Flusihoc

A DDoS botnet first discovered in 2015 has ramped up activity during the summer and is responsible for over 900 DDoS attacks during the past four months, the biggest of which reached 45 Gbps.

Named Flusihoc, the malware behind this botnet targets Windows computers and was first detected by Microsoft and other antivirus vendors back in 2015, but new versions have appeared on a regular basis, the most recent one last month.

Flusihoc botnet most likely operated out of China

Arbor Networks, a company that keeps an eye on the DDoS landscape, says there's been an influx of new versions this year, and after digging around into the botnet's history has found over 154 different command and control servers used to manage the botnet infrastructure, of which 48 were still active last month.

Clues researchers found in over 500 different Flusihoc versions spotted during the past two years suggest the malware was put together by a user based in China.

Researchers found many debug strings containing Chinese words and characters, while many C&C servers and DDoS attack targets were based in China.

"Analysis suggests this botnet is part of a regional DDoS [for hire] service based on the variance of targets," said TJ Nelson, Arbor Networks analyst.

It's no surprise that Arbor noted an increased activity from Flusihoc. Research released two months ago by Cisco Talos tied the sudden increase of Chinese-based DDoS-for-hire services to the leak of a DDoS booter platform that experts believe someone translated to Chinese and offered on Chinese underground hacking forums.

Operators of the Flusihoc botnet might have ramped up activity with the release of new tools to keep up with the growing competition.

Flusihoc launched over 900 DDoS attacks since June

Arbor says it detected 909 DDoS attacks launched by Flusihoc since June 2017, with 14.66 attacks per day, on average. While the biggest attack peaked at 45.08 Gbps, attack average was only 603.24 Mbps, which is more than enough to bring down websites not running a DDoS mitigation service.

Despite living in the shadows of larger DDoS botnets, Flusihoc is not an amateurish attempt at malware. According to an analysis of the Flusihoc code, Arbor says infected computers can launch nine types of different DDoS attacks, such as SYN, UDP, ICMP, TCP, HTTP, DNS, CON, and two types of CC floods.

In addition, starting with April 2017, Flusihoc received the ability to download and execute third-party binaries. While this mechanism is used to self-update the Flusihoc DDoS bot, botnet operators can use it at any time to download other types of malware on infected hosts, such as infostealers, banking trojans, or ransomware.

Because of the growing dangers coming from this threat, Arbor released today YARA rules so other security researchers can track down recent Flusihoc samples and add detection rules for their products and internal networks.