Researchers Tracking Emerging 'Darkness' Botnet
Trailrunner7 writes "Researchers are tracking a new botnet that has become one of the more active DDoS networks on the Internet since its emergence early last month. The botnet, dubbed 'Darkness,' is being controlled by several domains hosted in Russia and its operators are boasting that it can take down large sites with as few as 1,000 bots. The Darkness botnet is seen as something of a successor to the older Black Energy and Illusion botnets and researchers at the Shadowserver Foundation took a look at the network's operation and found that it is capable of generating large volumes of attack traffic. 'Upon testing, it was observed that the throughput of the attack traffic directed simultaneously at multiple sites was quite impressive,' Shadowserver's analysts wrote in a report on the Darkness botnet. 'It now appears that "Darkness" is overtaking Black Energy as the DDoS bot of choice. There are many ads and offers for DDoS services using "Darkness." It is regularly updated and improved and as of this writing is up to version 7. There also appears to be no shortage of buyers looking to add "Darkness" to their botnet arsenal.'"
Charlie Murphy virus? (Score:5, Funny)
"AAAAAH! It's a celebration, bitches!"
Re: (Score:2)
That brings up a good point. How come all the successful botnets and viruses have pretty easy and also socially friendly names? 'Darkness', 'Illusion', 'Black Energy', 'Stuxnet', 'Conficker'
Where's the f*cksh*tc*nt*ssb*tchp*ssylol Botnet - and why don't I get to hear it on the news every other week?
Re: (Score:2)
And Stuxnet may or may not have been the product of some government.
All the more reason that camouflage requires that it be named Felchnet.
Re: (Score:2)
Kuang Grade mark eleven must be only around the corner.
Re: (Score:2)
This is clearly a predecessor to w32.WesleySnipes worm.
Slightly related question (Score:2)
Slightly related question: how on Earth would one pay for use of a botnet like this?
It's not like you're going to hand your credit card details over to someone like this, right?
Re:Slightly related question (Score:5, Insightful)
Re: (Score:1)
But surely the owners of the botnet would already have access to thousands of stolen credit cards. Surely the owners of the botnet are going to be pretty pissed off if the payment bounces because someone notices the several thousand dollar charge on their stolen card.
Re: (Score:1)
In Soviet Russia credit card pays you!
Re: (Score:3, Informative)
Ahh, I've answered my own question by re-reading TFA. They accept payment by WebMoney.
To those that answered "they use stolen credit cards", seriously, just think that through. Just because they're criminals, does not mean they're stupid. That they're not getting caught suggests they're not *that* stupid.
Re: (Score:2)
> how on Earth would one pay for use of a botnet like this?
I understand that the USA Government can simply open a Swiss bank account for the vendor. Or pay in bullion to vendor's destination of choice.
As to how private individuals might pay for this service, I'm pretty sure that in the post Wikileaks era, instructions for that will become available in the usual locations. But first things first.
referral payments (Score:2)
As an example, the viagra referral program [supergenericviagra.com]:
Version Numbers (Score:3, Funny)
> It is regularly updated and improved and of this writing is up to version 7
That's nothing -- I heard this one goes up to 11!
Re: (Score:2)
Mine is at version inf.
So there.
With the prevalence of high speed connectivity... (Score:1)
Slashvertising botnets now? (Score:4)
Are we really slashvertising botnets now? "up to version 7"... I mean come on, who actually gives a shit? Botnets exist, and they tend to be based in Russia, which is why I think someone should do the world a solid and drive a backhoe across eastern Europe.
Re: (Score:3)
> Botnets exist, and they tend to be based in Russia, which is why I think someone should do the world a solid and drive a backhoe across eastern Europe.
That's a quick way to fame, anyway. You'd always be remembered as the first man to wear an ICBM as a suppository.
Re: (Score:2)
ICBMs? Yeah sure, if only the Russians remembered where they hid them.
Re: (Score:2)
That's easy - just check the pawn-shops.
Re: (Score:1)
I hate to be the person to say this, but surely it's more apt:
In Soviet Russia, ICBM wears you.
Just when I consider the suppository idea and relative sizes it seems more accurate a description of the process.
Peer-to-peer (Score:2)
> controlled by several domains hosted in Russia
Why are all the major botnets still controlled by domains? It makes them easier to trace and easier to shut down. Is peer-to-peer really that hard?
Re:Peer-to-peer (Score:4, Interesting)
The real question is why these "researchers" aren't actively poisoning the wells as it were to disrupt the botnets. It's like watching some nature show where they sit passively while the huge coyote mauls the little pet. At some point you would think that they would try to do something.
Of course, there is a simpler method open to authorities, which is to just not accept connections from Russia. If need be, just cut the wire until the local government hunts these criminals down.
Re:Peer-to-peer (Score:4, Insightful)
Standard research ethics forbids the researchers from interfering with what is being researched. Part of this is to ensure the safety of the researchers: when the coyote's eating the yorkie, there's a very real danger of the researcher getting bitten by a rabid coyote. Likewise, if the researchers take over a botnet, there's a very real danger that their activities could be traced and the Russian Mafia comes and pays them a visit.
The other part is that the conclusions that they could draw may not be as valid (or completely invalid) if they have interfered. Certainly no respectable peer-reviewed journal would accept the research if it's been tainted like that.
Also, there's a lot more to be learned by watching it evolve naturally; the researchers may require some time to catch the full context of the setup, whereas if they interfered right away they could lose sight of certain management techniques or whatnot that would otherwise help in the botnets' defeat.
Finally, the action you propose is actively illegal. Just because it's a crime against another criminal doesn't mean they can't be prosecuted for it.
Re: (Score:3)
The line in WikiLeaks cables that the Russian government is Mafia-driven is quite an understatement.
The authorities there know damn well who's herding botnets, but taking them down would be like taking another department of your own company.
Re: (Score:2)
If all else fails, the telecommunications companies that own the backbone can literally cut Russia's feed until they get their act together and do something about it.
Simple as turning the connection off - that will get their attention. And as a multinational company, they are pretty much impossible to do much against (unlike a country).
Re: (Score:2)
"could be traced and the Russian Mafia comes and pays them a visit."
Any examples of connection between traditional organized crime and cybercrime leading to physical violence against generally speaking, people of cyberspace?
Re: (Score:1)
Yeah ....but I think his real point was ...
If I see you being butt raped in some dark alley by some gang of big burly guys..., and I am videotaping it (like a nature show) ....would you rather I put down my camera and get involved to help you from suffering what you are going through either by hitting them on the head with a club, or calling the police,
or I could just say to myself, ....it is important to document what is happening so as to later better understand what was going on there, and maybe come up
Re: (Score:2)
> or I could just say to myself, ....it is important to document what is happening so as to later better understand what was going on there,
It is important that you finish taping the event. Not only for the reasons that you say, but also for uploading it so that other people can wank off to it too.
> and maybe come up with a future solution to avoid this from ever happening again....I will let you decide.
that would be kinda sad, as we would have to watch the same tape over and over again.
Re: (Score:1)
O_O
Re: (Score:2)
> The real question is why these "researchers" aren't actively poisoning the wells as it were to disrupt the botnets.
Because you are drinking from the same well?
Re: (Score:2)
What the hell kind of fucked up "nature shows" do you watch, where pets are mauled by coyotes?
Re: (Score:2)
You forget that the *companies* that own the cables and machinery of the Internet absolutely have the right to block content that is harmful or wasteful of their resources and hardware. It says so in every contract at every level. When Russia "allows" a carrier to have coverage in a city or region, both sides have such clauses in the fine print to protect themselves.
This isn't about nations, which can cause all sorts of problems and incidents by doing such actions against other nations, but multi-national
Re: (Score:2)
> The real question is why these "researchers" aren't actively poisoning the wells as it were to disrupt the botnets. It's like watching some nature show where they sit passively while the huge coyote mauls the little pet. At some point you would think that they would try to do something.
Why? It then stops being a nature show, and turns into Bambi.
Re: (Score:3)
Decentralized control makes it easier to hijack the whole thing.
The Darkness (botnet) (Score:1)
*(obligatory band reference joke)*
Anyone caught operating The Darkness botnet is surely riding a one-way ticket to Hell (and back).
Just some Mountain Dew, Cheetos, and... (Score:3)
> Researchers Tracking Emerging 'Darkness' Botnet
Pssht, easy. Just cast magic missile at it. That's a proven method of attacking the darkness.
Re: (Score:2)
> If someone is savvy enough to write (or even use) such a piece of code, why DOS attacks? Unless, of course that someone works for a government agency and wants to limit...say something like the wikileaks server. I mean if they are that smart, why not hack into, say, a couple million online bank accounts and just draw out $.25 per month of each one. That'd net you a cool 6 mil smackers per year. I mean what's the point?
I think generally the point is to make money. If they have customers prepared to pay for the attacks, then it's worth it for them. Looking at articles regarding the botnet it seems they will make about 50$ for 24h of attacks. From their price list I would guess that's for about 30 attacking hosts... I don't think the people behind the attacks really care why somebody is paying them to do it.
The Darkness Botnet? (Score:1)
Get off my lawn! (Score:1)
I wish I could go back in time and slap myself for being involved in some of these projects in my youth. We just used them to flood other people off IRC though, and I don't think I know anyone that actually wrote vx to spread the net. It's sad when your children grow up to be assholes.