Evolve or perish: Darkshell DDoS is adapting

Darkshell attempts to avoid becoming a fossil

McAfee has found variations in network traffic and control commands in the new Darkshell versions, researcher Umesh Wanve wrote in a blog this week.

“The Darkshell bot follows a fairly standard installation process by copying itself into the System32 directory with a name that appears to be legitimate, for example, C:\WINDOWS\system32\WinHe803.exe. It then sends the system information of the infected machine to its control server in encrypted format. Once the control server receives the information, it responds with the victim’s address and the type of DDoS attack to perform”, Wanve explained.
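One way a defender can watch for the installation step Wanve describes (an executable dropped into System32 by something other than normal Windows servicing) is to run file-creation telemetry through a small filter. The script below is an added example written for this article, not McAfee's or Infosecurity's code; the log format, the trusted-writer allowlist and the sample events are constructed assumptions, and the sample only reuses the article's WinHe803.exe name.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style "file created" records (assumed format, not from the article).
SAMPLE_EVENTS = [
    "FileCreate|Image=C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe"
    "|TargetFilename=C:\\WINDOWS\\system32\\WinHe803.exe",
    "FileCreate|Image=C:\\WINDOWS\\servicing\\TrustedInstaller.exe"
    "|TargetFilename=C:\\WINDOWS\\system32\\drivers\\etc\\hosts",
    "FileCreate|Image=C:\\WINDOWS\\servicing\\TrustedInstaller.exe"
    "|TargetFilename=C:\\WINDOWS\\system32\\newservice.exe",
    "FileCreate|Image=C:\\Users\\bob\\Downloads\\setup.exe"
    "|TargetFilename=C:\\Users\\bob\\Downloads\\readme.txt",
]

# Assumed allowlist: processes expected to write executables into System32.
TRUSTED_WRITERS = {
    "c:\\windows\\servicing\\trustedinstaller.exe",
    "c:\\windows\\system32\\msiexec.exe",
}
SYSTEM32 = "c:\\windows\\system32\\"
EXEC_EXT = (".exe", ".dll", ".sys")


@dataclass
class Finding:
    writer: str
    target: str


def parse_event(line):
    """Split 'FileCreate|Image=...|TargetFilename=...' into (writer, target)."""
    fields = dict(part.split("=", 1) for part in line.split("|")[1:])
    return fields["Image"], fields["TargetFilename"]


def is_suspicious_drop(writer, target):
    """True when an executable lands in System32 from a non-allowlisted process."""
    w, t = writer.lower(), target.lower()
    if not t.startswith(SYSTEM32) or not t.endswith(EXEC_EXT):
        return False
    return w not in TRUSTED_WRITERS


def scan(lines):
    """Return one Finding per suspicious executable drop in the event stream."""
    findings = []
    for line in lines:
        if not line.startswith("FileCreate|"):
            continue
        writer, target = parse_event(line)
        if is_suspicious_drop(writer, target):
            findings.append(Finding(writer, target))
    return findings
```

Running scan(SAMPLE_EVENTS) flags only the WinHe803.exe drop from the user's Temp directory; the servicing writes and the non-System32 file pass.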

The McAfee researcher noted that the Darkshell botnet source code is available online.

“Our research shows that variants of the Darkshell botnet are still evolving, with features such as antidebugging and antidisassembly techniques to make reverse engineering more time consuming. The botnet can launch DDoS attacks using different methods and can flood websites. Further, the presence of free Darkshell builders with source code on the internet opens up the evolution of other variants with other mechanisms”, he concluded.

As Infosecurity reported last year, Darkshell is one of a number of Chinese DDoS botnets that lack sophistication and stealth.

Arbor Networks discovered many of these botnets, which include around 40 bot families. Code re-use is rampant among these Chinese DDoS bots, and it is not uncommon to see whole sections lifted from one bot and used in another, bugs and errors included.
