FYI...Chinese DDoS malware
October 5th, 2011 - "... Our malware stream contains a lot of DDoS bots, many from China*..."
"... Over 40 families of Chinese DDoS bots were identified by Arbor Networks and have been tracked over the past year. Online occurrence of the malware itself is increasing. A ton of these families are cropping up all the time; at least a new one every week appears with an unusual new capability... it is difficult to understand or even speculate what the motivation behind the attack may be. Most of the code base is shared, cobbled together, and generally was thrown together by inexperienced writers... One of these families represents the "typical" Chinese DDoS bot: darkshell is a great example of the rudimentary and simple level of network traffic obfuscation, but it's as sophisticated as it gets for these families... The bots use a very basic installation to Windows service and some use http, but most use raw tcp connections to their command and control (CnC) servers residing at 3322 .org or 8866 .org free dynamic dns providers' domains...

The Chinese DDoS attack engines that make these bot families unique from other regional bots is the very large set of DDoS attack capabilities maintained in each. Winsock2-based HTTP flood capabilities were the most common of the bots' DDoS capabilities and are used to take down web sites, followed by UDP, TCP and ICMP flood capabilities... yoyoddos is the most active of the DDoS families that they are tracking. The family also maintains the first spot as sustaining the longest attack against a site of these CN DDoS families. This one launched a particular attack for 45 days straight...

Chinese web sites are not the only recipients of the DDoS attacks. jkddos tends to go after large, very prominent, financial and investment companies. On 6 different occasions the family was used to DDoS a very large and prominent NYC commercial real estate holding company, and its longest attack was 33 hours. It's a new and somewhat unexpected area of bad online behavior."
"... Part of this site was listed for suspicious activity 23 time(s) over the past 90 days... Malicious software includes 2040 exploit(s), 1341 trojan(s), 145 backdoor(s)... this site has hosted malicious software over the past 90 days. It infected 254 domain(s)..."

"... Part of this site was listed for suspicious activity 8 time(s) over the past 90 days... Malicious software includes 162 exploit(s), 77 scripting exploit(s), 38 trojan(s)... this site has hosted malicious software over the past 90 days. It infected 133 domain(s)..."
October 5th, 2011 - "... Aldi Bot is a newer inexpensive DDoS bot that is growing in popularity. Recent data (September 30 2011) suggests that there are at least 50 distinct Aldi bot binaries that have been seen in the wild with 44 unique Command & Control points. We see the bot active in Russia, the Ukraine, the US, and Germany. While it has been stated that Aldi Bot won’t be developed further, the source code has leaked which makes it easy to find and use... All it takes is one bot such as Aldi Bot or other tool such as a Remote Access Trojan (RAT) to provide an attacker a handhold on the inside of an organization that can lead to a much larger security breach... attacks involving the exfiltration of sensitive data typically start with one smaller compromise that is then leveraged for additional access. Additionally Aldi Bot steals passwords, and passwords are often re-used for convenience even though it is a dangerous practice. Without proper monitoring of system and network activity, such infected nodes can be long-lived and pose significant risk...

While it has been speculated that Aldi Bot has borrowed from the Zeus banking Trojan source code release in early 2011, Aldi bot is written in Delphi with a PHP back-end, while Zeus is written in C++ with PHP on the back-end. The only obvious similarity between Zeus and Aldi Bot that I can see at first glance is that both of them tend to use a filename called gate.php on the web-based back-end as a “drop zone” to process stolen data."
Edited by AplusWebMaster, 13 October 2011 - 11:17 AM.
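The two network indicators the quoted text gives (CnC under the 3322 .org / 8866 .org free dynamic DNS zones for the Chinese DDoS families, and gate.php as the drop-zone script on Aldi Bot and Zeus back-ends) can be turned into a simple log-triage check. The script below is an added example written for this post, not code from Arbor Networks or the poster; the DNS and proxy log formats, client addresses, timestamps and hostnames are all constructed. A hit is a reason to look at the host, not proof of infection: the dynamic DNS providers also serve plenty of legitimate names, which is why the match is done on label boundaries and exact filenames rather than loose substrings.

```python
"""Triage DNS and proxy logs for the two C&C indicators named in the post.

Added example, not Arbor Networks' or the forum poster's code. Indicator values
come from the quoted text; log formats and sample entries are constructed.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Parent zones of the free dynamic DNS providers named in the post. A hit is a
# triage signal, not a verdict: these providers also host legitimate names.
DYNDNS_ZONES = ("3322.org", "8866.org")

# Drop-zone script name the post associates with Zeus and Aldi Bot back-ends.
DROPZONE_FILENAME = "gate.php"

# Constructed DNS query log: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2011-10-05T09:12:01 10.0.0.15 A www.example.com
2011-10-05T09:12:07 10.0.0.15 A update.example-host.3322.org
2011-10-05T09:13:44 10.0.0.22 A mail.example.net
2011-10-05T09:14:02 10.0.0.22 A node7.8866.org
2011-10-05T09:14:03 10.0.0.22 A not3322.org
"""

# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2011-10-05T09:15:10 10.0.0.15 GET http://www.example.com/index.html 200
2011-10-05T09:15:31 10.0.0.31 POST http://example-panel.invalid/panel/gate.php 200
2011-10-05T09:15:40 10.0.0.31 GET http://www.example.org/gateway.php 200
"""


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone itself or a subdomain of it.

    Compares on label boundaries so that 'not3322.org' does not match
    '3322.org'; a trailing dot on the query name is tolerated.
    """
    q = qname.lower().rstrip(".")
    return q == zone or q.endswith("." + zone)


def flag_dns_queries(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, qname) for every query under one of the dynamic DNS zones."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, _qtype, qname = parts
        if any(in_zone(qname, zone) for zone in DYNDNS_ZONES):
            hits.append((client, qname.lower().rstrip(".")))
    return hits


def flag_dropzone_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, url) for requests whose final path segment is the drop-zone script."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, client, _method, url, _status = parts
        last_segment = urlsplit(url).path.rsplit("/", 1)[-1].lower()
        # Exact filename match: 'gateway.php' must not trigger on 'gate.php'.
        if last_segment == DROPZONE_FILENAME:
            hits.append((client, url))
    return hits


def summarize(dns_log: str, proxy_log: str) -> dict[str, int]:
    """Count distinct internal hosts per indicator class, for a one-line triage view."""
    dyndns_hosts = {client for client, _ in flag_dns_queries(dns_log)}
    dropzone_hosts = {client for client, _ in flag_dropzone_requests(proxy_log)}
    return {"dyndns_cnc_hosts": len(dyndns_hosts), "dropzone_hosts": len(dropzone_hosts)}


if __name__ == "__main__":
    for client, qname in flag_dns_queries(SAMPLE_DNS_LOG):
        print(f"[dyndns] {client} -> {qname}")
    for client, url in flag_dropzone_requests(SAMPLE_PROXY_LOG):
        print(f"[dropzone] {client} -> {url}")
    print(summarize(SAMPLE_DNS_LOG, SAMPLE_PROXY_LOG))
```

On the constructed input the DNS pass flags the two hosts resolving names under 3322.org and 8866.org and ignores the look-alike `not3322.org`, and the proxy pass flags only the POST to `/panel/gate.php`, not the request for `gateway.php`. Feeding real resolver and proxy exports into the same two functions gives a first list of hosts to pull for the system and network monitoring the quoted text calls for.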