Indian network security researchers have noticed an increase in DDoS attacks from a Windows OS and Windows Explorer vulnerability. The attack allows hackers to deliver a malware payload which spreads across the network to infect other machines, and can be controlled by a Command and Control (CnC) server.

In this case, the malware installs via user access to a malicious website. After checking for compatibility, the malware, as part of its penetration into the system, disables restricted VBScript functionality within the browser. This process; which involves changing the safemode flag within the browser, is also known as the “GodMode” exploit. Once “GodMode” is exploited, the virus is downloaded, then the virus payload connects to a remote CnC server, downloads  additional malware executable files, copies itself into C:\WINDOWS\, and deletes itself to avoid detection. Once installed, the malware spreads throughout the network, and executes DDoS attacks specified by the CnC server. To avoid this infection, researchers suggest immediately installing the latest system and browser updates.

Would you be able to tell if your network was infected with this attack? Updating your browser and operating system might stop future infection, but what about if the infection has already happened, and the malware is lying in wait? GREYCORTEX MENDEL identifies threats like the one described here because its advanced artificial intelligence and machine learning identify communication between the malware and its CnC server. MENDEL is unique in the industry because it can distinguish malware communication with a CnC server from human communication. MENDEL can also identify the threat through flow analysis. Because it analyzes all network flow data (rather than just a specific profiled flow - like Netflow or IPFIX), its IDS engine can identify the malware’s signature, even though it is encrypted.

To learn more about how GREYCORTEX can help you identify attacks of this nature, contact your IT Security professional, or GREYCORTEX directly.

The original research on the attack can be found here: http://blogs.quickheal.com/ddos-attacks-spreading-godmode-exploit-cve-2014-6332/