The bot family, which has been dubbed "YoyoDDoS" after the hostname of one of its initial command-and-control (C&C)servers, was first detected in March. To date, Arbor Networks hasprocessed more than 70 variants from the family and identified at least34 C&C servers, all but three of which are located in China.
DDoS attacks use large numbers of compromised PCs to flood a targeted website withtraffic with the goal of knocking it offline. Out of the 180 YoyoDDoSattacks that have been identified, 126 of them targeted IP addresses inChina, while 32 targeted victims in the United States, nine in SouthKorea, and five in Germany.
Several different online merchants have been targeted, including sites selling auto parts and cosmetics,Edwards said. Several gaming and gambling sites also were attacked,along with a website-hosting provider, a music forum and a personalblog..
“It is not targeted at a specific industry,” said Edwards, a former FBI special agent assigned to the Detroit CybercrimeSquad. “Its more like a general tool, and if somebody wants to take asite down for a certain reason, a lot of time they use this YoyoDDos.”
The attacks typically last between a few hours to two days, he added.Several sites have been attacked continuously for 24 to 48 hours.
Researchers at Arbor Networks said they do not know how many computers have beeninfected with the bot malware, but they believe there are at least threeor four independent YoyoDDoS botnets being controlled by independentoperators.
If this is the case, the code to create the bot malware may be circulating in the cybercrminal underground, Edwards said.
The bot malware, which Edwards said is not especially sophisticated, couldmake its way onto a user's PC via malicious links or attachments inemails. After instillation, the bot connects to the C&C server andreports back details about the victim host, including the make, modeland speed of the processor and the operating system service pack level.Additionally, every time an infected computer is started, the malwaremakes contact with the C&C server.
The bot family uses four different types of DDoS attacks – HTTP, UDP, SYN and ICMP – all ofwhich flood a victim with different types of traffic, Edwards said. Ifan attack is launched with a certain type of traffic, and the victim hasa firewall or another security device that blocks it, another attackmode can be used.
“I do know that it is being actively used based on the number of attacks we are logging,” Edwards said. “We arestill logging attacks and finding [bot malware] specimens we haven'tseen.”
