Exploring the Chinese DDoS landscape

Friday 4 October 14:30 - 15:00, Small talks

Nacho Sanmillan (Intezer)

Distributed denial-of-service attacks were on the rise in 2018, ranging from a high volume of Mirai attacks to more sophisticated botnets targeting enterprises. Chinese threat actors in particular have predominantly deployed DDoS attacks in their cyber campaigns, and China has emerged as having one of the highest rates of DDoS attacks.

During this presentation, Intezer researcher Nacho Sanmillan will provide an overview of the Chinese DDoS landscape and discuss the current state of ChinaZ, a threat actor group notorious for targeting Windows and Linux systems with botnets since November 2014. He will also provide context into Nitol, a malware family with alleged Chinese origins and a prominent player in the DDoS ecosystem. Nacho will present the various methods employed to discover ChinaZ and Nitol's servers and analyse code reuse relationships with groups such as MrBlack and Iron Tiger APT.




Nacho Sanmillan

Nacho is a security researcher specializing in reverse engineering and malware analysis. Nacho plays a key role in Intezer's malware hunting and investigation operations, analysing and documenting new undetected threats. Some of his latest research involves detecting new Linux malware and finding links between different threat actors. Nacho is an adept ELF researcher, having written numerous papers and conducted projects implementing state-of-the-art obfuscation and anti-analysis techniques in the ELF file format.


   Read paper    Watch video

Back to VB2019 Programme page

Other VB2019 papers

Exploring the Chinese DDoS landscape

Nacho Sanmillan (Intezer)

King of the hill: nation-state counterintelligence for victim deconfliction

Juan Andres Guerrero-Saade (Chronicle)

A vine climbing over the Great Firewall: a long-term attack against China

Lion Gu (Qi An Xin Threat Intelligence Center)
Bowen Pan (Qi An Xin Threat Intelligence Center)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.