A new distributed-denial-of-service (DDoS) bot called ‘Trojan Ferret' has been discovered, and is already targeting real estate companies and other small and medium-sized (SMB) businesses.
Arbor Networks researcher Dennis Schwarz stumbled across the malware recently, after receiving a tip-off from a Twitter user, but said via a blog post that a relatively small number of unique samples and command and control servers have been uncovered, making it difficult to judge just how dangerous the new threat could be.
These samples are written in the Delphi programming language but most likely originate from Russia, said Schwarz, who added that the bot's self-preservation tools include UPX packing, string obfuscation, anti-virtual machine, anti-bugging measures, self-modifying code and process hollowing. Command and control is done over HTTP.
When speaking to SCMagazineUK.com, the analyst said that his firm has a ‘fairly complete picture' of what the bot represents, but admitted concerns on how Trojan.Ferret is being distributed.
“Trojan.Ferret is a new Russian DDoS bot. It stood out to me due to the silly ferret theme and that we have a fairly complete picture of it,” said Schwarz, adding that the company had tracked a sample of bot, the C&C panel view and live C&C traffic.
“It is a traditional DDoS bot focusing on the ‘core' set of DDoS attacks, such as HTTP, UDP and TCP. It lacks the common application layer attacks such as Slowloris, Apache Killer, and RUDY.
“A major missing component that we're unsure of is how this particular Trojan is being distributed--whether by exploit kit, malware-laced spam, or via one of the many ‘dropper/downloader' networks.”
Schwarz said that the Trojan is targeting the UK, the US, Germany, Russia and the Netherlands, as well as Kazakhstan, and said that attacks have hit property companies, an electronics shop, a wedding dress shop and even a politician in Panama.
Malwarebytes malware intelligence analyst Adam Kujawa told SCMagazineUK.com that the information security industry is still coming to grips with the threat posed by the new DDoS bot.
“It is likely of Russian origin, uses an array of specialised malware tricks to hide it from detection and of course is used as a DDOS bot,” said Kujawa.
“Ferret will infect as many systems as it can to recruit them into the Botnet and then use each of those systems to attack a single server at the same time,” he added, commenting, "A single system cannot perform a successful DDOS attack but a botnet of thousands can.”