BARCELONA–China may have caught and passed many western nations in terms of economic power and military might, but, despite its reputation as a major player in the malware economy, many of the bots and DDoS tools that come out of the country are shoddy, cobbled-together malware full of bugs and with no real effort made to hide themselves.
“A lot of it has the feel that it was chopped up and hacked together,” Jeff Edwards, a security analyst at Arbor Networks, said in a talk on Chinese bot families at the Virus Bulletin conference here Wednesday. “There’s a lot of sloppiness everywhere with blatant flaws.”
Arbor researchers follow the botnet scene closely and the company took a specific look at a variety of bot families that are commonly used in DDoS attacks originating in China and against Chinese targets. What they found was a collection of roughly 40 bot families, many of which showed evidence of some serious inbreeding. Code re-use is rampant among the major Chinese DDoS bots, and Edwards said that it’s not uncommon to see whole sections lifted from one bot and used in another, bugs and errors included.
Like bots found elsewhere on the Web, Chinese-produced DDoS tools often have the ability to employ a wide variety of attack methods. The classic SYN flood and TCP flood methods are prevalent, as are HTTP floods. But what’s not typically found at all in Chinese bots is the ability to execute the slow HTTP DDoS attacks that have been cropping up in the United States, Russia and elsewhere in recent years.
This tactic is far less noisy than a typical denial-of-service attack. Instead of sending huge numbers of packets to a target server, these attacks involve breaking up TCP requests into tiny pieces and taking as long as an hour or more to complete one request.
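The defining property of the slow HTTP attacks described above is that they are low-volume and long-lived, so a rate threshold tuned for floods never fires. The following Python is an added example (not Arbor's code, and not from the article) showing the distinction on a constructed set of server-side connection summaries: a rate-based check that would catch a SYN or HTTP flood sees nothing, while a check on connection age, trickle rate and request completeness isolates the slow client. The record fields, thresholds and client addresses are all assumptions for illustration.

```python
"""Contrast rate-based flood detection with slow-request detection.

Added example for this article; not code from Arbor Networks or the bots
discussed. Assumes a server can export one summary per open connection.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnSummary:
    client: str            # source address (constructed sample values below)
    duration_s: float      # how long the connection has been open
    bytes_in: int          # request bytes received so far
    request_complete: bool # True once a full HTTP request has arrived


def is_slow_request(conn, min_duration_s=30.0, max_rate_bps=50.0):
    """Flag a connection that has stayed open a long time, is still waiting
    for the request to finish, and has delivered only a trickle of bytes.
    A large but complete upload has a high rate and is not flagged."""
    if conn.duration_s < min_duration_s or conn.request_complete:
        return False
    rate_bps = conn.bytes_in / max(conn.duration_s, 1e-9)
    return rate_bps <= max_rate_bps


def slow_clients(conns, min_conns=5, **thresholds):
    """Return {client: count} for clients holding many slow connections at once;
    a single slow link is normal, dozens from one source is the attack pattern."""
    counts = defaultdict(int)
    for conn in conns:
        if is_slow_request(conn, **thresholds):
            counts[conn.client] += 1
    return {client: n for client, n in counts.items() if n >= min_conns}


def high_rate_clients(conns, min_rate_bps=1_000_000):
    """The flood-style check: aggregate inbound bytes per client over the
    longest-lived connection from that client. Slow attackers stay far below it."""
    total_bytes = defaultdict(int)
    window_s = defaultdict(float)
    for conn in conns:
        total_bytes[conn.client] += conn.bytes_in
        window_s[conn.client] = max(window_s[conn.client], conn.duration_s)
    return {c for c in total_bytes
            if total_bytes[c] / max(window_s[c], 1e-9) >= min_rate_bps}


# Constructed sample: eight stalled connections from one documentation-range
# address, three ordinary fast requests, and one legitimate long upload.
SAMPLE_CONNS = (
    [ConnSummary("203.0.113.5", 600.0, 120, False) for _ in range(8)]
    + [ConnSummary("198.51.100.7", 0.4, 600, True) for _ in range(3)]
    + [ConnSummary("192.0.2.9", 300.0, 5_000_000, True)]
)


if __name__ == "__main__":
    print("rate-based suspects:", high_rate_clients(SAMPLE_CONNS))  # empty set
    print("slow-request suspects:", slow_clients(SAMPLE_CONNS))     # {'203.0.113.5': 8}
```

In practice the thresholds come from the server's own baseline: the minimum age should sit above the site's normal request-header time, and the per-client count above what a single NAT gateway legitimately holds open, otherwise the check trips on slow mobile users rather than on an attack.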
“This just hasn’t shown up in the Chinese DDoS space for some reason,” Edwards said.
It may just be a matter of time before this behavior appears in China. But for now, what Edwards and other Arbor researchers found in their study of the landscape is that many DDoS attacks in China tend to focus on smaller, lower-profile sites, and some bot families even seem to specialize in attacking one particular industry. The Darkshell bot, for example, tends to target the sites of manufacturers of food processing equipment in China, for whatever reason.
In general, the DDoS bots being written and deployed in China right now just aren’t very sophisticated. Few of them employ any meaningful obfuscation and Edwards said he has yet to see any real encryption deployed to complicate analysis.
“There’s virtually no rootkit behavior and no real attempts at hiding,” he said. “There are a ton of these families cropping up all the time, at least one a week. There’s a ton of code sharing across families and there’s little or no stealthiness.”