Damballa discovered a botnet that offers pay-for-delivery DDoS attacks. The IMDDOS botnet, named after the commercial name on the botnet website, has grown to be one of the largest active global botnets in less than four months from initial testing.
The infected hosts used in the DDoS attacks are unwitting participants in the botnet and are widespread. The vast majority of infected hosts are in China, with the United States among the top 10 countries affected. ISPs worldwide were affected, including the majority of North American ISPs, and a number of major corporate networks were found hosting bot agents for the IMDDOS botnet.
The IMDDOS botnet offers a commercial service for delivering DDoS attacks against any desired target. Hosted in China, this publicly available service is available for lease to anyone willing to establish an online account, input the domain(s) they wish to attack, and pay for the service.
Throughout Damballa's period of study, the botnet grew very quickly. Following testing by the criminal operators in April 2010, it reached a production peak of 25,000 unique Recursive DNS (RDNS) lookups per hour attempting to resolve the domains of the botnet's command-and-control (CnC) servers.
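The growth figure above is a resolver-side measurement: count how many distinct clients try to resolve the CnC names in each hour. The following script is an added illustration of that measurement, not Damballa's code or tooling; the log line format, the client addresses and the watchlisted name `cnc-placeholder.example` are constructed placeholders, not real IMDDOS indicators.

```python
"""Count unique clients resolving watchlisted CnC names per hour.

Added example (not Damballa's code). Input format is assumed to be
one resolver query per line: "<ISO timestamp> <client IP> <qname>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (placeholder addresses and names).
SAMPLE_LOG = """\
2010-04-12T10:03:11 10.0.0.5 cnc-placeholder.example
2010-04-12T10:04:40 10.0.0.5 cnc-placeholder.example
2010-04-12T10:05:02 10.0.0.9 cnc-placeholder.example
2010-04-12T10:07:55 10.0.0.9 www.example.org
2010-04-12T10:09:13 10.0.1.22 cnc-placeholder.example
2010-04-12T11:01:00 10.0.0.5 cnc-placeholder.example
2010-04-12T11:30:30 10.0.2.7 CNC-Placeholder.example.
2010-04-12T11:45:59 10.0.0.9 www.example.org
"""

# Placeholder watchlist; a real deployment would load CnC names from
# threat intelligence, not hard-code them.
WATCHLIST = {"cnc-placeholder.example"}


def normalize(qname):
    """Canonicalise a query name: drop the trailing dot, lower-case."""
    return qname.rstrip(".").lower()


def parse_line(line):
    """Split one log line into (timestamp, client, normalised qname)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, normalize(qname)


def hourly_unique_clients(log_text, watchlist):
    """Return {(hour, qname): set of clients} for watchlisted names only."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        if qname in watchlist:
            buckets[(ts.strftime("%Y-%m-%dT%H"), qname)].add(client)
    return buckets


def hourly_counts(log_text, watchlist):
    """Collapse the client sets into per-hour unique-client counts."""
    return {k: len(v) for k, v in hourly_unique_clients(log_text, watchlist).items()}


def flag_hours(counts, threshold):
    """Hours (and names) whose unique-client count reaches the threshold."""
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = hourly_counts(SAMPLE_LOG, WATCHLIST)
    for (hour, name), n in sorted(counts.items()):
        print(f"{hour} {name}: {n} unique clients")
    print("flagged:", flag_hours(counts, threshold=3))
```

Counting unique clients rather than raw queries matters: a single infected host that retries resolution every minute should not inflate the estimate, and names are normalised so that case and the trailing dot do not split one CnC domain into several buckets. Where the counter sits above recursive resolvers, each "client" is a resolver rather than a host, so the figure is a lower bound on infected machines.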
“The commercial nature of this botnet and the rapid growth and ultimate size are what make this discovery interesting,” stated Gunter Ollmann, vice president of research for Damballa. “The public website hosting the DDoS service offering, with various ‘plans’ and attack options, speaks to the ease with which anyone can leverage criminal infrastructure. The malware used is simplistic, yet it was successful in spreading rapidly. And while it appears to be primarily a DDoS delivery platform, the size of the botnet reached impressive proportions, certainly large enough to wreak major havoc on any victim organization should it be pointed in the right direction.”