Digging into the Nitol DDoS botnet

From Botnets.fr


Botnet: Nitol
Date: 2012 / Thursday, April 19, 2012
Editor/Conference: McAfee
Link: http://blogs.mcafee.com/mcafee-labs/digging-into-the-nitol-ddos-botnet (Archive copy)
Author: Itai Liba

Abstract

Nitol is a distributed denial of service (DDoS) botnet that seems to be small and not widely known. It mostly operates in China. McAfee Labs recently analyzed a few samples; we offer here the communications protocol and the Trojan’s capabilities.

Most of the samples we encountered were not packed and were very easy to reverse engineer. The Trojan was written in Visual C++ either in a hurry or by an untrained programmer. We found a lot of bugs in the code. Nitol copies itself to a random filename ******.exe (where every * is a randomized alphabet character) in the Program Files directory. The new file is registered as a service, “MSUpdqteeee,” with the display name “Microsoft Windows Uqdatehwh Service.”

Bibtex

 @misc{2012BFR992,
   editor = {McAfee},
   author = {Itai Liba},
   title = {Digging into the Nitol DDoS botnet},
   date = {19},
   month = Apr,
   year = {2012},
   howpublished = {\url{http://blogs.mcafee.com/mcafee-labs/digging-into-the-nitol-ddos-botnet}},
 }