DDoS:Win32/Nitol.A
First posted on 10 October 2012.
Source: Microsoft
Aliases:
DDoS:Win32/Nitol.A is also known as Trojan horse DDoS.AC (AVG), Trojan.Nitol!434E (Rising AV), Backdoor.Nitol (Symantec), WORM_NITOL.SMB (Trend Micro).
Explanation:
DDoS:Win32/Nitol.A is malware that performs DDoS (Distributed Denial of Service) attacks against a target system, usually a website, by sending random data to the site. It is usually installed as part of a bundle with other software obtained from peer-to-peer shares.
Installation
Upon execution, it drops itself as a DLL or EXE file with a random name. It installs itself as a service so that it automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Sets value: "netsvcs"
With data: "6to4"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4
Sets value: "Type"
With data: ""
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters
Sets value: "ServiceDll"
With data: "<malware file name>"
In subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch
Sets value: "Epoch"
With data: "©"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\National<random characters>
Sets value: "Description"
With data: "provides<random characters> a domain ser<random characters>ver for ni security."
Sets value: "ImagePath"
With data: "<malware file name>"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\DSLserverkmr
Sets value: "Description"
With data: "dcom serverxpi process launcher.."
Payload
Performs DDoS attacks on websites
DDoS:Win32/Nitol.A executes the following commands, which send the following request data to target websites:
GET %s HTTP/1.1\r\nReferer: http://%s:80/http://%s\r\nHost: %s\r\nConnection: Close\r\nCache-Control: no-cache\r\n\r\n
GET %s HTTP/1.1\r\nContent-Type: text/html\r\nHost: %s:%d\r\nAccept: text/html, */*\r\nUser-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)\r\n\r\n
GET %s HTTP/1.1\r\nContent-Type: text/html\r\nHost: %s\r\nAccept: text/html, */*\r\nUser-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)\r\n\r\n
GET %s HTTP/1.1\r\nHost: %s:%d\r\n\r\n
GET %s HTTP/1.1\r\nAccept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\nAccept-Language: zh-cn\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\nHost: %s\r\nConnection: Keep-Alive\r\n\r\n
where %s is the target website to be attacked and %d is a random decimal number.
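The request templates above carry fixed header quirks (a Referer of the form http://host:80/http://host, a Content-Type header on a GET, "User-Agent:" written with no space before the value, a request carrying only Host). The detector below is an added example, not Microsoft's analysis code: it fingerprints raw HTTP requests against those templates and flags client IPs that repeat them, using constructed sample traffic and a hypothetical hit threshold.

```python
import re
from collections import Counter

# Header quirks taken from the five request templates quoted above.
REFERER_LOOP = re.compile(r"^http://[^/\s]+:80/http://")   # template 1's Referer
MYIE_UA = "MyIE 3.01"                                      # templates 2 and 3
MSIE6_SV1_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"  # template 5

def parse_request(raw):
    """Split a raw HTTP request into (method, lower-cased header dict, raw header lines)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers, lines[1:]

def classify(raw):
    """Name the Nitol template a request matches, or None for ordinary traffic."""
    method, h, lines = parse_request(raw)
    if method != "GET":
        return None
    # Templates 2, 3 and 5 emit "User-Agent:" with no space before the value.
    tight_ua = any(l.startswith("User-Agent:") and not l.startswith("User-Agent: ") for l in lines)
    if REFERER_LOOP.match(h.get("referer", "")) and h.get("cache-control") == "no-cache":
        return "referer-loop"
    if tight_ua and MYIE_UA in h.get("user-agent", "") and "content-type" in h:
        return "myie-content-type"     # a Content-Type header on a GET is itself odd
    if set(h) == {"host"}:
        return "bare-host"             # template 4 sends nothing but Host
    if tight_ua and h.get("user-agent") == MSIE6_SV1_UA and h.get("accept-language") == "zh-cn":
        return "msie6-zh-cn"           # weak on its own; rely on the rate check below
    return None

def flag_sources(events, threshold):
    """events: iterable of (client_ip, raw_request); returns IPs with >= threshold template hits."""
    hits = Counter(ip for ip, raw in events if classify(raw))
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample traffic (not a capture): one bot-like client and one normal browser.
SAMPLE = [
    ("198.51.100.7", "GET / HTTP/1.1\r\nReferer: http://www.example.com:80/http://www.example.com\r\n"
                     "Host: www.example.com\r\nConnection: Close\r\nCache-Control: no-cache\r\n\r\n"),
    ("198.51.100.7", "GET / HTTP/1.1\r\nContent-Type: text/html\r\nHost: www.example.com:80\r\nAccept: text/html, */*\r\n"
                     "User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)\r\n\r\n"),
    ("198.51.100.7", "GET / HTTP/1.1\r\nHost: www.example.com:80\r\n\r\n"),
    ("203.0.113.5", "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"),
]

print(flag_sources(SAMPLE, threshold=3))  # {'198.51.100.7': 3}
```

The last rule matches a stock IE6 User-Agent, so on its own it is only a weak signal; the per-IP count in flag_sources is what turns these fingerprints into a usable flood indicator.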
Connects to certain websites:
DDoS:Win32/Nitol.A sends DNS requests to the following websites:
- 351611.gnway.net
- daihao007.3322.org
- fghziyi.chibizx.com
- mild443164.3322.org
- xiaoconghanadmin.3322.org
Analysis by Ferdinand Plazo
Last update 10 October 2012