The Flusihoc botnet is being used for crippling DDoS attacks, some as large as 45 Gbps according to researchers at Arbor Networks. The botnet has been operational for at least two years, although activity has increased over the past few months: more than 900 attacks have been launched from Flusihoc in the past four months.
The botnet has more than 48 active command and control servers, out of more than 154 detected in total. The malware is under constant development, with more than 500 versions of the C++ code identified in the past two years.
Arbor Networks suggests that the botnet is available for hire, based on the variety of its targets. The latest version analyzed by Arbor adds a registry entry to ensure persistence, a departure from earlier versions. The sample Arbor obtained talks to its C2 in plaintext over HTTP, but a newer version has been identified that encrypts its C2 traffic. Arbor believes Flusihoc was developed in China, since several debug strings contain Chinese characters.
On average, more than 14 DDoS attacks are launched each day from the Flusihoc botnet. Those attacks average 603.24 Mbps and are typically TCP SYN floods against port 80, port 443 and the 1-1023 port range. With the capacity to mount attacks of at least 45 Gbps, however, the botnet poses a significant threat to any website operator not using a DDoS mitigation service. So far the attacks have been concentrated on targets in China.
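The attack profile above (bursts of TCP SYNs against port 80, port 443 and the privileged 1-1023 range) is what a network defender would look for in flow or packet data. The following is an added example, not code from Arbor's report or from the malware: a small Python detector that runs over constructed packet records and flags a destination that receives a burst of SYN-only packets on those ports without the client ACKs that would complete legitimate handshakes. The record format, the one-second window, the thresholds and all IP addresses are assumptions chosen for illustration.

```python
"""SYN-flood detection over packet records (added example; Python 3 stdlib only).

Flags a destination when, within a one-second window, it receives more
SYN-only packets than a threshold while almost none of the same sources
follow up with the ACK that completes the handshake. Thresholds, the
record format and all addresses are illustrative assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Pkt:
    ts: float    # seconds since capture start
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination TCP port
    flags: str   # TCP flags as letters: "S" = SYN only, "A" = ACK only


def port_group(dport: int) -> str:
    """Bucket a destination port into the ranges the report names."""
    if dport == 80:
        return "http"
    if dport == 443:
        return "https"
    if 1 <= dport <= 1023:
        return "privileged"
    return "other"


def detect_syn_floods(pkts: Iterable[Pkt], window: float = 1.0,
                      syn_threshold: int = 100,
                      max_ack_ratio: float = 0.2) -> List[Dict]:
    """Return one alert per (destination, window) that looks like a SYN flood.

    A window is suspicious when SYN-only packets >= syn_threshold and the
    number of client ACKs divided by SYNs is <= max_ack_ratio: legitimate
    clients complete the handshake, spoofed flood sources never do.
    """
    buckets: Dict[tuple, Dict] = defaultdict(
        lambda: {"syn": 0, "ack": 0, "srcs": set(), "ports": defaultdict(int)})
    for p in pkts:
        b = buckets[(p.dst, int(p.ts // window))]
        if p.flags == "S":
            b["syn"] += 1
            b["srcs"].add(p.src)
            b["ports"][port_group(p.dport)] += 1
        elif p.flags == "A":
            b["ack"] += 1

    alerts = []
    for (dst, slot), b in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if b["syn"] < syn_threshold:
            continue
        ack_ratio = b["ack"] / b["syn"]
        if ack_ratio > max_ack_ratio:
            continue
        alerts.append({
            "dst": dst,
            "window_start": slot * window,
            "syn": b["syn"],
            "ack_ratio": round(ack_ratio, 3),
            "unique_sources": len(b["srcs"]),
            "ports": dict(b["ports"]),
        })
    return alerts


def sample_traffic() -> List[Pkt]:
    """Constructed capture: 30 real handshakes to :443 in second 0, then a
    150-source SYN-only burst to :80 in second 1 (documentation-range IPs)."""
    pkts: List[Pkt] = []
    target = "203.0.113.10"
    for i in range(30):
        client = f"198.51.100.{i + 1}"
        pkts.append(Pkt(0.10 + i * 0.01, client, target, 443, "S"))
        pkts.append(Pkt(0.15 + i * 0.01, client, target, 443, "A"))
    for i in range(150):
        pkts.append(Pkt(1.0 + i * 0.005, f"192.0.2.{i + 1}", target, 80, "S"))
    return pkts


if __name__ == "__main__":
    for alert in detect_syn_floods(sample_traffic()):
        print(alert)
```

On the constructed capture the first second (30 completed handshakes) produces no alert even with a low threshold, because the ACK ratio is 1.0; the second second (150 SYNs, no ACKs) is flagged against the `http` port group. In practice the threshold would be tuned per host from a baseline of normal SYN rates, and UDP, ICMP and DNS floods, which the botnet also supports, need separate per-protocol rate checks.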
While many new malware variants are written for DDoS, Flusihoc appears to be well engineered and supports nine attack types: two variants of CC (Challenge Collapsar, an HTTP request flood) plus SYN, UDP, ICMP, TCP, HTTP, DNS and CON attacks. The malware can also download additional malware onto an infected computer. YARA rules have been published, allowing organizations to scan for the malware and identify infected hosts.