Chinese DDoS bots lack sophistication and stealth, says Kaspersky specialist

According to Dennis Fisher, the editor of the ThreatPost newswire, many of the bots and DDoS tools that come out of China are shoddy, cobbled-together malware full of bugs, with no real effort made to hide themselves.

Reporting from the Virus Bulletin conference taking place in Barcelona this week, Fisher quoted Jeff Edwards, a security analyst with Arbor Networks, as saying that the botnet code has the feel that it was chopped up and hacked together, adding that there is a lot of sloppiness everywhere, with blatant flaws.

Arbor researchers, said Fisher, follow the botnet scene closely and the company took a specific look at a variety of bot families that are commonly used in DDoS attacks originating in China and against Chinese targets.

What they found, he added, was a collection of roughly 40 bot families, many of which showed evidence of some serious inbreeding. Code re-use is rampant among the major Chinese DDoS bots, and he quoted Edwards as saying that it is not uncommon to see whole sections lifted from one bot and used in another, bugs and errors included.

“Like bots found elsewhere on the Web, Chinese-produced DDoS tools often will have the ability to employ a wide variety of attack methods. The classic SYN flood and TCP flood methods are prevalent, as are HTTP floods. But what's not typically found at all in Chinese bots is the ability to execute the slow HTTP DDoS attacks that have been cropping up in the United States, Russia and elsewhere in recent years”, wrote Fisher in his latest security posting.

“This tactic is far less noisy than a typical denial-of-service attack. Instead of sending huge numbers of packets to a target server, these attacks involve breaking up TCP requests into tiny pieces and taking as long as an hour or more to complete one request”, he added.
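The slow HTTP attacks described above leave a distinctive trace on the server side: requests that stay open for minutes while moving almost no data, often ending in a 408 (request timeout) from the web server. The following detection script is an added example and is not part of the original article or of Arbor Networks' research; it assumes an nginx-style access log whose format ends with `$body_bytes_sent` and `$request_time`, and the log lines it operates on are constructed samples.

```python
import re
from collections import defaultdict

# Assumed log format (an nginx-style custom format, not the default "combined"):
#   $remote_addr - - [$time_local] "$request" $status $body_bytes_sent $request_time
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<seconds>[\d.]+)$'
)

# Constructed sample entries (not captured from any real server).
# 198.51.100.9 holds POST bodies open for ~5 minutes each and sends nothing;
# 192.0.2.44 is a legitimate long download, which must NOT be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2011:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 5120 0.012
203.0.113.7 - - [01/Oct/2011:10:00:02 +0200] "GET /about.html HTTP/1.1" 200 4096 0.015
198.51.100.9 - - [01/Oct/2011:10:00:03 +0200] "POST /upload HTTP/1.1" 408 0 312.400
198.51.100.9 - - [01/Oct/2011:10:00:04 +0200] "POST /upload HTTP/1.1" 408 0 298.900
198.51.100.9 - - [01/Oct/2011:10:05:09 +0200] "POST /upload HTTP/1.1" 408 0 305.100
198.51.100.9 - - [01/Oct/2011:10:05:11 +0200] "POST /upload HTTP/1.1" 408 0 301.000
192.0.2.44 - - [01/Oct/2011:10:06:00 +0200] "GET /big.iso HTTP/1.1" 200 734003200 420.500
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["seconds"] = float(rec["seconds"])
    return rec


def is_slow_request(rec, min_seconds=30.0, max_rate=1024.0):
    """A request is 'slow-style' if it stayed open at least min_seconds while
    moving fewer than max_rate bytes per second. Long but fast transfers
    (large downloads) have a high rate and are left alone."""
    if rec["seconds"] < min_seconds:
        return False
    rate = rec["bytes"] / rec["seconds"]
    return rate < max_rate


def flag_slow_clients(log_text, min_seconds=30.0, max_rate=1024.0, min_count=3):
    """Count slow-style requests per client IP and return the clients that
    reach min_count, mapped to their count. Malformed lines are skipped."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_slow_request(rec, min_seconds, max_rate):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for ip, n in flag_slow_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} slow-style requests")
```

The rate threshold, rather than duration alone, is what separates a deliberately stalled request from a large legitimate transfer. On the mitigation side, the same behaviour is what server-side header and body timeouts exist to cut short (for example nginx's `client_header_timeout` and `client_body_timeout`, or Apache's mod_reqtimeout); the detector above is useful for tuning those limits against observed traffic before tightening them.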

Interestingly, Fisher reported Edwards as saying that this bot variant has not shown up in the Chinese DDoS space for some reason.

It may, said Fisher, just be a matter of time before this behavior appears in China. But for now, what Edwards and other Arbor researchers found in their study of the landscape is that many DDoS attacks in China tend to focus on smaller, lower-profile sites, and some bot families even seem to specialize in attacking one particular industry.

The Darkshell bot, for example, he asserted, tends to target the sites of manufacturers of food processing equipment in China, for whatever reason.
