Madness Pro is a recently discovered DDoS bot that relies on standard methods to achieve persistence on a system and to evade detection.
Madness uses many standard DDoS attack techniques, and it can attack multiple sites at the same time or launch many different attacks against the same site. The ability to attack a site in multiple ways is what sets it apart from other DDoS malware and puts it in the league of families such as DirtJumper. In October 2013, Charlie Hurel, an independent security researcher based in France, observed the now defunct Cool Exploit Kit installing Madness on compromised PCs. Within a few days, a botnet of over 10,000 PCs had been built and was being used to launch attacks. That Madness was used as the payload in something like CoolEK, which was known to use 0-days before dying off with the arrest of its author, makes it a considerable threat and something we took notice of very quickly.
By monitoring attacks launched by the various botnets built by cybercriminals who purchased the malware, it is apparent that the targeted sites have mostly been competing underground forums, “carding” sites, and sites engaging in illegal activity. Legitimate sites have been targeted, but that does not seem to be the norm. A profile on Kafeine's blog provides good insight into one method of infection and how quickly a potent DDoS botnet can be built.
Given the breadth of the DDoS attacks available in Madness and its ability to attack large numbers of targets at the same time, it does not appear that Madness will be leaving the DDoS space anytime soon.
Contributed by Jason Jones, ASERT research analyst, Arbor Networks