The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Virus Bulletin 2011 - Chinese DDoS Bots

Kurt Baumgartner
Kaspersky Lab Expert
Posted October 05, 12:34  GMT
Tags: Botnets, DDoS

Hello from Virus Bulletin 2011! Several talks this morning were very good, and an unusual topic about DDoS in the east was presented early in the afternoon.

Over 40 families of Chinese DDoS bots were identified by Arbor Networks and have been tracked over the past year. Online occurance of the malware itself is increasing. A ton of these families are cropping up all the time, at least a new one every week appears with an unusual new capability. When these botnets are used to DDoS an online presence, often it is difficult to understand or even speculate what the motivation behind the attack may be. Most of the code base is shared, cobbled together, and generally was thrown together by inexperienced writers.

Arbor writes and maintains "fake bot" monitors to log data and activity of these botnets and build up a better picture of attacks and profile of groups. One of these familes represents the "typical" Chinese DDoS bot: darkshell is a great example of the rudimentary and simple level of network traffic obfuscation, but it's as sophisticated as it gets for these families.

Jeff Edwards described the "typical" CN-DDoS bot as written in C/C++. At Arbor, he sees no delphi, VB, or C# based Chinese DDoS bots. They maintain no advanced hiding mechanisms and there are probably going to be really bad typos in service names or strings in the bots. The bots use a very basic installation to Windows service and some use http, but most use raw tcp connections to their command and control (CnC) servers residing at 3322.org or 8866.org free dynamic dns providers' domains. Surprisingly, they usually attack a single victim at a time, unlike eu, us or russian DDoS botnets. The victim usually hosts Chinese content and attacks usually last two hours. Next in line for Chinese DDoS victims are US sites, and they receive about a quarter of the attacks. Most of these sites host some form of Chinese content, whether it's gaming or music sites.

The Chinese DDoS attack engines that make these bot families unique from other regional bots is the very large set of DDoS attack capabilities maintained in each. Winsock2-based HTTP flood capabilities were the most common or the bots' DDoS capabilities and are used to take down web sites, followed by UDP, TCP and ICMP flood capabilities. Of the ten more common attacks, "slow HTTP" attacks were noticeably absent from Chinese DDoS bots, which are commonly present in Russian, American and Euro DDoS bots. Edwards mentioned that even Anonymous attacks are using slow http.

yoyoddos is the most active of the DDoS families that they are tracking. The family also maintains the first spot as sustaining the longest attack against a site of these CN DDoS families. This one launched a particular attack for 45 days straight. The family consistently attacks Chinese manufacturers of industrial food processing equipment, and Edwards observed the family targeting both ice cream and custard equipment makers in the same campaign.

But Chinese web sites are not the only recipients of the DDoS attacks. jkddos tends to go after large, very prominent, financial and investment companies. On 6 different occasions the family was used to DDoS a very large and prominent NYC commercial real estate holding company, and its longest attack was 33 hours.

It's a new and somewhat unexpected area of bad online behavior.


Oldest first
Table view

Donna J.Marn

2011 Oct 05, 21:22

I am "Sick and Tired",Of Being "Sick and Tired"

I am really sick of all these Things that Infect Our Computers.
Every person that Decides to be a "Ignorant Human Being",Should be held Accountable for their Ignorance.Infecting anyone's Computer,Is a Crime,Or it should be.
"Cyber Bully's",Are Terrible to deal with.
I have a International Tribunal,and International Justice-ITCY,
Name Change,And just trying to send emails,To get help,
Is a Challenge,Everyday,For me.
Young People are Killing Themselve Everyday,Because of Ignorance.
Someone has to take Charge,of this Terrible Problem.NOW


Kurt Baumgartner

2011 Oct 06, 16:54

Re: I am "Sick and Tired",Of Being "Sick and Tired"

Thanks for your comment, Donna. I can understand a certain amount of weariness from the big computer security news stories of the day. There are laws against infecting other folks' computers, so let me re-assure you that it is a crime in most locations. The problem is a complex and large one, but you can find some comfort that there are security folks doing the right thing every day.

Cyber bullying is a problem that seems to be better confronted in the US and elsewhere, but changing the behavior of young people is a difficult one that will take time.



2011 Oct 11, 08:37

Anonymous Attacks

Hi Kurt,

Great reading and thank you for writing it.

I wanted to pick your brain considering the recent attacks by a group that I'm sure you've heard of, Anonymous.

Supposedly, they use botnets to DDoS their targets. I've seen a rather unusual influx of invitations on Facebook, Twitter, Reddit, etc., to certain websites and irc channels that Anonymous frequents. I'm wondering if that is to solicit unwitting victims into drones for their activities?

If so, how would you recommend people protect themselves if they can't satisfy their curiosity of hacktivism from the sidelines and just have to click that link or download mIRC to see for themselves?


Kurt Baumgartner

2011 Oct 14, 03:17

Re: Anonymous Attacks

Hi Kamira-

Thanks for reading. Afaik, there are many different groups, efforts and projects within Anonymous. Some have used lame network traffic generation scripts that anonymous members persuaded somewhat ignorant individuals to download and use from their home or office workstations, others have attacked with overwhelming botnets of compromised machines, and others have used some more interesting 0day DoS exploits from behind proxied, vpn'd connections. The former, rather than the latter, have been offered to individuals new to the group's activities.

Sorry, but I can't just recommend clicking on unsolicited invites and unusual links, and IRC clients have presented a set of security problems for unknowing users.


If you would like to comment on this article you must first

Bookmark and Share

Related Links