BlackEnergy competitor – The 'Darkness' DDoS bot

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

BlackEnergy competitor – The 'Darkness' DDoS bot
120px
Botnet Darkness, BlackEnergy
Malware Darkness (bot)
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2010 / 5 décembre 2010
Editor/Conference Shadowserver Foundation
Link http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205 (Archive copy)
Author André M. DiMino, Mila Parkour
Type

Abstract

Just recently, I began watching the activity of a new DDoS bot that has been quite active over the past few weeks targeting a fairly large variety of websites. What I also found interesting was that this is not the usual prolific BlackEnergy botnet, but a botnet called “Destination Darkness Outlaw System”(D.D.O.S), aka “Darkness”.

As with BlackEnergy, “Darkness” is easy to purchase, easy to deploy, and is very effective and efficient in what it does. This particular version of “Darkness” is using the domains greatfull-toolss.ru and greatfull.ru for its command and control (C&C). As we will discuss later, a third domain, hellcomeback.ru, was also utilized but is no longer available now. Since November 12 of this year, we have seen over 100 different hosts targeted by 'greatfull.ru'. Initially, the botnet's attacks seem localized and against various MU Online gaming sites, but eventually, it was seen targeting more high profile sites in the financial, insurance, cosmetics, clothing, accessories, and gifts industries.

Bibtex

 @misc{DiMino2010BFR837,
   editor = {Shadowserver Foundation},
   author = {André M. DiMino, Mila Parkour},
   title = {BlackEnergy competitor – The 'Darkness' DDoS bot},
   date = {Error: Invalid time.},
   month = Error: Invalid time.,
   year = {2010},
   howpublished = {\url{http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205}},
 }