We’ve profiled the Dirt Jumper DDoS bot before and shown its evolution over the years. We then took this analysis into our zoo to see which DDoS bot families are growing in popularity with attackers. The marketplace has opened up significantly (see Curt’s excellent overview of DDoS tools and services) in recent years, and with that comes competition.
In the past few years, the popular kit we saw in our zoo was Black Energy, an easy-to-use, powerful DDoS bot distributed in Russian-language spheres. You could find it on the net for anywhere from $40 to free, depending on how hard you looked. Starting in 2009, Black Energy version 2 was available. It boasted a modular architecture and included banking theft Trojan functionality to augment the DDoS functionality. Another competitor that appeared in this timeframe was Optima, also known as Darkness. It then becomes interesting to look in one’s zoo to see which families are popular at present.
The graphic below is from some quick analysis of our zoo, looking at our automated classification system that tags samples with the appropriate family name. Optima includes the group of Darkness, Optima and Votwup samples we have seen; Black Energy focuses on the BEv1 samples we have seen in the wild, and omits any BEv2 samples we have; Dirt Jumper includes all Russkill variants and Dirt Jumper variants we have seen. What we saw was a bit surprising, namely the rate at which Dirt Jumper samples appear in our zoo and quickly overtake the other families in terms of popularity. This matches anecdotally what we had seen, but the magnitude itself is surprising.
Some ideas as to what is going on:
- With BEv2, the Black Energy author (back in 2009, when it was being developed and tested) appears to have tried to piggyback on the Zeus and SpyEye craze that was really gathering momentum at the time. Modules to steal from banks would have been a great complement, in theory, but in reality BE targeted DDoS actors who hang out in different forums than the financial thieves. With the notable exception of the Gameover series of attacks, these two groups don’t spend a lot of time together, from my own observations.
- Optima and Darkness make a decent product. I didn’t keep track of pricing or advertising, but their usability, reliability and features all come together to make a great follow-on to the Black Energy model (a kit that includes an easy-to-use web UI and a builder to configure the feature-rich DDoS bot). Why it didn’t take off is really something I can’t explain.
- Finally, Dirt Jumper’s meteoric rise in popularity in this time frame suggests that the author (and any promoters they have working for them) is doing something right. Features are getting incorporated well, new versions are released, and the bot has traction in the community. An alternative explanation is that the leaks we see leading to “unofficial versions” are also classified as DJ and explain the rise.
In this competitive underground world, it’s fascinating to see market forces at work so clearly. Bear in mind that all this popularity leads to attention, both in terms of CnC tracking (and shutdown) and AV detection, which is counter-productive. We’ll see how these guys react to larger responses.