Slashdot Mirror


Researchers Tracking Emerging 'Darkness' Botnet

Trailrunner7 writes "Researchers are tracking a new botnet that has become one of the more active DDoS networks on the Internet since its emergence early last month. The botnet, dubbed 'Darkness,' is being controlled by several domains hosted in Russia and its operators are boasting that it can take down large sites with as few as 1,000 bots. The Darkness botnet is seen as something of a successor to the older Black Energy and Illusion botnets and researchers at the Shadowserver Foundation took a look at the network's operation and found that it is capable of generating large volumes of attack traffic. 'Upon testing, it was observed that the throughput of the attack traffic directed simultaneously at multiple sites was quite impressive,' Shadowserver's analysts wrote in a report on the Darkness botnet. 'It now appears that "Darkness" is overtaking Black Energy as the DDoS bot of choice. There are many ads and offers for DDoS services using "Darkness." It is regularly updated and improved and of this writing is up to version 7. There also appear to be no shortage of buyers looking to add "Darkness" to their botnet arsenal.'"

85 comments

  1. Charlie Murphy virus? by MrEricSir · · Score: 4, Funny

    "AAAAAH! It's a celebration, bitches!"

    --
    There's no -1 for "I don't get it."
    1. Re:Charlie Murphy virus? by windcask · · Score: 1

      Fuck your couch.

    2. Re:Charlie Murphy virus? by Monkeedude1212 · · Score: 1

      That brings up a good point. How come all the successful botnets and viruses have pretty easy and also socially friendly names? 'Darkness', 'Illusion', 'Black Energy', 'Stuxnet', 'Conficker'

      Where's the
      f*cksh*tc*nt*ssb*tchp*ssylol Botnet - and why don't I get to hear it on the news every other week?

    3. Re:Charlie Murphy virus? by KublaiKhan · · Score: 1

      Because the zombie-herders have realized that people are more likely to spend money on "Darkness" than "AssReamer 22k" ...though, IIRC, Conficker is bowdlerized from its original name. And Stuxnet may or may not have been the product of some government.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    4. Re:Charlie Murphy virus? by yerktoader · · Score: 1

      "DARNKESS IS SPREADING!"

    5. Re:Charlie Murphy virus? by Stregano · · Score: 1

      DARKNESS BROTHERS! They should have never given y'all *@&$% any money!

      --
      The world is how you make it
    6. Re:Charlie Murphy virus? by MichaelSmith · · Score: 1

      Kuang Grade mark eleven must be only around the corner.

    7. Re:Charlie Murphy virus? by Stregano · · Score: 1

      Well thanks, now nobody will use my botnet AddReamer 22k

      --
      The world is how you make it
    8. Re:Charlie Murphy virus? by blair1q · · Score: 1

      And Stuxnet may or may not have been the product of some government.

      All the more reason that camouflage requires that it be named Felchnet.

    9. Re:Charlie Murphy virus? by Anonymous Coward · · Score: 0

      Did it just get dark in here?

    10. Re:Charlie Murphy virus? by Darth_brooks · · Score: 1

      This is clearly a predecessor to w32.WesleySnipes worm.

      --
      There are some people that if they don't know, you can't tell 'em.
    11. Re:Charlie Murphy virus? by shnull · · Score: 0

      let's just block all access to all non government approved ip's. It would be like having a nice hot firewall in a new cold war from the other side without the need for a real iron curtain. party time indeed

      --
      beware he who denies you access to information for in his mind, he already deems himself to be your master (SMAC-ish)
  2. Slightly related question by afaik_ianal · · Score: 2

    Slightly related question: how on Earth would one pay for use of a botnet like this?

    It's not like you're going to hand your credit card details over to someone like this, right?

    1. Re:Slightly related question by machxor · · Score: 4, Insightful

      My assumption is that someone needing a service like this would use *YOUR* credit card details to pay for it ;-)

    2. Re:Slightly related question by windcask · · Score: 1

      It's not like you're going to hand your credit card details over to someone like this, right?

      Let's seeee. If you're already in the business of botnets and malware, odds are you can get your hands on a stolen credit card fairly easily...

    3. Re:Slightly related question by gimmebeer · · Score: 1

      If you have to ask....

    4. Re:Slightly related question by windcask · · Score: 1

      Damn. You beat me to it.

    5. Re:Slightly related question by afaik_ianal · · Score: 1

      But surely the owners of the botnet would already have access to thousands of stolen credit cards. Surely the owners of the botnet are going to be pretty pissed off if the payment bounces because someone notices the several thousand dollar charge on their stolen card.

    6. Re:Slightly related question by MichaelSmith · · Score: 0

      In Soviet Russia credit card pays you!

    7. Re:Slightly related question by afaik_ianal · · Score: 3, Informative

      Ahh, I've answered my own question by re-reading TFA. They accept payment by WebMoney.

      To those that answered "they use stolen credit cards", seriously, just think that through. Just because they're criminals, does not mean they're stupid. That they're not getting caught suggests they're not *that* stupid.

    8. Re:Slightly related question by windcask · · Score: 2

      That's why you use a different credit card every month. You might get a rejection every once in a while, but the only people who will notice the charge are those that don't use their cards very often in the first place.

    9. Re:Slightly related question by Anonymous Coward · · Score: 0

      Why wouldn't you use legit payment methods?

      Honor among thieves and all that, but more likely: reneging on someone providing a service would be a good way to get that service yanked out from under you, along with a black mark to your name. Reputation means a lot of things to these types of people...

      Furthermore, would you rip off a paying customer? What if that customer was mafilliated? Didn't think so.

    10. Re:Slightly related question by Anonymous Coward · · Score: 0

      Well duh, not mine.

    11. Re:Slightly related question by Will.Woodhull · · Score: 1

      how on Earth would one pay for use of a botnet like this?

      I understand that the USA Government can simply open a Swiss bank account for the vendor. Or pay in bullion to vendor's destination of choice.

      As to how private individuals might pay for this service, I'm pretty sure that in the post Wikileaks era, instructions for that will become available in the usual locations. But first things first.

      --
      Will
    12. Re:Slightly related question by Anonymous Coward · · Score: 0

      ....the only people who will notice the charge are those that don't use their cards very often in the first place.

      And anal people like me that actually reconcile their accounts every month.

    13. Re:Slightly related question by vxice · · Score: 1

      It could easily be traded for a list of more cc#s, email lists or something else that could be traded over the net.

      --
      every anarchist is a baffled dictator. Benito_Mussolini
    14. Re:Slightly related question by Charliemopps · · Score: 2

      Go to Walmart. You can pick up a credit card in the checkout that you can load with cash right there. No name, no address to trace back to you.

    15. Re:Slightly related question by slackbheep · · Score: 1

      Other than the transaction at Wal-Mart? :p

    16. Re:Slightly related question by tehcyder · · Score: 1

      You could just wear a disguise and travel there in a stolen vehicle (or by bus) so what else could be done to trace it to you?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    17. Re:Slightly related question by Charliemopps · · Score: 1

      That's why you pay cash.

  3. Version Numbers by multipartmixed · · Score: 2, Funny

    > It is regularly updated and improved and of this writing is up to version 7

    That's nothing -- I heard this one goes up to 11!

    --
    Do daemons dream of electric sleep()?
    1. Re:Version Numbers by Anonymous Coward · · Score: 0

      > It is regularly updated and improved and of this writing is up to version 7

      Sounds just like Windows. ;)

    2. Re:Version Numbers by Anonymous Coward · · Score: 0

      > It is regularly updated and improved and of this writing is up to version 7

      That's nothing -- I heard this one goes up to 11!

      Mine is at version 5,653,897.2874563 So not only is it the best (because of the highest revision level) but the most accurate (because of the highest number of decimal places).

    3. Re:Version Numbers by blair1q · · Score: 1

      Mine is at version inf.

      So there.

    4. Re:Version Numbers by hedwards · · Score: 1

      But does it blend?

    5. Re:Version Numbers by donscarletti · · Score: 1

      This is just the number of times it has been updated, not an arbitrary internal version numbering system, any comparison to arbitrary scales is invalid. This sort of development is hardly publicized, the official major, minor, patch and build numbers, if they exist at all are not publicly known. External security researchers can just say that the first version they see is version 1, the second is version 2, all the way up to the seventh iteration which is version 7. This is not Java or Winamp.

      --
      When Argumentum ad Hominem falls short, try Argumentum ad Matrem
    6. Re:Version Numbers by Anonymous Coward · · Score: 0

      It IS just like Windows.

    7. Re:Version Numbers by Jahava · · Score: 1

      My botnet's version is over 9000!

  4. With the prevalence of high speed connectivity... by gimmebeer · · Score: 1

    ...and the continuance of user stupidity, botnets are just going to get more and more effective with less and less bots required.

  5. Slashvertising botnets now ? by billcopc · · Score: 3

    Are we really slashvertising botnets now ? "up to version 7"... I mean come on, who actually gives a shit ? Botnets exist, and they tend to be based in Russia, which is why I think someone should do the world a solid and drive a backhoe across eastern Europe.

    --
    -Billco, Fnarg.com
    1. Re:Slashvertising botnets now ? by c6gunner · · Score: 2

      Botnets exist, and they tend to be based in Russia, which is why I think someone should do the world a solid and drive a backhoe across eastern Europe.

      That's a quick way to fame, anyway. You'd always be remembered as the first man to wear an ICBM as a suppository.

    2. Re:Slashvertising botnets now ? by Xaedalus · · Score: 1

      Hmmm... thermonuclear bowel movements, anyone?

      --
      Here's to hot beer, cold women, and Glaswegian kisses for all.
    3. Re:Slashvertising botnets now ? by billcopc · · Score: 1

      ICBMs ? Yeah sure, if only the Russians remembered where they hid them.

      --
      -Billco, Fnarg.com
    4. Re:Slashvertising botnets now ? by c6gunner · · Score: 1

      That's easy - just check the pawn-shops.

    5. Re:Slashvertising botnets now ? by PremiumCarrion · · Score: 1

      I hate to be the person to say this, but surely it's more apt:
      In Soviet Russia, ICBM wears you.

      Just when I consider the suppository idea and relative sizes it seems more accurate a description of the process

    6. Re:Slashvertising botnets now ? by Anonymous Coward · · Score: 0

      Most spam originates in USA. We should do the rest of the world a favour and nuke it.

    7. Re:Slashvertising botnets now ? by tehcyder · · Score: 1

      And it doesn't even matter if the bit about spam turns out to be true, as long as we were acting in good faith with the best intelligence we could fit together for our purposes.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    8. Re:Slashvertising botnets now ? by jon3k · · Score: 1

      haha damn where are my mod points when I need them. can I drive the backhoe?

  6. Peer-to-peer by jibjibjib · · Score: 1

    > controlled by several domains hosted in Russia

    Why are all the major botnets still controlled by domains? It makes them easier to trace and easier to shut down. Is peer-to-peer really that hard?

    1. Re:Peer-to-peer by Plekto · · Score: 3, Interesting

      The real question is why these "researchers" aren't actively poisoning the wells as it were to disrupt the botnets. It's like watching some nature show where they sit passively while the huge coyote mauls the little pet. At some point you would think that they would try to do something.

      Of course, there is a simpler method open to authorities, which is to just not accept connections from Russia. If need be, just cut the wire until the local government hunts these criminals down.

    2. Re:Peer-to-peer by blair1q · · Score: 2

      Decentralized control makes it easier to hijack the whole thing.

    3. Re:Peer-to-peer by vbraga · · Score: 1

      If I recall correctly, Storm used Overnet for communication between nodes.

      --
      English is not my first language. Corrections and suggestions are welcome.
    4. Re:Peer-to-peer by KublaiKhan · · Score: 4, Insightful

      Because there are ethical considerations involved.

      Standard research ethics forbids the researchers from interfering with what is being researched. Part of this is to ensure the safety of the researchers: when the coyote's eating the yorkie, there's a very real danger of the researcher getting bitten by a rabid coyote. Likewise, if the researchers take over a botnet, there's a very real danger that their activities could be traced and the Russian Mafia comes and pays them a visit.

      The other part is that the conclusions that they could draw may not be as valid (or completely invalid) if they have interfered. Certainly no respectable peer-reviewed journal would accept the research if it's been tainted like that.

      Also, there's a lot more to be learned by watching it evolve naturally; the researchers may require some time to catch the full context of the setup, whereas if they interfered right away they could lose sight of certain management techniques or whatnot that would otherwise help in the botnets' defeat.

      Finally, the action you propose is actively illegal. Just because it's a crime against another criminal doesn't mean they can't be prosecuted for it.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    5. Re:Peer-to-peer by c0lo · · Score: 1

      The real question is why these "researchers" aren't actively poisoning the wells as it were to disrupt the botnets.

      Because you are drinking from the same well?

      --
      Questions raise, answers kill. Raise questions to stay alive.
    6. Re:Peer-to-peer by KiloByte · · Score: 2

      The line in WikiLeaks cables that the Russian government is Mafia-driven is quite an understatement.

      The authorities there know damn well who's herding botnets, but taking them down would be like taking another department of your own company.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    7. Re:Peer-to-peer by complete+loony · · Score: 1

      Not necessarily. With properly implemented public/private crypto you can make it basically impossible to hijack. It might still be possible to disrupt it though.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    8. Re:Peer-to-peer by glwtta · · Score: 1

      It's like watching some nature show where they sit passively while the huge coyote mauls the little pet.

      What the hell kind of fucked up "nature shows" do you watch, where pets are mauled by coyotes?

      --
      sic transit gloria mundi
    9. Re:Peer-to-peer by Plekto · · Score: 1

      If all else fails, the telecommunications companies that own the backbone can literally cut Russia's feed until they get their act together and do something about it.

      Simple as turning the connection off - that will get their attention. And as a multinational company, they are pretty much impossible to do much against(unlike a country).

    10. Re:Peer-to-peer by MareLooke · · Score: 1

      Yeah, and to thank us for that they'll just cut gas supplies to eastern europe, we know how well that worked out last time...

    11. Re:Peer-to-peer by brirus · · Score: 1

      That sets a very bad precedent. Blocking communication between countries amounts to censorship. Besides, there have GOT to be some honest Russian web sites out there! I know it!

    12. Re:Peer-to-peer by mapkinase · · Score: 1

      "could be traced and the Russian Mafia comes and pays them a visit."

      Any examples of connection between traditional organized crime and cybercrime leading to physical violence against generally speaking, people of cyberspace?

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    13. Re:Peer-to-peer by hesaigo999ca · · Score: 1

      Yeah ....but I think his real point was ...

      if I see you being butt raped in some dark alley by some gang of big burly guys..., and I am video taping it (like a nature show) ....would you rather I put down my camera and get involved to help you from suffering what you are going through either by hitting them on the head with a club, or calling the police,

      or I could just say to myself, ....it is important to document what is happening so as to later better understand what was going on there, and maybe come up with a future solution to avoid this from ever happening again....I will let you decide.

    14. Re:Peer-to-peer by tehcyder · · Score: 1

      The real question is why these "researchers" aren't actively poisoning the wells as it were to disrupt the botnets. It's like watching some nature show where they sit passively while the huge coyote mauls the little pet. At some point you would think that they would try to do something.

      Why? It then stops being a nature show, and turns into Bambi.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    15. Re:Peer-to-peer by ArsenneLupin · · Score: 1

      or I could just say to myself, ....it is important to document what is happening so as to later better understand what was going on there,

      It is important that you finish taping the event. Not only for the reasons that you say, but also for uploading it so that other people can wank off to it too.

      and maybe come up with a future solution to avoid this from ever happening again....I will let you decide.

      that would be kinda sad, as we would have to watch the same tape over and over again.

    16. Re:Peer-to-peer by hesaigo999ca · · Score: 1

      O_O

    17. Re:Peer-to-peer by Plekto · · Score: 1

      You forget that the *companies* that own the cables and machinery of the Internet absolutely have the right to block content that is harmful or wasteful of their resources and hardware. It says so in every contract at every level. When Russia "allows" a carrier to have coverage in a city or region, both sides have such clauses in the fine print to protect themselves.

      This isn't about nations, which can cause all sorts of problems and incidents by doing such actions against other nations, but multi-national companies that aren't associated with any one government. They could make a decision to block a neighboring country's or customer's main arteries and restrict that flow to a trickle.

      ie - "find another provider"
      Eventually Russia (as an example) might very well find itself running out of companies that want to work with it. That's perfectly fair, isn't it?

      What needs to happen is for them to get tougher and in the case that a researcher finds a problem provider, at least notify the company instead of sitting on their hands passively watching.

      http://en.wikipedia.org/wiki/E-mail_spam
      80% of spam is sent via botnets. Of course, a little research shows that 30% of all botnets are in Brazil and only 7% are in Russia. (roughly 20% of spam by volume, though, is sent from the U.S. - and that's entirely within their rights to crack down upon - just read your terms of service)

      While cutting off Russia might be somewhat problematic(though all of the EU which most of the wires route through has laws against spam), I doubt if cutting off Brazil and smaller countries until they clean up their act would amount to much international fallout. Doubly so since these are companies and not governments making the decision that it's just too expensive and too risky to do so any more.

      And as for the other person's comment about it turning into "Bambi", well, we're talking about over 20 billion dollars a year in lost productivity just in the U.S. alone. There's a real reason TO keep the coyotes out of the hen house, no matter how fascinating it might be to watch. I guess a better analogy would have been a nature show about wolves and the scene being one getting into a commercial poultry farm. I'd expect the farm/business to be a MITE bit angry if they passively sat back and let several thousand dollars worth of damage occur just to get their film done.

    18. Re:Peer-to-peer by jon3k · · Score: 1

      Most botnets are in the US because it's easier to deliver mail to your target when it's sitting in the same netblock, instead of crossing a couple continents and an ocean. The question isn't where the infected machines are, it's who's running them.

  7. [OTSO] Reminds me of.. by Anonymous Coward · · Score: 0

    "Watchers of the Dark" by Lloyd Biggle Jr.

    An excellent sci-fi detective story. "Sinister, invisible forces of a secret mental weapon known only as The Dark are threatening the entire Primores galaxy, several transmitting leaps away from Earth. By the time a bizarre Mr. Smith comes to detective Jan Darzek's New York office, whole planets have been lain waste. Darzek is offered a million dollars by Smith to accept a job that will almost certainly be fatal: identify the incredible power that is about to overwhelm the few remaining planets in the beleaguered galaxy, so that these worlds might somehow halt the rampage."

  8. The Darkness (botnet) by Anonymous Coward · · Score: 1

    *(obligatory band reference joke)*

    Anyone caught operating The Darkness botnet is surely riding a one-way ticket to Hell (and back).

  9. Just some Mountain Dew, Cheetos, and... by Captain+Spam · · Score: 2

    Researchers Tracking Emerging 'Darkness' Botnet

    Pssht, easy. Just cast magic missile at it. That's a proven method of attacking the darkness.

    --
    Demanding constant attention will only lead to attention.
    1. Re:Just some Mountain Dew, Cheetos, and... by alphatel · · Score: 1

      Nyet, light continual is for dark, missiles are for Poland.

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  10. Why don't... by vrythmax · · Score: 0

    we just write a counter virus since the botnets can only exist on wide open systems. Infection vectors should be easy. Be funny to see a botnet infected.

    1. Re:Why don't... by Anonymous Coward · · Score: 0

      This happens all the time, a bunch of bots actually remove their "competitors" from systems already infected with another bot.

  11. referral payments by SethJohnson · · Score: 1

    I am betting the spammer has opened up referral accounts with companies that sell pharma, etc. and will pay a percentage of sales that come routed from the ads the spammer sends. So, it's not like someone approaches the spammer saying, "I want these ads sent out. Here's some money." The spammer approaches third-party vendors who have referral programs and opens accounts that yield a commission on every sale that comes to the site with referral ID XYZ.

    As an example, the viagra referral program:

    Now-a-days, affiliate marketing is becoming one of the most popular forms of advertising on the web. It provides low cost way to market the products and services. Web masters or Internet Marketers have a huge opportunity to monetize their web sites more efficiently. So if you are a web master, web site owner, or associated with email marketing, you can make a fortune through online pharmacy affiliate program at eMedOutlet.com

    Seth

  12. Does not compute... by Anonymous Coward · · Score: 0

    if someone is savvy enough to write (or even use) such a piece of code, why DOS attacks? Unless, of course that someone works for a government agency and wants to limit...say something like the wikileaks server. I mean if they are that smart, why not hack into, say, a couple million online bank accounts and just draw out $.25 per month of each one. That'd net you a cool 6 mil smackers per year.
    I mean what's the point?

    1. Re:Does not compute... by dropadrop · · Score: 1

      if someone is savvy enough to write (or even use) such a piece of code, why DOS attacks? Unless, of course that someone works for a government agency and wants to limit...say something like the wikileaks server. I mean if they are that smart, why not hack into, say, a couple million online bank accounts and just draw out $.25 per month of each one. That'd net you a cool 6 mil smackers per year. I mean what's the point?

      I think generally the point is to make money. If they have customers prepared to pay for the attacks, then it's worth it for them. Looking at articles regarding the botnet it seems they will make about 50$ for 24h of attacks. From their price list I would guess that's for about 30 attacking hosts... I don't think the people behind the attacks really care why somebody is paying them to do it.

  13. I will never get how this is still a problem by Anonymous Coward · · Score: 0

    FTA : AS49089 is a small provider that only seems to be announcing the /24 netblock 91.212.124.0/24

    Why don't Level 1 carriers simply start discarding ANYTHING coming or going to that netblock ? If anything legitimate is running there, they will get so pissed it will force the host to clean his network.

    ISP's could also disconnect any host they determine is a bot ...

    Am I oversimplifying things or is there a lack of goodwill somewhere ?

    1. Re:I will never get how this is still a problem by RMH101 · · Score: 1

      blacklisting blocks in increasing size if the host doesn't fix spammers is how SPEWS/SORBS etc spam blocklists work. You'd be amazed how many people don't get this, and think that the blocklist cabals are the devil

  14. The Darkness Botnet? by Dangerous_Minds · · Score: 1

    Does this botnet believe in a thing called love perchance?

    --
    Daily read for tech news: Freezenet.ca
  15. They can't touch me, & here is HOW/WHY by Anonymous Coward · · Score: 0

    From the source article, I obtained their server's domain/hostnames and nameservers, which I now have added to my custom HOSTS file... & blocked out, thus:

    0.0.0.0 greatfull-toolss.ru
    0.0.0.0 ns1.reg.ru
    0.0.0.0 ns2.reg.ru
    0.0.0.0 greatfull.ru
    0.0.0.0 ns1.arbusi-host.net
    0.0.0.0 ns2.arbusi-host.net
    0.0.0.0 hellcomeback.ru

    They're not going to get to ME, because I cannot get to them now... & what I can't touch, I cannot be "burned" by, simple!

    HOSTS as blacklists, work! Some evidences & cases why you may be interested in implementing such protective (and speed gaining features too) measures:

    ---

    15++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added layered security:

    1.) Adblock blocks ads in only 1 browser family (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc.).

    2.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).

    3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

    4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 4-7 next below).

    5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via PINGS &/or WHOIS though, regularly, so you have the correct IP & it's current)).

    6.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders

    7.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

    GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LISTS FOR HOSTS):

    http://ddanchev.blogspot.com/
    http://www.malware.com.br/lists.shtml
    http://www.stopbadware.org/
    http://blog.fireeye.com/
    http://mtc.sri.com/
    http://news.netcraft.com/
    http://www.shadowserver.org/

    REGULARLY UPDATED HOSTS FILES SITES (reputable/reliable sources):

    http://www.mvps.org/winhelp2002/hosts.htm
    http://someonewhocares.org/hosts/
    http://hostsfile.org/hosts.html
    http://hostsfile.mine.nu/downloads/
    http://hosts-file.net/?s=Download
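
Added example (not part of the comment above or of the source article): a small audit of a HOSTS-file blocklist against DNS query names, showing that HOSTS entries match exact hostnames only, so a subdomain of a listed domain is not covered. The HOSTS entries are the ones quoted in the comment; the query names, function names and status labels are constructed for illustration.

```python
"""Audit a HOSTS-file blocklist against observed DNS query names."""

# Addresses commonly used to null-route a name in a HOSTS file.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Entries as quoted in the comment above.
HOSTS_TEXT = """\
0.0.0.0 greatfull-toolss.ru
0.0.0.0 ns1.reg.ru
0.0.0.0 ns2.reg.ru
0.0.0.0 greatfull.ru
0.0.0.0 ns1.arbusi-host.net
0.0.0.0 ns2.arbusi-host.net
0.0.0.0 hellcomeback.ru
"""

# Constructed sample of names taken from a resolver or proxy log.
OBSERVED_QUERIES = [
    "greatfull.ru",
    "WWW.greatfull.ru.",
    "hellcomeback.ru",
    "cdn.hellcomeback.ru",
    "notgreatfull.ru",
    "example.org",
]


def normalize(name):
    """Lower-case a name and drop a trailing root dot for log comparison."""
    return name.strip().rstrip(".").lower()


def parse_hosts(text):
    """Return the set of hostnames mapped to a sink address.

    Handles '#' comments, blank lines and several names on one line.
    """
    sinkholed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname is not an entry
        address, names = fields[0], fields[1:]
        if address in SINK_ADDRESSES:
            sinkholed.update(normalize(n) for n in names)
    return sinkholed


def classify(query, sinkholed):
    """Classify one query name against the blocklist.

    'blocked'               exact hostname is listed
    'subdomain-not-covered' a parent domain is listed, but HOSTS files have
                            no wildcards, so this name still resolves
    'unlisted'              neither the name nor any parent is listed
    """
    name = normalize(query)
    if name in sinkholed:
        return "blocked"
    labels = name.split(".")
    # Walk parent domains label by label; stop before the bare TLD.
    for i in range(1, len(labels) - 1):
        if ".".join(labels[i:]) in sinkholed:
            return "subdomain-not-covered"
    return "unlisted"


def audit(queries, hosts_text):
    """Group query names by classification."""
    sinkholed = parse_hosts(hosts_text)
    report = {"blocked": [], "subdomain-not-covered": [], "unlisted": []}
    for q in queries:
        report[classify(q, sinkholed)].append(normalize(q))
    return report


if __name__ == "__main__":
    for status, names in audit(OBSERVED_QUERIES, HOSTS_TEXT).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Names reported as subdomain-not-covered need their own HOSTS line, or a filtering resolver that can match whole zones.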

  16. Get off my lawn! by MistabewM · · Score: 1

    I wish I could go back in time and slap myself for being involved in some of these projects in my youth. We just used them to flood other people off irc though, and I don't think I know anyone that actually wrote vx to spread the net. It's sad when your children grow up to be assholes.

    --
    "A learning experience is one of those things that says, 'You know that thing you just did? Don't do that.'" - DNA