Chinese DDoS Bots Lack Sophistication, Stealth

BARCELONA–China may have caught and passed many western nations in terms of economic power and military might, but, despite its reputation as a major player in the malware economy, many of the bots and DDoS tools that come out of the country are shoddy, cobbled-together malware full of bugs and with no real effort made to hide themselves.

“A lot of it has the feel that it was chopped up and hacked together,” Jeff Edwards, a security analyst at Arbor Networks, said in a talk on Chinese bot families at the Virus Bulletin conference here Wednesday. “There’s a lot of sloppiness everywhere with blatant flaws.”

Arbor researchers follow the botnet scene closely and the company took a specific look at a variety of bot families that are commonly used in DDoS attacks originating in China and against Chinese targets. What they found was a collection of roughly 40 bot families, many of which showed evidence of some serious inbreeding. Code re-use is rampant among the major Chinese DDoS bots, and Edwards said that it’s not uncommon to see whole sections lifted from one bot and used in another, bugs and errors included.

Like bots found elsewhere on the Web, Chinese-produced DDoS tools often will have the ability to employ a wide variety of attack methods. The classic SYN flood and TCP flood methods are prevalent, as are HTTP floods. But what’s not typically found at all in Chinese bots is the ability to execute the slow HTTP DDoS attacks that have been cropping up in the United States, Russia and elsewhere in recent years.

This tactic is far less noisy than a typical denial-of-service attack. Instead of sending huge numbers of packets to a target server, these attacks hold connections open by sending an HTTP request in tiny pieces with long pauses between them, taking as long as an hour or more to complete one request, so that a handful of hosts can tie up every connection the server is willing to accept.
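The defining signature of the slow attack described above is the opposite of a flood: very little traffic per connection, spread over a long time, with the request never completed. The following detector is an added example written for this article, not code from Arbor Networks or from the bot families discussed; it assumes per-connection records of (seconds since open, payload bytes) for each client segment, as one might reconstruct from a packet capture, and the thresholds are illustrative assumptions rather than published values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Connection:
    """One client TCP connection to the web server (constructed record format)."""
    client: str                         # client IP; sample values below are made up
    segments: List[Tuple[float, int]]   # (seconds since connection opened, payload bytes)
    request_complete: bool              # server saw the blank line that ends the headers


# Thresholds are assumptions chosen for this example, not values from the article.
SLOW_HEADER_SECONDS = 30.0   # legitimate clients finish their headers well under this
TINY_SEGMENT_BYTES = 32      # a browser sends the whole request in one or two segments
MIN_TINY_SEGMENTS = 5        # a drip-fed request shows up as many tiny writes


def classify(conn: Connection) -> str:
    """Label a connection 'slow-http', 'normal' or 'idle'.

    A connection is flagged only when all three signs line up: the request
    is still incomplete, it has been dribbling in for a long time, and most
    of that dribble is tiny segments. A slow but complete request (a client
    on a bad link) is left alone.
    """
    if not conn.segments:
        return "idle"
    elapsed = conn.segments[-1][0] - conn.segments[0][0]
    tiny = sum(1 for _, nbytes in conn.segments if nbytes <= TINY_SEGMENT_BYTES)
    if (not conn.request_complete
            and elapsed >= SLOW_HEADER_SECONDS
            and tiny >= MIN_TINY_SEGMENTS):
        return "slow-http"
    return "normal"


def suspicious_clients(conns: List[Connection], min_slow: int = 3) -> List[str]:
    """Clients holding at least `min_slow` slow-http connections open at once.

    A single slow connection is harmless; the attack needs many of them
    from the same source, which is what this aggregation surfaces.
    """
    counts: Dict[str, int] = {}
    for conn in conns:
        if classify(conn) == "slow-http":
            counts[conn.client] = counts.get(conn.client, 0) + 1
    return sorted(c for c, n in counts.items() if n >= min_slow)


# Constructed sample data: one normal browser request, one client that drips
# 8-byte header fragments every 10 seconds on four parallel connections, and
# a client on a lossy link that is slow but does finish its request.
NORMAL = Connection("203.0.113.5", [(0.0, 412)], True)
DRIP = [(10.0 * i, 8) for i in range(7)]                    # 0s, 10s, ..., 60s
SLOW_CONNS = [Connection("198.51.100.7", DRIP, False) for _ in range(4)]
LOSSY = Connection("203.0.113.9", [(0.0, 120), (45.0, 292)], True)
SAMPLE = [NORMAL, LOSSY] + SLOW_CONNS


if __name__ == "__main__":
    for conn in SAMPLE:
        print(conn.client, classify(conn))
    print("suspicious:", suspicious_clients(SAMPLE))
```

The thresholds have to be tuned against real traffic, since clients behind slow or lossy links legitimately take a long time to finish a request; requiring the request to be incomplete and the source to hold several such connections keeps those out of the alert. On the mitigation side, the same property is what server-side header read timeouts exploit: the server drops a connection whose headers have not arrived within a bounded time, regardless of how slowly bytes trickle in.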

“This just hasn’t shown up in the Chinese DDoS space for some reason,” Edwards said.

It may just be a matter of time before this behavior appears in China. But for now, what Edwards and other Arbor researchers found in their study of the landscape is that many DDoS attacks in China tend to focus on smaller, lower profile sites, and some bot families even seem to specialize in attacking one particular industry. The Darkshell bot, for example, tends to target the sites of manufacturers of food processing equipment in China for whatever reason.

In general, the DDoS bots being written and deployed in China right now just aren’t very sophisticated. Few of them employ any meaningful obfuscation and Edwards said he has yet to see any real encryption deployed to complicate analysis.

“There’s virtually no rootkit behavior and no real attempts at hiding,” he said. “There are a ton of these families cropping up all the time, at least one a week. There’s a ton of code sharing across families and there’s little or no stealthiness.”
