6.25 DNS DDoS Attack Analysis Report
2013-06-25 • Fortinet • 6.25 DNS DDoS attack analysis report
Fortinet Korea's 6.25 DNS DDoS report attributes the June 25 disruption of South Korean government sites to malware that used infected hosts to flood the government DNS servers ns.gcc.go.kr and ns2.gcc.go.kr. The initial sample was downloaded from simdisk.co.kr as SimDisk_setup.exe, a self-extracting RAR that contained SimDiskup.exe and fetched c.jpg, which was saved locally as ~simdisk.exe. The payload bundled Tor 0.2.3.25 components and Themida-packed files, checked for file-mapping objects and the OS architecture, and then, once the clock passed 10:00 on 25 June, began sending randomized DNS queries to the hardcoded targets 152.99.1.10 and 152.99.200.6. Fortinet notes similarities with the 3.20 attacks and states that the relevant signatures were updated for customers.
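The behaviour described above (randomized query names, hardcoded resolver targets, a fixed trigger time) is the kind of pattern a defender can look for in DNS query logs. The following Python script is an added example, not code from Fortinet or from the report; it assumes a hypothetical log format of `<ISO timestamp> <source IP> <destination IP> <query name>`, treats the trigger time as local time, and uses a Shannon-entropy threshold on the leftmost label to separate random-looking names from ordinary hostnames. The log lines embedded in it are constructed for illustration.

```python
import math
from collections import Counter
from datetime import datetime

# Resolver addresses named in the report as the malware's hardcoded targets.
TARGET_RESOLVERS = {"152.99.1.10", "152.99.200.6"}

# Trigger time given in the report (assumed local time here).
TRIGGER_TIME = datetime(2013, 6, 25, 10, 0, 0)

# Constructed sample log lines in an assumed "<ts> <src> <dst> <qname>" format.
# 10.0.0.5 behaves like an infected host after the trigger; 10.0.0.7 does not.
SAMPLE_LOG = """\
2013-06-25T09:58:01 10.0.0.5 152.99.1.10 x7qk2ls9.gcc.go.kr
2013-06-25T10:00:02 10.0.0.5 152.99.1.10 p0dmz8wq.gcc.go.kr
2013-06-25T10:00:02 10.0.0.5 152.99.200.6 a3bc9fe1.gcc.go.kr
2013-06-25T10:00:03 10.0.0.5 152.99.1.10 tr5y6u8i.gcc.go.kr
2013-06-25T10:00:03 10.0.0.5 152.99.200.6 k4j7h2g1.gcc.go.kr
2013-06-25T10:00:04 10.0.0.5 152.99.1.10 m9n3b5v7.gcc.go.kr
2013-06-25T10:00:04 10.0.0.5 152.99.200.6 z1x2c3v4.gcc.go.kr
2013-06-25T10:00:05 10.0.0.5 8.8.8.8 q8w7e6r5.example.com
2013-06-25T10:01:00 10.0.0.7 152.99.1.10 www.gcc.go.kr
2013-06-25T10:01:01 10.0.0.7 152.99.200.6 mail.gcc.go.kr
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character in a DNS label; random 8-char labels score ~3.0."""
    if not label:
        return 0.0
    n = len(label)
    counts = Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one assumed-format log line; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, qname = parts
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "qname": qname}


def find_suspects(log_text: str, min_queries: int = 5, min_entropy: float = 2.5) -> dict:
    """Return {source_ip: count} for hosts that, after the trigger time, sent at least
    min_queries high-entropy queries to one of the hardcoded target resolvers."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only queries after the trigger and aimed at the named resolvers count.
        if rec["ts"] < TRIGGER_TIME or rec["dst"] not in TARGET_RESOLVERS:
            continue
        leftmost = rec["qname"].split(".")[0]
        if shannon_entropy(leftmost) >= min_entropy:
            hits[rec["src"]] += 1
    return {src: n for src, n in hits.items() if n >= min_queries}


if __name__ == "__main__":
    for src, n in find_suspects(SAMPLE_LOG).items():
        print(f"{src}: {n} randomized queries to target resolvers after trigger")
```

The entropy threshold is deliberately simple: legitimate labels such as `www` or `mail` score well below 2.5 bits, while an 8-character label of distinct characters scores 3.0, so the count only accumulates for the random-name pattern. Queries sent before the trigger time, or to resolvers other than the two hardcoded targets, are ignored so that ordinary lookups do not inflate the count.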
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | simdisk.co.kr | 2013-06-25 | 2013-07-19 |
| IPv4 | 152.99.200.6 | 2013-06-25 | 2013-07-19 |
| IPv4 | 152.99.1.10 | 2013-06-25 | 2013-07-19 |