DDoS – Evolution of DIY tools in the underground

Pierluigi Paganini May 04, 2013

When the DDoS topic is introduced it’s immediate to link it with the most popular tools usable for this type of attacks, but underground offers much more.

When the DDoS topic is introduced it’s immediate to link it with the most popular tools usable for this type of attacks such as the popular LOIC, we must consider that underground offer is plenty of interesting software and services that could be acquired at reasonable prices.

Recent DDoS attacks have demonstrated the impact of these type of offensives on private corporations and  institutions, too many entities are still vulnerable to Denial of Service attacks and cybercrime is trying to monetize it.

The principal ways to monetize a DDoS attack observed are:

  • Conduct DDoS for extortion purposes.
  • Renting of DDoS services.
  • Sale of DDoS bot agents for constitution of dedicated botnets.

New vendors daily propose malicious code, exactly like in every market exist well known vendors with an excellent reputation, meanwhile new actors try to conquer the black market with ingenious proposition on the black market.

Vendors sell products to facilitate the cybercrime activities and monetize their products in the shortest time to avoid to be tracked by security firms and law enforcement.

Dancho Danchev, one of the maximum experts on research on cyber criminal underground has several times explored the black market offer for tools and malware to arrange DDoS attacks.

The end of last year he reported the offer of the DIY IRC-based DDoS bot, a malicious code that since its discovery has been continuously improved, the first version was in fact an IRC-based release, but the agent improved evolving into a HTTP-based one.

What surprised the security experts in the first phase was the fact that the agent used the Internet Relay Chat (IRC) as a centralized command and control infrastructure, another singular thing is that a malware author would not offer you access to a managed IRC server to be used as command and control server. In those cases the author of this IRC-based bot appeared to be using a largely outdated and easily detected C&C communication process. The bot was very light, just 23kb that has standard anti-debugging mechanisms built-in, plus features allowing the update the code to a newer version.

It was easy to provide an improvement with regard to the communication channel with the C&C, an improvement that has come in timely with HTTP-based release.


The malicious application appears very efficient, it supports 10 different DDoS attack types, but what is very singular is that the application once infected its victims is able to remove competing malware such ZeuS, Citadel or SpyEye.




The malicious code is also surprising for its price, according Danchev the IRC version is sold for $100 meanwhile the HTTP version goes for $300, as we has seen in the last months cyber criminals are able to propose a completed offer proposing also bullet proof hosting and managed services IRC, respectively in this case for $15 and $10.

Danchev observed that fellow cyber criminals across multiple cybercrime-friendly communities have also proposed a cracked version available exclusively to members of these communities.

Following the comment of Danchev on his blog post:

“What we’ve got here is yet another example of a technically flawed licensing model for malicious software, allowing fellow cybercriminals to undermine the vendor’s entire business model. Whether competing vendors of malware/crimeware releases targeted by this bot will take action or not, will entirely depend on the market share that it succeeds in securing, once again, thanks to its affordable price.

We’ll continue monitoring the tool’s future development, in particular whether or not it will migrate to a less noisy — like IRC — C&C communication models, taking into consideration the fact that its latest version has indeed migrated to a HTTP-based C&C.”

The case presented the demonstration of how it is simple to arrange a DDoS attack thanks to the cyber criminal offer on the underground that includes all necessary to arrange a powerful offensive.

The offer is daily improved thanks to feedback of buyers and represents lifeblood for the continuing attacks.

Pierluigi Paganini

(Security Affairs – Cybercrime)

you might also like

leave a comment