A denial of service (DoS) attack typically requires a coordinated effort of a large number of Internet hosts to simultaneously flood the host under attack. A sizable number of machines all sending copious amounts of packets to a single machine or network can overload it to the point where it becomes unusable, or perhaps even cause it to crash.
The hosts involved in the attack are often regular home computers that have been hijacked into doing the attacker's bidding. The computers have somehow become infected with a program that takes commands remotely. Many of these programs log in to the Internet Relay Chat (IRC) network and join a predefined IRC chat area. Once logged in, they sit and wait for commands. When their master wants to launch an attack, he connects to IRC, informs all of the connected servant programs what he wants done, and they go do it. Spooky, eh?
The LURHQ Threat Intelligence Group has dissected one of these servant programs, named PhatBot, and posted information about its feature set, how advanced these programs have become, and the list of commands it can respond to.
Here are a few of the more interesting commands:
- bot.command :: runs a command with system()
- rsl.reboot :: reboots the computer
- ddos.synflood :: starts an SYN flood
- redirect.https :: starts a https proxy
- harvest.cdkeys :: makes the bot get a list of cdkeys

I blogged some thoughts - see URL.
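
For defenders, the command names listed above make a usable network signature. The following is an added example, not code from the LURHQ write-up or from this post: it parses IRC protocol lines captured by a sensor and reports internal hosts that receive one of those commands. It assumes the commands arrive in cleartext as the first word of a channel message or topic, possibly behind a one-character prefix; the hosts, nicks and channels in the sample are constructed.

```python
import re
from collections import defaultdict

# Command names copied from the list on this page.
BOT_COMMANDS = {"bot.command", "rsl.reboot", "ddos.synflood",
                "redirect.https", "harvest.cdkeys"}
# IRC messages that can carry text to a channel: PRIVMSG, TOPIC, and
# numeric 332 (topic sent on join). Assumption: commands arrive this way.
CARRIERS = {"PRIVMSG", "TOPIC", "332"}

# RFC 1459 line: [":" prefix SP] verb {SP param} [SP ":" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<verb>\S+)"
    r"(?P<params>(?: [^: ]\S*)*)(?: :(?P<trailing>.*))?$")

def parse_irc(raw):
    """Split one IRC protocol line into its parts; None if malformed."""
    m = IRC_LINE.match(raw.rstrip("\r\n"))
    return m.groupdict() if m else None

def find_command_traffic(records):
    """records: (internal_host, raw_irc_line) pairs from a network sensor.
    Returns {host: [(channel, command), ...]} for lines whose text begins
    with one of BOT_COMMANDS, ignoring case and any leading prefix char."""
    hits = defaultdict(list)
    for host, raw in records:
        msg = parse_irc(raw)
        if not msg or msg["verb"].upper() not in CARRIERS:
            continue
        words = (msg["trailing"] or "").split()
        if not words:
            continue
        # Only the first word counts, so chat that merely mentions a
        # command name mid-sentence is not flagged.
        first = re.sub(r"^[^A-Za-z0-9]+", "", words[0]).lower()
        if first in BOT_COMMANDS:
            target = msg["params"].split()
            hits[host].append((target[-1] if target else "", first))
    return dict(hits)

# Constructed sample input (hosts, nicks and channels are made up).
SAMPLE = [
    ("10.0.0.21", ":op!u@h.example PRIVMSG #x :.harvest.cdkeys"),
    ("10.0.0.21", ":irc.example 332 nick1 #x :.rsl.reboot"),
    ("10.0.0.34", ":al!a@h.example PRIVMSG #help :read about ddos.synflood?"),
    ("10.0.0.34", "PING :irc.example"),
    ("10.0.0.55", ":op!u@h.example PRIVMSG #x :!DDOS.SYNFLOOD placeholder"),
]

if __name__ == "__main__":
    for host, found in find_command_traffic(SAMPLE).items():
        print(host, found)
```

A match on the 332 topic numeric is worth treating as higher priority than a single PRIVMSG, since a command set as the channel topic is delivered to every client that joins.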