IMDDOS – Helping Spread Botnets

Security firm Damballa has released a report on a botnet-building application being marketed openly in China.

Damballa reports that IMDDOS (I'M DDoS) spread quickly in its first four months of operation: it began infecting computers in March of this year and is still infecting between 2,000 and 10,000 computers a day. Its activity peaked in August, with 25,000 unique reverse domain-name-server lookups of the command-and-control server per hour. Infected computers perform these lookups to send back information and retrieve instructions.

Looking further into the malware, the trojan used by I'M DDoS resolves the IP address of the C&C server and downloads an HTML file containing the details of the target. The report indicates that the filename used by the I'M DDoS trojan is randomly generated; in Damballa's case the sample was named goemka.exe. Sunbelt Software's CWSandbox website also lists a sample, submitted in May, that generated the filename uuwmuk.exe and exhibits similar behavior. Both malware samples connect to an IMDDOS server.
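The hourly count of distinct hosts resolving the C&C name is the size metric Damballa used above. As an added example, not code from the article or from Damballa, the Python below derives that count from constructed DNS resolver log lines in an assumed `<timestamp> <client_ip> <query_name>` format and flags the hours in which it exceeds a threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log lines (not from the article or Damballa's report).
# Assumed format: "<ISO timestamp> <client_ip> <query_name>". The domain is a placeholder.
SAMPLE_DNS_LOG = """\
2010-08-14T10:01:07 10.0.0.11 cnc.example.invalid
2010-08-14T10:03:12 10.0.0.12 cnc.example.invalid
2010-08-14T10:04:40 10.0.0.11 cnc.example.invalid
2010-08-14T10:05:02 10.0.0.13 update.example.invalid
2010-08-14T11:00:09 10.0.0.11 cnc.example.invalid
2010-08-14T11:30:55 10.0.0.14 cnc.example.invalid
2010-08-14T11:31:02 10.0.0.15 cnc.example.invalid
2010-08-14T11:45:00 10.0.0.16 cnc.example.invalid
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Yield (hour_bucket, client_ip, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        try:
            hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").strftime("%Y-%m-%dT%H")
        except ValueError:
            continue  # unparseable timestamp: ignore the line rather than crash
        yield hour, client, qname.lower().rstrip(".")


def hourly_unique_resolvers(text, cnc_domain):
    """Return {hour: number of distinct clients that resolved cnc_domain or a subdomain}."""
    clients_per_hour = defaultdict(set)
    for hour, client, qname in parse_dns_log(text):
        if qname == cnc_domain or qname.endswith("." + cnc_domain):
            clients_per_hour[hour].add(client)  # a set, so repeat lookups count once
    return {h: len(c) for h, c in sorted(clients_per_hour.items())}


def hours_over_threshold(text, cnc_domain, threshold):
    """Hours whose distinct-resolver count meets or exceeds the threshold."""
    return [h for h, n in hourly_unique_resolvers(text, cnc_domain).items() if n >= threshold]


if __name__ == "__main__":
    for hour, n in hourly_unique_resolvers(SAMPLE_DNS_LOG, "cnc.example.invalid").items():
        print(hour, n)
    print("over threshold:", hours_over_threshold(SAMPLE_DNS_LOG, "cnc.example.invalid", 3))
```

Repeat lookups by the same host are counted once per hour, so the figure tracks the number of beaconing machines rather than the raw query volume.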

Screenshot of the China based website marketing IMDDOS.

Turning to the economic side of the malware business, I'M DDoS has a website where potential customers can learn about the services offered by the bot army. They are introduced to the subscription plans, the attack methodology and the tools. Although there is a free tier, the strength of the botnet and the time needed to take down a website depend on the subscription plan the customer chooses. If a customer runs into problems, the service also offers customer support, listed on its contact page; the user is asked to get in touch via the QQ chat application, which is widely used in China. Unfortunately, the website and the application's graphical user interface are written entirely in Mandarin.

The website cautions customers that the service should be used for DDoS vulnerability testing of their own websites. It adds that the service should otherwise only be used against non-legitimate sites hosting gambling and pornography content.

Animation of the IMDDOS infection spread. Click image to see animation. (Source: Damballa)

Arbor Networks, which had been monitoring another botnet named YoyoDDoS, revealed that YoyoDDoS might be related to I'M DDoS. It reported that the botnet had targeted almost 200 websites around the globe, with most of the attacks coming from China. The link with I'M DDoS is that both botnets have a high proportion of infected computers in that country. It may be that I'M DDoS already has clients subscribed to its service.

Last month, Kaspersky also revealed an affiliate marketing program that uses a rootkit to command a bot army. The program, PMSoftware, follows a business model that rewards affiliate partners based on the number of computers they can infect. It also has a website that it advertises to potential partners.

Herding bots has been around for quite some time. In the past we've seen this type of service offered in underground hacking communities; we are now seeing it offered openly, in public view, through a website. If this illegal business continues to thrive, we can expect more people to follow in these footsteps and an increase in DDoS attacks.
