Saturday, June 18, 2011

Darkshell: a DDoS botnet targeting industry

Darkshell is a distributed denial-of-service (DDoS) botnet that originated in China and is now used by operators around the world to target industrial companies and plants.
The malware behind these botnets, known as Darkshell, uses a slew of command-and-control servers, nearly all of them located in China, and is fairly run-of-the-mill in terms of its installation and operation. The one rather odd part of the Darkshell botnets' behaviour is that their owners are using the networks to launch attacks against a large number of manufacturers of relatively obscure machinery used for food processing.
An attacker can use such a botnet to bring down the web sites and/or a critical application belonging to an individual company or a group of companies. What is odd here is that several individual botnets, although they are built from the same bot, are all being used to attack a large number of targets in one specific industry sector.
One common pattern of Darkshell behaviour is to attack three or four different URLs associated with a particular food processing equipment vendor; these multiple URLs are typically associated with pages displaying specific products. We have also observed instances in which multiple Darkshell botnets engaged in coordinated attacks against a single victim (again, vendors of industrial food processing equipment).
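The pattern described above (many bots hammering a handful of product pages on one vendor's site) is something a web server operator can look for in ordinary access logs. The following is an added example of such a heuristic, written for this page; it is not Darkshell code, it is not taken from the report this post summarises, and it makes no claim about the bot's real request format. The log format (Apache/nginx "combined"), the thresholds, the IP addresses and the product paths are all assumptions, and the sample traffic is constructed inline.

```python
"""Hypothetical detection heuristic: flag URL paths that, inside a sliding
time window, are requested repeatedly by many distinct source addresses.
Example code added for illustration; not Darkshell's code. Log format,
thresholds, addresses and paths below are assumptions."""

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def detect_url_flood(lines, window=timedelta(seconds=60), min_ips=20, min_reqs_per_ip=3):
    """Flag paths for which, within some `window`, at least `min_ips` distinct
    sources each made `min_reqs_per_ip` or more requests. Returns
    {path: (distinct_ips_overall, total_requests_overall)} for flagged paths."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])
    by_path = defaultdict(list)
    for ip, ts, path in events:
        by_path[path].append((ts, ip))

    flagged = {}
    for path, hits in by_path.items():
        in_window = defaultdict(int)  # ip -> requests inside the current window
        start = 0
        for ts, ip in hits:
            in_window[ip] += 1
            # Slide the window forward, dropping hits older than `window`.
            while ts - hits[start][0] > window:
                old_ip = hits[start][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                start += 1
            busy = sum(1 for n in in_window.values() if n >= min_reqs_per_ip)
            if busy >= min_ips:
                flagged[path] = (len({ip for _, ip in hits}), len(hits))
                break
    return flagged


def make_line(ip, ts, path, status=200):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 1234 "-" "Mozilla/4.0"'


def build_sample():
    """Constructed sample: 25 bots (198.51.100.0/24, a documentation range)
    each request three product pages of a hypothetical vendor five times
    within 30 seconds, plus ten legitimate visitors spread over ten minutes."""
    t0 = datetime(2011, 6, 18, 10, 0, 0, tzinfo=timezone.utc)
    targets = ["/products/slicer-3000", "/products/mixer-xl", "/products/conveyor-belt"]
    lines = []
    for i in range(25):
        bot = f"198.51.100.{i + 1}"
        for r in range(5):
            for path in targets:
                lines.append(make_line(bot, t0 + timedelta(seconds=i + r), path))
    for j in range(10):
        visitor = f"192.0.2.{j + 1}"
        lines.append(make_line(visitor, t0 + timedelta(seconds=j * 60), "/about"))
        lines.append(make_line(visitor, t0 + timedelta(seconds=j * 60 + 5), targets[j % 3]))
    return lines


if __name__ == "__main__":
    for path, (ips, reqs) in sorted(detect_url_flood(build_sample()).items()):
        print(f"{path}: {ips} distinct sources, {reqs} requests")
```

The heuristic keys on source diversity rather than raw request rate, because a single aggressive crawler trips a rate threshold while a botnet of modest-rate bots does not. The thresholds are starting points to be tuned against the site's normal traffic, and a hit on a product page should be checked against what the bots are actually requesting before any blocking is done.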
For more specific details on the malware, its communication protocols, attack traffic and control servers, visit