What Chinese DDoS malware looks like

While at that same Virus Bulletin conference that I was talking about earlier in my other post, I also had the chance to check out a session on Chinese DDoS malware put on by some folks from Arbor Networks.  As little insight as I have into Android malware, I know even less about Chinese DDoS malware.

So what’s Chinese DDoS malware like?  What are its characteristics?

Well, to begin with, the session presenters looked at command-and-control centers that were hosted within Chinese IP space (a pretty good indicator that it was built and controlled in China) that were used to execute DDoS attacks.  Of these, there were approximately 40 different families.  But these families were not very sophisticated: they used little or weak encryption and used little stealthiness.

The typical Chinese malware family:

  • Is written in C++ and is easy to reverse engineer and analyze.  This contrasts it to malware in Eastern Europe like Cutwail or Waledac that is packed or signed.

  • It installs as a Windows service, and sometimes it contains a typo (e.g., WindoowsController).
  • It phones home via a raw TCP socket which is unusual in how simple it is.  It doesn’t go through some weird port (like 51-a) or through IRC.
  • The domains frequently use some numerical domain controller like 3322.org, or some variant of that.
  • They attack for a couple of hours and usually go after one target at a time.  It is usually against a site with Chinese content.

In terms of the way they attack, I’m kind of out of my element here, but each bot has lots of different DDoS attacks, but the one that they don’t use is slow http.  The most frequent tactic is http flood.  If you don’t know the intricate details of those types of attacks, well… I don’t either.  But I wrote them down anyhow because they sounded important.

The targets are usually Chinese sites, although they hosted in 24 countries (i.e., Taiwan, Hong Kong, or the United States).  Of these countries, #1 was China with 64%, #2 was the United States with 27%.  The types of targets are not always political.  Some target music sites, some target gaming sites and others target online forums.  One attacked a Chinese manufacturer of food processing equipment, another attacked a gold mining and investment firm.

Yet amongst all of this came some reassurance.  These malware authors are a lot like animators on the Simpsons – they re-use a lot of code and there is sloppiness everywhere.  Typos get ported across families, bugs do too, and so do techniques.  They are not like Conficker with tons of encryption but instead are quick-and-dirty applications (in comparison) that are designed to do the job.  It’s kind of like how some magicians (like me) will resort to complex sleight-of-hand to control your card selection which requires hours of practice to get down, and other magicians (like me) that simply use a trick deck.

I walked away from this session informed, and also feeling better that we’re not in over our heads here.

Not yet.

Comments (1)

  1. Think Again says:

    Consider the possibility there are multiple levels of malware, multiple groups. China != 1 type of malware. Anyone who thinks so is making an error…

Skip to main content