2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf

Chinese Chicken: Multiplatform DDoS botnets

Peter Kálnai @pkalnai
Jaromír Hořejší @JaromirHorejsi
Dec 3rd – Dec 5th 2014, Nancy, France

Outline
• Timeline (+References)
• Binaries, common characteristics
• Advertisements
• Infection vector
• Flooding tools/Trojans:
  • Elknot Bill Gates
  • Mr. Black
  • IptabLes/IptabLex
  • XOR.DDoS
  • gh0st RAT
• Statistics and victim preference
• Summary

Timeline (+ References)
• (Edwards, Nazario (ArborNetworks): “A Survey of Contemporary Chinese DDoS Malware”, VB2011, Barcelona)
• First builder of Linux flooding bot received at our backend in November 2013
• Secure Honey honeypot: “Trojan Horse Uploaded”, November 2013
• MalwareMustDie!: “Lets be more serious about (mitigating) DNS Amp ELF hack attack”, December 2013 (Linux:Elknot)
• Sempersecurus: “Another look at a cross-platform DDoS botnet”, Dec 2014
• ValdikSS: “Исследуем Linux Botnet «BillGates»”, February 2014
• Associating Elknot name with previous research, March 2014
• Dr. Web: “DDoS Trojans attack Linux”, May 2014 (+Linux:MrBlack)
• Kaspersky: “Versatile DDoS Trojan for Linux”, July 2014
• Kaspersky: “elasticsearch Abuse on Amazon Cloud and More for DDoS and Profit”, July 2014 (Infection chain)
• Prolexic (Akamai): “IptabLes/IptabLex DDoS Bots”, September 2014
• MMD!: “Tango down report of OP China ELF DDoSer”, September 2014
• MMD!: “MMD-0026-2014 - Router Malware Warning | Reversing an ARM arch ELF AES.DDoS”, September 2014 (UPX-packed ELF:MrBlack)
• Prolexic (Akamai): “Spike DDoS Toolkit”, October 2014 (ELF:MrBlack)
• ESET: “G20 2014 Summit Lure used to target Tibetan activists”, November 2014 (Windows gh0st RAT)
• MMD!: “China ELF botnet malware infection distribution scheme unleashed”, November 2014

Infection chain
• Attackers
  • build ELF malware using a customized builder
  • start HTTP File Server (HFS) to host the previously built malicious binaries
  • run port scanners on
