
Neurevt DDoS Attacks Turkish Organizations

By He Xu | April 09, 2014

Neurevt, a.k.a. Beta Bot, is an infamous bot that has held our attention since March 2013. It carries many effective modules covering most of what a cybercrime operation needs, including the ability to launch distributed denial-of-service (DDoS) attacks on commands issued by its command-and-control (C&C) server.

Neurevt supports several DDoS methods, including UDP, TCP and HTTP GET. Recently, one Neurevt variant launched a large DDoS attack from its network of compromised computers. The attack was captured by our botnet monitoring system, which tracks the activities of most Neurevt variants.

The DDoS Attacks

On March 27, 2014, Neurevt started simultaneous attacks against three organizations in Turkey.

Target 1: TCP Method

The first victim is a data center. The bot sent a stream of TCP packets to the destination IP, shown here as {Removed}.88.64, on port 13000.


Figure 1. TCP packets sent.

When the bot succeeded in connecting to the server, it received 15 bytes of data from the server and then closed the connection immediately. Line 4 of Figure 2 below shows the data received from the server.


Figure 2. Successful connection.

Below is an example of the 15-byte data received from the server.


Figure 3. 15-byte data received from server.

Because of how TCP works, the server-side application has to keep each accepted connection, and whatever it allocated for it, until it notices that the client (here, the bot) has gone away or answers. One bot opening and dropping connections in a tight loop, multiplied across the botnet, leaves the server holding a very large number of such connections at once, and its resources are exhausted.

Target 2: HTTP GET Method

The second target is tur{Removed}.net, a game web site located in Umraniye, Turkey. In this attack, the bot used the HTTP GET method to continuously download the web site's home page.

We could not get the details of the attack against this domain because its IPs, shown here as {Removed}.0.58 and {Removed}.126.18, were already down by the time we monitored it. The host was unreachable most of the time, and the bot received no response when it attempted to connect.


Figure 4. Server unreachable.

Even on the few occasions when the bot reached the server, the TCP connection was unstable, and we could capture only the initial TCP SYN traffic, as seen below.


Figure 5. Unstable TCP connection.
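From the defender's side, the two patterns above (a host opening hundreds of short connections to one port, each answered with a few bytes and closed at once, and the same host sending bare SYNs to a server that no longer answers) are easy to spot in connection logs. The following is an added example, not code from the original post or from Fortinet: it runs a simple per-source rate check over a constructed, Zeek conn.log-style record set (fields ts, src, dst, dport, duration, resp_bytes, conn_state are an assumption about the log format; the thresholds and addresses are illustrative). It flags an infected host for both the port 13000 connection flood and the unanswered HTTP flood while leaving a normal workstation alone.

```python
"""Flag hosts whose outbound connections look like a Neurevt-style flood.

Input records are a Zeek conn.log-style subset (assumption: ts, src, dst,
dport, duration, resp_bytes, conn_state). The sample below is constructed.
"""
from collections import defaultdict


def build_sample():
    """Constructed records, not real capture data."""
    recs = []
    t = 1395900000.0  # arbitrary start time (epoch seconds)
    # Infected host: 300 short connections to a server on port 13000, each
    # answered with 15 bytes and closed at once (Target 1 pattern).
    for i in range(300):
        recs.append((t + i * 0.2, "10.0.0.5", "203.0.113.10", 13000, 0.01, 15, "SF"))
    # Same host: 200 connection attempts to a web server that is down
    # (Target 2 pattern): SYN sent, nothing answered (Zeek state S0).
    for i in range(200):
        recs.append((t + i * 0.3, "10.0.0.5", "198.51.100.7", 80, 0.0, 0, "S0"))
    # A normal workstation: a handful of ordinary HTTPS sessions.
    for i in range(5):
        recs.append((t + i * 10.0, "10.0.0.9", "192.0.2.20", 443, 2.5, 40000, "SF"))
    return recs


def flood_candidates(records, window=60.0, min_conns=100, short=1.0, short_frac=0.9):
    """Return {(src, dst, dport): stats} for every source that opened at least
    `min_conns` connections to one destination port within a `window`-second
    bucket, with at least `short_frac` of them lasting `short` seconds or less.
    Thresholds are illustrative; tune them to the network being monitored."""
    buckets = defaultdict(list)
    for ts, src, dst, dport, dur, resp, state in records:
        buckets[(src, dst, dport, int(ts // window))].append((dur, resp, state))

    hits = {}
    for (src, dst, dport, _), conns in buckets.items():
        n = len(conns)
        if n < min_conns:
            continue
        n_short = sum(1 for dur, _, _ in conns if dur <= short)
        if n_short / n < short_frac:
            continue
        stats = hits.setdefault((src, dst, dport),
                                {"conns": 0, "unanswered": 0, "resp_bytes": 0})
        stats["conns"] += n
        # S0 = SYN seen, no reply: the target is down or dropping the flood.
        stats["unanswered"] += sum(1 for _, _, st in conns if st == "S0")
        stats["resp_bytes"] += sum(resp for _, resp, _ in conns)
    return hits


if __name__ == "__main__":
    for (src, dst, dport), s in sorted(flood_candidates(build_sample()).items()):
        print(f"{src} -> {dst}:{dport}  conns={s['conns']} "
              f"unanswered={s['unanswered']} resp_bytes={s['resp_bytes']}")
```

A high count of unanswered (S0) connections from one internal host to a single external port is itself a useful signal: a legitimate client gives up, whereas the bot, as the post notes, keeps trying indefinitely.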

Target 3: TCP Method On Two Ports

The third target is another data center. For this attack, the Neurevt C&C server issued two DDoS commands that attacked two TCP ports of the target server at the same time. As seen in Figure 6 below, the target IP is {Removed}.35.22 and the ports used are 13000 and 3306. Port 3306 is the default port of the MySQL database server.


Figure 6. TCP attacks on two ports.

Sometimes the initial TCP traffic continued for a while, but it eventually failed and the bot received the server's error message.


Figure 7. TCP traffic.

The error message received from the server is "Too many connections", sent in plain text. MySQL returns this error (error code 1040) when its max_connections limit has been reached, so during the attack period the database is inaccessible to everyone, and every service that depends on it fails.


Figure 8. Error message.
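Because the refusal travels in plain text, a capture from port 3306 can be triaged automatically: count how many server-to-client streams begin with a MySQL ERR packet carrying error 1040. The parser below is an added example, not code from the original post or from Fortinet. It follows the MySQL client/server packet layout (4-byte header, 0xFF marker, 2-byte error code, optional "#" plus five-character SQLSTATE, then the message); the sample packets are constructed, and the assumption is that the capture has already been reassembled into per-stream server payloads.

```python
"""Recognise MySQL "Too many connections" refusals in captured server-to-client
TCP payloads. Packet layout follows the MySQL client/server protocol; the
sample payloads below are constructed, not taken from the capture."""

ER_CON_COUNT_ERROR = 1040  # MySQL error code behind "Too many connections"


def parse_mysql_err_packet(payload):
    """Parse one MySQL packet and return its fields if it is an ERR packet.

    Layout: 3-byte little-endian payload length, 1-byte sequence id, then the
    payload: 0xFF marker, 2-byte little-endian error code, an optional
    '#' + 5-character SQLSTATE (sent when the server speaks protocol 4.1),
    and the human-readable message. Returns None for anything else.
    """
    if len(payload) < 7:
        return None
    length = int.from_bytes(payload[0:3], "little")
    body = payload[4:4 + length]
    if len(body) != length or body[0] != 0xFF:
        return None  # truncated, or not an ERR packet (e.g. a server greeting)
    code = int.from_bytes(body[1:3], "little")
    rest = body[3:]
    sqlstate = None
    if len(rest) >= 6 and rest[:1] == b"#":
        sqlstate = rest[1:6].decode("ascii", "replace")
        rest = rest[6:]
    return {
        "seq": payload[3],
        "code": code,
        "sqlstate": sqlstate,
        "message": rest.decode("utf-8", "replace"),
    }


def is_connection_refusal(payload):
    """True if the payload is MySQL refusing a connection for lack of slots."""
    pkt = parse_mysql_err_packet(payload)
    return pkt is not None and pkt["code"] == ER_CON_COUNT_ERROR


def count_refusals(payloads):
    """Count refusals in a sequence of captured server payloads, e.g. the first
    data segment of every server-to-client stream on port 3306."""
    return sum(1 for p in payloads if is_connection_refusal(p))


def _packet(body, seq=0):
    """Prepend the 4-byte MySQL packet header (helper for the constructed samples)."""
    return len(body).to_bytes(3, "little") + bytes([seq]) + body


# Constructed samples (not from the capture). 1040 on the wire is 0x10 0x04.
ERR_WITH_SQLSTATE = _packet(
    b"\xff" + (1040).to_bytes(2, "little") + b"#08004" + b"Too many connections")
ERR_WITHOUT_SQLSTATE = _packet(
    b"\xff" + (1040).to_bytes(2, "little") + b"Too many connections")
# A normal server greeting starts with the protocol version byte 0x0a, not 0xFF.
HANDSHAKE = _packet(b"\x0a" + b"5.6\x00" + b"\x00" * 20)


if __name__ == "__main__":
    for p in (ERR_WITH_SQLSTATE, ERR_WITHOUT_SQLSTATE, HANDSHAKE):
        print(parse_mysql_err_packet(p))
    print("refusals:", count_refusals([ERR_WITH_SQLSTATE, HANDSHAKE, ERR_WITHOUT_SQLSTATE]))
```

A sudden rise in the refusal count, paired with many short-lived connections from a few sources, distinguishes a connection flood from a genuinely overloaded application; the same ERR packet also appears when legitimate clients are turned away during the attack.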


According to our analysis, once the bot receives and executes an attack command from its C&C server, it continues the attack indefinitely. This exhausts the bandwidth of the compromised network, and the infected user may be unable to use the system normally. The only way to stop the attack is to kill the bot process manually or to reboot the system.

As we have seen, these DDoS attacks can be particularly damaging. To make sure your computer is not part of a malicious botnet such as Neurevt's, apply safe computing practices: be careful when clicking links and opening attachments, and keep your antivirus software and security updates current.

