Tuesday, September 14, 2010

Botnet-For-Hire Model Resurfaces in New IMDDOS Botnet

Via Threatpost.com -

Researchers have identified a new botnet based in China that was openly selling DDoS-for-hire services and had managed to plant roots inside a number of major U.S. ISPs. The botnet, known as IMDDOS, is mostly contained right now and the researchers are working with authorities to locate its operators.

A group of researchers at Damballa discovered the botnet a few months ago when they stumbled upon a couple of suspect domains while investigating another incident. They traced the domains back to a single domain in China. The more they looked into the botnet, the more infections they found, eventually identifying infected domains in a large number of ISPs in the U.S. and abroad.

The IMDDOS botnet was being leased out in discrete chunks to customers willing to pony up the cash. This is a fairly common business model for bot herders, but it's not that often that the crew behind the operation puts up a professional Web front end and hires a sales team to market their services. But that's the way this crew was going about it, the Damballa researchers said. A customer could rent out a specific piece of the botnet and then turn it loose on whatever target he had in mind.

Damballa officials said the operation appeared to be quite professional, and went so far as to include a dedicated sales team. They estimate that the IMDDOS botnet is somewhat larger in terms of activity than the Bobax botnet, but didn't have an estimated number of infected machines.


Most of the infections appear to be in mainland China and the main Chinese domain associated with the botnet has a list of other domains that are part of the botnet, which can be leased out to customers. Damballa researchers have been in touch with law enforcement authorities and the ISPs that they've identified as being infected by IMDDOS. They believe that the botnet is mostly contained at this point, as they've identified what they think are all of the C&C servers. However, it's not clear whether the hosting providers who own those servers will all cooperate in taking the botnet down.
