A survey of Chinese DDoS malware presented at Virus Bulletin 2011

by Jeff Edwards (Arbor Networks)

URL: http://www.virusbtn.com/conference/vb2011/abstracts/EdwardsNazario.xml

Summary: This paper surveys the diverse landscape of Trojan horse families populating a specific niche in the overall malware ecosystem: botnets that primarily serve as Distributed Denial of Service (DDoS) attack agents and which are believed to be of Chinese origin and/or to be primarily controlled from Chinese IP space. Approximately two dozen distinct malware families will be described and documented, including the Rincux, NetBot Attacker, IMDDOS, Darkshell and YoyoDDoS families. These families will be characterized in terms of their command and control (CnC) protocols, DDoS attack capabilities, general code architecture, organization of their CnC infrastructure, and preferred targets. Findings regarding the evolution and sharing/cross-pollination of malcode, as well as the build/release frequency of new versions, will be presented. An approximate taxonomy of this particular space of malware will be proposed. The bulk malware analysis infrastructure that was used to obtain these findings will also be briefly described.