Researchers Tracking Emerging Darkness Botnet

Researchers are tracking a new botnet that has become one of the more active DDoS networks on the Internet since it emerged early last month. The botnet, dubbed "Darkness," is controlled through several domains hosted in Russia, and its operators boast that it can take down large sites with as few as 1,000 bots.

The Darkness botnet is seen as something of a successor to the older Black Energy and Illusion botnets. Researchers at the Shadowserver Foundation examined the network's operation and found that it is capable of generating large volumes of attack traffic.

"Upon testing, it was observed that the throughput of the attack traffic directed simultaneously at multiple sites was quite impressive," Shadowserver's analysts wrote in their report on the Darkness botnet. "It now appears that 'Darkness' is overtaking Black Energy as the DDoS bot of choice. There are many ads and offers for DDoS services using 'Darkness'. It is regularly updated and improved and as of this writing is up to version 7. There also appears to be no shortage of buyers looking to add 'Darkness' to their botnet arsenal."

Other security researchers who track botnets said they have recently seen networks related to Darkness in operation as well.

"We have seen relatives of this one, one which we think was named 'optima' and one which the community calls 'votwup', for some time now," said Jose Nazario, senior manager of security research at Arbor Networks. "We do not know how big the botnets are by population count, but they are active. We do not know how widespread the tools are; they appear so far to be more limited in use than BlackEnergy 1.x, and possibly fewer people have them right now."

Shadowserver's analysis found that Darkness has been used to attack more than 100 targets in the last month or so, some of them high-profile e-commerce and financial services sites. The botnet uses three separate domains for command and control, hellcomeback.ru, greatfull-tools.ru and greatfull.ru, although one of them appears to be offline now: hellcomeback.ru is apparently no longer responding to check-ins from bots.

The two active domains are registered with the same email address at a Russian domain, and the Shadowserver analysts found a number of online ads touting DDoS-for-hire services built on Darkness. One ad brags about the amount of traffic the botnet can generate, claiming that just 30 bots can take down an average-size site and that only 1,000 bots are needed to overwhelm a large one. Another site advertising the botnet's services says attacks can be launched for as little as $50 a day. One such ad reads:

Good day, dear citizens of DL!
For your attention: a high-quality DDoS service
We have the best price and quality!
We take any project regardless of the subject matter of the target!
Regular customers get individual conditions!
The average price of the service is from $50 per day
Depending on the complexity of the attacked site
Payments are accepted via WebMoney
For people who are interested in working
on an ongoing basis there is
a separate proposal which
you will not regret.

Once the bot is running on an infected system, it contacts one of the C&C domains and requests commands. The server replies with a base-64-encoded set of instructions that names both the target and the type of traffic the bot is to send; the bots can flood a target over HTTP, TCP/UDP or ICMP.
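The check-in pattern described above is what a defender can look for in outbound proxy or web logs: a host contacting one of the C&C domains named in the report and receiving a base-64 body that decodes to an attack order. The script below is an added example, not Shadowserver's or the article's code. The three C&C domains and the four flood types come from the article; the proxy log line format and the decoded layout "<type> <target> ..." are constructed assumptions, because the article does not document the bot's actual command grammar.

```python
"""Indicator check for Darkness C&C check-ins over a proxy log.

Added example (not Shadowserver's or the article's code). It uses the three
C&C domains and the attack types named in the article; the log line format
and the decoded command layout "<type> <target> ..." are constructed
assumptions, since the article does not document the bot's command grammar.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Command-and-control domains named in the Shadowserver report.
DARKNESS_C2_DOMAINS = {"hellcomeback.ru", "greatfull-tools.ru", "greatfull.ru"}

# Flood types the article says a bot can be told to send.
ATTACK_TYPES = {"http", "tcp", "udp", "icmp"}

# Hypothetical proxy log format: "<client-ip> <host> <status> [<response-body>]"
LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<status>\d{3})(?:\s+(?P<body>\S*))?$"
)


@dataclass
class Hit:
    client: str
    domain: str
    attack: Optional[str]   # None when the body is not a decodable command
    target: Optional[str]


def is_c2_domain(host: str) -> bool:
    """Match the C&C domains exactly or as a parent of the contacted host."""
    host = host.lower().rstrip(".")
    return host in DARKNESS_C2_DOMAINS or any(
        host.endswith("." + d) for d in DARKNESS_C2_DOMAINS
    )


def decode_command(blob: str) -> Optional[str]:
    """Strict base-64 decode; None if the body is not base-64 ASCII text."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def parse_command(text: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Assumed decoded layout: first token is the flood type, second the target."""
    if not text:
        return None, None
    parts = text.split()
    if len(parts) >= 2 and parts[0].lower() in ATTACK_TYPES:
        return parts[0].lower(), parts[1]
    return None, None


def scan_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per request to a Darkness C&C domain, with the decoded order if any."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_c2_domain(m.group("host")):
            continue
        attack, target = parse_command(decode_command(m.group("body") or ""))
        hits.append(Hit(m.group("client"), m.group("host").lower(), attack, target))
    return hits


# Constructed sample log lines; the bodies are base-64 encoded here for readability.
SAMPLE_LOG = [
    "10.0.0.5 www.example.com 200 " + base64.b64encode(b"hello").decode(),
    "10.0.0.7 greatfull.ru 200 " + base64.b64encode(b"http www.shop.example 80").decode(),
    "10.0.0.9 hellcomeback.ru 000",          # dead C&C domain, empty reply
    "10.0.0.7 greatfull-tools.ru 200 " + base64.b64encode(b"icmp 192.0.2.10").decode(),
    "10.0.0.3 greatfull.ru 200 not-base64!!",  # contact without a decodable order
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Any contact with a listed domain is reported even when the body does not decode, because the domain match alone is the indicator of compromise; the decoded order is extra context for triage. Strict base-64 validation (`validate=True`) avoids false decodes of ordinary response bodies that happen to contain base-64-looking substrings.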

New botnets come online constantly, and just as many drop off as their C&C servers are taken down, their domains are sinkholed by researchers or law enforcement agencies (as in the action against Mega-D), or they simply outlive their usefulness. The Black Energy botnet has been one of the more active ones this year, and now Darkness looks to be making a run. But the botnet problem itself is a thorny one with a number of components, none of which is easily solvable.

Discussion

  • Expatriated American Patriot on

    > But the botnet problem itself is a thorny one that has a number of components, none of which is easily solvable.

    Very easy to solve problem! Barack Hussein Obama shall issue a US presidential executive decree which orders US Cyber Command and the NSA to forcibly detach Brazil, communist China and the former USSR (sans the Baltika) from the global net. Those three countries are the ones responsible for 90% of the world's malware problem. If they are severed from the worldwide net, surfing and e-shopping will be safe to use again!

    US spec-op submarines shall cut undersea cables and US allies shall cut landline cables leading to communist countries. The ex-soviets and the chinese-communists have no God-given right to use the net, which is an original american creation, just like our Lord originally created the Heaven and Earth! As the Lord banned sinful Adam and Eve from the Paradise he created, so does America determine who can use the net, and if needed, banishes the evil ones from its fruits!

    Whoever disputes this shall also consider "realpolitik": the US Navy has 11 operational nuclear powered aircraft carrier battle groups, roaming the seven seas at will, but no other country has more than one! Accept the God-blessed global leadership of the USA or leave the sphere of anglo-american produced scientific-technological civilization and return to the medieval ages of your own!

    One must clearly recognize that the chinese and the russians, with their state-supported e-crime rampage of several years, have proven themselves unworthy of the gift of freedom associated with the net and digital computing in general.

    God bless America and God save the Net!

  • Anonymous on

    @Expatriated American Patriot

    BULLSH**!

    Your comment does not even deserve a reply, but I couldn't help it.

    Simply grouping something as good and bad does not solve anything. A WWW with some countries chopped off is not a world wide web anymore. Your sources are flawed. How many cyber criminals do you want me to list who are troubled Americans?

    People are not good or bad because of the place they live. It's many other things.

    Crap. I do not want to continue commenting on this. Go find out on your own.

    @moderators, either delete both the above comment and this, or let both of them stay. I just want to help any noob reader who reads only the above post not be biased and informed about only part of the truth.

  • Anonymous on

    Expatriated American Patriot: lmao, nice post :p

  • singloss on

    The naivety displayed by Expatriated American Patriot is one of the key reasons why botnets are such a thorny problem. Most likely Expatriated American Patriot is running a computer which is not properly patched, has no up-to-date anti-virus running and has no proper password management, and as a result that computer may be infected and part of the botnet.

    It also demonstrates the common attitude of such people demanding that the government do the dirty jobs while not being willing to take personal responsibility, at the same time complaining about big government.
