[Dshield] Fwd: Destructive botnet originating from Japan

Mark Owen mr.markowen at gmail.com
Sat Dec 24 02:13:19 GMT 2005

Received this from NANOG.

---------- Forwarded message ----------
From: Barrett G. Lyon <blyon at prolexic.com>
Date: Dec 23, 2005 2:55 PM
Subject: Destructive botnet originating from Japan
To: nanog at merit.edu

Prolexic is currently mitigating a 6+ Gbps (12+ Million PPS) DDoS
attack that is originating from an IRC based botnet server in Japan.
The bot software itself runs on GLIBC_2.1.3, GLIBC_2.1, and GLIBC_2.0
compatible x86 Linux boxen.  The bot software is about 28.3 KB; it has
a lot of capabilities including HTTP connection, TCP floods, and
broken SYN flooding.  We are not sure of the current infection method
but it must be a common Redhat Linux vulnerability.  We have contacted
the network that hosts the IRC controller server, however, they
do not speak English and we have yet to locate a translator.

The botnet controller server is hard coded in the botnet binary at: (www.vectant.co.jp):

.e....'.: 001 nmdpokdhr :Welcome to the Internet Relay
Network nmdpokdhr!~rjhriafit at cpe-70-116-65-96.houston.res.rr.com
: 002 nmdpokdhr :Your host is, running version 2.10.3p7
: 003 nmdpokdhr :This server was created Sat May 29 2004 at
06:15:50 JST
: 004 nmdpokdhr 2.10.3p7 aoOirw abeiIklmnoOpqrstv
: 251 nmdpokdhr :There are 553 users and 0 services on 1 servers
: 252 nmdpokdhr 1 :operators online
: 253 nmdpokdhr 23 :unknown connections
: 254 nmdpokdhr 10 :channels formed

Please null route that IP on every network you may have access to,
that will disable the ability for the bots to get updates and act on
behalf of the attacker.  The connection port is TCP 3982 (IRC based

We have been running heavy stats collection on the attack; the
Prolexic SOC has compiled the enclosed prefix list as malicious and
non-spoofed addresses.  There are many more; however, the list below is
some of the highest traffic generators.

Happy hunting and feel free to email me off-list if you would like
more information on the attack and the botnet software itself.



Barrett Lyon
CTO and founder
Prolexic Technologies, Inc.

Mark Owen
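As an added example (not code from the post or from Prolexic), a small Python parser that pulls a server fingerprint out of the connect-time IRC numerics quoted in the forwarded banner: version, build date and population counts, the kind of record a SOC keeps of a controller server seen in a capture. The sample banner is the post's, reassembled one reply per line, with the leading junk bytes dropped and the archive's " at " restored to "@"; the function names are my own.

```python
import re
from typing import Dict, Any

# Constructed sample: the connect-time numerics quoted in the forwarded post,
# reassembled one reply per line (the mail wraps them) with "@" restored.
SAMPLE_BANNER = """\
: 001 nmdpokdhr :Welcome to the Internet Relay Network nmdpokdhr!~rjhriafit@cpe-70-116-65-96.houston.res.rr.com
: 002 nmdpokdhr :Your host is, running version 2.10.3p7
: 003 nmdpokdhr :This server was created Sat May 29 2004 at 06:15:50 JST
: 004 nmdpokdhr 2.10.3p7 aoOirw abeiIklmnoOpqrstv
: 251 nmdpokdhr :There are 553 users and 0 services on 1 servers
: 252 nmdpokdhr 1 :operators online
: 253 nmdpokdhr 23 :unknown connections
: 254 nmdpokdhr 10 :channels formed
"""

# "[:<prefix>] <3-digit numeric> <target nick> <params>"; the prefix is the
# server name and is empty in the captured banner (just ":").
NUMERIC_RE = re.compile(r"^(?::\S*\s+)?(\d{3})\s+(\S+)\s+(.*)$")
COUNT_NAMES = {"252": "operators", "253": "unknown", "254": "channels"}


def parse_banner(text: str) -> Dict[str, Any]:
    """Pull the server fingerprint (version, build date, population) from
    the RPL_WELCOME..RPL_LUSER* numerics a server sends on connect."""
    fp: Dict[str, Any] = {"counts": {}}
    for line in text.splitlines():
        m = NUMERIC_RE.match(line.strip())
        if not m:
            continue                      # not a numeric reply; ignore
        code, nick, params = m.groups()
        fp["nick"] = nick                 # nick the bot registered with
        trailing = params.split(":", 1)[1] if ":" in params else params
        if code == "001":                 # RPL_WELCOME ends with nick!user@host
            fp["client_mask"] = trailing.rsplit(" ", 1)[-1]
        elif code == "003":               # RPL_CREATED: server start date
            fp["created"] = trailing.split("created ", 1)[-1]
        elif code == "004":               # RPL_MYINFO: version, umodes, cmodes
            fp["version"] = params.split()[0]
        elif code == "251":               # RPL_LUSERCLIENT: users/services/servers
            for n, what in re.findall(r"(\d+) (users|services|servers)", trailing):
                fp["counts"][what] = int(n)
        elif code in COUNT_NAMES:         # RPL_LUSEROP/UNKNOWN/CHANNELS: "<n> :text"
            fp["counts"][COUNT_NAMES[code]] = int(params.split()[0])
    return fp


def connected_clients(fp: Dict[str, Any]) -> int:
    """Registered users plus unregistered connections at capture time."""
    return fp["counts"].get("users", 0) + fp["counts"].get("unknown", 0)
```

On the quoted banner this yields version 2.10.3p7, a May 2004 build date and 553 users plus 23 unregistered connections, which is the population the post's "null route that IP" advice would cut off from the controller.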
