Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to news

Doctor Web discovers a botnet that attacks Russian banks

November 14, 2016

Doctor Web’s specialists have pinpointed that the Trojan BackDoor.IRC.Medusa.1 was used by cybercriminals to carry out the recent series of DDoS attacks on the Rosbank and Eximbank of Russia websites.

BackDoor.IRC.Medusa.1 is a malicious program belonging to the IRC bot category. Trojans of this category can unite into botnets and receive instructions over the IRC (Internet Relay Chat) protocol. After connecting to a specific chat channel, IRC bots wait for directives. The main function of BackDoor.IRC.Medusa.1 is to perform DDoS attacks. Doctor Web’s security researchers believe this was the Trojan used to carry out the attack on Sberbank of Russia that was recently covered by the mass media.

BackDoor.IRC.Medusa.1 carries out several types of DDoS attacks and can also download and run executable files on an infected computer. The below figure shows a botnet operator manual published by the virus makers. The manual describes a botnet created using BackDoor.IRC.Medusa.1 and contains a list of commands the Trojan can execute:

screen BackDoor.IRC.Medusa.1 #drweb

The Trojan is being actively promoted on underground forums. Its creators claim that a botnet consisting of 100 infected computers is capable of generating up to 20,000-25,000 requests per second with a peak value of 30,000. As proof, they show a diagram of a test attack on the NGNIX http server:

screen BackDoor.IRC.Medusa.1 #drweb

Currently, 314 active connections are registered on one of the IRC channels controlling the BackDoor.IRC.Medusa.1 botnet. A Doctor Web analysis of the command log revealed that from November 11 to November 14, 2016, the cybercriminals attacked the following websites multiple times: rosbank.ru (Rosbank) and eximbank.ru (Eximbank of Russia) as well as fr.livraison.lu and en.livraison.lu (the Livraison restaurant chain) and korytov-photographer.ru (a private website).

screen BackDoor.IRC.Medusa.1 #drweb

The signature for BackDoor.IRC.Medusa.1 is already in the Dr.Web for Linux database. Doctor Web’s specialists are keeping a close watch on the situation.

More about this Trojan

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040