Home / Blogs

What Chinese DDoS Malware Looks Like

While at that same Virus Bulletin conference that I was talking about earlier in my other post, I also had the chance to check out a session on Chinese DDoS malware put on by some folks from Arbor Networks. As little insight as I have into Android malware, I know even less about Chinese DDoS malware.

So what’s Chinese DDoS malware like? What are its characteristics?

Well, to begin with, the session presenters looked at command-and-control centers that were hosted within Chinese IP space (a pretty good indicator that it was built and controlled in China) that were used to execute DDoS attacks. Of these, there were approximately 40 different families. But these families were not very sophisticated: they used little or weak encryption and used little stealthiness.

The typical Chinese malware family:

  • Is written in C++ and is easy to reverse engineer and analyze. This contrasts it to malware in Eastern Europe like Cutwail or Waledac that is packed or signed.
  • It installs as a Windows service, and sometimes it contains a typo (e.g., WindoowsController).
  • It phones home via a raw TCP socket which is unusual in how simple it is. It doesn’t go through some weird port (like 51-a) or through IRC.
  • The domains frequently use some numerical domain controller like 3322.org, or some variant of that.
  • They attack for a couple of hours and usually go after one target at a time. It is usually against a site with Chinese content.

In terms of the way they attack, I’m kind of out of my element here, but each bot has lots of different DDoS attacks, but the one that they don’t use is slow http. The most frequent tactic is http flood. If you don’t know the intricate details of those types of attacks, well… I don’t either. But I wrote them down anyhow because they sounded important.

The targets are usually Chinese sites, although they hosted in 24 countries (i.e., Taiwan, Hong Kong, or the United States). Of these countries, #1 was China with 64%, #2 was the United States with 27%. The types of targets are not always political. Some target music sites, some target gaming sites and others target online forums. One attacked a Chinese manufacturer of food processing equipment, another attacked a gold mining and investment firm.

Yet amongst all of this came some reassurance. These malware authors are a lot like animators on the Simpsons—they re-use a lot of code and there is sloppiness everywhere. Typos get ported across families, bugs do too, and so do techniques. They are not like Conficker with tons of encryption but instead are quick-and-dirty applications (in comparison) that are designed to do the job. It’s kind of like how some magicians (like me) will resort to complex sleight-of-hand to control your card selection which requires hours of practice to get down, and other magicians (like me) that simply use a trick deck.

I walked away from this session informed, and also feeling better that we’re not in over our heads here.

Not yet.

By Terry Zink, Program Manager

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byDNIB.com


Sponsored byVerisign

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global