Tuesday, September 14, 2010

Damballa Discovers New Wide-Spread Global Botnet Offering ‘Commercial’ DDoS Services

(BUSINESS WIRE)--Damballa Inc., the company transforming the fight against cyber threats, today announced the discovery of a new botnet that offers pay-for-delivery Distributed Denial of Service (DDoS) attacks. The ‘IMDDOS’ Botnet, named after the commercial name on the botnet website, has grown to be one of the largest active global botnets in less than four months from initial testing. According to Damballa, the infected hosts used in the DDoS attacks have become unwitting participants in the botnet and are widespread. The vast majority of infected hosts are in China, with the United States being in the top 10 countries affected. Internet Service Providers (ISPs) worldwide were affected, including the majority of North American ISPs, and a number of major corporate networks are hosting bot agents for the IMDDOS Botnet.

The IMDDOS Botnet offers a commercial service for delivering DDoS attacks against any desired target. Hosted in China, the service is publicly available for lease to anyone willing to establish an online account, input the domain(s) they wish to attack, and pay for the service. Throughout Damballa's period of study, the botnet grew very quickly. Following testing by the criminal operators in April 2010, it reached a production peak of activity at 25,000 unique Recursive DNS (RDNS) lookups per hour attempting to resolve the botnet's command-and-control (CnC) servers. Damballa is currently working with ISPs and law enforcement officials to contain and nullify the threat.

A 16-page analysis of the discovery can be viewed at: www.damballa.com/IMDDOS. This analysis includes details of the technical infrastructure of the botnet and associated malware as well as an animated illustration of the IMDDOS Botnet’s global growth and impact from early testing stage to peak activity rendered in hourly increments.

A Denial of Service (DoS) attack is a technique used to overwhelm a website/domain in an effort to reduce its responsiveness or completely eliminate its ability to respond to new connection attempts. DoS attacks have historically been used to ‘take down’ political sites, abuse sites, commercial business websites and even military command centers as part of a coordinated targeted campaign.

A DDoS attack utilizes multiple PCs or servers to initiate a coordinated attack against a targeted system. The more assets involved in the attack, the larger the flood of requests and data that can be targeted at the victim. To create a very large army of assets that can launch DDoS attacks, botnets are used to rally and command unwitting victim machines into participating in the attacks.

“The commercial nature of this botnet and the rapid growth and ultimate size are what make this discovery interesting,” stated Gunter Ollmann, vice president of research for Damballa. “The public website hosting the DDoS service offering, with various ‘plans’ and attack options, speaks to the ease with which anyone can leverage criminal infrastructure. The malware used is simplistic, yet it was successful in spreading rapidly. And while it appears to be primarily a DDoS delivery platform, the size of the botnet reached impressive proportions, certainly large enough to wreak major havoc on any victim organization should it be pointed in the right direction.”

This discovery was made possible by a global array of Damballa sensors, which provide worldwide visibility into CnC activity, combined with statistical heuristics that explain and, most importantly, quickly detect the malicious nature of this botnet operation. Damballa tracks thousands of botnet operators and their growing cache of botnets every day. Each criminal botnet-building campaign is observed, analyzed, and automatically catalogued and categorized using an array of clustering and machine learning systems. As the criminal botnet operators attempt to grow the botnet, their investments in and modifications to their CnC hosting infrastructure are tracked and used as markers for eventual attribution. Damballa customers benefit from this advance knowledge of the threat: they are alerted to the presence of the malware and are able to terminate the CnC communications.

“Botnets are recognized by industry experts as being the delivery mechanism of choice for the vast majority of today’s cyber threats that plague corporate and ISP networks,” said Val Rahmani, CEO of Damballa. “Botnets and other cyber threats are attacking corporate networks and service providers at an alarmingly high rate and are causing security teams around the world to reevaluate their security investments. Damballa leads the security industry in delivering solutions that detect and terminate botnets and cyber threats, and our research and product teams are constantly innovating and bringing more powerful and automated weapons to the war against cybercrime.”
