Researchers at Damballa Inc. have discovered a new botnet that offered distributed denial of service (DDoS) attacks to anyone willing to pay a fee for the service.
The IMDDOS botnet, named after the commercial name on the botnet's website, grew into one of the largest active global botnets in less than four months. Using tens of thousands of malware-infected zombie machines, the botnet was strong enough to flood targeted domains with unwanted traffic, crippling them or taking them offline. The researchers identified infected domains in a large number of North American ISPs and in a number of major corporate networks, according to Damballa, an Atlanta-based security vendor focusing on botnet detection.
The cybercriminals behind the botnet offered a commercial service for delivering DDoS attacks against any desired target. The service was a complete business operation with a sales team and customer support. It required users to establish an online account and then identify the domains they wished to attack, and it offered a choice of attack options and various ways a target could be attacked over time.
Christopher Elisan, a senior research analyst at Damballa, said that nearly all North American ISPs were unaware they were hosting infected domains for the botnet, and that they have since either isolated those domains or taken them offline. However, two servers based in China remain in operation, he said.
"The majority of domains were in North America and we believe at this point they have been contained," Elisan said. "There were two domains in China that will be much more difficult to contain or bring down."
Security teams and ISPs have had a difficult time shutting down botnets because they often have back-up command and control servers and can slowly regenerate over time. For example, researchers recently crippled the Pushdo/Cutwail botnet, but new research found the botnet regaining its strength.
Elisan said his team would continue to monitor the IMDDOS botnet. It propagated by spreading malware through file-sharing sites. Botnets used for DDoS are typically part of a larger botnet that has other purposes, such as keylogging, credential stealing, or putting up fake iFrames for banking websites. In some cases DDoS-specific botnets are opt-in botnets, in which the participants voluntarily install a program on their PCs because they want to target a website whose views they oppose.
"With IMDDOS, the controllers of the CnC are the customers of the service and do not control the target. They have to coordinate with the owner of the IMDDOS service," Elisan said.
According to a report detailing Damballa's analysis of IMDDOS, those running the botnet tested it in April, when it reached a production peak of activity with 25,000 unique recursive DNS lookups per hour attempting to resolve to the botnet's command and control servers.
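The activity figure quoted above is a resolver-side measurement: how many distinct lookups per hour try to resolve the botnet's command-and-control names. The following added example (not from the article and not Damballa's tooling) shows how a defender can compute the same kind of metric from recursive DNS logs. The log format, the `.invalid` placeholder domains and the sample lines are all constructed for illustration; a real deployment would take the watchlist from threat intelligence and the logs from the resolver.

```python
"""Count unique recursive DNS lookups per hour for known botnet C&C domains.

Added example, not from the article or from Damballa. The resolver log
format, the watchlist entries and the log lines are all constructed here;
the domains are .invalid placeholders, not real IMDDOS infrastructure.
"""
from collections import defaultdict
from datetime import datetime

# Constructed watchlist of C&C names; in practice fed by threat intelligence.
CNC_DOMAINS = {"cnc-one.example.invalid", "cnc-two.example.invalid"}

# Constructed resolver log lines: "<ISO timestamp> <client ip> <qname>"
SAMPLE_LOG = """\
2010-04-10T13:00:05 10.0.0.1 www.example.org
2010-04-10T13:00:12 10.0.0.2 cnc-one.example.invalid
2010-04-10T13:05:40 10.0.0.3 cnc-one.example.invalid
2010-04-10T13:07:01 10.0.0.2 cnc-one.example.invalid
2010-04-10T13:30:22 10.0.0.4 cnc-two.example.invalid
2010-04-10T14:02:00 10.0.0.5 cnc-two.example.invalid
2010-04-10T14:10:33 10.0.0.5 www.example.org
"""


def parse_line(line):
    """Split one log line into (hour bucket, client, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    # Normalise the query name so case and a trailing dot do not defeat the match.
    return ts.strftime("%Y-%m-%dT%H"), parts[1], parts[2].lower().rstrip(".")


def cnc_lookups_per_hour(log_text, watchlist=CNC_DOMAINS):
    """Map hour bucket -> number of unique (client, C&C domain) lookups.

    Counting unique (client, domain) pairs rather than raw queries keeps one
    chatty host from inflating the figure; repeated queries from the same
    client for the same name count once per hour.
    """
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        hour, client, qname = rec
        if qname in watchlist:
            buckets[hour].add((client, qname))
    return {hour: len(pairs) for hour, pairs in buckets.items()}


def hours_over_threshold(counts, threshold):
    """Return hour buckets whose unique C&C lookup count meets the threshold."""
    return sorted(hour for hour, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = cnc_lookups_per_hour(SAMPLE_LOG)
    for hour in sorted(counts):
        print(hour, counts[hour])
    print("alert hours:", hours_over_threshold(counts, 2))
```

On the constructed sample, the 13:00 hour yields three unique lookups (client 10.0.0.2 is counted once despite querying twice) and the 14:00 hour one, so a threshold of two flags only the first hour. The threshold for a real resolver would be set from a baseline of normal traffic; the point of the per-hour unique count is that it tracks how many distinct hosts are trying to reach the C&C, which is the same quantity the report's 25,000-per-hour peak describes.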
The botnet's infrastructure is not innovative and uses well-established techniques to infect machines and target domains. Its ability to grow quickly proved that well-constructed social engineering campaigns can escalate infection rates dramatically, according to the report.