES encryption/decryption
for communication between server
and client
DDoS attacks
Device monitoring
Download and execution of binary
Installation and persistence in
checking to ensure infection
Propagation through USB
Self update
Self uninstall
System information collection
However, the main functionality is
the ability to perform a DDoS
attack on a remote target computer
of the suser’ choosing.
Initially, when a computer
becomes infected, Backdoor.Zemra
dials home through HTTP (port
80) and performs a POST request
sending hardware ID, current user
agent, privilege indication
(administrator or not), and the
version of the OS. This POST
request gets parsed by gate.php,
which splits out the information
and stores it in an SQL database.
It then keeps track of which
compromised computers are online
and ready to receive commands.
Inspection of the leaked code
allowed us to identify two types of
DDoS attacks that have been
implemented into this bot:
HTTP flood
SYN flood
Symantec added detection for this
threat under the name
Backdoor.Zemra, which became
active on June 25, 2012. To
reduce the possibility of being
infected by this Trojan, Symantec
advises users to ensure that they
are using the latest Symantec
protection technologies with the
latest antivirus definitions


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s