Last known affiliation: Qihoo 360
Bio: Lingming Tu previously worked at KingSoft and Kaspersky as a malware analyst and kernel developer. He is now a botnet researcher at 360netlab. His work focuses on malware reverse engineering and botnet tracking, with an emphasis on IoT botnets. Over the past years he has done extensive research on classic Linux botnets, including Elknot, Gafgyt, Dofloo, and Mirai. During this period he also discovered several new botnets, including Ngioweb (Linux version), Godlua, Mozi, Specter and Bigviktor.
Lingming Tu 🗣 | Wenji Qu | Ya Liu
Abstract
Fodcha is a new DDoS botnet family targeting Linux IoT devices. Since it was first detected in January 2022, we have observed 250+ samples across 4 versions, from which over 140 C&C domains were extracted. Most of the C&C servers have been successfully contacted by our command tracking system, and over 39K unique victims were identified from the 114M attack commands received.
The data we collected includes a variety of interesting information, such as botnet scale, operations, exploits, and attack methods. Detailed studies have been carried out on the collected data in terms of C&C communications, attack methods, and victims. We also attempted to estimate the botnet's scale by analyzing real attack traffic from Fodcha. By reading an accidentally obtained copy of the Fodcha C&C panel source, we even had the chance to investigate how the botmasters managed their botnets and sold their attack service to others. We think the analysis we did will help to better detect and mitigate similar threats in the future.