The bot family, which has been dubbed "YoyoDDoS" after the hostname of one of its initial command-and-control (C&C) servers, was first detected in March. To date, Arbor Networks has processed more than 70 variants from the family and identified at least 34 C&C servers, all but three of which are located in China.
DDoS attacks use large numbers of compromised PCs to flood a targeted website with traffic, with the goal of knocking it offline. Of the 180 YoyoDDoS attacks that have been identified, 126 targeted IP addresses in China, while 32 targeted victims in the United States, nine in South Korea, and five in Germany.
Several different online merchants have been targeted, including sites selling auto parts and cosmetics, Edwards said. Several gaming and gambling sites also were attacked, along with a website-hosting provider, a music forum and a personal blog.
“It is not targeted at a specific industry,” said Edwards, a former FBI special agent assigned to the Detroit Cybercrime Squad. “It's more like a general tool, and if somebody wants to take a site down for a certain reason, a lot of the time they use this YoyoDDoS.”
The attacks typically last between a few hours and two days, he added. Several sites have been attacked continuously for 24 to 48 hours.
Researchers at Arbor Networks said they do not know how many computers have been infected with the bot malware, but they believe there are at least three or four independent YoyoDDoS botnets being controlled by independent operators.
If this is the case, the code to create the bot malware may be circulating in the cybercriminal underground, Edwards said.
The bot malware, which Edwards said is not especially sophisticated, could make its way onto a user's PC via malicious links or attachments in emails. After installation, the bot connects to the C&C server and reports details about the victim host, including the make, model and speed of the processor and the operating system service pack level. It also contacts the C&C server every time the infected computer is started, so the beacon recurs at each boot rather than only at first infection.
The bot family supports four different types of DDoS attack, HTTP, UDP, SYN and ICMP floods, each of which overwhelms a victim with a different kind of traffic, Edwards said. If an attack is launched with one type of traffic and the victim has a firewall or another security device that blocks it, the operator can switch to another attack mode, so a defense that filters only one protocol does not end the attack.
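The practical consequence of the four-mode design is that a defender should classify the flood by type per time window and watch for the operator switching modes after one is blocked. The following is an added example written for this page, not code from Arbor Networks or from the bot itself; the `Flow` record format, the window size, the rate threshold and the sample traffic are all assumptions constructed here to illustrate the technique.

```python
"""Classify flood traffic as HTTP, UDP, SYN or ICMP per time window and
report mode switches between windows. Added example; the Flow layout and
the sample traffic below are constructed, not taken from real captures."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float            # seconds since capture start (assumed field)
    src: str             # source IP as a string
    proto: str           # "tcp", "udp" or "icmp"
    dport: int           # destination port; 0 for ICMP
    tcp_flags: str       # e.g. "S", "SA", "PA"; "" for non-TCP
    http_request: bool   # True if the TCP payload starts with an HTTP method


def flood_type(flow):
    """Map one flow to the attack category it would contribute to.

    Type alone is not evidence of attack: a normal client also sends SYNs
    and HTTP requests. The rate over a window (below) is the signal."""
    if flow.proto == "icmp":
        return "ICMP"
    if flow.proto == "udp":
        return "UDP"
    if flow.proto == "tcp":
        if flow.http_request:
            return "HTTP"
        if flow.tcp_flags == "S":      # bare SYN, no ACK: half-open attempt
            return "SYN"
    return None                        # established-connection traffic, ignored


def classify_windows(flows, window=10.0, threshold=50):
    """Bucket flows into fixed windows and return, for each window whose
    dominant category reaches `threshold`, a tuple of
    (window_start, category, flow_count, distinct_source_count)."""
    counts = defaultdict(Counter)
    sources = defaultdict(lambda: defaultdict(set))
    for f in flows:
        category = flood_type(f)
        if category is None:
            continue
        start = int(f.ts // window) * window
        counts[start][category] += 1
        sources[start][category].add(f.src)
    flagged = []
    for start in sorted(counts):
        category, n = counts[start].most_common(1)[0]
        if n >= threshold:
            flagged.append((start, category, n, len(sources[start][category])))
    return flagged


def mode_switches(flagged):
    """Return (from_type, to_type, window_start) for each change of
    dominant category between consecutive flagged windows. A switch right
    after a filter was installed is the pattern the text describes."""
    switches = []
    for prev, cur in zip(flagged, flagged[1:]):
        if prev[1] != cur[1]:
            switches.append((prev[1], cur[1], cur[0]))
    return switches


def build_sample_flows():
    """Constructed traffic: a SYN flood, a quiet window, then the operator
    switching to UDP and finally to HTTP floods. Not a real capture."""
    flows = []
    for i in range(200):                               # 0-10 s: SYN flood, 40 sources
        flows.append(Flow(i * 0.05, f"10.0.0.{i % 40}", "tcp", 80, "S", False))
    for i in range(3):                                 # 10-20 s: a few legitimate clients
        flows.append(Flow(12.0 + i, f"192.0.2.{i}", "tcp", 80, "S", False))
        flows.append(Flow(12.5 + i, f"192.0.2.{i}", "tcp", 80, "PA", True))
    for i in range(150):                               # 20-30 s: UDP flood, 30 sources
        flows.append(Flow(20 + i * (10 / 150), f"10.0.1.{i % 30}", "udp", 53, "", False))
    for i in range(300):                               # 30-40 s: HTTP GET flood, 60 sources
        flows.append(Flow(30 + i * (10 / 300), f"10.0.2.{i % 60}", "tcp", 80, "PA", True))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    flagged = classify_windows(SAMPLE_FLOWS)
    for start, category, n, srcs in flagged:
        print(f"t={start:>5.1f}s  {category:<4} flood: {n} flows from {srcs} sources")
    for old, new, at in mode_switches(flagged):
        print(f"mode switch {old} -> {new} at t={at}s")
```

The window in the quiet period is not reported because its three SYNs and three requests stay under the threshold, which is what keeps ordinary clients out of the alert. In production the threshold would be set relative to the site's baseline rate rather than a fixed count, and the distinct-source count is the field to watch when deciding whether rate-limiting per IP will help at all.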
“I do know that it is being actively used based on the number of attacks we are logging,” Edwards said. “We are still logging attacks and finding [bot malware] specimens we haven't seen.”