Zyklon HTTP Botnet – Radware

Abstract

Zyklon HTTP is a botnet kit currently sold on the Darknet (see Figure 1), on HackForums and in a number of members-only communities. It supports Tor for anonymizing the connection to its command-and-control (C&C) panel and ships with a number of additional features: several types of DDoS attack, data theft and fraud. It also carries self-protection mechanisms that detect other malware on the infected host so that the bot stays available. Zyklon targets PCs and is spread by a number of methods, including phishing.

Attack Methods

Distributed Denial of Service

  • HTTP Flood
    Consists of seemingly legitimate, session-based sets of HTTP GET or POST requests designed to consume a significant amount of the server's resources, which can result in a denial-of-service condition without necessarily requiring a high rate of network traffic.
  • TCP flood
    Sends numerous SYN packets to the victim. In many cases attackers spoof the source IP so the reply (the SYN+ACK packet) never returns, overwhelming the session/connection tables of the targeted server or firewall. Servers must open a state entry for each SYN packet that arrives and store it in tables of limited size that are easily filled. Once this happens, the server drops new requests, including legitimate ones.
  • UDP Flood
    The attacker sends large UDP packets to a single destination or to random ports. Since UDP is connectionless and has no handshake, the main intention of a UDP flood is to saturate the Internet pipe. Usually the attackers spoof the source IP.
  • SYN Flood
    Overwhelms a target machine by sending thousands of connection requests using spoofed IP addresses. The target attempts to open a connection for each malicious request and then waits for an ACK packet that never arrives. Because the handshake is never completed, the massive number of half-open connections quickly fills the server's TCB table before it can time any of them out.
  • SlowLoris
    By sending HTTP headers in tiny chunks as slowly as possible (just before the server would time out the request), the target server is forced to keep waiting for the headers to arrive. If enough connections are opened to the server in this fashion, it is unable to handle legitimate requests.
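As an added example (not code from the advisory or from Zyklon), the following Go program shows the simplest server-side check for the HTTP flood described above: it parses access-log lines in the Apache/nginx combined format and flags any source IP that issues more than a threshold number of requests inside a sliding time window. The log excerpt, the IP addresses, the window and the threshold are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// SampleLog is a constructed access-log excerpt in combined format. The
// source 203.0.113.7 fires 12 requests in four seconds, 198.51.100.2 sends
// three requests over forty seconds, and one line is deliberately malformed.
const SampleLog = `198.51.100.2 - - [10/Oct/2017:13:55:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:36 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:37 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:37 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:37 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:38 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:38 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:38 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:39 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:39 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:39 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2017:13:55:45 +0000] "GET /about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is garbage and must be skipped
198.51.100.2 - - [10/Oct/2017:13:56:10 +0000] "GET /contact HTTP/1.1" 200 512 "-" "Mozilla/5.0"`

// combinedLine captures the client address and the bracketed timestamp;
// the request line, status and user agent that follow are not needed here.
var combinedLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\]`)

// Request is one parsed log entry.
type Request struct {
	IP string
	At time.Time
}

// ParseLine extracts the source IP and timestamp from one combined-format line.
func ParseLine(line string) (Request, error) {
	m := combinedLine.FindStringSubmatch(line)
	if m == nil {
		return Request{}, fmt.Errorf("unparseable line: %q", line)
	}
	at, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
	if err != nil {
		return Request{}, err
	}
	return Request{IP: m[1], At: at}, nil
}

// FloodSources returns every source IP whose request count inside some
// sliding window of length window exceeds threshold, mapped to its peak count.
func FloodSources(log string, window time.Duration, threshold int) map[string]int {
	perIP := map[string][]time.Time{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		r, err := ParseLine(sc.Text())
		if err != nil {
			continue // malformed lines are skipped, not attributed to anyone
		}
		perIP[r.IP] = append(perIP[r.IP], r.At)
	}
	offenders := map[string]int{}
	for ip, ts := range perIP {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		peak, start := 0, 0
		for end := range ts {
			// advance the window start until it lies within window of ts[end]
			for ts[end].Sub(ts[start]) >= window {
				start++
			}
			if n := end - start + 1; n > peak {
				peak = n
			}
		}
		if peak > threshold {
			offenders[ip] = peak
		}
	}
	return offenders
}

func main() {
	for ip, n := range FloodSources(SampleLog, 10*time.Second, 10) {
		fmt.Printf("%s: %d requests inside one 10s window\n", ip, n)
	}
}
```

Real thresholds must be derived from the site's normal per-client rate, and a per-source count alone will not catch a distributed flood in which each of many bots stays below the threshold; that is where the aggregate request rate per URL and the behavioural checks described later in this advisory come in.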

Malware Contamination

  • Cloud-based malware inspection
    Zyklon H.T.T.P enumerates all startup files and uploads them to the VirusTotal online malware scanner, so that any other malicious software residing on the system is analysed. If a file is found to be malicious, Zyklon H.T.T.P terminates all processes associated with that file and removes the file along with its registry keys. For the perpetrator this ensures that enslaved client systems keep running without disruption. The botnet user can exclude files from the VirusTotal check by their MD5 hash: Zyklon H.T.T.P computes the MD5 of each startup file and skips any that matches the exclusion list. From a defender's standpoint this behaviour is itself observable: an endpoint that starts submitting its own startup files to VirusTotal is worth investigating.
  • Botkiller
    While the Cloud-based malware inspection relies on VirusTotal, Botkiller uses its own algorithm to decide whether a file is malicious, which makes it more prone to false positives. When enabled, Zyklon H.T.T.P scans all running processes, checks the locations where malware commonly resides, attempts to detect injected processes and tries to identify malware by behavioural analysis. If a file is flagged, the program follows the settings specified for the Botkiller feature, typically terminating the process and deleting all associated files and registry keys. Like the Cloud-based malware inspection, this feature exists to keep an enslaved client machine "clean" and available for the attacker's use.
  • Keylogger
    The keylogger records all keystrokes and logs them to a database. Logs are sorted by date and can be accessed from almost anywhere in the C&C panel. The panel also lets the operator restrict capture to specific window titles, avoiding bloated logs full of irrelevant entries. The keylogger supports most, if not all, languages and keyboard layouts. The operator can set the maximum number of characters the client buffers before sending them to the panel, or an interval at which the logs are uploaded.
  • Automatic updater
    Zyklon features an automatic update function that keeps all enslaved clients running the current bot build. On execution the client compares the hash of the update file with the hash of the installed file; if they differ, the updated file is downloaded and installed. This is convenient when controlling many clients.

Data Theft

  • Browser password recovery 
    The Zyklon botnet is able to recover passwords stored by popular web browsers. The most notable ones are Google Chrome, Mozilla Firefox, Internet Explorer, Opera Browser, Chrome Canary/SXS, CoolNovo Browser, Apple Safari, Flock Browser, SeaMonkey Browser, SRWare Iron Browser and Comodo Dragon Browser.
  • FTP password recovery 
    Currently supports FTP password recovery from the following FTP applications: FileZilla, SmartFTP, FlashFXP, FTPCommander, Dreamweaver, WS_FTP.
  • Gaming software key recovery 
    Currently supports around 50 PC gaming titles including Battlefield, Call of Duty, FIFA, NFS, Age of Empires, Quake, The Sims, Half-Life, IGI, Star Wars and many more.
  • License key recovery 
    Automatically detects and decrypts the license/serial keys of over 200 popular software packages including Office, SQL Server, Adobe, Nero and many more.
  • SOCKS5 proxy 
    Bots can be turned into SOCKS5 proxy servers. The client automatically checks and updates a list of active proxy servers, and supports reverse SOCKS proxying, which allows a proxy to be set up on any client.
  • Email password recovery 
    Currently recovers stored email and messaging passwords from the following applications: Microsoft Outlook Express, Microsoft Outlook 2002/XP/2003/2007/2010/2013, Mozilla Thunderbird, Windows Live Mail 2012, IncrediMail, Foxmail v6.x – v7.x, Windows Live Messenger, MSN Messenger, Google Talk, GMail Notifier, PaltalkScene IM, Pidgin (formerly Gaim) Messenger, Miranda Messenger and Windows Credential Manager.
  • Encrypted communication 
    The connection between client and server is encrypted with the RSA asymmetric algorithm (the builder accepts key sizes of 512, 1024, 2048 and 4096 bits) paired with AES-256. AES-256 keys are generated dynamically on the client, sent under the RSA key and stored encrypted in a session variable in the panel. After this initial key exchange, all communication is encrypted with AES-256. Note that 512-bit RSA has been publicly factored and offers no meaningful protection; with a sensible key size, the practical effect of the scheme is that captured bot traffic cannot be read without the panel's private key or the session key recovered from a bot's memory.
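The hybrid scheme described in the Encrypted communication item, as an added example that is not code from the advisory or from Zyklon: the panel holds an RSA key pair, the bot generates a fresh AES-256 session key, wraps it under the panel's public key, and both sides then use the session key for the traffic. RSA-OAEP with SHA-256 for the wrapping and AES-256-GCM for the session are assumptions, since the advisory names only RSA and AES-256; the command string is constructed. Go's standard library is used so the program runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Panel stands in for the C&C panel, owner of the long-term RSA key pair.
type Panel struct{ key *rsa.PrivateKey }

// NewPanel generates the panel key. bits mirrors the builder's key-size option;
// 2048 is used here (Go refuses keys under 1024 bits, and 512 is factorable).
func NewPanel(bits int) (*Panel, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Panel{key: key}, nil
}

// PublicKey is the value a builder would embed in the bot binary.
func (p *Panel) PublicKey() *rsa.PublicKey { return &p.key.PublicKey }

// ClientHello is the bot's first message: a fresh AES-256 key wrapped under the
// panel's public key. RSA-OAEP/SHA-256 is an assumption (advisory says only RSA).
func ClientHello(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// Accept is the panel side of the exchange: unwrap the session key.
func (p *Panel) Accept(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, wrapped, nil)
}

// gcmFor builds the AEAD for a session key; AES-256-GCM is an assumption.
func gcmFor(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one post-handshake message; the random nonce is prepended.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts and authenticates; any modified byte makes it fail.
func Open(key, msg []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message shorter than nonce")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

// Exchange runs the handshake, sends one command panel -> bot and returns what
// the bot decrypts; a key mismatch would surface as an Open failure.
func Exchange(bits int, command []byte) ([]byte, error) {
	panel, err := NewPanel(bits)
	if err != nil {
		return nil, err
	}
	botKey, wrapped, err := ClientHello(panel.PublicKey())
	if err != nil {
		return nil, err
	}
	panelKey, err := panel.Accept(wrapped)
	if err != nil {
		return nil, err
	}
	ct, err := Seal(panelKey, command)
	if err != nil {
		return nil, err
	}
	return Open(botKey, ct)
}

func main() {
	out, err := Exchange(2048, []byte("constructed command: upload keylog"))
	fmt.Printf("bot received %q (err=%v)\n", out, err)
}
```

Two properties of this design matter to an analyst: the bot never authenticates itself beyond knowing the panel's public key, so anyone with a copy of the binary can talk to the panel, and a passive capture of the traffic is useless without either the panel's private key or the session key pulled from a running bot's memory.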

In its previous version, Zyklon could also perform crypto mining, but this feature was removed in the latest update. It is likely to return in a more mature and sophisticated form, as it turned infected computers into Bitcoin miners for profit, a popular capability in botnet kits.
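The SOCKS5 proxy item in the Data Theft list above means a compromised endpoint starts speaking RFC 1928 on the wire, which is something a network sensor can recognise. The following Go parser is an added example, not code from the advisory or from Zyklon: it decodes a SOCKS5 client greeting and a CONNECT request from captured bytes and rejects truncated or malformed input rather than guessing, so a detector built on it does not misfire on arbitrary binary traffic. The byte strings are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Constructed captures of what a client sends to a SOCKS5 proxy (RFC 1928):
// a greeting offering "no authentication", then CONNECT requests to a domain
// name (example.com:80) and to an IPv4 literal (192.0.2.1:443).
var (
	SampleGreeting      = []byte{0x05, 0x01, 0x00}
	SampleConnectDomain = append(append([]byte{0x05, 0x01, 0x00, 0x03, 0x0b}, "example.com"...), 0x00, 0x50)
	SampleConnectIPv4   = []byte{0x05, 0x01, 0x00, 0x01, 192, 0, 2, 1, 0x01, 0xbb}
)

// Socks5Request is a decoded request: VER CMD RSV ATYP DST.ADDR DST.PORT.
type Socks5Request struct {
	Cmd  string
	Host string
	Port int
}

var cmdNames = map[byte]string{0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP ASSOCIATE"}

// IsSocks5Greeting reports whether b is a well-formed client greeting:
// VER=5, NMETHODS, then exactly NMETHODS method bytes.
func IsSocks5Greeting(b []byte) bool {
	return len(b) >= 2 && b[0] == 0x05 && len(b) == 2+int(b[1])
}

// ParseSocks5Request decodes a request, returning an error for anything
// that is truncated, has a bad version/reserved byte, or an unknown command
// or address type.
func ParseSocks5Request(b []byte) (Socks5Request, error) {
	var r Socks5Request
	if len(b) < 4 || b[0] != 0x05 || b[2] != 0x00 {
		return r, errors.New("not a SOCKS5 request header")
	}
	cmd, ok := cmdNames[b[1]]
	if !ok {
		return r, fmt.Errorf("unknown command 0x%02x", b[1])
	}
	addr := b[4:]
	var n int // length of DST.ADDR
	switch b[3] {
	case 0x01, 0x04: // IPv4 or IPv6 literal
		n = net.IPv4len
		if b[3] == 0x04 {
			n = net.IPv6len
		}
		if len(addr) < n {
			return r, errors.New("truncated IP address")
		}
		r.Host = net.IP(addr[:n]).String()
	case 0x03: // length-prefixed domain name
		if len(addr) < 1 || len(addr) < 1+int(addr[0]) {
			return r, errors.New("truncated domain name")
		}
		n = 1 + int(addr[0])
		r.Host = string(addr[1:n])
	default:
		return r, fmt.Errorf("unknown address type 0x%02x", b[3])
	}
	if len(addr) < n+2 {
		return r, errors.New("missing destination port")
	}
	r.Cmd = cmd
	r.Port = int(binary.BigEndian.Uint16(addr[n : n+2]))
	return r, nil
}

func main() {
	fmt.Println("greeting:", IsSocks5Greeting(SampleGreeting))
	for _, msg := range [][]byte{SampleConnectDomain, SampleConnectIPv4, SampleConnectDomain[:10]} {
		req, err := ParseSocks5Request(msg)
		fmt.Printf("%+v err=%v\n", req, err)
	}
}
```

Applied to the first bytes of inbound connections on a workstation, or of outbound connections when the bot uses the reverse-proxy mode, a successful decode of a greeting followed by a CONNECT request is a strong indication that the endpoint is being used as a proxy, which ordinary workstations have no business being.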

Pricing

  • $75 for a basic version
  • $125 for a Tor version, which connects to the user panel over Tor's anonymity network so that the location of the Command & Control server is hidden from the bots and from anyone inspecting their traffic. Tor comes bundled inside the client and is loaded at runtime, so nothing has to be downloaded from the internet.
  • $15 set up fee (optional) – the vendor will set up the botnet for the client on a client provided domain but will not maintain the server after setup

How to Protect Against the Zyklon H.T.T.P Botnet?

Perpetrators create an .exe file with the Zyklon H.T.T.P Builder and deliver it to the victim by a number of methods, including phishing email, typically by binding the malicious .exe to a legitimate-looking file such as a popular game, application or document. Once the victim runs the payload, the malware runs silently in the background with the keylogger and other features enabled, and the captured data is sent back to the C&C panel according to the settings the attacker configured. Once infected, there is very little an individual user can do to prevent data loss, and the attacker can also instruct the victim's computer to take part in DDoS attacks.

To Avoid Bot Contamination and Guard Sensitive Data:

  • Organizations should train their personnel to recognize phishing attempts
  • Deploy an advanced bot detection solution that can cut the connection between an infected machine and the C&C server
  • Prevent leakage of passwords, credentials and confidential files
  • Prevent endpoints from being turned into proxies

Key Considerations for Effective DDoS Protection

  • A security solution that protects the infrastructure from multi-vector DDoS attacks: network- and application-layer attacks as well as volumetric attacks that saturate the Internet pipe
  • A hybrid solution that combines on-premise detection and mitigation with cloud-based protection for volumetric attacks, giving quick detection and immediate mitigation while protecting the network from attacks that aim to saturate the Internet pipe
  • A DDoS solution that provides DDoS protection against sophisticated web-based attacks and web site intrusions to prevent defacement and information theft.
  • A cyber-security emergency response plan that includes an emergency DDoS Service with a response team and process in place. Identify areas where help is needed from a third party.

Radware recommends that IT teams monitor security alerts and examine triggers carefully, and tune existing policies and protections to reduce false positives so that real threats are identified when they occur.
