A new IRC bot used to carry out distributed denial of service (DDoS) attacks against a couple of Russian websites has emerged recently, researchers with the Russian security firm Doctor Web reveal.
Dubbed Trojan BackDoor.IRC.Medusa.1, the new piece of malware was used in DDoS attacks targeting the Rosbank and Eximbank banks, the security researchers say. The Trojan’s main purpose is launching DDoS attacks, and Doctor Web says that this specific malware might also have been used in the recent attack on Sberbank.
Belonging to the IRC bot category, the Trojan can unite with other similar malware to create botnets. These Trojans receive commands over the IRC (Internet Relay Chat) protocol by connecting to specific channels and awaiting directives.
The analyzed Medusa Trojan sample was heavily obfuscated in an attempt to hinder analysis, the researchers explain. Once installed on a compromised system, the malware checks if specific applications are present, to ensure it isn’t running in a sandboxed environment. It also changes the Windows registry branch to autorun itself.
Doctor Web researchers have discovered that Medusa is being actively promoted on underground forums, where its creators claim that a botnet of 100 infected computers can generate 20,000-25,000 requests per second, peaking at 30,000. A diagram of an alleged test attack on an NGINX HTTP server is shown as proof.
The Medusa IRC bot was designed with support for several types of DDoS attacks, but it also has the ability to download and run executable files on the infected computers. The virus makers even published a botnet operator manual to provide details on the entire list of commands that the Trojan comes with.
Some of these commands include httpstrong, httppost, httpseebix and smartflood GET (each with its own stop command, plus a stop-all command that halts all of these operations at once), silent on/off, download, join channel, update, and resetnick. Login and logout commands are also available.
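For defenders who capture IRC traffic or have access to a seized channel log, the command vocabulary above is enough to build a simple detector. The following is an added example written for this article, not code from Doctor Web or from the Medusa operator manual: only the command names come from the text, while the message syntax (command as the first word of a channel PRIVMSG, arguments after it), the optional `!`/`.` command prefix, and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Command names as listed in the Doctor Web write-up. Argument layout and
# separators are NOT documented on the page; this detector only keys on
# the first word of a channel message (an assumption).
MEDUSA_COMMANDS = {
    "httpstrong", "httppost", "httpseebix", "smartflood",
    "stop", "stopall", "silent", "download", "join", "update",
    "resetnick", "login", "logout",
}

# Standard IRC PRIVMSG line: ":nick!user@host PRIVMSG #channel :text"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S*\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


@dataclass
class Hit:
    nick: str      # who issued the command (the suspected operator)
    target: str    # channel or nick the message went to
    command: str   # normalised command name
    args: str      # remainder of the line, kept for analyst review


def classify_message(text: str):
    """Return the Medusa command name if the message starts with one, else None."""
    tokens = text.strip().split()
    if not tokens:
        return None
    # Many IRC bots accept a "!" or "." prefix; stripping it is an assumption.
    cmd = tokens[0].lower().lstrip("!.")
    return cmd if cmd in MEDUSA_COMMANDS else None


def detect_medusa_commands(log_lines):
    """Scan raw IRC log lines and return a Hit for each suspected bot command."""
    hits = []
    for line in log_lines:
        m = PRIVMSG_RE.match(line.strip())
        if not m:
            continue  # PING/PONG, JOIN, NOTICE etc. are ignored
        text = m.group("text")
        cmd = classify_message(text)
        if cmd is None:
            continue
        parts = text.strip().split(maxsplit=1)
        args = parts[1] if len(parts) > 1 else ""
        hits.append(Hit(m.group("nick"), m.group("target"), cmd, args))
    return hits


def summarize_by_operator(hits):
    """Count commands per issuing nick; one nick issuing many is the C2 operator."""
    return dict(Counter(h.nick for h in hits))


# Constructed sample log (not real traffic); hosts use the reserved .invalid TLD.
SAMPLE_LOG = [
    ":op!op@10.0.0.5 PRIVMSG #med :httpstrong http://target.invalid/ 60",
    ":bot1!b@10.0.0.9 PRIVMSG #med :joined",
    ":op!op@10.0.0.5 PRIVMSG #med :smartflood GET http://target.invalid/ 30",
    "PING :irc.example.invalid",
    ":alice!a@10.0.0.7 PRIVMSG #chat :hi everyone, any update on the meeting?",
    ":op!op@10.0.0.5 PRIVMSG #med :stopall",
]

if __name__ == "__main__":
    for h in detect_medusa_commands(SAMPLE_LOG):
        print(f"{h.nick} -> {h.target}: {h.command} {h.args}")
    print(summarize_by_operator(detect_medusa_commands(SAMPLE_LOG)))
```

Because several of the command names (`update`, `join`, `stop`, `download`) are ordinary English words, a first-word match alone will produce false positives on human chat channels; in practice the hit list should be combined with the channel name, the number of distinct nicks that only ever receive and never send, and the 314-connection scale the researchers observed.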
The security researchers have identified 314 active connections on one of the IRC channels controlling the Medusa botnet. While inspecting the command log, the researchers discovered that the botnet’s operators attacked a series of sites multiple times between November 11 and November 14, 2016, including rosbank.ru (Rosbank), eximbank.ru (Eximbank), fr.livraison.lu and en.livraison.lu (the Livraison restaurant chain) and korytov-photographer.ru (a private website).