Zemra botnet used for DDoS version of the protection racket

July 03, 2012

Posted in: Network Security Trends

If you are looking for a bot capable of launching a distributed denial-of-service (DDoS) attack to shake down a website owner who would rather pay a ransom than lose hours of lucrative business, the Zemra crimeware kit can be had for €100 ($126.20 at the last check of the exchange rate), according to Symantec.

Zemra, like most crimeware, hijacks a victim computer and reports back to a command-and-control (C&C) server, which issues instructions, pushes updates and so on; the computer has been enlisted in a botnet. A botnet can be put to any number of uses, from automated attacks to spam to DDoS. Symantec reports that Zemra in particular has been active executing DDoS attacks to extort money from victim companies.

While hacktivism draws the headlines, extortion is the hardcore criminal side of DDoS. It’s the digital version of the old protection racket: “You’ve got a very nice website here. Must make a pretty penny. Be a shame if something bad was to happen to it.” A company gets an email or a call threatening a DDoS attack unless a ransom is transferred to a designated account by a certain deadline. The ransom is generally high enough to make it worth the crooks’ while, but not so high that it drives the victims to say no and go to the authorities.

Criminals often time their demands to a victim’s most profitable periods: an online betting site before a big sports event, a retailer on Black Friday or before Christmas. The beauty of having a botnet at your disposal is that you need not unleash it unless the victim balks, though you may give them a quick dose of DDoS to prove you mean business.

This particular nasty bit of work uses two DDoS techniques: HTTP flood and SYN flood. Zemra’s HTTP flood opens a socket connection to the web server, closes it before a response arrives, sleeps for an interval and then opens a new connection. HTTP floods are nasty in that, to the server, each connection looks much like a legitimate client, so they are very difficult to filter on the wire. The venerable SYN flood is a classic among the network-layer flooding attacks that were popular in the earlier years of DDoS: the attacker sends a stream of TCP SYN packets but never sends the final ACK when the target answers with SYN-ACK, leaving half-open connections that tie up the server’s connection table until they time out. This and other “traditional” flooding attacks have fallen somewhat out of favor, accounting for less than 20% of DDoS attacks in the second half of 2011, according to Kaspersky Lab.
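The two patterns just described leave different fingerprints in connection records, and the following script, added here as an illustration rather than anything from Symantec’s write-up or the Zemra kit itself, shows how a defender would tell them apart. It parses a constructed (not real) set of per-connection flow summaries: a Zemra-style HTTP flood shows up as a single source completing the TCP handshake and then closing connections before the server has sent a byte, while a SYN flood shows up as connections that never get past SYN-ACK. The record layout, the thresholds and the addresses are all assumptions made for the example.

```python
"""Spot HTTP-flood and SYN-flood patterns in per-connection flow records.

Added example: the record format, sample data and thresholds are assumptions,
not an artefact of Zemra or of any particular flow collector.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample (not captured traffic). One TCP connection per line:
#   src_ip  handshake_steps_observed  bytes_sent_by_server  who_closed
# 203.0.113.x are ordinary visitors, 198.51.100.7 behaves like a Zemra HTTP
# flood, and 192.0.2.x are one-packet-each half-open connections, the shape a
# SYN flood with spoofed source addresses takes in a flow log.
SAMPLE_FLOWS = """\
203.0.113.10 SYN,SYN-ACK,ACK 1840 server
203.0.113.10 SYN,SYN-ACK,ACK 920 client
203.0.113.11 SYN,SYN-ACK,ACK 0 client
198.51.100.7 SYN,SYN-ACK,ACK 0 client
198.51.100.7 SYN,SYN-ACK,ACK 0 client
198.51.100.7 SYN,SYN-ACK,ACK 0 client
198.51.100.7 SYN,SYN-ACK,ACK 0 client
198.51.100.7 SYN,SYN-ACK,ACK 0 client
192.0.2.1 SYN,SYN-ACK 0 none
192.0.2.2 SYN,SYN-ACK 0 none
192.0.2.3 SYN,SYN-ACK 0 none
192.0.2.4 SYN,SYN-ACK 0 none
192.0.2.5 SYN,SYN-ACK 0 none
192.0.2.6 SYN,SYN-ACK 0 none
192.0.2.7 SYN,SYN-ACK 0 none
192.0.2.8 SYN,SYN-ACK 0 none
"""


@dataclass(frozen=True)
class Flow:
    src: str
    steps: tuple          # handshake steps seen, e.g. ("SYN", "SYN-ACK", "ACK")
    server_bytes: int     # payload bytes the server managed to send back
    closed_by: str        # "client", "server" or "none" (still open / timed out)

    @property
    def half_open(self) -> bool:
        # Server answered SYN with SYN-ACK but the client never sent the final ACK.
        return "SYN-ACK" in self.steps and "ACK" not in self.steps

    @property
    def closed_before_response(self) -> bool:
        # Handshake completed, then the client tore the connection down before
        # the server had sent anything: the Zemra HTTP-flood behaviour.
        return ("ACK" in self.steps
                and self.closed_by == "client"
                and self.server_bytes == 0)


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, steps, server_bytes, closed_by = line.split()
        flows.append(Flow(src, tuple(steps.split(",")), int(server_bytes), closed_by))
    return flows


def classify(flows, per_source_threshold: int = 5, half_open_ratio: float = 0.5):
    """Return (per-source verdicts, aggregate verdicts).

    HTTP-flood bots complete the handshake, so their real address is visible
    and a per-source count works. SYN floods usually spoof the source, so one
    address rarely exceeds any threshold; the tell is the share of all
    connections left half-open, which is checked in aggregate instead.
    """
    empty_closes = Counter(f.src for f in flows if f.closed_before_response)
    per_source = {src: "http-flood"
                  for src, n in empty_closes.items() if n >= per_source_threshold}

    half_open = sum(1 for f in flows if f.half_open)
    aggregate = []
    if flows and half_open / len(flows) >= half_open_ratio:
        aggregate.append("syn-flood")
    return per_source, aggregate


def analyse(text: str = SAMPLE_FLOWS) -> dict:
    flows = parse_flows(text)
    per_source, aggregate = classify(flows)
    return {
        "flows": len(flows),
        "half_open": sum(1 for f in flows if f.half_open),
        "per_source": per_source,
        "aggregate": aggregate,
    }


if __name__ == "__main__":
    print(analyse())
```

Note that the single aborted connection from 203.0.113.11 is not flagged: one empty close is normal browser behaviour, and it is the repetition from one source that marks the bot. The half-open check deliberately ignores source addresses, because counting per source would miss a spoofed SYN flood entirely.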
