Researchers are tracking a new botnet that has become one of the more active DDoS networks on the Internet since its emergence early last month. The botnet, dubbed “Darkness,” is being controlled by several domains hosted in Russia and its operators are boasting that it can take down large sites with as few as 1,000 bots.
The Darkness botnet is seen as something of a successor to the older Black Energy and Illusion botnets and researchers at the Shadow Server Foundation took a look at the network’s operation and found that it is capable of generating large volumes of attack traffic.
“Upon testing, it was observed that the throughput of the attack traffic
directed simultaneously at multiple sites was quite impressive,” Shadowserver’s analysts wrote in a report on the Darkness botnet. “It now appears that ‘Darkness’ is overtaking
Black Energy as the DDoS bot of choice. There are many ads and offers for
DDoS services using ‘Darkness’. It is regularly updated and improved
and of this writing is up to version 7. There also appear to be no
shortage of buyers looking to add ‘Darkness’ to their botnet arsenal.”
Other security researchers who track botnets said that they’ve seen some networks related to the Darkness botnet in operation recently, as well.
have seen relatives of this one – one which we think was named
“optima” and one which the community calls “votwup” – for
some time now,” said Jose Nazarion, senior manager of security research at Arbor Networks. “We do not know how big the botnets are by population count, but they
are active. We do not know how widespread the tools are, they appear so far to
be more limited in use than BlackEnergy 1.x, and possibly fewer people have
them right now.”
The analysis by Shadowserver found that the Darkness botnet has been used to attack more than 100 targets in the last month or so, with some of them being high-profile e-commerce and financial services sites. The botnet is using three separate domains for command and control, although one of them appears to be offline now. The domains include hellcomeback.ru, greatfull-tools.ru and greatfull.ru, though hellcomeback.ru apparently isn’t responding to pings from bots at this point.
The two active domains are registered using the same email address belonging to a Russian domain and the Shadowserver analysts’ research found a number of online ads touting DDoS-for-hire services using the Darkness botnet. One of the ads brags about the amount of traffic that the botnet can generate, saying that just 30 bots can take down an average size site and that only 1,000 bots are needed to overwhelm a large site. Another site that advertises the Darkness botnet’s services says that attacks can be launched for as little as $50 a day.
Good day, dear citizens of DL!
For your attention high quality service DDos
We have the best price and quality!
We take any project regardless of the subject matter of the target!
Constant customers individual conditions!
The average price of service from $ 50 per day
Depends on the complexity of the attacked site
Methods of payments are accepted via WebMoney
For people who are interested in the work
on an ongoing basis is
a separate proposal on which
you will not regret it.
Once the bot is present on an infected system, the malware reaches out to one of the C&C domains and asks for commands. The server will respond with a set of instructions for the bot that is base-64 encoded. The bots are capable of sending DDoS traffic via HTTP, TCP/UDP or ICMP and the C&C server’s instructions will list not only a target for the attack, but also the type of traffic that the bot is to send.
There are new botnets coming online constantly and just as many dropping off as their C&C servers are taken down, their domains are sinkholed by researchers or law enforcement agencies–like the actions against Mega-D–or they simply outlive their usefulness. The Black Energy botnet has been one of the more active ones this year and now the Darkness botnet looks to be making a run. But the botnet problem itself is a thorny one that has a number of components, none of which is easily solvable.