Botnet-For-Hire Model Resurfaces in New IMDDOS Botnet

Researchers have identified a new botnet based in China that was openly selling DDoS-for-hire services and had managed to plant roots inside a number of major U.S. ISPs. The botnet, known as IMDDOS, is mostly contained right now and the researchers are working with authorities to locate its operators.

Researchers have identified a new botnet based in China that was openly selling DDoS-for-hire services and had managed to plant roots inside a number of major U.S. ISPs. The botnet, known as IMDDOS, is mostly contained right now and the researchers are working with authorities to locate its operators.

A group of researchers at Damballa discovered the botnet a few months ago when they stumbled upon a couple of suspect domains while investigating another incident. They traced the domains back to a single domain in China. The more they looked into the botnet, the more infections they found, eventually identifying infected domains in a large number of ISPs in the U.S. and abroad.

The IMDDOS botnet was being leased out in discrete chunks to customers willing to pony up the cash. This is a fairly common business model for bot herders, but it’s not that often that the crew behind the operation puts up a professional Web front end and hires a sales team to market their services. But that’s the way this crew was going about it, the Damballa researchers said. A customer could rent out a specific piece of the botnet and then turn it loose on whatever target he had in mind.

Damballa officials said the operation appeared to be quite professional, and went so far as to include a dedicated sales team. They estimate that the IMDDOS botnet is somewhat larger in terms of activity than the Bobax botnet, but didn’t have an estimated number of infected machines.

The malware planted on infected machines isn’t especially sophisticated, although the bot herders took some precautions to ensure that there’s no cross-pollination among customers. For example, there are small differences between each version of the malware that customers get, so each one has a different hash. When the malware connects back to the C&C server, it is only able to access the one portion of the server where his target list is hosted.

“Each version has certain identifying characteristics that distinguish them,” said Christopher Elisan, senior research analyst at Damballa. “One PC could be infected with multiple copies and controlled by different bot operators.”

Most of the infections appear to be in mainland China and the main Chinese domain associated with the botnet has a list of other domains that are part of the botnet, which can be leased out to customers. Damballa researchers have been in touch with law enforcement authorities and the ISPs that they’ve identified as being infected by IMDDOS. They believe that the botnet is mostly contained at this point, as they’ve identified what they think are all of the C&C servers. However, it’s not clear whether the hosting providers who own those servers will all cooperate in taking the botnet down.

Suggested articles