The Elknot DDoS Botnets We Watched

Presented at VB2016, Oct. 7, 2016, noon (30 minutes)

Elknot, also known as Linux/BillGates, is a notorious DDoS botnet family which runs on both *Linux* and *Windows* platforms. We have collected about 9,000 Elknot samples and extracted over 1,600 unique C&C servers. 500 of the servers were successfully contacted by our command tracking system. Over 50,000 unique victims were detected from the 37 million received attacking commands. The data we collected has given us various interesting pieces of information including details of botnet operations, attack methods and patterns. We observed some serious DDoS attack events, e.g. several DNS root servers being attacked on 30 November 2015 and 1 December 2015. Detailed studies have been carried out on the collected data in terms of C&C communications, botnet scales, attack methods, and victims. Attempts to connect Elknot botnets to other botnet families were also made. With the help of passive DNS and NetFlow data, we got some interesting results, which make us believe that it is possible to depict the big picture of popular Elknot botnets. We think our analysis will help to better detect and mitigate future DDoS threats.

Presenters:

  • Hui Wang - Qihoo 360
    Hui Wang is a software engineer with a passion for honeypot development. He has a wealth of experience in web development and data analysis. He now works in the Network Security Research Lab of Qihoo 360, where he attempts to build large-scale honeypot systems to capture popular attacks on the Internet. @acey9_
  • Ya Liu - Qihoo 360
    Ya Liu has over six years of experience in network security, specializing in honeypot, malware analysis, and botnet detection and tracking. Currently he works in the Network Security Research Lab of Qihoo 360, focusing mainly on botnet tracking. Before joining Qihoo 360 he worked at NSFOCUS on honeypot development and malware analysis. @liuya0904
