Arbor Networks Researchers Find U.S.-Based DDoS Botnet

Researchers over at Arbor Networks found a Skunkx botnet based in the United States that can perform distributed denial-of-service attacks while detecting and stopping competing DDoS clients on the host.

A distributed denial-of-service botnet has been found in the United States, but not much information is available about it.

Lately, every active botnet used in DDoS attacks seems to originate from China, but there appears to be at least one from the United States, said Jose Nazario of Arbor Networks' Security Engineering and Response Team (SERT). However, other than its origin, Arbor researchers have learned precious little about the botnet they've taken to calling "Skunkx."

Arbor's team has yet to see the bot's attacks in the wild, so its favored victim profiles are still unknown, said Nazario. The researchers do not know the botnet's size, and have not seen the source code or the control panel, he said.

The Arbor researchers have learned how Skunkx propagates itself, its attack capabilities and its defenses. The botnet can perform DDoS attacks by flooding UDP, SYN and HTTP packets as well as using Slowloris, Nazario said.

The botnet infection has several methods of infection, including USB devices, Microsoft's MSN service, Yahoo's Messenger instant messaging service and as a torrent file. Once a system has been infected, the botnet downloads and install itself onto the computer. It updates itself with the latest instructions from a remote command and control server and scans the host computer to detect what applications are installed. It also randomly removes arbitrary programs, Nazario said.

The bot can detect if tools such as Commview, TCPView and Wireshark are installed on the system. These tools allow the user to examine and analyze packets and network traffic. Skunkx also detects virtualization platforms such as QEMU for Linux, VMware for Windows and VirtualPC for the Mac OS X. And it can steal log-in credentials that Mozilla applications store in a SQLite database, according to Nazario.

Skunkx can detect and identify competing DDoS tools already resident on the host system, including DDoSeR, Blackshades Remote Administration Tool (RAT) and any MeTuS or IRC bots that may be running on the box, Nazario said. DDoSeR is a botnet client that provides a front-end interface for launching DDoS attacks using multi-socket UDP floods. MeTuS bots are easily created using host booster kits available online and also involved in DDoS attacks. They also have some encryption capabilities. Blackshades let remote attackers view the desktop or use the Webcam on the host machine. If Skunkx finds any of these running, it stops them, Nazario said.

Skunkx can "speak DDoSeR," Nazario said, as the bot can communicate with the popular client.

Based on its ability to stop competing bots, it's clear that Skunkx's author put in some effort to subvert zombies from other bots for its own use.

The hostnames Arobr SERT uncovered indicate the bot creator is someone "familiar" with underground hosting as the servers appear to go back to Ukraine and Malaysia as well as working alone, Nazario said. The SERT researchers have not yet seen the kit openly available.

Arbor is working with the registrar to shut down the attacker's domain name, Nazario said.

Arbor inspected the captured bots and found that they were using a handful of user-agents and all the HTTP headers were distinctive, meaning network administrators would be able to selectively detect this botnet's traffic, Nazario said. This would allow administrators to shut down the botnet's activity by filtering out the appropriate HTTP headers.

The SERT team has also been "sinkholing" or redirecting IP traffic for the botnet, with hundreds of bots checking in from around the world, according to Nazario. Most of them were in the United States, clustered mainly on the East Coast and the area east of the Mississippi River, Nazario said.

Arbor is working with individual Internet service providers to identify and clean up infected systems, he said.