Researchers have detected new attacks originating from a souped-up variant of the DIY Dirt Jumper DDoS toolkit they’ve taken to calling Drive.
While it hasn’t been seen spreading through any underground forums yet, the up-and-coming threat apparently boasts a “much more powerful DDoS engine than its predecessors” and could be primed for expansion. Currently attacks coming from the toolkit have connected with 15 unique command and control servers that have gone on to hit 60 targets at once over an extended time period.
Jason Jones with Arbor Networks’ Security Engineering and Response Team (ASERT) wrote about the malware yesterday on the company’s blog.
According to Jones, Drive has “targeted a popular online retailer, search engine, a popular security news site and some foreign financial institutions for a number of hours” over the past few months.
One of Drive’s C+C servers was online for at least three months, a long time for something coming from the Dirt Jumper family. According to Arbor’s research that C+C had queries peaking above 2,000 while most averaged around 1,500, making it a “significant threat,” at least for those three months.
That same C+C was also spotted blocking connections based on geographic location – something that gave the Arbor Networks researchers trouble at first.
“This C+C was seen targeting foreign financial institutions and has recently appeared to go offline again, but it is possible that it once again shifted its allowed victims to a different geography,” Jones wrote.
Dirt Jumper has been seen in the past, mostly driving politically motivated attacks. In 2011 it was spotted launching DDoS attacks on Russian gaming and technology websites before going on to plague Russian media sites in advance of the nation’s presidential election in 2012.
It sounds as if Drive, clearly more sophisticated than Dirt Jumper, has fixed the weaknesses researchers previously found in its original incarnation. Last year, researchers at Prolexic discovered a way to stop Dirt Jumper attacks by identifying its C+C servers and altering its back-end database.
“With this information, it is possible to access the C&C server and stop the attack,” Prolexic CEO Scott Hammack said at the time.
While Dirt Jumper’s heyday was mostly thought to be over, a newer, more refined variant like Drive – even though it’s in its infancy – could kickstart the toolkit’s popularity.