Virus Bulletin 2011 – Chinese DDoS Bots

Hello from Virus Bulletin 2011! Several talks this morning were very good, and an unusual topic about DDoS in the east was presented early in the afternoon.

Over 40 families of Chinese DDoS bots were identified by Arbor Networks and have been tracked over the past year. Online occurance of the malware itself is increasing. A ton of these families are cropping up all the time, at least a new one every week appears with an unusual new capability. When these botnets are used to DDoS an online presence, often it is difficult to understand or even speculate what the motivation behind the attack may be. Most of the code base is shared, cobbled together, and generally was thrown together by inexperienced writers.

Arbor writes and maintains “fake bot” monitors to log data and activity of these botnets and build up a better picture of attacks and profile of groups. One of these familes represents the “typical” Chinese DDoS bot: darkshell is a great example of the rudimentary and simple level of network traffic obfuscation, but it’s as sophisticated as it gets for these families.

Jeff Edwards described the “typical” CN-DDoS bot as written in C/C++. At Arbor, he sees no delphi, VB, or C# based Chinese DDoS bots. They maintain no advanced hiding mechanisms and there are probably going to be really bad typos in service names or strings in the bots. The bots use a very basic installation to Windows service and some use http, but most use raw tcp connections to their command and control (CnC) servers residing at 3322.org or 8866.org free dynamic dns providers’ domains. Surprisingly, they usually attack a single victim at a time, unlike eu, us or russian DDoS botnets. The victim usually hosts Chinese content and attacks usually last two hours. Next in line for Chinese DDoS victims are US sites, and they receive about a quarter of the attacks. Most of these sites host some form of Chinese content, whether it’s gaming or music sites.

The Chinese DDoS attack engines that make these bot families unique from other regional bots is the very large set of DDoS attack capabilities maintained in each. Winsock2-based HTTP flood capabilities were the most common or the bots’ DDoS capabilities and are used to take down web sites, followed by UDP, TCP and ICMP flood capabilities. Of the ten more common attacks, “slow HTTP” attacks were noticeably absent from Chinese DDoS bots, which are commonly present in Russian, American and Euro DDoS bots. Edwards mentioned that even Anonymous attacks are using slow http.

yoyoddos is the most active of the DDoS families that they are tracking. The family also maintains the first spot as sustaining the longest attack against a site of these CN DDoS families. This one launched a particular attack for 45 days straight. The family consistently attacks Chinese manufacturers of industrial food processing equipment, and Edwards observed the family targeting both ice cream and custard equipment makers in the same campaign.

But Chinese web sites are not the only recipients of the DDoS attacks. jkddos tends to go after large, very prominent, financial and investment companies. On 6 different occasions the family was used to DDoS a very large and prominent NYC commercial real estate holding company, and its longest attack was 33 hours.

It’s a new and somewhat unexpected area of bad online behavior.