Trend Micro reports that it received a sample of the bot client used by the hacker group LulzSec Brazil to conduct DDoS attacks against Brazilian websites. Those affected included the websites of both the Brazilian government and the President. This attack is not the first of its kind from the group: the main LulzSec hacking group reportedly attacked other sites, including those of the UK Serious Organized Crime Agency, the US Senate, and Sony.
The bot client, which we now detect as BKDR_ZOMBIE.SM, connects to a certain IRC server and joins a specific IRC channel to receive commands.
The following are the types of commands that the bot client is capable of executing, as well as their effects:
- attack – Performs Denial of Service (DoS) attacks to target sites/IPs
- stop – Stops the DoS attack
- stopall – Stops the DoS attack and terminates itself
- status – Displays the status of the current attack being performed by the bot
- update – Updates the bot’s status information
The command info displays the following information about the affected system:
- IP Address
- Machine Name
- User name
- Operating System
- Working Set
- Common Language Runtime (CLR) Version
It is not yet certain whether the same malware was used for the other attacks conducted by LulzSec. Nonetheless, this malware poses a significant threat, as it affects not only the systems it infects but also the victims of the DDoS attacks that those systems are used for.
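
A detection heuristic for the IRC command channel described above, added here as an example and not taken from Trend Micro or from the bot itself: it parses IRC lines and flags a channel only when two or more distinct command words from the list appear, since words such as "status" or "update" are common in ordinary chat. The message layout (command word as the first token of a channel PRIVMSG, with an optional one-character prefix), the `min_verbs` threshold and all sample lines are assumptions constructed for illustration; the page does not give the bot's wire syntax.

```python
import re
from collections import defaultdict

# Command words listed in the write-up above.
BOT_VERBS = {"attack", "stop", "stopall", "status", "update", "info"}

# RFC 1459 message: optional ":prefix", command, middle params, optional " :trailing".
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^:\s]\S*)*)(?: :(?P<trail>.*))?$")

def parse_privmsg(line):
    """Return (sender_nick, channel, text) for a channel PRIVMSG, else None."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m or m.group("cmd").upper() != "PRIVMSG":
        return None
    params = m.group("params").split()
    if not params or params[0][0] not in "#&":
        return None  # not addressed to a channel
    text = m.group("trail")
    if text is None:  # single-word message sent without the ":" marker
        text = params[1] if len(params) > 1 else ""
    nick = (m.group("prefix") or "").split("!", 1)[0]
    return nick, params[0].lower(), text

def suspicious_channels(lines, min_verbs=2):
    """Map channel -> sorted verbs seen, for channels with >= min_verbs distinct verbs."""
    seen = defaultdict(set)
    for line in lines:
        msg = parse_privmsg(line)
        if msg is None:
            continue
        _nick, channel, text = msg
        tokens = text.split()
        # Assumption: command word is the first token, optionally prefixed by "!" or ".".
        if tokens and tokens[0].lstrip("!.").lower() in BOT_VERBS:
            seen[channel].add(tokens[0].lstrip("!.").lower())
    return {c: sorted(v) for c, v in seen.items() if len(v) >= min_verbs}

# Constructed sample traffic (documentation IP ranges, made-up nicks and channels).
SAMPLE = [
    ":op!u@host.example PRIVMSG #ops-constructed :attack 192.0.2.10",
    ":bot7!b@203.0.113.5 PRIVMSG #ops-constructed :attacking 192.0.2.10",
    ":op!u@host.example PRIVMSG #ops-constructed :status",
    ":op!u@host.example PRIVMSG #ops-constructed :stopall",
    ":alice!a@host.example PRIVMSG #helpdesk :status of my ticket?",
    ":bob!b@host.example PRIVMSG #helpdesk :please restart the update service",
    "PING :irc.example",
]

if __name__ == "__main__":
    print(suspicious_channels(SAMPLE))
```

The `#helpdesk` channel is not flagged because only one listed word ever opens a message there; raising `min_verbs` trades sensitivity for fewer false positives on busy chat networks.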