
Born on the 4th of July

Symantec Security Response
July 9th, 2009
Tags: Endpoint Protection (AntiVirus), Emerging Threats, Malicious Code, Security, Security Response

Fireworks weren't the only thing going off on the 4th of July. Several U.S. and South Korean government, financial, and media websites were hit by distributed denial-of-service (DDoS) attacks and, at various times, were knocked offline. There has been a lot of speculation about the source of the attacks, but here is what we know so far.

We've observed a number of malware components that are responsible for the attacks. W32.Dozer, Trojan.Dozer, W32.Mydoom.A@mm, and W32.Mytob!gen work in tandem to both spread and attack. W32.Dozer is a dropper that contains all the other components; W32.Mytob!gen mails it to email addresses harvested from the compromised computer. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the compromised computer. W32.Mydoom.A@mm in turn drops W32.Mytob!gen along with a removal tool built by the threat authors, which lets them uninstall W32.Mytob!gen if they so choose. W32.Mytob!gen then gathers email addresses, sends the W32.Dozer dropper to them, and the cycle continues.


Trojan.Dozer acts as a backdoor and connects to remote hosts on specific TCP ports. We have observed it contacting the following IP addresses and ports; note that 53, 80, and 443 are the ports normally used for DNS, HTTP, and HTTPS, so the traffic blends in with ordinary outbound connections:

213.33.116.41 through TCP port 53
216.199.83.203 through TCP port 80
213.23.243.210 through TCP port 443

Over these connections the Trojan receives commands that allow it to update itself and report the status of the DDoS. Another command instructs it to launch DDoS attacks against a predetermined list of sites read from a component file. The Trojan can flood a target with HTTP GET or POST requests, or with UDP, ICMP, TCP ACK, or TCP SYN packets.

While these attacks are ongoing, you can do your part by keeping your security software up to date. Worth noting: filtering email attachments at the gateway and blocking the IP addresses listed above in your firewall can help take the boom out of Mydoom and the bull out of Dozer. Log any blocked connection attempts to those addresses as well; a host that keeps trying to reach them is infected and needs cleaning.
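The three IP:port pairs above are useful as indicators on their own. The following is an added example, not code from the Symantec post, showing how a practitioner would sweep outbound firewall logs for hosts that tried to reach Trojan.Dozer's controllers. The log format and the sample lines are constructed for illustration; only the indicator list comes from the post. Matching is on the exact address and TCP port pair, so ordinary DNS over UDP/53 or HTTPS to unrelated hosts does not trigger, and denied attempts are reported too, because a blocked connection still means the source host is infected.

```python
"""Flag internal hosts that contacted Trojan.Dozer's command-and-control endpoints.

Added example; not part of the original Symantec post. The indicator set is the
three IP:port pairs named in the post. The log format and SAMPLE_LOG below are
constructed (a hypothetical 'timestamp src -> dst:port/proto action' export).
"""
import ipaddress
from collections import defaultdict

# Indicators from the post: (controller address, TCP destination port)
DOZER_C2 = {
    ("213.33.116.41", 53),
    ("216.199.83.203", 80),
    ("213.23.243.210", 443),
}

# Constructed sample firewall log lines (hypothetical format):
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port>/<proto> <action>"
SAMPLE_LOG = """\
2009-07-07T09:12:01 10.1.4.22 -> 213.33.116.41:53/tcp ALLOW
2009-07-07T09:12:02 10.1.4.22 -> 8.8.8.8:53/udp ALLOW
2009-07-07T09:12:05 10.1.7.90 -> 216.199.83.203:80/tcp ALLOW
2009-07-07T09:12:09 10.1.4.22 -> 213.23.243.210:443/tcp DENY
2009-07-07T09:12:11 10.1.9.13 -> 213.23.243.210:80/tcp ALLOW
2009-07-07T09:12:14 10.1.2.5 -> 93.184.216.34:443/tcp ALLOW
malformed line that should be skipped
"""


def parse_line(line):
    """Return (src, dst, dport, proto, action), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    _ts, src, _, dst_spec, action = parts
    try:
        dst_and_port, proto = dst_spec.rsplit("/", 1)
        dst, port = dst_and_port.rsplit(":", 1)
        # Validate both addresses; a non-address token makes the line garbage.
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return src, dst, int(port), proto.lower(), action.upper()
    except ValueError:
        return None


def find_dozer_hosts(log_text):
    """Map each source IP to the set of (dst, port, action) C&C contacts it made.

    Only an exact (address, port) pair over TCP counts, so the same address on
    a different port, or the same port to a different address, is ignored.
    DENY entries are kept: a blocked attempt still identifies an infected host.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port, proto, action = rec
        if proto == "tcp" and (dst, port) in DOZER_C2:
            hits[src].add((dst, port, action))
    return dict(hits)


if __name__ == "__main__":
    for host, contacts in sorted(find_dozer_hosts(SAMPLE_LOG).items()):
        print(host)
        for dst, port, action in sorted(contacts):
            print(f"  -> {dst}:{port}/tcp ({action})")
```

Run against the constructed sample, the sweep flags 10.1.4.22 (one allowed contact on 53, one denied on 443) and 10.1.7.90, while 10.1.9.13 is not reported because it reached a listed address on an unlisted port. Point the same function at a real export once the log line format is adapted in `parse_line`.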

