1. Introduction of the New Botnet RDDoS
In early November 2023, NSFOCUS’s Global Threat Hunting System detected that an unknown elf file was spreading widely, which aroused our vigilance. After further analysis, we confirmed that this batch of elf samples belonged to a new botnet family. NSFOCUS Security Research Labs named the botnet Trojan as RDDoS.
The main function of the RDDoS is to launch DDoS attacks and it has the ability to execute commands, which further improves its threat. RDDoS also sets online parameters to distinguish the type of infected devices, and at the same time distinguishes real devices and sandboxes by whether the online package carries operating parameters. RDDoS has strong adversarial capabilities.
Monitoring data shows that RDDoS tends to use ICMP_flood method to launch DDoS attacks on targets 24 hours a day, and nearly 80% of attack activities are carried out in this way. In terms of target selection, the first choice for RDDoS was the United States (36%), followed by Brazil (22%) and France (15%). In addition, countries such as China, Germany and the Netherlands were also affected.
2. Sample Analysis of Botnet RDDoS
Host-side Behaviors
RDDoS will first change the working directory of the current process to the root directory during operation, and then create a sub-process. If the sub-process is not created successfully, it will exit directly. After the sub-process is created successfully, subsequent functions will continue to be executed in the sub-process.
There are two ways for the controlled terminal to execute on the victim host, with and without parameters. Different ways determine the content of the online package when it is first launched. It is presumed that the attacker’s intention is to make a corresponding judgment according to the online content. The online parameters can be used to distinguish the type of infected device. In addition, if the online package contains parameters and the parameters are correct, it indicates that the controlled terminal is issued by the attacker; if the controlled terminal does not carry parameters during execution, the “unknown” string will be spliced into the online content, indicating that the Trojan may be in a sandbox environment.
Online Package Characteristics
In the process of establishing a connection with the control terminal, the controlled terminal will splice the command line parameters as an online package. When no parameter is transmitted, the “unknown” string will be spliced, as shown in the following figure.
The traffic generated when going online is shown in the following figure:
Instruction Analysis
After the online operation is completed, the controlled terminal waits for an instruction issued by the control terminal and judges subsequent operations according to parameters such as instruction length and first-byte value. The implementation process is as follows:
When the first byte of received data is “0x02”, the bot process terminates; when the first byte of received data is “0x03”, the sub-process created earlier ends; when the first byte of received data is “0x04”, the bot executes the corresponding command through /bin/sh.
The DDoS function is executed when the data length received by the bot is greater than 13 and the first byte is “0x05”, “0x06”, “0x07”, “0x08” or “0x09”.
The DDoS attack instruction is parsed as follows:
Table 1 Instruction Parsing
| Receive Data | Implication | Comment |
| recv_buf[0] | Attack type | 1 byte to determine the type of attack (e.g. 0x05->UDP, 0x06->ICMP, 0x07->TCP_SYN, 0x08->TCP_ACK, 0x09->TCP_PSH_ACK) |
| recv_buf[1-4] | Destination IP | 4 bytes, determining the IP address of the target host |
| recv_buf[5-6] | Destination port | 2 bytes, determine the target host port. If it is 0x0000, it will be randomly generated |
| recv_buf[7-10] | Attack duration | 4 bytes, determining the attack duration |
| recv_buf[11-12] | Packet length | 2 bytes, determining the length of data packets sent to the target host |
| recv_buf[13] | Source IP structure | 1 byte. The value of 1 indicates that the source IP is randomized, and other values indicate that the source IP is the IP address of the controlled host |
3. Conclusion
The RDDoS is relatively uncomplicated. It is a new botnet family built from scratch. Recently, its controllers have continuously updated and iterated the Trojan to add new DDoS attack methods and improve functions. It is worth noting that it also possesses command execution capabilities, which further increases the level of threat it poses.
In recent years, it has been common for attackers to use botnets as channels and then launch APT or ransomware attacks based on them. We need to strengthen our attention to this type of botnet, as most of the newly emerging botnet families, although appearing to be extremely simple-looking Trojans, may have a constant influx of variants.
We infer that the family will remain active for some time to come, and NSFOCUS Security Research Labs will continue to strengthen its monitoring of this botnet family and the threat actors operating behind it.
NSFOCUS Anti-DDoS solution stands at the forefront of safeguarding organizations against the rising threat of RDDoS attacks. Leveraging a vast database of global threat intelligence and cutting-edge technology, NSFOCUS provides a comprehensive defense mechanism to detect, mitigate, and neutralize RDDoS threats effectively.
4. IOC
09b8159120088fea909b76f00280e3ebca23a54f2b41d967d0c89ebb82debdbf
7ca0663c88c59b83f26b6ae8664d189a
