Zscaler ThreatLabZ researchers identified a new DoS bot family named Siren that uses 10 different DoS methods to carry out attacks.
The bot is capable of carrying out HTTP, HTTPS, and UDP flooding on any web server location as instructed by the command-and-control (C&C) server, according to a Dec. 21 blog post.
Siren is also capable of downloading and executing a payload from the URL given by the C&C server, updating, deleting itself using the cmd process, and uninstalling itself using the same process.
“We saw that a Russian education material website (https://deti-online[.]com) was the intended target for this bot,” researchers said in the report. “We also identified other locations, such as forum.exlpoit[.]in and x3p0[.]xyz, as the DoS targets from the C&C server during our analysis.”
The bot selects its DoS method based on data it receives from its C&C server such as the type of ports, data, sleep time, sockets, and size of packets that will be used during flooding.
One of the methods involves getting cookies for the target URL using InternetGetCookieEx and uses them in the HTTP header when generating flood requests then sends multiple requests to the target URL based on the protocol (HTTP/HTTPS) and method (POST/GET).
In another method the malware creates 50 sockets and sends 50 HTTP requests before executing a sleep command with the value supplied by the C&C server and will repeat the process until taskID is active.
The bot also uses various methods that receive arguments such as the size of random data, number of sockets, and port information from the C&C server and will generate random data based on specified size, open multiple sockets, and flood the target URL with the randomly generated data.
