[nsp-sec] New Chinese DDoS Bot Family - BFDDOS Bot
jose nazario
jose at arbor.net
Thu Jul 3 10:35:53 EDT 2008
On 7/2/08 9:46 AM, "jose nazario" <jose at arbor.net> wrote:
> Similar to my message from May 8, 2008 to this list - Subject New (?) Chinese
> DDoS bot ... - I think I've found another new Chinese DDoS bot family. This
> one appears to like to call itself BFDDOS.
[snip]
Deeper analysis indicates that BFDDOS is related to Rincux, a known
Chinese-language DDoS bot. BFDDOS appears to have a few more commands, a
slightly different vocabulary, and some additional components.
Rincux uses the same nonce/number scheme as does BFDDOS and "powerbot": it
sends up VERSION:2|256|<processor information> to get commands. Its command
vocabulary appears to be:
COMSPEC
REMOVE
DOWNLOAD:
STOPATTACK
FLOOD:
GET:
Slightly different from BFDDOS. No dropped DLL and no rootkit, it seems.
I suspect that the source for all of these is floating around, if someone
wants to help.
So far the DDoS activity I'm seeing here is minimal and only against minor
AS4134 targets (same for powerbot).
-- jose
-------------------------------------------------------------
jose nazario, ph.d. <jose at arbor.net>
security researcher, office of the CTO
Arbor Networks
v: (734) 821 1427
PGP: 0x40A7BF94
www.arbornetworks.com
-------------------------------------------------------------
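The check-in string and command vocabulary quoted above are enough to write a small detector for this family's control traffic. The following is an added example, not code from the post or from Arbor; it assumes the three pipe-separated beacon fields are version, number and processor information in that order (the post only shows the literal `VERSION:2|256|<processor information>` and calls it a nonce/number scheme), that commands ending in a colon carry an argument after the colon, and that each message arrives as one line. The sample session and the FLOOD argument format are constructed, and all function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Check-in beacon quoted in the post: VERSION:2|256|<processor information>
# Field roles (version, number, cpu_info) are an assumption made here.
BEACON_RE = re.compile(r"^VERSION:(\d+)\|(\d+)\|(.*)$")

# Command vocabulary listed in the post. A trailing ':' is taken to mean
# the command carries an argument (assumption).
COMMANDS = ("COMSPEC", "REMOVE", "DOWNLOAD:", "STOPATTACK", "FLOOD:", "GET:")


@dataclass
class Beacon:
    version: str
    number: str
    cpu_info: str


@dataclass
class Command:
    name: str
    argument: Optional[str]


def parse_beacon(line: str) -> Optional[Beacon]:
    """Return a Beacon if the line matches the VERSION check-in format, else None."""
    m = BEACON_RE.match(line.strip())
    if not m:
        return None
    version, number, cpu_info = m.groups()
    return Beacon(version, number, cpu_info)


def parse_command(line: str) -> Optional[Command]:
    """Return a Command if the line is one of the known control words, else None."""
    s = line.strip()
    for cmd in COMMANDS:
        if cmd.endswith(":"):
            # Argument-bearing command: everything after the colon is the argument.
            if s.startswith(cmd):
                return Command(cmd[:-1], s[len(cmd):])
        elif s == cmd:
            return Command(cmd, None)
    return None


def classify_session(lines: List[str]) -> dict:
    """Walk one message per line and summarise beacons and commands seen.

    A session is flagged 'suspicious' only when a check-in beacon is followed
    by at least one recognised command, which cuts false positives from a
    stray COMSPEC or GET: string in unrelated traffic.
    """
    beacons: List[Beacon] = []
    commands: List[Command] = []
    for ln in lines:
        b = parse_beacon(ln)
        if b is not None:
            beacons.append(b)
            continue
        c = parse_command(ln)
        if c is not None:
            commands.append(c)
    flood_count = sum(1 for c in commands if c.name == "FLOOD")
    return {
        "beacons": beacons,
        "commands": commands,
        "flood_commands": flood_count,
        "suspicious": bool(beacons) and bool(commands),
    }


# Constructed sample session, not captured traffic. 203.0.113.5 is a
# documentation (TEST-NET-3) address and the FLOOD argument layout is invented.
SAMPLE_SESSION = [
    "VERSION:2|256|Intel(R) Pentium(R) 4 CPU 3.00GHz",
    "COMSPEC",
    "FLOOD:203.0.113.5:80",
    "STOPATTACK",
    "HELLO there",  # unrelated line, should be ignored
]

if __name__ == "__main__":
    result = classify_session(SAMPLE_SESSION)
    print("beacons:", result["beacons"])
    print("commands:", result["commands"])
    print("flood commands:", result["flood_commands"], "suspicious:", result["suspicious"])
```

Fed a real capture, the same functions can be pointed at reassembled TCP payloads; the beacon regex is deliberately anchored and the command match is exact, so a sensor rule built from it keys on the `VERSION:` prefix plus the pipe layout rather than on a single keyword.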