7.7 DDoS malware analysis

2009-07-09 hkpco 7.7 DDoS malware analysis

https://www.yumpu.com/en/document/read/17407067/77-ddos-hkpco

Attachments

7.7_DDoS_악성코드_분석.pdf (312 KB)

The 7.7 DDoS malware analysis documents how two components, `msiexec2.exe` and `perfvwr.dll`, supported the July 2009 denial-of-service attacks against South Korean and U.S. websites. `msiexec2.exe` set its working directory to the Windows system directory, created `uregvs.nls`, extracted an embedded target list from its own binary, wrote that list to the file, and adjusted the file's timestamps. The extracted targets included South Korean government, military, banking, portal, media, and commerce sites, plus U.S. government, military, media, stock-exchange, finance, and auction sites. `perfvwr.dll` registered itself as a service, read `uregvs.nls` as a sequence of 0x148-byte target entries, parsed the semicolon-separated target data in each entry, checked the configured start and end times, and launched GET or POST flooding threads using socket APIs such as `WSASocket`, `WSAConnect`, and `send`.

Indicators of Compromise

Type   Value                             First Seen   Last Seen
HASH   65ba85102aaec5daf021f9bfb9cddd16  2009-07-09   2009-07-09
HASH   bcb69c1bab27f53a0223e255d9b60d87  2009-07-09   2009-07-09
