{"id":15368,"date":"2012-04-05T10:00:53","date_gmt":"2012-04-05T17:00:53","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=15368"},"modified":"2025-05-29T03:20:53","modified_gmt":"2025-05-29T10:20:53","slug":"darkshell-ddos-botnet-evolves-with-variants","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/","title":{"rendered":"Darkshell DDOS Botnet Evolves With Variants"},"content":{"rendered":"<p>Darkshell is a distributed denial of service (DDoS) botnet targeting Chinese websites. It was found in 2011 and was first analyzed by Arbor Networks. McAfee Labs recently analyzed a few new samples that turned out to be variants of Darkshell, and we found extensive variations in network traffic and control commands.<\/p>\n<p>The Darkshell bot follows a fairly standard installation process by copying itself into the System32 directory with a name that appears to be legitimate, for example, C:\\WINDOWS\\system32\\WinHe803.exe. It then sends the system information of the infected machine to its control server in encrypted format. Once the control server receives the information, it responds with the victim\u2019s address and the type of DDoS attack to perform.<\/p>\n<h2>Here are a few of the MD5 hashes we analyzed:<\/h2>\n<p>The binaries we analyzed were compiled in a way that makes them hard to reverse engineer (and hard for us to analyze). Each binary contained a lot of junk code and made multiple calls between pieces of junk code to complete a single task. 
We also found that the binaries used antidebugging and antidisassembly techniques to evade disassembly and reversing. The code was written in C++.<\/p>\n<p>Let\u2019s dig into some detailed analysis of the new variant of Darkshell. The binary executed fake code along with a debugger detection check, and exited the process while debugging. The binary accessed heap flags from the Process Environment Block (PEB) structure to detect our debugger. (Heap flags are set to \u201c0x50000062\u201d when a process is being debugged.) The following figure shows the actual code from the botnet binary:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15369\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-15369\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/peb_heap-300x31.png\" alt=\"\" width=\"300\" height=\"31\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/peb_heap-300x31.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/peb_heap.png 693w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>If the flags are set to 0x50000062, the bot will detect the debugger and will exit the process. 
Once we bypassed this defense, the botnet started its decryption routine with the help of the hard-coded XOR key shown below:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15370\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-15370\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/xor_key-300x27.png\" alt=\"\" width=\"300\" height=\"27\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/xor_key-300x27.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/xor_key.png 693w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>First, the binary decrypted 1917 (hex) bytes of the code with the preceding XOR key, starting at the address 0x00401000. Next, it decrypted all the strings using the same XOR key. Following that, the bot built its import address table using the \u201cLoadLibrary()\u201d and \u201cGetProcAddress()\u201d functions. We found it interesting that the bot did not call LoadLibrary() and GetProcAddress() in the usual way. 
In this sample, it first pushed the address of the LoadLibrary() function on the stack and then returned to it, as shown in the next image:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15371\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15371\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/loadlib-300x26.png\" alt=\"\" width=\"300\" height=\"26\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/loadlib-300x26.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/loadlib.png 789w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>After the LoadLibrary() function, the sample returned to a piece of code that the OllyDbg 1.1 debugger failed to recognize.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15372\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-15372\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/fail_code-300x39.png\" alt=\"\" width=\"300\" height=\"39\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/fail_code-300x39.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/fail_code.png 789w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>This maneuver means the binary uses an antidisassembly technique. 
To get around this obstacle, we tried OllyDbg 2.0, which successfully disassembled the code as follows:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15373\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-15373\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/olly2-300x89.png\" alt=\"\" width=\"300\" height=\"89\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/olly2-300x89.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/olly2.png 693w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The malware used a similar move with the GetProcAddress() function, pushing the address on the stack and returning to it. This way the bot built its import address table and jumped to the original entry point, as we can see in the next image:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15374\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-15374\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/oep-300x124.png\" alt=\"\" width=\"300\" height=\"124\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/oep-300x124.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/oep.png 813w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>By looking at the preceding code, we can easily say that this is a generic Microsoft Visual C++ executable entry point. Finally, we dumped the process and fixed the import table to unpack it in the original format. 
Here are the strings from the unpacked binary:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15375\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-15375\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/strings-283x300.png\" alt=\"\" width=\"283\" height=\"300\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/strings-283x300.png 283w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/strings.png 612w\" sizes=\"auto, (max-width: 283px) 100vw, 283px\" \/><\/a><\/p>\n<p>Now we have our unpacked binary. Rather than dive into the reverse engineering, we will focus on network control activity. The bot sends a TCP packet of 228 bytes in encrypted format to its control server. Here is the packet capture:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15376\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-15376\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/sent_packet-300x146.png\" alt=\"\" width=\"300\" height=\"146\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/sent_packet-300x146.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/sent_packet.png 612w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>We identified the routine in use\u2014a fairly simple XOR and substitution\u2014with the help of the hard-coded value \u201c7DB\u201d in the following snippet:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15377\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-15377\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/encrypt_call-300x75.png\" alt=\"\" width=\"300\" height=\"75\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/encrypt_call-300x75.png 300w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/encrypt_call.png 806w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The XOR key is generated and data is encrypted in the \u201cencryption_routine\u201d function seen above.<\/p>\n<p>The preceding encryption algorithm can be translated as follows:<br \/>\n<strong>Encrypted Byte = (Original Byte ^ XOR Key) + XOR Key<\/strong><br \/>\nAnd hence the decryption algorithm is:<br \/>\n<strong>Original Byte = (Encrypted Byte - XOR Key) ^ XOR Key<\/strong><\/p>\n<p>Applying this decryption algorithm on the encrypted packet results in the following:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15379\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-15379\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/decrypted_packet-300x135.png\" alt=\"\" width=\"300\" height=\"135\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/decrypted_packet-300x135.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/decrypted_packet.png 631w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Here\u2019s an analysis of the Darkshell control structure of 228 bytes:<\/p>\n<p><strong>struct {<\/strong><\/p>\n<p style=\"padding-left: 30px;\"><strong>char Processor[127]; \/\/ Processor information<\/strong><br \/>\n<strong>char Memory[31]; \/\/ Memory information<\/strong><br \/>\n<strong>char OS[31]; \/\/ Operating System information<\/strong><br \/>\n<strong>char Version[31]; \/\/ Bot version information<\/strong><\/p>\n<p><strong>};<\/strong><\/p>\n<p>As we see above, the bot sends processor, memory, and operating system information along with its version, \u201cVIP0410\u201d in this sample. Once the control server receives this information, it replies with 124 bytes of data that contain the victim\u2019s address and method for launching the DDOS attack. 
The response packet is not encrypted, as we see below:<br \/>\n<a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15380\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-15380\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/cnc_reply-300x95.png\" alt=\"\" width=\"300\" height=\"95\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/cnc_reply-300x95.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/cnc_reply.png 592w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>The first 4 bytes describe the type of attack. In the preceding case, the value \u201c0x00000400\u201d launches an HTTP GET request DDOS attack with a small header on the victim, using port number 80. The port value is specified at offset \u201c0x009E,\u201d which is 50 in hex (or 80 in decimal).<\/p>\n<p>The response attack structure of the 124 bytes:<\/p>\n<p><strong>struct {<\/strong><\/p>\n<p style=\"padding-left: 30px;\"><strong>DWORD dwCode; \/\/ attack method<\/strong><br \/>\n<strong>char Target[99]; \/\/ URL of target, NULL-terminated\/extended<\/strong><br \/>\n<strong>DWORD Port; \/\/ Port to attack<\/strong><br \/>\n<strong>DWORD ThreadCount; \/\/ number of threads to create<\/strong><br \/>\n<strong>DWORD dwMilliseconds; \/\/ Sleep (in milliseconds)<\/strong><br \/>\n<strong>DWORD socketCounter1; \/\/ Counter to create sockets<\/strong><br \/>\n<strong>DWORD socketCounter2; \/\/ Counter to create sockets<\/strong><\/p>\n<p><strong>};<\/strong><\/p>\n<p>Once the bot receives the response, it parses the attack method and creates multiple threads with attack methods on the infected machine, according to the thread count. The bot supports multiple attack methods, including SYN flood, UDP flood, ICMP flood, SuperSYN flood, GET requests flood, etc. 
The bot can also download and execute malicious binaries from the control servers.<\/p>\n<p>An HTTP GET request attack with a small header looks like this:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15381\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-15381\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/flood-300x167.png\" alt=\"\" width=\"300\" height=\"167\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/flood-300x167.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/flood.png 812w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<h2>Here are a few of the control domains we identified:<\/h2>\n<p>Further investigation revealed that the Darkshell botnet source code is available online. We found the <a href=\"http:\/\/www.darkshellnew.com\/\">www.darkshellnew.com<\/a> domain, which calls itself the official Darkshell website. It hosts various versions of the Darkshell botnet builder that can be downloaded free with source code. 
Here is a screenshot of the homepage (when converted from Chinese to English):<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15382\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-15382\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/homepage-300x161.png\" alt=\"\" width=\"300\" height=\"161\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/homepage-300x161.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/homepage-1024x552.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/homepage.png 1189w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Here are the different versions of Darkshell botnet builders available to download:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15383\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-15383\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/versions-300x227.png\" alt=\"\" width=\"300\" height=\"227\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/versions-300x227.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/versions.png 711w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Our research shows that variants of the Darkshell botnet are still evolving, with features such as antidebugging and antidisassembly techniques to make reverse engineering more time consuming. The botnet can launch DDOS attacks using different methods and can flood websites. 
Further, the presence of free Darkshell builders with source code on the Internet opens up the evolution of other variants with other mechanisms.<\/p>\n<p>I would like to thank my colleague Amit Malik for contributing to this botnet research.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Darkshell is a distributed denial of service (DDoS) botnet targeting Chinese websites. It was found in 2011 and was first&#8230;<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[49,18],"coauthors":[3973],"class_list":["post-15368","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-botnet","tag-network-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Darkshell DDOS Botnet Evolves With Variants | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Darkshell is a distributed denial of service (DDoS) botnet targeting Chinese websites. It was found in 2011 and was first analyzed by Arbor Networks.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Darkshell DDOS Botnet Evolves With Variants | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Darkshell is a distributed denial of service (DDoS) botnet targeting Chinese websites. 
It was found in 2011 and was first analyzed by Arbor Networks.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2012-04-05T17:00:53+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-29T10:20:53+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/04\/peb_heap.png\" \/>\n\t<meta property=\"og:image:width\" content=\"693\" \/>\n\t<meta property=\"og:image:height\" content=\"73\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"Darkshell DDOS Botnet Evolves With Variants\",\"datePublished\":\"2012-04-05T17:00:53+00:00\",\"dateModified\":\"2025-05-29T10:20:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/\"},\"wordCount\":1146,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/peb_heap-300x31.png\",\"keywords\":[\"botnet\",\"network security\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/\",\"name\":\"Darkshell DDOS Botnet Evolves With Variants | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/peb_heap-300x31.png\",\"datePublished\":\"2012-04-05T17:00:53+00:00\",\"dateModified\":\"2025-05-29T10:20:53+00:00\",\"description\":\"Darkshell is a distributed denial of service (DDoS) botnet targeting Chinese websites. It was found in 2011 and was first analyzed by Arbor Networks.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/peb_heap-300x31.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/04\/peb_heap-300x31.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/darkshell-ddos-botnet-evolves-with-variants\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee 
Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Darkshell DDOS Botnet Evolves With Variants\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-con
tent\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}