Network Security, Malware, Network Security

New commercial DDoS botnet discovered

Researchers have discovered a fast-growing botnet that was designed as part of a commercial service for launching distributed denial-of-service (DDoS) attacks against any target.

The “IMDDOS” botnet, named after the website promoting its DDoS attack services, dates back to March 20 when a criminal organization registered a series of domains to serve as the botnet's command-and-control (C&C) hubs, according to a report issued Monday by security firm Damballa.

Growing at a rate of as many as 10,000 new victims each day, IMDDOS became one of the largest active botnets in the world in fewer than four months, David Holmes, vice president of marketing at Damballa, told on Tuesday.

The botnet can be leased to launch DDoS attacks, which use a large number of compromised PCs, or bots, to flood a targeted website with requests, causing it to become unresponsive.

The commercial DDoS service is widely available through a website called “IM DDOS,” which is written in Mandarin Chinese and provides details about attack methodology and contact information. Prospective customers are instructed to contact customer service via the Chinese chat service, QQ, to obtain a price quote.

Several different service agreements are offered, including free and paid services, as well as subscriptions for monthly, annual or lifetime access, researchers said. The site boasts that lifetime customers receive 24/7 technical support.

“It's one of the first times we've seen something so public and commercialized,” Holmes said. “Literally anyone who can read or work with a Mandarin Chinese website can go onto their self-service portal, create an account and pick their victim of choice for a DDoS attack.”

The botnet's C&C domains, located in China, are used to push out instructions to infected bots to launch DDoS attacks against a list of targeted domains. Researchers are unsure of the price of IMDDOS attack services and do not know the actual domain names targeted by IMDDOS customers. 

Most of the infected machines that make up the IMDDOS botnet are located in China, but many are located in the United States, Holmes said. Moreover, a number of major corporate networks are hosting infected IMDDOS bots.

The malware is fairly unsophisticated and is being distributed via file-sharing networks, masquerading as a “Windows 7 crack,” along with other enticing file names, Christopher Elisan, senior research analyst at Damballa, told on Tuesday.

Damballa has worked with law enforcement and hosting providers to shut down the U.S.-based attacker-owned domains being used. This has effectively crippled large portions of the scheme, but the botnet has not been fully dismantled because its C&C servers in China are still active.

“We are very careful not to say we have killed this thing and destroyed it,” Holmes said. “It's very difficult to stop these things entirely.”

The botnet signals a growing trend of malicious activity being commercialized in countries that do not have strong laws governing cybercrime, Elisan said. These services allow anyone, even those without technical skills, to launch malicious attacks.

“There will be more services like this,” he said.

The IMDDOS botnet is also a good representation of the advancement that has taken place in the DDoS “industry,” André DiMino, co-founder and director of The Shadowserver Foundation, an all-volunteer web intelligence gathering group, told on Tuesday.

In the past, DDoS was just part of a botnet's larger arsenal of cybercrime capabilities, but now that the attack method is coming into its own and botnets are being specifically created for DDoS purposes, DiMino said. And, because of its architecture and the way it is deployed and operated, IMDDOS is more advanced than earlier generations of DDoS botnets.

“In the past, you told the guy what you wanted done, and now you have this more customer-service-friendly environment to arrange for your request,” he said. “So the evolution is alarming to see where this is all going.”

And, while the supply for DDoS services has increased, so has the demand, DiMino said. Attackers have launched DDoS assaults against a wide spectrum of industries, motivated by political, social and economic reasons.

“These advancements in the DDoS industry might be beneficial for botnet operators, but it is a serious matter for law enforcement, and they will continue to investigate these activities," he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.