Arbor Networks at Virus Bulletin 2011
Arbor’s ASERT team has a paper at this year’s Virus Bulletin conference in Barcelona, Spain. The paper, by Arbor’s Jeff Edwards and Jose Nazario, is titled A survey of Chinese DDoS malware and is based on some of the detailed analysis we did as part of the development of the ATLAS intelligence feed or AIF. Our malware stream contains a lot of DDoS bots, many from China, one of the more interesting ecosystems of malware development.
The abstract follows:
This paper surveys the diverse landscape of Trojan horse families populating a specific niche in the overall malware ecosystem: botnets that primarily serve as Distributed Denial of Service (DDoS) attack agents and which are believed to be of Chinese origin and/or to be primarily controlled from Chinese IP space.
Approximately two dozen distinct malware families will be described and documented, including the Rincux, NetBot Attacker, IMDDOS, Darkshell and YoyoDDoS families. These families will be characterized in terms of their command and control (CnC) protocols, DDoS attack capabilities, general code architecture, organization of their CnC infrastructure, and preferred targets.
Findings regarding the evolution and sharing/cross-pollination of malcode, as well as the build/release frequency of new versions will be presented. An approximate taxonomy of this particular space of malware will be proposed. The bulk malware analysis infrastructure that was used to obtain these findings will also be briefly described.
The paper is quite in-depth and contains a lot of technical details not covered in the talk, so be sure to refer to the paper if the talk is at all interesting.