7.7 DDoS: Unknown Secrets & Botnet Counter Attack

2009-11-08 Issuemakers Lab

http://powerofcommunity.net/poc2009/si.pdf

Attachments

7.7_DDoS__Unknown_Secrets__Botnet_Counter_Attack.pdf (2 MB)


IssuemakersLab's 7.7 DDoS presentation describes a hierarchical botnet used in the July 2009 attacks against South Korean and U.S. government, media, and financial websites. The malware family included file-information stealers, DDoS components, spam components, and an HDD/MBR destroyer, with samples such as msiexec?/ntdll.exe, wmiconf.dll, wmcfg.exe, mstimer.dll, and wversion.exe using custom XOR-based protocols and configuration files. The deck lists C&C IP relay servers and distributed support servers, including flash.gif download locations used by mstimer.dll before wversion.exe executed after midnight on July 10 to overwrite the MBR and damage documents by compressing them with random passwords. The report is useful because it documents both the botnet's command hierarchy and the destructive payload chain behind the 7.7 DDoS incident.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
DOMAIN  newrozfm.com                        2009-11-08   2009-11-08
URL     http://newrozfm.com/img/glyph/f…    2009-11-08   2009-11-08
URL     http://201.116.58.131/xampp/img…    2009-11-08   2009-11-08
URL     http://122.155.5.196/shop/image…    2009-11-08   2009-11-08
URL     http://75.151.32.182/flash.gif      2009-11-08   2009-11-08
URL     http://202.14.70.116/flash.gif      2009-11-08   2009-11-08
URL     http://163.19.209.22/flash.gif      2009-11-08   2009-11-08
URL     http://92.63.2.118/flash.gif        2009-11-08   2009-11-08
URL     http://200.6.218.194/flash.gif      2009-11-08   2009-11-08
IPv4    98.118.201.35                       2009-11-08   2009-11-08
IPv4    75.144.115.102                      2009-11-08   2009-11-08
IPv4    93.104.211.61                       2009-11-08   2009-11-08
IPv4    67.69.18.51                         2009-11-08   2009-11-08
IPv4    116.68.144.212                      2009-11-08   2009-11-08
IPv4    220.250.64.246                      2009-11-08   2009-11-08
IPv4    213.23.243.210                      2009-07-09   2009-11-08
IPv4    213.33.116.41                       2009-07-09   2009-11-08
IPv4    216.199.83.203                      2009-07-09   2009-11-08
