FYI...

Skunkx DDoS Bot Analysis
- http://asert.arbornetworks.com/2011/...-bot-analysis/
March 14th, 2011 - "... appears to be from the US. We’re calling this bot “Skunkx”. We have not yet seen the bot’s attacks in the wild, however, and so we do not know its favored victim profiles. We also do not know how big this botnet is at this time. The bot’s capabilities include:
* Perform DDoS attacks: UDP floods, SYN floods, HTTP floods, and Slowloris attacks
* Detect some analyst tools (Commview, TCPView, and Wireshark) and platforms (QEMU, VMWare, VirtualPC)
* Spread over USB, MSN, YahooMessenger
* “Visit” sites, speedtest
* Download and install, update, and remove arbitrary software
* Detect and stop DDoSer, Blackshades, Metus and IRC bots on the box; it apparently can speak “DDoSer” too
* Spread as a torrent file
* Steal logins stored in the SQLite DB by Mozilla
We have not seen source or the control panel of the bot. The author appears to like the “JoinVPS” service, however. His servers that he has used go back to “Net-0x2a: Zharkov Mukola Mukolayovuch” in the Ukraine, and also “PIRADIUS” in Malaysia. This is someone familiar with underground hosting, it seems... We have also been sinkholing this botnet. Inspection shows hundreds of bots checking in from around the world, with most in the US..."
Map showing botted hosts:
- http://farm6.static.flickr.com/5217/...6c467802_o.png

JKDDOS: DDoS bot...
- http://asert.arbornetworks.com/2011/...ning-industry/
March 8th, 2011 - "... Looking back through our malware zoo, we observed our first JKDDOS sample as early as September 2009. Since then, we have analyzed almost 50 unique JKDDOS samples, the most recent of which we acquired in December 2010. Based on its recent history of attacks, the operators of this family appear to have an axe to grind against several relatively large international holding companies that have connections to the mining industry... The JKDDOS malware is distributed in the form of a relatively small executable that tends to vary widely in size across different samples; we have seen specimens as small as 17,408 bytes and as large as 240,997 bytes. The most common size for a JKDDOS sample is approximately 33.5 KB; recently, the JKDDOS samples we have analyzed have usually been packed whereas earlier samples were not... Once launched, a JKDDOS bot performs a fairly standard installation process. It copies itself into the C:\Windows\System32 directory. In an attempt to be stealthy, it will sometimes name the installed copy of itself so as to appear to be a legitimate system file..."

(More detail at both URLs above.)
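The JKDDOS write-up notes that the bot sometimes names its installed copy in C:\Windows\System32 so it appears to be a legitimate system file. One defender-side check for that behaviour is to scan a System32 listing for names that are near-misses of well-known Windows binaries. The script below is an added example and is not code from the ASERT posts or from either bot; the baseline name set and the directory listing are constructed for illustration, and a real deployment would derive the baseline from a known-good image of the same Windows build.

```python
# Added example (not from the ASERT write-ups): flag executables in a
# System32-style listing whose names are near-misses of well-known Windows
# binaries, the kind of lookalike naming described for JKDDOS.
from __future__ import annotations

# Constructed baseline of legitimate binary names (assumption for this
# example; derive it from a known-good image in practice).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "explorer.exe", "services.exe", "spoolsv.exe",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(filenames, known=KNOWN_SYSTEM_BINARIES, max_distance=1):
    """Return (filename, mimicked_name) pairs for names that are close to, but
    not exactly, a known legitimate binary name. Comparison is case-insensitive
    because Windows file name lookups are."""
    hits = []
    for name in filenames:
        lowered = name.lower()
        if lowered in known:
            continue  # exact match: the name is legitimate; verify the file's signature separately
        for legit in sorted(known):
            if edit_distance(lowered, legit) <= max_distance:
                hits.append((name, legit))
                break
    return hits


# Constructed directory listing standing in for `dir C:\Windows\System32`.
SAMPLE_LISTING = [
    "svchost.exe", "svch0st.exe", "lsass.exe", "Isass.exe",
    "winlogon.exe", "services.exe", "spoolsv.exe", "spoolsvc.exe",
    "kernel32.dll", "notepad.exe",
]

if __name__ == "__main__":
    for fname, mimic in find_lookalikes(SAMPLE_LISTING):
        print(f"suspicious: {fname!r} resembles {mimic!r}")
```

Against the constructed listing this flags `svch0st.exe`, `Isass.exe` (capital I for lowercase l) and `spoolsvc.exe`. A name that matches the baseline exactly is deliberately not flagged here, since a sample could also overwrite or sit beside the real binary under its true name; that case needs a signature or hash check rather than a name comparison, and any lookalike hit should be confirmed the same way before acting on it.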