DDoS attacks are being carried out using the Flusihoc botnet, some reaching recorded speeds as high as 45 Gbps, according to investigators at Arbor Networks.
The Flusihoc botnet has been active for at least two years, although activity has grown over the last few months, with more than 900 attacks launched from the botnet in the past four months.
The botnet currently has more than 48 active command and control servers, and over 154 have been detected in total. The malware is being continuously updated, with more than 500 versions of the C++ malware discovered in the past 24 months.
Arbor Networks believes the botnet is available for hire, based on the variety of its targets. The latest version analyzed by Arbor modifies the registry to ensure persistence, a change from recent versions, and while the sample Arbor examined communicates in plain text HTTPS, a more recent version has been discovered that uses encrypted C2 traffic. Arbor believes the Flusihoc botnet was developed in China, because several debug strings contain Chinese characters.
It is thought that, on average, more than 14 DDoS attacks are carried out each day using the Flusihoc botnet. Those attacks average 603.24 Mbps and normally consist of TCP SYN floods against ports 80, 443 and 1-1023. However, with the capacity to launch attacks of at least 45 Gbps, the botnet poses a real danger to any website operator that is not using a DDoS mitigation service. So far the DDoS attacks have been focused on China.
Though many new malware families are developed for DDoS attacks, Flusihoc appears to have been carefully built and is capable of launching nine different kinds of DDoS attack, including two types of CC flood as well as SYN, UDP, ICMP, TCP, HTTP, DNS, and CON attacks. The malware can also download additional malware onto an infected computer. YARA rules have been released, allowing organizations to add detection rules to their networks to identify infected machines.