Symantec Warns of New Zemra Bot


Symantec researchers have uncovered a new DDoS crimeware bot called Zemra.

"Lately, this threat has been observed performing denial-of-service attacks against organizations with the purpose of extortion," writes Symantec's Alan Neville. "Zemra first appeared on underground forums in May 2012 at a cost of €100. This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that is has a command-and-control panel hosted on a remote server. This allows it to issue commands to compromised computers and act as the gateway to record the number of infections and bots at the attacker's disposal."

"Zemra’s main functionality is to launch DDOS attacks, but it also comes with a number of other interesting features," writes Softpedia's Eduard Kovacs. "It’s able to monitor devices, collect system information, execute files, and even update or uninstall itself if necessary. The malware uses 256-bit DES encryption for communicating with its command and control (C&C) server and it can spread via USB devices."

"Symantec researchers analyzed two types of Zemra’s DDoS attacks: the HTTP flood and the SYN flood," writes Threatpost's Christopher Brook. "The HTTP flood attack can open and close raw socket connections while the SYN flood can send multiple requests via SYN packets to a targeted computer. The abundance of requests creates a backlog of TCB creation requests, fatiguing the server and making it unable to address any legitimate requests."