The newly discovered IMDDOS Botnet is a commercial DDoS service, and it grew large very quickly. It began testing in April 2010 and reached its production peak by the second week of August, at 25,000 unique recursive DNS lookups per hour to its command-and-control (CnC) servers.
This paper details the growth of the IMDDOS Botnet, the commercial aspects of its operation, the technical components of the botnet infrastructure, how it was discovered, and what is currently being done to disrupt its operation.
Damballa is the leading authority on botnets, botnet construction, and their criminal operation. Damballa has a globe-spanning array of sensors, including deployments with Internet Service Providers, that monitor CnC activity and malicious DNS traffic.
Damballa tracks thousands of botnet operators and their growing cache of botnets every day. Each criminal botnet building campaign is observed, analyzed, catalogued and categorized automatically using a sophisticated array of clustering and machine learning systems. As the criminal botnet operators attempt to grow the botnet, their investments and modifications to their CnC hosting infrastructure are tracked and used as markers for eventual attribution.
This discovery was made possible by this array of Damballa DNS sensors, which provide worldwide visibility into CnC activity, combined with an understanding and quantification of the statistical heuristics that could explain --- and, most importantly, detect early --- the malicious nature of this botnet operation.