Researchers are tracking a new bot that originated in China and is being used by various associated botnets that are hammering away with DDoS attacks aimed at several dozen targets around the world, including a number of telecom companies and specialized manufacturers.
The piece of malware behind these botnets, known as Darkshell, is using a slew of command-and-control servers, nearly all of which are located in China, and is fairly run-of-the-mill in terms of its installation and operation. However, the one rather odd part of the Darkshell botnets’ behavior is that their owners are using the networks to launch attacks against a large number of manufacturers of relatively obscure machinery used for food processing.
It’s not unusual for a particular group of attackers to focus its efforts on bringing down the sites of one specific company or even a group of companies. This often is the result of some slight, real or imagined, committed by the victim, or of an unpopular political opinion held by one of its executives. However, it’s quite odd for several individual botnets–even though they’re using the same bot–to attack such a large number of players in a fairly low-visibility industry.
“However, the most common targets of Darkshell attacks over the past three months have been the websites of relatively small manufacturers of industrial food processing equipment and machinery. We have logged attacks against at least 16 such victims emanating from the Darkshell botnets, comprising approximately 40% of the victims that we sampled. One can only speculate on the reasons for this aggressive focus on such a relatively tiny niche within the online landscape. Several such attacks have been sustained for over 60 hours at a time, and most of these equipment vendors have suffered multiple repeat attacks during this interval of time,” Jeff Edwards of Arbor Networks said in an analysis of the Darkshell attacks.
“One common pattern of Darkshell behavior is to attack three or four different URLs associated with a particular food processing equipment vendor; these multiple URLs are typically associated with pages displaying specific products. We have also observed instances in which multiple Darkshell botnets engaged in coordinated attacks against a single victim (again, vendors of industrial food processing equipment).”
The Darkshell botnets have been on the Arbor researchers’ watch list for about three months now, Edwards wrote, and the bot’s activity seems to be fairly simple. Once installed, the Darkshell bot registers itself as a fake service on the infected machine, and then reaches out to a remote C&C server, which is hard-coded into each bot. The C&C sends instructions to each bot and when the time comes, it will issue a command to launch a DoS attack against a specific target. These attacks come in the form of a large number of HTTP GET requests sent from a high number of TCP ports on the infected PC.
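The traffic pattern described above (a burst of HTTP GETs from one infected host, each from a different source port, aimed at a handful of product-page URLs) is something a site operator can look for in connection records. The following is an added detection example, not code from Arbor or from the Darkshell analysis; the one-line record format it parses is a hypothetical simplification, and the sample traffic is constructed here.

```python
import re
from collections import defaultdict

# Hypothetical record format, constructed for this example: "<epoch> <src_ip>:<src_port> GET <path>"
LINE_RE = re.compile(r"^(\d+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) GET (\S+)$")

def parse_line(line):
    """Return (ts, src_ip, src_port, path), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m[1]), m[2], int(m[3]), m[4]

def find_get_flood_sources(log_text, window_s=60, min_requests=20,
                           min_distinct_ports=10, max_distinct_paths=4):
    """Flag sources that, inside some window_s-second window, send at least min_requests
    GETs from at least min_distinct_ports ports while hitting at most max_distinct_paths URLs."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[1]].append(rec)
    suspects = {}
    for ip, recs in per_ip.items():
        recs.sort()
        j = 0
        for i in range(len(recs)):
            # extend the window [i, j) while it spans at most window_s seconds
            while j < len(recs) and recs[j][0] - recs[i][0] <= window_s:
                j += 1
            window = recs[i:j]
            ports = {r[2] for r in window}
            paths = {r[3] for r in window}
            if (len(window) >= min_requests and len(ports) >= min_distinct_ports
                    and len(paths) <= max_distinct_paths):
                suspects[ip] = {"requests": len(window), "ports": len(ports),
                                "paths": sorted(paths)}
                break  # one qualifying window is enough to flag this source
    return suspects

def constructed_sample():
    """Constructed traffic: a bot-like source cycling three product pages from a fresh port each time, plus one normal visitor."""
    pages = ["/products/slicer-a", "/products/slicer-b", "/products/mixer-c"]
    lines = [f"{1300000000 + i} 203.0.113.7:{49152 + i} GET {pages[i % 3]}"
             for i in range(30)]
    lines += ["1300000005 198.51.100.5:51000 GET /index.html",
              "1300000020 198.51.100.5:51000 GET /products/slicer-a",
              "1300000060 198.51.100.5:51002 GET /contact"]
    return "\n".join(lines)
```

Running `find_get_flood_sources(constructed_sample())` flags only 203.0.113.7; the thresholds are starting points and should be tuned against a site's normal per-client request rates before alerting on them.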
Thirty-two of the 34 IP addresses that Arbor has seen acting as C&C servers for Darkshell botnets are in Chinese IP space. There have been incidents in the past in which rogue companies have hired out botnets and used them to attack competitors’ sites, but as Edwards notes in his analysis, there’s little way of gleaning motive from Darkshell’s method at this point.