Posted on Thursday, May 15th, 2008

Hitpop DDoS Bot - Analysis Available

by Jose Nazario

In the past couple of months we’ve been looking at a lot of DDoS bots, some for specific events like the CNN attacks and some for generic monitoring. This is a report we drafted about a specific bot, dubbed “Hitpop”, that emerged from China. It’s a basic HTTP bot that can do generic HTTP request flooding. Most of the targets are Chinese websites, often associated with online games like World of Warcraft. This bot did not appear to participate in the CNN attacks last month.

In March 2008, Arbor Networks began seeing a new distributed denial of service (DDoS) bot in the wild. This malcode uses an HTTP server to receive commands. The bot appears to be Chinese in origin and appears to target Chinese users. At present we are aware of 32 active command and control (C&C) servers, usually located in ChinaNet AS4134 or China169 AS4837. The analysis shared here remains incomplete, with a number of questions presented at the end of the document.

You can read the full report here: Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf [PDF], 9 pages.
