Researchers over at Arbor Networks found a Skunkx botnet based in the United States that can perform distributed denial-of-service attacks while detecting and stopping competing DDoS clients on the host.
A distributed denial-of-service botnet has been found in the United
States, but not much information is
available about it.
Lately, every active botnet used in DDoS attacks seems to originate from
China, but there appears to be at least one from the United States, said Jose Nazario of Arbor
Networks' Security Engineering and Response Team
other than its origin, Arbor researchers have learned precious little about the
botnet they've taken to calling "Skunkx."
Arbor's team has yet to see the bot's attacks in the wild, so its favored
victim profiles are still unknown, said Nazario. The researchers do not know
the botnet's size, and have not seen the source code or the control panel, he
The Arbor researchers have learned how Skunkx propagates itself, its attack
capabilities and its defenses. The botnet can perform DDoS attacks by
flooding UDP, SYN and HTTP packets as well as using Slowloris, Nazario said.
The botnet infection has several methods of infection, including USB
devices, Microsoft's MSN service, Yahoo's
Messenger instant messaging service and as a torrent file. Once a system has
been infected, the botnet downloads and install itself onto the computer. It
updates itself with the latest instructions from a remote command and control
server and scans the host computer to detect what applications are installed.
It also randomly removes arbitrary programs, Nazario said.
The bot can detect if tools such as Commview, TCPView and Wireshark are
installed on the system. These tools allow the user to examine and analyze
packets and network traffic. Skunkx also detects virtualization platforms such
as QEMU for Linux, VMware for Windows and VirtualPC for the Mac OS X. And it
can steal log-in credentials that Mozilla applications store in a SQLite
database, according to Nazario.
Skunkx can detect and identify competing DDoS tools already resident on the
host system, including DDoSeR, Blackshades Remote Administration Tool (RAT) and
any MeTuS or IRC bots that may be running on the box, Nazario said. DDoSeR is a
botnet client that provides a front-end interface for launching DDoS attacks
using multi-socket UDP floods. MeTuS bots are easily created using host booster
kits available online and also involved in DDoS attacks. They also have some
encryption capabilities. Blackshades let remote attackers view the desktop or
use the Webcam on the host machine. If Skunkx finds any of these running, it
stops them, Nazario said.
Skunkx can "speak DDoSeR," Nazario said, as the bot can
communicate with the popular client.
Based on its ability to stop competing bots, it's clear that Skunkx's author
put in some effort to subvert zombies from other bots for its own use.
The hostnames Arobr SERT uncovered indicate the bot creator is someone "familiar"
with underground hosting as the servers appear to go back to Ukraine and
Malaysia as well as working alone, Nazario said. The SERT researchers have not
yet seen the kit openly available.
Arbor is working with the registrar to shut down the attacker's domain name,
Arbor inspected the captured bots and found that they were using a handful
of user-agents and all the HTTP headers were distinctive, meaning network
administrators would be able to selectively detect this botnet's traffic,
Nazario said. This would allow administrators to shut down the botnet's
activity by filtering out the appropriate HTTP headers.
The SERT team has also been "sinkholing" or redirecting IP traffic
for the botnet, with hundreds of bots checking in from around the world,
according to Nazario. Most of them were in the United
States, clustered mainly on the East Coast
and the area east of the Mississippi River, Nazario said.
Arbor is working with individual Internet service providers to identify and
clean up infected systems, he said.