Chinese botnets were poorly constructed and riddled with errors, according to security researchers.
Jeff Edwards and Jose Nazario, researchers at denial of service (DoS) prevention firm Arbor Networks, said Trojan malware used in the botnets contained flaws and were not concealed.
They told the Virus Bulletin 2011 conference in Barcelona that blatant flaws in the used DoS attack botnets were duplicated by rival botnets that stole the source code.
Sophisticated modern botnets often used rootkits to conceal presence, were encrypted and could be difficult to trace and eradicate. The botnets also used varied DoS tactics such as low rate denial of service attacks (pdf).
But Edwards and Nazario said Chinese botnets lacked the technology and conducted only simple DoS attacks such as SYN, TCP and HTTP floods.
They found about 40 Chinese-based botnet families of which about 20 were distinct malware families, including Darkshell, IMDDOS, Rincux, NetBot Attacker and YoyoDDoS families the researchers said.
The botnets targeted specific victims. The Darkshell botnet attacked the industrial food processing industry, IMDDOS attacked gambling websites, Rincux attacked the mining sector, and versions of Netbot Attacker had in 2008 targeted US news site CNN.
“We were surprised when we discovered that its operators have such a propensity for attacking one particular commercial market segment,” he said in a blog post.
All of the studied botnets were thought to be built in China or were controlled primarily from Chinese IP addresses.