On March 20, 2010, a criminal organization registered a series of malicious domains, signaling the birth of a new botnet: one designed to offer a commercial service for delivering Distributed Denial of Service (DDoS) attacks against any desired target. This publicly available service, hosted in China, is available for lease to anyone willing to establish an online account, enter the domain(s) they wish to attack, and pay for the service.
The website promoting this service is called “IM DDOS”, elsewhere referred to as “I’M DDOS”.
Damballa announced the discovery of this new botnet on September 13, 2010, and has named it the IMDDOS Botnet.
For the complete report on the IMDDOS Botnet, click to download.
A Distributed Denial of Service (DDoS) attack utilizes multiple PCs or servers to initiate a coordinated attack against a targeted system. To create a very large army of assets that can launch these DDoS attacks, botnets are used to rally and command unwitting victim machines into participating in the attacks. The criminals establish the botnet by using malicious software (malware) to infect victim machines (hosts). The infected hosts are rallied and then instructed to launch a coordinated DDoS attack against the victim of choice. In this manner, thousands or tens of thousands of unwitting hosts can simultaneously flood a list of targeted systems, rendering even the most robust websites or web applications unable to respond to legitimate customer requests.
The risk to enterprise networks is that the enterprise is unwittingly participating in attacks on unknown victims, and that malware capable of a variety of criminal attacks has penetrated the enterprise. For ISPs and their customers, it represents a tremendous drain on network and computing resources, which can result in poor network performance and significant loss of otherwise revenue-generating bandwidth.
The newly discovered IMDDOS Botnet is a commercial DDoS service, and it grew large very quickly. Testing began in April 2010, and by the second week of August 2010 the botnet had reached peak production activity of 25,000 unique recursive DNS lookups per hour to its command-and-control (CnC) servers.
This paper details the growth of the IMDDOS Botnet, the commercial aspects of its operation, the technical components of the botnet infrastructure, how it was discovered, and what is currently being done to disrupt its operation.
[Chart: growth of the IMDDOS Botnet, April 2010 to September 2010]
Damballa is the leading authority on botnets, bot malware, botnet construction and their criminal operation. Damballa has a globe-spanning array of sensors, including deployments with Internet Service Providers that monitor CnC activity and malicious DNS traffic.
Damballa tracks thousands of botnet operators and their growing cache of botnets every day. Each criminal botnet building campaign is observed, analyzed, catalogued and categorized automatically using a sophisticated array of clustering and machine learning systems. As the criminal botnet operators attempt to grow the botnet, their investments and modifications to their CnC hosting infrastructure are tracked and used as markers for eventual attribution.
This discovery was made possible by this array of Damballa DNS sensors, which provides worldwide visibility into CnC activity, combined with an understanding and quantification of the statistical heuristics that could explain the malicious nature of this botnet operation and, most importantly, detect it early.
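The metric the post cites (unique recursive DNS lookups per hour to the CnC domains) and the early-detection heuristic it alludes to can be illustrated with a small script. The following is an added example, not Damballa's code and not IMDDOS sensor data: it counts, per queried name and per hour, how many distinct recursive resolvers asked for that name, then flags names whose hourly count at least doubles for three consecutive hours. The log format, the resolver addresses and the domain names (including `cnc-placeholder.example`) are constructed for the example.

```python
"""Hourly unique-lookup counting over DNS query logs, as a toy version of the
"unique recursive lookups per hour" metric. Added example; not Damballa's code."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format, not real sensor data):
# "<ISO-8601 timestamp> <recursive resolver IP> <queried name>"
SAMPLE_LOG = """\
2010-08-09T10:05:12Z 10.0.0.1 www.example.com
2010-08-09T10:07:40Z 10.0.0.2 www.example.com
2010-08-09T10:09:03Z 10.0.0.1 cnc-placeholder.example
2010-08-09T11:01:55Z 10.0.0.3 cnc-placeholder.example
2010-08-09T11:02:10Z 10.0.0.4 cnc-placeholder.example
2010-08-09T11:05:30Z 10.0.0.3 cnc-placeholder.example
2010-08-09T11:20:00Z 10.0.0.2 www.example.com
2010-08-09T12:00:01Z 10.0.0.5 cnc-placeholder.example
2010-08-09T12:00:09Z 10.0.0.6 cnc-placeholder.example
2010-08-09T12:00:17Z 10.0.0.7 cnc-placeholder.example
2010-08-09T12:00:25Z 10.0.0.8 cnc-placeholder.example
2010-08-09T12:30:00Z 10.0.0.1 www.example.com
"""


def parse_line(line):
    """Split one log line into (hour bucket, resolver IP, normalized qname)."""
    ts, resolver, qname = line.split()
    hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(minute=0, second=0)
    return hour, resolver, qname.lower().rstrip(".")


def hourly_unique_lookups(log_text):
    """Return {qname: [(hour, number of distinct resolvers), ...]} sorted by hour.

    Counting distinct resolvers rather than raw queries damps out a single
    misbehaving host that re-queries the same name thousands of times.
    """
    seen = defaultdict(lambda: defaultdict(set))  # qname -> hour -> resolvers
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hour, resolver, qname = parse_line(line)
        seen[qname][hour].add(resolver)
    return {q: [(h, len(seen[q][h])) for h in sorted(seen[q])] for q in seen}


def flag_rapid_growth(series, min_hours=3, growth=2.0):
    """Flag names whose unique-resolver count rises by at least `growth` x
    for `min_hours` consecutive hours (gaps in the hourly series break the run).
    Thresholds are illustrative, not values from the report."""
    flagged = []
    for qname, points in series.items():
        run, best = 1, 1
        for (prev_h, prev_c), (h, c) in zip(points, points[1:]):
            if (h - prev_h).total_seconds() == 3600 and c >= growth * prev_c:
                run += 1
                best = max(best, run)
            else:
                run = 1
        if best >= min_hours:
            flagged.append(qname)
    return sorted(flagged)


if __name__ == "__main__":
    series = hourly_unique_lookups(SAMPLE_LOG)
    for name, points in series.items():
        print(name, [(h.strftime("%H:00"), c) for h, c in points])
    print("suspicious growth:", flag_rapid_growth(series))
```

On the constructed log the placeholder CnC name goes 1, 2, 4 distinct resolvers across three consecutive hours and is flagged, while `www.example.com` is not. A growth spike on its own is not evidence of a botnet (a product launch or a new CDN hostname produces the same curve), which is why the post stresses correlating DNS behaviour with sensor data from many vantage points and with the malware seen on infected hosts before attributing a name to a CnC.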
Damballa detects and terminates command-and-control communication that advanced malware and bots use to send and receive information once they infect the endpoint. By listening at strategic points in your network, Damballa can determine which endpoints in the enterprise are breached and can terminate the command-and-control communication, eliminating the threat.
To see if your network has been breached by botnets, malware or other advanced threats, sign up for a Damballa audit today.