
Chinese botnets target US sites


Basic but dangerous: This was how Chinese Distributed Denial of Service (DDoS) bots were profiled at the annual "Virus Bulletin" anti-malware conference in Barcelona. Kaspersky Lab expert Kurt Baumgartner said the issue was tackled amid the increasing occurrence of the Chinese bots, which experts said are targeting US sites.

"What makes the Chinese DDoS attack engines unique is that each bot will typically maintain a very large set of DDoS attack capabilities. Winsock2-based HTTP flood capabilities were the most common and are used to take down web sites, followed by UDP, TCP and ICMP flood capabilities," he said in a blog post.

Of the 10 most common attack types, "slow HTTP" attacks, which are commonly present in Russian, American and European DDoS bots, were noticeably absent, he added. A "typical" Chinese DDoS bot such as darkshell is capable of a rudimentary and simple level of network traffic obfuscation, "but it's as sophisticated as it gets for these families."

He said Arbor Networks' Jeff Edwards described the "typical" CN-DDoS bot as written in C/C++, and sees no Delphi, VB or C#-based Chinese DDoS bots. "They maintain no advanced hiding mechanisms and there are probably going to be really bad typos in service names or strings in the bots. The bots use a very basic installation as a Windows service; some use HTTP, most use raw TCP connections to their command and control (CnC) servers residing at 3322.org or 8866.org domains at free dynamic DNS providers," Baumgartner wrote.

Surprisingly, he said, they usually attack a single victim at a time, unlike European, US or Russian DDoS botnets. The victim usually hosts Chinese content, and attacks usually last two hours, he said. Next in line as Chinese DDoS victims are US sites, which receive about a quarter of the attacks. "Most of these sites host some form of Chinese content, whether it's gaming or music sites," he said.
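The profile above gives a defender one concrete, low-cost lead: the bots hold raw TCP sessions to CnC servers under free dynamic DNS zones, and the article names two of them. The script below is an added example (not from the article, Kaspersky Lab or Arbor Networks) that sweeps a connection log for destinations under those zones. The log line format, the IP addresses and the hostnames in SAMPLE_LOG are constructed for illustration; only the two zone names come from the article. It matches on DNS labels rather than substrings, so a lookalike such as `not3322.org` is not flagged.

```python
"""Flag outbound connections to hosts under free dynamic-DNS zones.

Added example, not from the article or any vendor tool. The two zones
below are the ones named in the article; the log line format, the IPs and
the hostnames in SAMPLE_LOG are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Dynamic-DNS zones the article names as hosting the bots' CnC servers.
# Treat this as a tuning list: legitimate hosts use these providers too,
# so a hit is a lead to triage, not a verdict.
DYNAMIC_DNS_ZONES = frozenset({"3322.org", "8866.org"})


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst_host: str
    dst_port: int
    proto: str


def parse_line(line: str) -> Optional[Conn]:
    """Parse one constructed log line: '<ts> <src_ip> -> <host>:<port> <proto>'.

    Returns None for lines that do not fit, so a malformed line is skipped
    instead of aborting the sweep.
    """
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    host, sep, port = parts[3].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return Conn(parts[0], parts[1], host, int(port), parts[4].lower())


def in_zone(host: str, zones=DYNAMIC_DNS_ZONES) -> bool:
    """True if host equals a watched zone or is a subdomain of one.

    Compares whole DNS labels, not substrings: 'not3322.org' and
    'x.3322.org.example.com' must not match.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def flag_dyndns_connections(lines, zones=DYNAMIC_DNS_ZONES):
    """Return the parsed connections whose destination sits under a watched zone."""
    return [c for c in map(parse_line, lines) if c and in_zone(c.dst_host, zones)]


def summarize(hits):
    """Per source IP: (hit count, sorted distinct destination hosts).

    Repeated connections from one internal host to one dynamic-DNS name is
    the shape the article describes: a bot holding a raw TCP session to CnC.
    """
    counts = defaultdict(int)
    hosts = defaultdict(set)
    for c in hits:
        counts[c.src] += 1
        hosts[c.src].add(c.dst_host)
    return {src: (counts[src], sorted(hosts[src])) for src in counts}


# Constructed sample: timestamps, IPs and hostnames are made up.
SAMPLE_LOG = """\
2011-10-07T09:12:01Z 10.0.0.15 -> update.example.com:443 tcp
2011-10-07T09:12:03Z 10.0.0.15 -> host-a.3322.org:8080 tcp
2011-10-07T09:12:04Z 10.0.0.15 -> host-a.3322.org:8080 tcp
2011-10-07T09:13:10Z 10.0.0.22 -> cdn.example.net:80 tcp
2011-10-07T09:13:11Z 10.0.0.22 -> host-b.8866.org:80 http
2011-10-07T09:14:00Z 10.0.0.31 -> not3322.org:80 tcp
2011-10-07T09:14:05Z 10.0.0.31 -> x.3322.org.example.com:80 tcp
this line is malformed
"""

if __name__ == "__main__":
    report = summarize(flag_dyndns_connections(SAMPLE_LOG.splitlines()))
    for src, (n, dsts) in report.items():
        print(f"{src}: {n} connection(s) to {', '.join(dsts)}")
```

On the constructed sample this reports two internal hosts, one with a repeated session to a `3322.org` name and one with a single HTTP connection to an `8866.org` name, while the two lookalike destinations and the malformed line are ignored. In practice the zone list is the part to maintain, and the same label-wise match applies to DNS query logs just as well as to connection logs.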
He also noted that yoyoddos is the most active of the DDoS families, holding first place for sustaining the longest attack against a site. The yoyoddos family launched one attack that ran for 45 days straight, and it consistently attacks Chinese manufacturers of industrial food processing equipment, he said. "But Chinese web sites are not the only recipients of the DDoS attacks. jkddos tends to go after large, very prominent, financial and investment companies. On 6 different occasions the family was used to DDoS a very large and prominent NYC commercial real estate holding company, and its longest attack was 33 hours," he said. "It's a new and somewhat unexpected area of bad online behavior," he added. — TJD, GMA News