Destructive botnet originating from Japan

Prolexic is currently mitigating a 6+ Gbps (12+ Million PPS) DDoS attack that is orginitating from an IRC based botnet server in Japan. The bot software itself runs on GLIBC_2.1.3, GLIBC_2.1, and GLIBC_2.0 compatible x86 Linux boxen. The bot software is about 28.3 KB, it has a lot of capabilities including, HTTP connection, TCP floods, and and broken SYN flooding. We are not sure of the current infection method but it must be a common Redhat Linux vulnerability. We have contacted the network that hosts the IRC controller server server, however, they do not speak english and we have yet to locate a translator.

The botnet controller server is hard coded in the botnet binary at: (

.e…’.: 001 nmdpokdhr :Welcome to the Internet Relay Network nmdpokdhr!
: 002 nmdpokdhr :Your host is, running version 2.10.3p7
: 003 nmdpokdhr :This server was created Sat May 29 2004 at 06:15:50 JST
: 004 nmdpokdhr 2.10.3p7 aoOirw abeiIklmnoOpqrstv
: 251 nmdpokdhr :There are 553 users and 0 services on 1 servers
: 252 nmdpokdhr 1 :operators online
: 253 nmdpokdhr 23 :unknown connections
: 254 nmdpokdhr 10 :channels formed

Please null route that IP on every network you may have access to, that will disable the ability for the bots to get updates and act on behalf of the attacker. The connection port is TCP 3982 (IRC based bot).

We have been running heavy stats collection on the attack, the Prolexic SOC has compiled the enclosed prefix list as malicious and non-spoofed addresses, there are many more, however the list below is some of the highest traffic generators.

Happy hunting and feel free to email me off-list if you would like more information on the attack and the botnet software itself.