Indian network security researchers have noticed an increase in DDoS attacks that exploit a Windows OS and Windows Explorer vulnerability. The attack allows hackers to deliver a malware payload which spreads across the network to infect other machines and can be controlled by a Command and Control (CnC) server.
In this case, the malware is installed when a user visits a malicious website. After checking for compatibility, the malware, as part of its penetration into the system, disables restricted VBScript functionality within the browser. This process, which involves changing the safemode flag within the browser, is also known as the “GodMode” exploit. Once “GodMode” is exploited, the virus is downloaded; the virus payload then connects to a remote CnC server, downloads additional malware executable files, copies itself into C:\WINDOWS, and deletes itself to avoid detection. Once installed, the malware spreads throughout the network and executes DDoS attacks specified by the CnC server. To avoid this infection, researchers suggest immediately installing the latest system and browser updates.
Would you be able to tell if your network was infected with this attack? Updating your browser and operating system might stop future infection, but what if the infection has already happened and the malware is lying in wait? GREYCORTEX MENDEL identifies threats like the one described here because its advanced artificial intelligence and machine learning identify communication between the malware and its CnC server. MENDEL is unique in the industry because it can distinguish malware communication with a CnC server from human communication. MENDEL can also identify the threat through flow analysis. Because it analyzes all network flow data (rather than just a specific profiled flow, like NetFlow or IPFIX), its IDS engine can identify the malware’s signature, even though it is encrypted.
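The flow-analysis idea above, that CnC traffic looks different from human browsing, can be illustrated with a small beaconing detector. The following is an added example, not MENDEL's code and not from the original post or the cited research. It assumes flow records shaped like NetFlow/IPFIX summaries (source, destination, destination port, start time in epoch seconds, bytes), and flags a source/destination pair whose connection intervals and sizes are unusually regular. The sample flows are constructed: one host checks in with the same external address every minute with nearly identical payloads, another browses irregularly.

```python
"""Beacon-candidate detector over flow records (added example, hypothetical API).

Flow record shape assumed here: {"src", "dst", "dport", "start", "bytes"}.
A host contacting one destination at near-constant intervals with
near-constant sizes is a CnC beaconing candidate; human-driven traffic
has irregular timing and sizes. Regularity is measured with the
coefficient of variation (stddev / mean): lower means more machine-like.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (not real traffic).
# 10.0.0.5 -> 203.0.113.7:443 roughly every 60 s, ~412 bytes each: beacon-like.
# 10.0.0.9 -> 198.51.100.20:443 at irregular times and sizes: browsing-like.
# 10.0.0.9 -> 192.0.2.8:53 only three flows: too few to judge.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443, "start": t, "bytes": b}
    for t, b in [(1000, 412), (1061, 412), (1119, 418), (1180, 412),
                 (1240, 412), (1301, 412), (1359, 418), (1420, 412)]
] + [
    {"src": "10.0.0.9", "dst": "198.51.100.20", "dport": 443, "start": t, "bytes": b}
    for t, b in [(1005, 1500), (1012, 24000), (1090, 800), (1091, 93000),
                 (1400, 3000), (1402, 52000), (1800, 700), (2500, 11000)]
] + [
    {"src": "10.0.0.9", "dst": "192.0.2.8", "dport": 53, "start": t, "bytes": 70}
    for t in (1000, 1060, 1120)
]


def group_by_pair(flows):
    """Group flows by (src, dst, dport) so each conversation is scored on its own."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f)
    return groups


def beacon_score(flows, min_flows=6):
    """Return (cv_interval, cv_bytes) for one conversation, or None if too few flows."""
    if len(flows) < min_flows:
        return None
    starts = sorted(f["start"] for f in flows)
    intervals = [later - earlier for earlier, later in zip(starts, starts[1:])]
    sizes = [f["bytes"] for f in flows]
    mean_i, mean_b = mean(intervals), mean(sizes)
    cv_i = pstdev(intervals) / mean_i if mean_i > 0 else float("inf")
    cv_b = pstdev(sizes) / mean_b if mean_b > 0 else float("inf")
    return cv_i, cv_b


def find_beacons(flows, max_cv=0.1, min_flows=6):
    """Return sorted [(pair, cv_interval, cv_bytes)] for conversations under max_cv."""
    hits = []
    for pair, group in group_by_pair(flows).items():
        score = beacon_score(group, min_flows)
        if score is not None and score[0] <= max_cv and score[1] <= max_cv:
            hits.append((pair, round(score[0], 3), round(score[1], 3)))
    return sorted(hits)


if __name__ == "__main__":
    for pair, cv_i, cv_b in find_beacons(SAMPLE_FLOWS):
        print(f"beacon candidate {pair}: interval cv={cv_i}, size cv={cv_b}")
```

The thresholds (`max_cv`, `min_flows`) are illustrative; on a real network they would be tuned against baseline traffic, and legitimate periodic services (NTP, update checks, monitoring agents) need an allow-list so they are not reported alongside the suspicious pair. Because the score uses only timing and sizes, it does not depend on reading the payload, which is why this style of analysis still works when the CnC channel is encrypted.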
To learn more about how GREYCORTEX can help you identify attacks of this nature, contact your IT Security professional, or GREYCORTEX directly.
The original research on the attack can be found here: http://blogs.quickheal.com/ddos-attacks-spreading-godmode-exploit-cve-2014-6332/
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.
MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.
MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.