
Researchers Tracking Emerging 'Darkness' Botnet

Posted by Soulskill
from the new-kid-on-the-block dept.
Trailrunner7 writes "Researchers are tracking a new botnet that has become one of the more active DDoS networks on the Internet since its emergence early last month. The botnet, dubbed 'Darkness,' is being controlled by several domains hosted in Russia and its operators are boasting that it can take down large sites with as few as 1,000 bots. The Darkness botnet is seen as something of a successor to the older Black Energy and Illusion botnets, and researchers at the Shadowserver Foundation took a look at the network's operation and found that it is capable of generating large volumes of attack traffic. 'Upon testing, it was observed that the throughput of the attack traffic directed simultaneously at multiple sites was quite impressive,' Shadowserver's analysts wrote in a report on the Darkness botnet. 'It now appears that "Darkness" is overtaking Black Energy as the DDoS bot of choice. There are many ads and offers for DDoS services using "Darkness." It is regularly updated and improved and as of this writing is up to version 7. There also appears to be no shortage of buyers looking to add "Darkness" to their botnet arsenal.'"

  • by MrEricSir (398214) on Monday December 06, 2010 @06:37PM (#34467242) Homepage

    "AAAAAH! It's a celebration, bitches!"

    • by windcask (1795642)

      Fuck your couch.

      • That brings up a good point. How come all the successful botnets and viruses have pretty easy and also socially friendly names? 'Darkness', 'Illusion', 'Black Energy', 'Stuxnet', 'Conficker'

        Where's the
        f*cksh*tc*nt*ssb*tchp*ssylol Botnet - and why don't I get to hear it on the news every other week?

        • Because the zombie-herders have realized that people are more likely to spend money on "Darkness" than "AssReamer 22k" ...though, IIRC, Conficker is bowdlerized from its original name. And Stuxnet may or may not have been the product of some government.
          • by Stregano (1285764)
            Well thanks, now nobody will use my botnet AddReamer 22k
          • by blair1q (305137)

            And Stuxnet may or may not have been the product of some government.

            All the more reason that camouflage requires that it be named Felchnet.

        • Kuang Grade mark eleven must be only around the corner.

    • "DARNKESS IS SPREADING!"
    • by Stregano (1285764)
      DARKNESS BROTHERS! They should have never given y'all *@&$% any money!
    • This is clearly a predecessor to w32.WesleySnipes worm.

  • Slightly related question: how on Earth would one pay for use of a botnet like this?

    It's not like you're going to hand your credit card details over to someone like this, right?

    • by machxor (1226486) on Monday December 06, 2010 @06:39PM (#34467268)
      My assumption is that someone needing a service like this would use *YOUR* credit card details to pay for it ;-)
      • by windcask (1795642)

        Damn. You beat me to it.

      • But surely the owners of the botnet would already have access to thousands of stolen credit cards. Surely the owners of the botnet are going to be pretty pissed off if the payment bounces because someone notices the several thousand dollar charge on their stolen card.

        • by windcask (1795642)

          That's why you use a different credit card every month. You might get a rejection every once in a while, but the only people who will notice the charge are those that don't use their cards very often in the first place.

        • by vxice (1690200)
          It could easily be traded for a list of more cc#s, email lists or something else that could be traded over the net.
      • In Soviet Russia credit card pays you!

    • by windcask (1795642)

      It's not like you're going to hand your credit card details over to someone like this, right?

      Let's seeee. If you're already in the business of botnets and malware, odds are you can get your hands on a stolen credit card fairly easily...

    • If you have to ask....
    • Re: (Score:3, Informative)

      by afaik_ianal (918433)

      Ahh, I've answered my own question by re-reading TFA. They accept payment by WebMoney.

      To those that answered "they use stolen credit cards", seriously, just think that through. Just because they're criminals, does not mean they're stupid. That they're not getting caught suggests they're not *that* stupid.

    • how on Earth would one pay for use of a botnet like this?

      I understand that the USA Government can simply open a Swiss bank account for the vendor. Or pay in bullion to vendor's destination of choice.

      As to how private individuals might pay for this service, I'm pretty sure that in the post Wikileaks era, instructions for that will become available in the usual locations. But first things first.

    • I am betting the spammer has opened up referral accounts with companies that sell pharma, etc. and will pay a percentage of sales that come routed from the ads the spammer sends. So, it's not like someone approaches the spammer saying, "I want these ads sent out. Here's some money." The spammer approaches third-party vendors who have referral programs and opens accounts that yield a commission on every sale that comes to the site with referral ID XYZ.

      As an example, the viagra referral program [supergenericviagra.com]:

      Now-a-d

    • Go to Walmart. You can pick up a credit card in the checkout that you can load with cash right there. No name, no address to trace back to you.
  • by multipartmixed (163409) on Monday December 06, 2010 @06:40PM (#34467278) Homepage

    > It is regularly updated and improved and of this writing is up to version 7

    That's nothing -- I heard this one goes up to 11!

    • This is just the number of times it has been updated, not an arbitrary internal version numbering system; any comparison to arbitrary scales is invalid. This sort of development is hardly publicized; the official major, minor, patch and build numbers, if they exist at all, are not publicly known. External security researchers can just say that the first version they see is version 1, the second is version 2, all the way up to the seventh iteration, which is version 7. This is not Java or Winamp.
    • by Jahava (946858)
      My botnet's version is over 9000! [encycloped...matica.com]
  • ...and with the continuance of user stupidity, botnets are just going to get more and more effective with fewer and fewer bots required.
  • by billcopc (196330) <vrillco@yahoo.com> on Monday December 06, 2010 @06:47PM (#34467368) Homepage

    Are we really slashvertising botnets now? "up to version 7"... I mean come on, who actually gives a shit? Botnets exist, and they tend to be based in Russia, which is why I think someone should do the world a solid and drive a backhoe across eastern Europe.

    • by c6gunner (950153)

      Botnets exist, and they tend to be based in Russia, which is why I think someone should do the world a solid and drive a backhoe across eastern Europe.

      That's a quick way to fame, anyway. You'd always be remembered as the first man to wear an ICBM as a suppository.

    • by jon3k (691256)
      haha damn where are my mod points when I need them. can I drive the backhoe?
  • > controlled by several domains hosted in Russia

    Why are all the major botnets still controlled by domains? It makes them easier to trace and easier to shut down. Is peer-to-peer really that hard?

    • Re:Peer-to-peer (Score:4, Interesting)

      by Plekto (1018050) on Monday December 06, 2010 @07:13PM (#34467752)

      The real question is why these "researchers" aren't actively poisoning the wells as it were to disrupt the botnets. It's like watching some nature show where they sit passively while the huge coyote mauls the little pet. At some point you would think that they would try to do something.

      Of course, there is a simpler method open to authorities, which is to just not accept connections from Russia. If need be, just cut the wire until the local government hunts these criminals down.

      • Re:Peer-to-peer (Score:4, Insightful)

        by KublaiKhan (522918) on Monday December 06, 2010 @07:34PM (#34467976) Homepage Journal
        Because there are ethical considerations involved.

        Standard research ethics forbids the researchers from interfering with what is being researched. Part of this is to ensure the safety of the researchers: when the coyote's eating the yorkie, there's a very real danger of the researcher getting bitten by a rabid coyote. Likewise, if the researchers take over a botnet, there's a very real danger that their activities could be traced and the Russian Mafia comes and pays them a visit.

        The other part is that the conclusions that they could draw may not be as valid (or completely invalid) if they have interfered. Certainly no respectable peer-reviewed journal would accept the research if it's been tainted like that.

        Also, there's a lot more to be learned by watching it evolve naturally; the researchers may require some time to catch the full context of the setup, whereas if they interfered right away they could lose sight of certain management techniques or whatnot that would otherwise help in the botnets' defeat.

        Finally, the action you propose is actively illegal. Just because it's a crime against another criminal doesn't mean they can't be prosecuted for it.
        • by KiloByte (825081)

          The line in WikiLeaks cables that the Russian government is Mafia-driven is quite an understatement.

          The authorities there know damn well who's herding botnets, but taking them down would be like taking another department of your own company.

        • by Plekto (1018050)

          If all else fails, the telecommunications companies that own the backbone can literally cut Russia's feed until they get their act together and do something about it.

          Simple as turning the connection off - that will get their attention. And as a multinational company, they are pretty much impossible to do much against (unlike a country).

          • Yeah, and to thank us for that they'll just cut gas supplies to eastern europe, we know how well that worked out last time...
        • by mapkinase (958129)

          "could be traced and the Russian Mafia comes and pays them a visit."

          Any examples of connection between traditional organized crime and cybercrime leading to physical violence against generally speaking, people of cyberspace?

        • Yeah ....but I think his real point was ...

          if I see you being butt raped in some dark alley by some gang of big burly guys..., and I am video taping it (like a nature show) ....would you rather I put down my camera and get involved to help you from suffering what you are going through either by hitting them on the head with a club, or calling the police,

          or I could just say to myself, ....it is important to document what is happening so as to later better understand what was going on there, and maybe come up

          • or I could just say to myself, ....it is important to document what is happening so as to later better understand what was going on there,

            It is important that you finish taping the event. Not only for the reasons that you say, but also for uploading it so that other people can wank off to it too.

            and maybe come up with a future solution to avoid this from ever happening again....I will let you decide.

            that would be kinda sad, as we would have to watch the same tape over and over again.

      • by c0lo (1497653)

        The real question is why these "researchers" aren't actively poisoning the wells as it were to disrupt the botnets.

        Because you are drinking from the same well?

      • by glwtta (532858)
        It's like watching some nature show where they sit passively while the huge coyote mauls the little pet.

        What the hell kind of fucked up "nature shows" do you watch, where pets are mauled by coyotes?
      • by brirus (1938402)
        That sets a very bad precedent. Blocking communication between countries amounts to censorship. Besides, there have GOT to be some honest Russian web sites out there! I know it!
        • by Plekto (1018050)

          You forget that the *companies* that own the cables and machinery of the Internet absolutely have the right to block content that is harmful or wasteful of their resources and hardware. It says so in every contract at every level. When Russia "allows" a carrier to have coverage in a city or region, both sides have such clauses in the fine print to protect themselves.

          This isn't about nations, which can cause all sorts of problems and incidents by doing such actions against other nations, but multi-national

          • by jon3k (691256)
            Most botnets are in the US because it's easier to deliver mail to your target when it's sitting in the same netblock, instead of crossing a couple continents and an ocean. The question isn't where the infected machines are, it's who's running them.
      • by tehcyder (746570)

        The real question is why these "researchers" aren't actively poisoning the wells as it were to disrupt the botnets. It's like watching some nature show where they sit passively while the huge coyote mauls the little pet. At some point you would think that they would try to do something.

        Why? It then stops being a nature show, and turns into Bambi.

    • by blair1q (305137)

      Decentralized control makes it easier to hijack the whole thing.

      • Not necessarily. With properly implemented public/private crypto you can make it basically impossible to hijack. It might still be possible to disrupt it though.
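      The two claims above (that domain-based C&C is easy to trace and shut down, and that a peer-to-peer mesh with properly implemented public/private crypto is hard to hijack even though it can still be disrupted) come down to one design pattern: every command carries a signature from the operator's private key, and bots only know the public key. The following is an added illustration written for this page, not code from Shadowserver's report or from Darkness itself, and it makes no claim about how Darkness actually works. The command format, the sequence-number freshness check and the helper names are assumptions for the demonstration; it uses Go's standard-library Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is what a controller broadcasts into the peer-to-peer mesh.
// The sequence number stops a captured old command from being replayed.
// (Format is an assumption for this example, not a real bot protocol.)
type Command struct {
	Seq     uint64
	Payload string
	Sig     []byte
}

// encode builds the byte string that is actually signed: seq || payload.
func encode(seq uint64, payload string) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, seq)
	return append(buf, payload...)
}

// Sign is the operator side: only the holder of the private key can do this.
func Sign(priv ed25519.PrivateKey, seq uint64, payload string) Command {
	return Command{Seq: seq, Payload: payload, Sig: ed25519.Sign(priv, encode(seq, payload))}
}

// Node is a bot that knows only the operator's public key, baked in at build time.
type Node struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}

var ErrBadSig = errors.New("signature does not verify: command rejected")
var ErrReplay = errors.New("stale sequence number: command rejected")

// Accept checks the signature first and freshness second before acting.
// Anyone who can inject packets into the mesh can reach this code, but
// without the private key they cannot get past the first check.
func (n *Node) Accept(c Command) error {
	if !ed25519.Verify(n.pub, encode(c.Seq, c.Payload), c.Sig) {
		return ErrBadSig
	}
	if c.Seq <= n.lastSeq {
		return ErrReplay
	}
	n.lastSeq = c.Seq
	return nil
}

// Demo runs three scenarios against one bot and returns each outcome:
// a genuine command, a command forged by someone who has infiltrated the
// mesh with their own key pair, and a replay of the genuine command.
func Demo() (genuine error, forged error, replayed error) {
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, hijackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	bot := &Node{pub: opPub}

	cmd := Sign(opPriv, 1, "fetch update")
	genuine = bot.Accept(cmd)

	// The hijacker can speak the protocol fluently but lacks opPriv.
	forgedCmd := Sign(hijackerPriv, 2, "uninstall")
	forged = bot.Accept(forgedCmd)

	// Re-sending the captured genuine command is also rejected.
	replayed = bot.Accept(cmd)
	return
}

func main() {
	genuine, forged, replayed := Demo()
	fmt.Println("genuine:", genuine)
	fmt.Println("forged:", forged)
	fmt.Println("replayed:", replayed)
}
```

      The point for the takedown discussion in this thread: a researcher who joins such a mesh can observe and relay traffic, and can disrupt it by refusing to forward messages or by flooding the routing tables, but cannot issue a valid "uninstall" or redirect the bots, because verification happens on the bot with a key the researcher does not hold. The practical lever is then the rendezvous or bootstrap layer, which is exactly why domain-based control, as described for Darkness in the summary, is the easier target.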
    • by vbraga (228124)

      If I recall correctly, Storm used Overnet for communication between nodes.

  • by Anonymous Coward

    *(obligatory band reference joke)*

    Anyone caught operating The Darkness botnet is surely riding a one-way ticket to Hell (and back).

  • by Captain Spam (66120) on Monday December 06, 2010 @07:40PM (#34468058) Homepage

    Researchers Tracking Emerging 'Darkness' Botnet

    Pssht, easy. Just cast magic missile at it. That's a proven method of attacking the darkness.

  • Does this botnet believe in a thing called love perchance?
  • I wish I could go back in time and slap myself for being involved in some of these projects in my youth. We just used them to flood other people off IRC though, and I don't think I know anyone that actually wrote vx to spread the net. It's sad when your children grow up to be assholes.
