Another family of DDoS bots: Avzhan


Botnet: Avzhan
Botnet/malware group: 
Exploit kits: 
Distribution vector: 
Operation/Working group: 
Date: 2010-09-22 (year: 2010)
Editor/Conference: Arbor Networks
Link: (Archive copy)
Author: Jeff Edwards
Type: Blogpost


Earlier this month, security researchers at Damballa published their findings regarding a new commercial DDoS service called IMDDOS. In addition to observing a number of samples of IMDDOS bots in our malware analysis sandboxes, we have also seen a significant number of samples recently from a new DDoS family which appears to be closely related to IMDDOS; we have been referring to this new malware family as “Avzhan” based on the host names of some of the initial malware distribution servers. The IMDDOS and Avzhan families appear to have significant similarities in terms of their installation mechanisms, their DDoS attack engines, and certain aspects of their bot-to-CnC communications. Both families tend to be controlled from Chinese IP space.

Malcode Properties

The Avzhan malware is distributed in the form of a small executable that is most commonly 45,056 bytes in size; we have also seen slightly larger samples (e.g. 45,568 or 46,080 bytes).
