Darkshell: A DDoS bot targeting vendors of industrial food-processing equipment
by Jeff Edwards

This week, we continue our efforts to document the crowded space of Chinese DDoS bots by analyzing Darkshell. This particular malware family has recently been used to attack quite a few companies involved in the industrial food processing industry.
Malcode Properties
The Darkshell malware is distributed in the form of a small executable which typically ranges in size from approximately 66,048 bytes to 79,360 bytes. We have analyzed 42 Darkshell samples to date.
Most of the Darkshell samples we have observed were originally hosted in Chinese IP space; here are some representative sample URLs (defanged) that have recently hosted Darkshell executables:
hxxp://1qzf.net/ms.exe hxxp://www.sudupay.com/down/down.exe hxxp://61.147.120.135:81/v7.exe hxxp://www.jishu8.net/a3.exe hxxp://60.173.8.118:8080/upload/1986.exe hxxp://61.147.120.135:81/msierit32.exe hxxp://61.147.120.135:81/srv1112.exe
None of these URLs are still serving Darkshell malware at this time. Here is a representative sampling of net blocks that have distributed Darkshell malware:
IP Address       CC ASN  NetName
61.164.118.139   CN 4134 SHANGHAI QILI NETWORK TECHNOLOGY CORP
222.186.32.153   CN 4134 CHINANET JIANGSU PROVINCE NETWORK
61.147.120.135   CN 4134 CHINANET JIANGSU PROVINCE NETWORK
60.190.216.46    CN 4134 NINBO LANZHONG NETWORK LTD
60.173.8.118     CN 4134 CHINANET ANHUI PROVINCE NETWORK
61.147.120.135   CN 4134 CHINANET JIANGSU PROVINCE NETWORK
121.12.127.155   CN 4134 SHENZHENSHILUOHUQUHEPINGLUYIFENGGUANGCHANGCZUO32H
Installation
Once launched, a Darkshell bot performs a fairly standard installation process. It copies itself into the C:\Windows\System32 directory. In an attempt to be stealthy, it will usually name the installed copy of itself so as to appear to be a legitimate system file; the installation names we have observed include:
regedit32.exe regedit325516.exe regedut32.exe Msierit32.exe Msbbrit32.exe domain.exe
Darkshell will then register itself to run as a fake service that is automatically started upon reboot. This service will be registered with one of the following names:
BackGround Switch BackGround switch BackGroucd Switch BackGround Switch5516 domain Switch Domain Switch
The display name of the installed service will claim to be “BackGround Switch Disktop Control”, or some derivative thereof (note the misspelling of “Desktop”).
Most Darkshell bots will also install a small driver file, beep.sys, into C:\Windows\System32\drivers. It is believed that the purpose of this driver is to hook the infected host’s SSDT in order to hide from anti-virus software. The driver creates a device named “\\.\Re1986SDTDOS” on the system.
Communication Protocol
Upon completion of its installation procedure, the Darkshell bot will phone home to its CnC server by opening a TCP socket and sending a binary block of data exactly 260 bytes in length. This block of data reports the name of the infected computer (as returned by the Win32 API GetComputerName), the version of Windows and amount of physical memory installed on the host, and the version or ID string of the Darkshell bot. The format of this data is a rigid structure that can be represented by the following C struct:
// Darkshell bot-to-CnC comms (260 bytes in total). Hex values in these comments
// are written in wire byte order, exactly as they appear in the dumps below.
struct {
    // Header:
    DWORD dwMagic;              // always 0x00000010 for Darkshell
    // Obfuscated section (bytes 0x04 through 0xA7):
    char  szComputerName[64];   // Name of infected host, NULL-terminated/extended
    char  szMemory[32];         // Amount of memory in infected host; format "%dMB"; NULL-terminated/extended
    char  szWindowsVersion[32]; // Specifies version of Windows; one of: Windows98, Windows95,
                                // WindowsNT, Windows2000, WindowsXP, Windows2003, or Win Vista;
                                // NULL-terminated/extended
    char  szBotVersion[32];     // Specifies version of bot; NULL-terminated/extended
    char  szUnknown1[4];        // ??? - Always NULL-terminated 'n' (4 bytes, not 4 DWORDs:
                                // the obfuscated region ends at byte 168 and the total is 260)
    // Binary section:
    char  szPadding1[32];       // Filled with 0x00 bytes
    WORD  wUnknown2;            // ??? - We have seen 0x00A0, 0x00B0, and 0x00C0
    WORD  wUnknown3;            // ??? - Always 0xFD7F
    char  szPadding2[20];       // Filled with 0x00 bytes
    WORD  wUnknown4;            // ??? - Always 0xB0FC
    BYTE  cUnknown5;            // ??? - We have seen 0xD6, 0xD7, 0xE6, 0xE7, and 0xF1
    BYTE  cZero;                // Always 0x00
    DWORD dwSignature[8];       // Always 0x00000000, 0xFFFFFFFF, 0x18EE907C, 0x008E917C,
                                // 0xFFFFFFFF, 0xFA8D917C, 0x25D6907C, 0xCFEA907C
};
Here is a representative example of a Darkshell bot-to-CnC message:
00000000 00 00 00 10 a8 95 9b aa 95 91 de de de de de de ........ ........
00000010 de de de de de de de de de de de de de de de de ........ ........
00000020 de de de de de de de de de de de de de de de de ........ ........
00000030 de de de de de de de de de de de de de de de de ........ ........
00000040 de de de de cc c9 c8 91 9c de de de de de de de ........ ........
00000050 de de de de de de de de de de de de de de de de ........ ........
00000060 de de de de a7 75 70 7a 6f 87 8b a6 ae de de de .....upz o.......
00000070 de de de de de de de de de de de de de de de de ........ ........
00000080 de de de de a8 75 8e cc ce cd ce ce c6 cd de de .....u.. ........
00000090 de de de de de de de de de de de de de de de de ........ ........
000000A0 de de de de 70 de de de 00 00 00 00 00 00 00 00 ....p... ........
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000C0 00 00 00 00 00 00 00 00 00 b0 fd 7f 00 00 00 00 ........ ........
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000E0 b0 fc f1 00 00 00 00 00 ff ff ff ff 18 ee 90 7c ........ .......|
000000F0 00 8e 91 7c ff ff ff ff fa 8d 91 7c 25 d6 90 7c ...|.... ...|%..|
00000100 cf ea 90 7c ...|
Note that bytes 4 through 168 are encoded using a crude obfuscation scheme that can be reversed using the following snippet of Python code:
def decrypt_darkshell(cipherbytes, start_idx=0x04, stop_idx=0xA8):
    """
    De-obfuscates Darkshell comms encoded using the following method:
        cipherbyte = 0xDE - (plainbyte - ((plainbyte & 0x10) << 1))
    The obfuscation is reversed as follows:
        intermediate = 0xDE - cipherbyte
        plainbyte = intermediate + ((intermediate & 0x10) << 1)
    Only bytes [start_idx, stop_idx) are obfuscated; everything else is copied through.
    cipherbytes is a bytes object (Python 3); a bytes object of the same length is returned.
    """
    if len(cipherbytes) != 260:
        raise RuntimeError("Darkshell bot-to-CnC comms are always 260 bytes")
    plainbytes = bytearray()
    for cipherbyte in cipherbytes[start_idx:stop_idx]:
        intermediate = 0xDE - cipherbyte
        # Mask to a byte: bytes 0x10-0x1F produce a negative intermediate
        plainbytes.append((intermediate + ((intermediate & 0x10) << 1)) & 0xFF)
    return bytes(cipherbytes[:start_idx]) + bytes(plainbytes) + bytes(cipherbytes[stop_idx:])
Applying this de-obfuscation process to the above sample comms results in the following:
00000000 00 00 00 10 56 49 43 54 49 4d 00 00 00 00 00 00 ....VICT IM......
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000040 00 00 00 00 32 35 36 4d 42 00 00 00 00 00 00 00 ....256M B.......
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000060 00 00 00 00 57 69 6e 64 6f 77 73 58 50 00 00 00 ....Wind owsXP...
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000080 00 00 00 00 56 69 70 32 30 31 30 30 38 31 00 00 ....Vip2 010081..
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000A0 00 00 00 00 6e 00 00 00 00 00 00 00 00 00 00 00 ....n... ........
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000C0 00 00 00 00 00 00 00 00 00 b0 fd 7f 00 00 00 00 ........ ........
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000E0 b0 fc f1 00 00 00 00 00 ff ff ff ff 18 ee 90 7c ........ .......|
000000F0 00 8e 91 7c ff ff ff ff fa 8d 91 7c 25 d6 90 7c ...|.... ...|%..|
00000100 cf ea 90 7c ...|
Note the version/ID string “Vip2010081” located at byte offset 0x84. Each Darkshell specimen has one of these strings hard-coded within its executable. Our conjecture is that this string specifies some form of version identifier for the malcode. The version strings we have seen to date include:
Vip2010081 VIP100707 Private520
Note that there are several fields within the 260-byte message structure for which we have not yet determined an interpretation.
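A parser for the phone-home message that combines the struct layout and the de-obfuscation described above, added here as an example and not code from the original post. The sample bytes are assembled from the page's hex dump; the trailer check in looks_like_darkshell is an assumed detection heuristic built on the constant fields the post reports.

```python
import struct

# Constructed from the page's obfuscated sample (0x00 obfuscates to 0xDE)
DE = b"\xde"
SAMPLE_PHONE_HOME = (
    bytes.fromhex("00000010") + bytes.fromhex("a8959baa9591") + DE * 58   # magic, "VICTIM"
    + bytes.fromhex("ccc9c8919c") + DE * 27                               # "256MB"
    + bytes.fromhex("a775707a6f878ba6ae") + DE * 23                       # "WindowsXP"
    + bytes.fromhex("a8758ecccecdcecec6cd") + DE * 22                     # "Vip2010081"
    + b"\x70" + DE * 3 + b"\x00" * 32                                     # 'n', szPadding1
    + bytes.fromhex("00b0fd7f") + b"\x00" * 20                            # wUnknown2/3, szPadding2
    + bytes.fromhex("b0fcf100")                                           # wUnknown4, cUnknown5, cZero
    + bytes.fromhex("00000000ffffffff18ee907c008e917c"
                    "fffffffffa8d917c25d6907ccfea907c")                   # dwSignature
)

MAGIC = bytes.fromhex("00000010")
SIGNATURE = bytes.fromhex("00000000ffffffff18ee907c008e917cfffffffffa8d917c25d6907ccfea907c")
OBF_START, OBF_STOP = 0x04, 0xA8          # obfuscated region of the message
# Field sizes from the post's struct; multi-byte unknowns kept as raw bytes so they
# compare in the same wire order the post uses: 4+64+32+32+32+4+32+2+2+20+2+1+1+32 = 260
LAYOUT = struct.Struct("<4s64s32s32s32s4s32s2s2s20s2s1s1s32s")


def deobfuscate(msg):
    """Reverse the byte scrambling on bytes [OBF_START, OBF_STOP)."""
    out = bytearray(msg)
    for i in range(OBF_START, OBF_STOP):
        inter = 0xDE - out[i]
        out[i] = (inter + ((inter & 0x10) << 1)) & 0xFF
    return bytes(out)


def cstr(field):
    """NUL-terminated/extended string field to str."""
    return field.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_phone_home(msg):
    """Return the decoded fields of a 260-byte phone-home message, or None."""
    if len(msg) != LAYOUT.size or msg[:4] != MAGIC:
        return None
    f = LAYOUT.unpack(deobfuscate(msg))
    return {
        "computer_name": cstr(f[1]), "memory": cstr(f[2]),
        "windows_version": cstr(f[3]), "bot_version": cstr(f[4]),
        "unknown1": f[5], "unknown2": f[7].hex(), "unknown3": f[8].hex(),
        "unknown4": f[10].hex(), "unknown5": f[11].hex(), "signature": f[13],
    }


def looks_like_darkshell(msg):
    """Assumed network heuristic: magic plus the constant, un-obfuscated trailer fields."""
    p = parse_phone_home(msg)
    return (p is not None and p["unknown3"] == "fd7f"
            and p["unknown4"] == "b0fc" and p["signature"] == SIGNATURE)


if __name__ == "__main__":
    print(parse_phone_home(SAMPLE_PHONE_HOME))
```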
Upon receipt of the “phone home” message, the CnC will either respond with an idle or “standby” command, which consists of the single byte 0x30 (i.e., the ASCII character “0”) indicating that the bot is to perform no further actions for now, or it will respond with a 260-byte binary structure containing the instructions for a DDoS attack. If an attack is ordered, the format of the response is as follows:
// Darkshell CnC attack command (260 bytes). As above, hex values are given
// in wire byte order, as they appear in the dump below.
struct {
    DWORD dwCode;           // 0x00000030 for HTTP flood attack
    DWORD dwParameter;      // ??? - We have seen 0x0800
    char  szTarget[99];     // URL of target to attack, NULL-terminated/extended
    WORD  wPort;            // Port to attack (usually 80)
    char  szPadding[151];   // Always filled with 0x00 bytes
};
Unlike the phone home message, the attack instructions are not obfuscated in any way. Here is a representative example (with the real target’s host name changed to www.victim1.com):
00000000 00 00 00 30 08 00 00 00 68 74 74 70 3a 2f 2f 77 ...0.... http://w
00000010 77 77 2e 76 69 63 74 69 6d 31 2e 63 6f 6d 2f 75 ww.victi m1.com/u
00000020 2e 70 68 70 3f 61 63 74 69 6f 6e 3d 73 68 6f 77 .php?act ion=show
00000030 26 75 69 64 3d 36 32 30 31 34 00 00 00 00 00 00 &uid=620 14......
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000060 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 00 ........ ....P...
00000070 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000100 00 00 00 00 ....
Attack Traffic
Upon receipt of such an attack command, the Darkshell bot begins flooding the victim with large numbers of HTTP GET requests, all of them identical and initiated from sequentially increasing source ports. Each bot simultaneously opens a large number (e.g., 15-25) of TCP connections to the specified target URL; over each connection it repeatedly issues the same GET request, regardless of the response (if any) from the victim. These requests have the following format:
GET /u.php?action=show&uid=62014 HTTP/1.1
Host: www.victim1.com
Cache-Control: no-store, must-revalidate
Referer: http://www.victim1.com
Connection: Close
The Host and Referer header fields will be customized based upon the specified target, but the rest of the HTTP header will be fixed as above.
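The CnC reply handling and the fixed GET template described above, as an added example that is not code from the original post. The attack command bytes are rebuilt from the page's dump (offsets follow the post's struct, with the port read in the same dump byte order the post uses); the flood request is the one shown above and the browser request is constructed for contrast.

```python
ATTACK_LEN = 260
HTTP_FLOOD_CODE = bytes.fromhex("00000030")   # dwCode for an HTTP flood, wire byte order
IDLE = b"\x30"                                # single-byte "standby" reply

# Constructed from the page's attack-command dump (target already changed to www.victim1.com)
SAMPLE_URL = b"http://www.victim1.com/u.php?action=show&uid=62014"
SAMPLE_ATTACK = (HTTP_FLOOD_CODE + bytes.fromhex("08000000") + SAMPLE_URL
                 + b"\x00" * (0x6C - 8 - len(SAMPLE_URL)) + b"\x50\x00\x00\x00"
                 + b"\x04\x00\x00\x00" + b"\x00" * (ATTACK_LEN - 0x74))


def parse_cnc_reply(reply):
    """Classify a CnC reply: 'idle', a dict for an HTTP flood command, or None."""
    if reply == IDLE:
        return "idle"
    if len(reply) != ATTACK_LEN or reply[:4] != HTTP_FLOOD_CODE:
        return None
    # dwCode(4) + dwParameter(4) + szTarget(99) + wPort(2), per the post's struct
    target = reply[8:8 + 99].split(b"\x00", 1)[0].decode("ascii", "replace")
    port = int.from_bytes(reply[107:109], "big")   # "00 50" -> 80 in the post's byte order
    return {"code": "http_flood", "parameter": reply[4:8], "target": target, "port": port}


# The fixed headers of every Darkshell GET; note there is no User-Agent at all
FIXED_CACHE = "Cache-Control: no-store, must-revalidate"
FIXED_CONN = "Connection: Close"

# The page's flood request, plus a constructed browser request for comparison
FLOOD_REQUEST = (b"GET /u.php?action=show&uid=62014 HTTP/1.1\r\n"
                 b"Host: www.victim1.com\r\n"
                 b"Cache-Control: no-store, must-revalidate\r\n"
                 b"Referer: http://www.victim1.com\r\n"
                 b"Connection: Close\r\n\r\n")
BROWSER_REQUEST = (b"GET /u.php?action=show&uid=62014 HTTP/1.1\r\n"
                   b"Host: www.victim1.com\r\nUser-Agent: Mozilla/5.0\r\n"
                   b"Accept: text/html\r\nConnection: keep-alive\r\n\r\n")


def is_darkshell_get(raw_request):
    """True when a request matches the Darkshell template exactly: GET ... HTTP/1.1,
    exactly the headers Host, Cache-Control, Referer, Connection in that order,
    the two fixed header values, and Referer equal to http://<Host> with no path."""
    lines = raw_request.decode("ascii", "replace").split("\r\n")
    if not lines[0].startswith("GET ") or not lines[0].endswith(" HTTP/1.1"):
        return False
    headers = [l for l in lines[1:] if l]
    if [h.split(":", 1)[0] for h in headers] != ["Host", "Cache-Control", "Referer", "Connection"]:
        return False
    host = headers[0].split(":", 1)[1].strip()
    referer = headers[2].split(":", 1)[1].strip()
    return headers[1] == FIXED_CACHE and headers[3] == FIXED_CONN and referer == "http://" + host


if __name__ == "__main__":
    print(parse_cnc_reply(SAMPLE_ATTACK), is_darkshell_get(FLOOD_REQUEST))
```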
Control Servers
To date, we have identified at least 30 unique host names and 34 unique IP addresses that have been used as Darkshell CnCs. 32 of these CnC IP addresses have resided in Chinese IP space; the remaining two were in Hong Kong and the United States.
The Darkshell bots have the identity of their CnC hard-coded within their executable (in plain, non-obfuscated text); as is common, these CnCs are identified by host name rather than raw IP address. The majority of Darkshell CnC host names are associated with the 3322.org domain, a large Chinese provider of dynamic DNS services, including:
ddosbox.3322.org a90722692.3322.org sawyer.3322.org babab2hd2.3322.org gd0168.3322.org jhz100.3322.org juhuatai0.3322.org jzn1986.3322.org kuilei65551543.3322.org li0427.3322.org nacui120.3322.org nb969798.3322.org qingcs.3322.org wudikoko.3322.org xplin.3322.org yaolin001.3322.org yhyhwjwj.3322.org ziyingtianxia.3322.org zxswww.3322.org
On occasion, Darkshell CnCs may be found on non-3322.org host names, such as the following:
ddos.zh-cn.cc winmbddos.8866.org 1qzf.net appleyhoo.net dkzy.8866.org g5512484.8866.org lang12397007.2288.org maipianzhu.8800.org qjwl8866.8866.org wsxe.8866.org
We have observed Darkshell CnCs operating on a wide variety of ports (usually non-standard ones), including:
80 603 888 1111 1234 1986 2345 2991 3266 4520 4567 5288 5516 7000 7080 7433 8000 8001 8012 8080 8181 9000
Victims
We have been tracking various Darkshell-based botnets for approximately three months using our usual technique of periodically connecting to known Darkshell CnCs and sending 260-byte messages that imitate particular Darkshell specimens that have been captured and analyzed. During this period of time, we have observed Darkshell botnets issue DDoS attack commands against approximately 97 unique victims in China (65), the United States (23), Hong Kong (4), South Korea (3), Netherlands (1), and Sweden (1). The victims have been distributed across a large number of networks and hosting providers in those countries.
The recent victims have included online merchants of baby products, jewelry, and cosmetics, as well as a social networking site and numerous video game-related sites.
However, the most common targets of Darkshell attacks over the past three months have been the websites of relatively small manufacturers of industrial food processing equipment and machinery. We have logged attacks against at least 16 such victims emanating from the Darkshell botnets, comprising approximately 40% of the victims that we sampled. One can only speculate on the reasons for this aggressive focus on such a relatively tiny niche within the online landscape. Several such attacks have been sustained for over 60 hours at a time, and most of these equipment vendors have suffered multiple repeat attacks during this interval of time.
One common pattern of Darkshell behavior is to attack three or four different URLs associated with a particular food processing equipment vendor; these multiple URLs are typically associated with pages displaying specific products.
We have also observed instances in which multiple Darkshell botnets engaged in coordinated attacks against a single victim (again, vendors of industrial food processing equipment).
A/V Detections
Overall, anti-virus detection of Darkshell bots is reasonably good at this point. Detection rates for the specimens we have analyzed are typically in the 65%-85% range, although we have analyzed several samples for which the detection rate was 0%. Here are some representative detections:
Kaspersky      Backdoor.Win32.DarkShell.fu
Microsoft      Backdoor:Win32/Httpbot.A
CAT-QuickHeal  Backdoor.DarkShell.fu
Antiy-AVL      Backdoor/Win32.DarkShell.gen
ViRobot        Backdoor.Win32.DarkShell.79360
nProtect       Backdoor/W32.DarkShell.79360.B
JiangMin       Backdoor/NetBot.qg
Symantec       Spyware.Ardakey
TrendMicro     BKDR_BVOK.SM
Summary
At first glance we expected Darkshell to be another mundane entry in the seemingly never-ending rogue’s gallery of DDoS-focused botnets; in other words, not terribly advanced in terms of cutting edge technology, but nevertheless quite active and effective at shutting down victims, unfortunately. However, we were surprised when we discovered that its operators have such a propensity for attacking one particular commercial market segment. Until we’ve gathered more information, we can only speculate upon the motivations of the criminals operating and/or using the Darkshell botnets, and the nature of the axe they apparently have to grind against certain suppliers of industrial food-processing equipment.
We will, however, definitely be keeping a close eye on this particular family going forward.