Skunkx DDoS Bot Analysis

Lest you think all of the DDoS bots we focus on come only from China, we found one that appears to be from the US. We’re calling this bot “Skunkx”. We have not yet seen the bot’s attacks in the wild, however, and so we do not know its favored victim profiles. We also do not know how big this botnet is at this time.

The bot’s capabilities include:

  • Perform DDoS attacks: UDP floods, SYN floods, HTTP floods, and Slowloris attacks
  • Detect some analyst tools (Commview, TCPView, and Wireshark) and platforms (QEMU, VMWare, VirtualPC)
  • Spread over USB, MSN, YahooMessenger
  • “Visit” sites, speedtest
  • Download and install, update, and remove arbitrary software
  • Detect and stop DDoSer, Blackshades, Metus and IRC bots on the box; it apparently can speak “DDoSer” too
  • Spread as a torrent file
  • Steal logins stored in the SQLite DB by Mozilla

We have not seen the source or the control panel of the bot. The author appears to like the “JoinVPS” service, however. The servers he has used trace back to “Net-0x2a: Zharkov Mukola Mukolayovuch” in Ukraine, and also to “PIRADIUS” in Malaysia. This appears to be someone familiar with underground hosting.

Some of the samples have been UPX packed, but not all use such simple packing. The hostnames in use suggest a single attacker, and we have not seen the kit openly available for sale or review. CnC communications use an obfuscated ASCII protocol that is not unlike a basic IRC method. We are working with the registrar to shut down the domain name used by the attacker.

Skunkx in IDA console

Inspection of the bots we captured shows a handful of user-agents (my favorite is the Cyberdog one!) and HTTP headers that appear distinctive, enabling us to detect its traffic selectively. The author appears to have imported Slowloris’ attack method without any modification.
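As an added illustration of the Slowloris behaviour mentioned above (this is not the post's own code, and the connection-table snapshot is constructed), a server-side heuristic that flags client addresses holding many long-lived connections whose request headers never complete:

```python
"""Heuristic detector for Slowloris-style slow-header floods.

Slowloris exhausts a web server's connection pool by opening many
connections and sending partial HTTP request headers a few bytes at a
time, never sending the blank line that ends the header block. A single
source therefore accumulates many old, small, header-incomplete connections.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src_ip: str
    age_s: float           # seconds since the connection was accepted
    bytes_in: int          # request bytes received so far
    header_complete: bool  # True once the CRLFCRLF ending the headers arrived


def incomplete_long_lived(conns, min_age_s=30.0, max_bytes=1024):
    """Connections that are old, tiny, and still waiting for the header end."""
    return [c for c in conns
            if not c.header_complete
            and c.age_s >= min_age_s
            and c.bytes_in <= max_bytes]


def detect_slowloris_sources(conns, min_conns=10, min_age_s=30.0, max_bytes=1024):
    """Return {src_ip: count} for sources holding >= min_conns suspicious connections."""
    counts = defaultdict(int)
    for c in incomplete_long_lived(conns, min_age_s, max_bytes):
        counts[c.src_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= min_conns}


# Constructed snapshot of a server's connection table (documentation-range IPs, not real data).
SAMPLE_CONNS = (
    [Conn("203.0.113.7", 120.0 + i, 180 + i, False) for i in range(40)]  # slow-header flood
    + [Conn("198.51.100.3", 5.0, 400, True) for _ in range(12)]          # busy but legitimate client
    + [Conn("192.0.2.9", 95.0, 150, False) for _ in range(3)]            # a few stalled clients, below threshold
)

if __name__ == "__main__":
    print(detect_slowloris_sources(SAMPLE_CONNS))  # {'203.0.113.7': 40}
```

Thresholds should be tuned against the server's normal header-completion times; slow mobile clients can also hold a handful of incomplete connections, which is why the per-source count matters more than any single connection.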

We have also been sinkholing this botnet. Inspection shows hundreds of bots checking in from around the world, with most in the US. Here’s a map showing botted hosts:

We continue to work with network providers to get these hosts cleaned up.

Samples by hash and dates:


Many thanks to Jeff Edwards for his help during this analysis.

4 Responses to “Skunkx DDoS Bot Analysis”

March 14, 2011 at 1:57 pm, IT Secure Site » Skunkx DDoS Bot Analysis said:

[…] (source: Arbor Networks Security) […]

March 16, 2011 at 10:38 am, Ben said:

Arbor, first of all, you rock. I love the detailed analysis you provide on these threats.

Could I request that you add a “printable version” link to these pages? That would make it even more awesome.

March 17, 2011 at 4:56 am, Arbor Networks Researchers Find US-based DDoS Botnet | Linux Virtualization said:

[…] to originate from China, but there appears to be at least one from the U.S., said Jose Nazario of Arbor Networks Security Engineering and Response Team (SERT). However, other than its origin, Arbor researchers have learned precious little about the […]

July 30, 2011 at 3:17 am, Mehul Doshi said:

Skunkx malware analysis by endpoint security or antimalware client or a link via virustotal would help. We are seeing a similar pattern; however, the virus variants are drastically different. Does that mean Skunkx is changing the malware variant for propagation with various organizations? Indian organizations are not aware of this threat, and would Indian CERT be updated, or are you only working with network providers?
