Showing posts with label DDoS. Show all posts
Appreciate my rhetoric. In this post I'll provide actionable intelligence on a key DDoS for hire service that was primarily used in the Russia vs Georgia Cyber Attacks circa 2009 including the DDoS attack against Bobbear.co.uk.Related actionable intelligence on the campaign:
hxxp://setx.in - Email: info@antiddos.eu - setx.mail@gmail.com - hxxp://httpdoc.info - hxxp://fakamaza.info. The last one with the email address "team@russia-vs-georgia.org" in the WHOIS info.
Related malicious URLs known to have participated in the campaign:
hxxp://cxim.inattack.ru/www7/www/auth.php
Related malicious URLs known to have participated in the campaign:
hxxp://h278666y.net/main/load.exe
hxxp://h278666y.net/www/auth.php
MD5: 34413180d372a9e66d0d59baf0244b8f
MD5: 42e4bbd47d322ec563c86c636c3f10b9
MD5: ed36b42fac65236a868e707ee540c015
MD5: c9fa1c95ab4ec1c1d46abe5445fb41e4
hxxp://cxim.inattack.ru/www3/www/
hxxp://i.clusteron.ru/bstatus.php
Related malicious URLs known to have participated in the campaign:
hxxp://svdrom.cn
Related malicious URLs known to have participated in the campaign:
hxxp://203.117.111.52/www7/www/getcfg.php
Related malicious domains known to have participated in the campaign:
hxxp://cxim.inattack.ru/www2/www/stat.php
hxxp://cxim.inattack.ru/www3/www/stat.php
hxxp://cxim.inattack.ru/www4/www/stat.php
hxxp://cxim.inattack.ru/www5/www/stat.php
hxxp://cxim.inattack.ru/www6/www/stat.php
hxxp://finito.fi.funpic.org/black/stat.php
hxxp://logartos.org/forum/stat.php - 195.24.78.242
hxxp://weberror.cn/be1/stat.php
hxxp://prosto.pizdos.net/_lol/stat.php
hxxp://h278666y.net/www/stat.php - 72.233.60.254 Continue reading →
How come? In this post I'll provide actionable intelligence on what appears to be a currently active Brazilian supporter of the Cyber Attacks that took place circa 2009 with the idea to discuss in-depth the tools and motivation for launching the campaign of the cybercriminals behind it.
Sample malicious URL known to have participated in the campaign:
hxxp://geocities.ws/thezart/
It's 2010 and I'm coming across to a malicious and fraudulent file repository that can be best described as a key actor that managed to participate perhaps even orchestrate the Russia vs Georgia cyber attacks circa 2009. Who is this individual? How did he manage to contribute to the Russian vs Georgia cyber attacks? Did he rely on active outsourcing or was he hired to perform the orchestrated DDoS for hire attacks that took place back then? Keep reading.
It appears that a Brazilian user known as The Zart managed to participated in the Russia vs Georgia cyber attacks circa 2009 relying on a variety of tools and techniques known as:
- Web Site Defacement Tools
- Targeted Spreading of Vulnerable Legitimate Web Sites
- Automated Web-Site Exploitation - Long Tail of The Malicious Web
which basically resulted in a self-mobilized militia that actually participated and launched the Russia vs Georgia cyber attacks circa 2009.
Related posts:
The Russia vs Georgia Cyber Attack
Who's Behind the Georgia Cyber Attacks?
DDoS Attack Graphs from Russia vs Georgia's Cyberattacks
Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks Continue reading →
Last month's lone gunman DDoS attack against Georgia President's web site seemed like a signal shot for the cyber siege to come a week later. Here's the complete coverage of the coordination phrase, the execution and the actual impact of the cyber attack so far - "Coordinated Russia vs Georgia cyber attack in progress" : "Who’s behind it? The infamous Russian Business Network, or literally every Russian supporting Russia’s actions? How coordinated and planned the cyber attack is, and do we actually have a relatively decent example of cyber warfare combining PSYOPs (psychological operations), and self-mobilization of the local Internet users by spreading “For our motherland, brothers!” or “Your country is calling you!” hacktivist messages across web forums. Let’s find out, in-depth. With the attacks originally starting to take place several weeks before the actual “intervention” with Georgia President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russian from Western or Pro-Western journalists, the peak of DDoS attack and the actual defacements started taking place as of Friday."
Some of the tactics used :
distributing a static list of targets, eliminate centralized coordination of the attack, engaging the average internet users, empower them with DoS tools; distributing lists of remotely SQL injectable Georgian sites; abusing public lists of email addresses of Georgian politicians for spamming and targeted attacks; destroy the adversary’s ability to communicate using the usual channels -- Georgia's most popular hacking portal is under DDoS attack from Russian hackers.
Some of the parked domains acting as command and control servers for one of the botnets at 79.135.167.22 :
emultrix .orgyandexshit .com
ad.yandexshit .com
a-nahui-vse-zaebalo-v-pizdu .com
killgay .com
ns1.guagaga .net
ns2.guagaga .net
ohueli .net
pizdos .net
googlecomaolcomyahoocomaboutcom.net
Actual command and control locations :
a-nahui-vse-zaebalo-v-pizdu .com/a/nahui/vse/zaebalo/v/pizdu/
prosto.pizdos .net/_lol/
Consider going through the complete coverage of what's been happening during the weeked. Considering the combination of tactics used, unless the conflict gets solved, more attacks will definitely take place during the week. Continue reading →
With more crowdsourced intelligence on "Operation Ababil" published in the recent weeks, it's time to revisit the campaign's core strategy for harnessing enough bandwidth to successfully take down major U.S financial institutions.
As you can remember, in Part One of the OSINT analysis for "Operation Ababil" I emphasized on the crowdsourcing campaign launched by Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters, which led to the successful DDoS attack against these institutions. It appears that this is just one of the many stages of the campaign.
According to security researchers from Proxelic, the attackers also relied on a PHP based DDoS attack script known as "itsoknoproblembro" that was installed on servers susceptible to exploitation through the Bluestork Joomla template. By combining crowdsourced bandwidth and bandwidth from the compromised servers, the attackers managed to successfully achieve their objectives.
The DDoS script in question,"itsoknoproblembro", has been publicly available as a download for months before the attacks started, indicating that it was not on purposely coded to be used in the campaign against major U.S financial institutions.
Detection rate: PHP_DDoS.html - MD5: 9ebab9f37f2b17529ccbcdf9209891be - detected by 9 out of 44 antivirus scanners as PHP/Obfuscated.F; Heuristic.BehavesLike.JS.Suspicious.A
Next to Prolexic's claims, th3j35t3r also published an analysis of the situation that's primarily relying on wishful thinking and social engineering, claiming that Anonymous supplied the operators of "Operation Ababil" with DDoS bandwidth by using a service called Multiboot.me - 108.162.193.85; 108.162.193.185, AS13335.
Sample screenshots of the Multiboom.me's GUI:
With "Operation Ababil" continuing to fuel political tensions between the U.S and Iran, which is blamed for organizing the launching these attacks, it's worth emphasizing on the basics of 'false-flag' cyber operations, and "aggregate-and-forget" type of botnets.
When was the first time you heard of Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters? Appreciate my rhetoric - right after they started their crowdsourcing campaign. With the group lacking any significant digital fingerprint prior to these attacks, virtually anyone can localize their objectives with a little twist of politics and propaganda, and easily set the foundations for what is now perceived as an Iranian cyber operation.
Moreover, their bandwidth acquisition techniques clearly indicate that the attackers are aware of the dynamics of modern cyber operations in general, and by doing so, chose to acquire bandwidth without outsourcing their needs to ubiquitous and sophisticated Russian DDoS on demand services, which could have led to the easy identification of the service in question, next to the cybercriminals behind it.
Updates will be posted as soon as new intel becomes available.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →
As you can remember, in Part One of the OSINT analysis for "Operation Ababil" I emphasized on the crowdsourcing campaign launched by Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters, which led to the successful DDoS attack against these institutions. It appears that this is just one of the many stages of the campaign.
According to security researchers from Proxelic, the attackers also relied on a PHP based DDoS attack script known as "itsoknoproblembro" that was installed on servers susceptible to exploitation through the Bluestork Joomla template. By combining crowdsourced bandwidth and bandwidth from the compromised servers, the attackers managed to successfully achieve their objectives.
The DDoS script in question,"itsoknoproblembro", has been publicly available as a download for months before the attacks started, indicating that it was not on purposely coded to be used in the campaign against major U.S financial institutions.
Detection rate: PHP_DDoS.html - MD5: 9ebab9f37f2b17529ccbcdf9209891be - detected by 9 out of 44 antivirus scanners as PHP/Obfuscated.F; Heuristic.BehavesLike.JS.Suspicious.A
Next to Prolexic's claims, th3j35t3r also published an analysis of the situation that's primarily relying on wishful thinking and social engineering, claiming that Anonymous supplied the operators of "Operation Ababil" with DDoS bandwidth by using a service called Multiboot.me - 108.162.193.85; 108.162.193.185, AS13335.
Sample screenshots of the Multiboom.me's GUI:
With "Operation Ababil" continuing to fuel political tensions between the U.S and Iran, which is blamed for organizing the launching these attacks, it's worth emphasizing on the basics of 'false-flag' cyber operations, and "aggregate-and-forget" type of botnets.
When was the first time you heard of Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters? Appreciate my rhetoric - right after they started their crowdsourcing campaign. With the group lacking any significant digital fingerprint prior to these attacks, virtually anyone can localize their objectives with a little twist of politics and propaganda, and easily set the foundations for what is now perceived as an Iranian cyber operation.
Moreover, their bandwidth acquisition techniques clearly indicate that the attackers are aware of the dynamics of modern cyber operations in general, and by doing so, chose to acquire bandwidth without outsourcing their needs to ubiquitous and sophisticated Russian DDoS on demand services, which could have led to the easy identification of the service in question, next to the cybercriminals behind it.
Updates will be posted as soon as new intel becomes available.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →
Provoked by a questionable online video posted on YouTube, Muslims from the around the world united in an apparent opt-in botnet crowdsourcing campaign aiming to launch a DDoS (denial of service attack) against YouTube for keeping the video online, and against several major U.S banks and financial institutions.
Dubbed "Operation Ababil", and operated by the Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters , the campaign appear to have had a limited, but highly visible impact on the targeted web sites. Just like in every other crowdsourced opt-in botnet campaign such as the "Coordinated Russia vs Georgia cyber attack in progress", the "Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites", the "Electronic Jihad v3.0 - What Cyber Jihad Isn't" campaign, and the "The DDoS Attack Against CNN.com" campaign, political sentiments over the attribution element seem to have orbited around the notion that it was nation-sponsored by the Iranian government.
What's so special about this attack? Did the individuals behind it poses sophisticated hacking or coding abilities? Was the work of hacktivists crowdsourcing bandwidth, or was it actually sponsored by the Iranian government? Can we even talk about attack attribution given that the group claiming responsibility for the attacks doesn't have a strong digital fingerprint?
In this post, I'll perform an OSINT (open source intelligence) analysis aiming to expose one of the individuals part of the group that organized the campaign, spread their propaganda message to as many Muslim Facebook groups as possible, and actually claim responsibility for the attacks once they took place.
The campaign originally began with a message left on Pastebin.com by the Qassam Cyber Fighters group announcing "Operation Ababil":
The original message left is as follows:
"Operation Ababil, The second weekIn the previous announcements we stated that we will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the insulting country's credit and financial centers.Some U.S. officials tried to divert people's attention from the subject and claimed that the main aim of the operation was not deal to insults but it had other intentions.
The officials claimed that certain countries have taken these measures to solve their internal problems.We strongly reject the American officials' insidious attempts to deceive public opinion. We declare that the kindness and love of Muslims and free-minded people of the world to the great prophet of Islam is much more than their violent anger be deflected and controlled by such deceptive tricks.Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him).
So as we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet.Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets are out of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while the specific organization is under attack.We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day.
We repeat again the attacks will continue for sure till the removal of that sacrilegious movie.We invite all cyberspace workers to join us in this Proper Act. If America's arrogant government do not submit, the attack will be large and larger and will include other evil countries like Israel, French and U.Kingdom indeed.Tuesday 9/25/2012 : attack to Wells Fargo site, www.wellsfargo.comWednesday 9/26/2012 : attack to U.S. Bank site, www.usbank.comThursday 9/27/2012 : attack to PNC site, www.pnc.com Weekends: planning for the next week' attacks.Mrt. Izz ad-Din al-Qassam Cyber Fighters"
Periodically, the group also released update notes for the campaigns currently taking place:
The original message published is as follows:
"Operation Ababil" started over BoA :http://pastebin.com/mCHia4W5 http://pastebin.com/wMma9zyGIn the second step we attacked the largest bank of the united states, the "chase" bank. These series of attacks will continue untill the Erasing of that nasty movie from the Internet.The site "www.chase.com" is down and also Online banking at "chaseonline.chase.com" is being decided to be Offline !Down with modern infidels.### Cyber fighters of Izz ad-din Al qassam ###"
Second statement released by the group:
The original message published is as follows:
"Dear Muslim youths, Muslims Nations and are noblemenWhen Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam.All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary to stop spreading this movie.
We will attack them for this insult with all we have.All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult.We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type. Down with modern infidels."
Clearly, the group behind the campaigns aimed to deliver concise propaganda to prospective Internet connected users who would later on be instructed on how to participate in the DDoS attacks. Let's assess the potential of the distributed DDoS tool that was used in the campaign.
Sample screenshot of the DDoS script in Arabic:
Inside the .html file, we can see that there are only three web addresses that will be targeted in their campaign:
Detection rate for the DDoS script:
youtube.html - MD5: c3fd7601b4aefe70e4a8f6d73bf5c997
Detected by 6 out of 43 antivirus scanners as HTool-Loic; Hacktool.Generic; TROJ_GEN.F47V0924
Originally, the attack relied on a static recruitment message which included links to the DIY DDoS script located on 4shared.com and Mediafire.com. What's particularly interesting is the fact that the files were uploaded by a user going under the handle of "Marzi Mahdavi II". It's important to point out that these static links were distributed as part of the recruitment campaign across multiple Muslim-friendly Facebook groups.
Thanks to this fact, we could easily identify the user's Facebook account, and actually spot the original message seeking participation in the upcoming attacks.
Marzi Mahdavi II's Facebook account:
Sample shared Wall post seeking participation in the upcoming DDoS campaign:
Sample blog post enticing users to participate:
Marzi Mahdavi II has once referenced a link pointing to the same blog, clearly indicating that he's following the ongoing recruitment campaigns across multiple Web sites:
Second blog post enticing users to participate in the DDoS campaign:
This very latest example of Iran's hacktivist community understanding of the cyber operations, once again lead me to the conclusion that what we've got here is either the fact that Iran's hacktivist community is lacking behind with years compared to sophisticated Eastern European hacking teams and cybercrime-friendly communities, or that Iran is on purposely demonstrating low cyber operation capabilities in an attempt to trick the Western world into thinking that it's still in a "catch up mode" with the rest of the world when it comes to offensive cyber operations.
Did these coordinated DDoS campaigns actually had any impact on the targered web sites? According to data from the Host-Tracker, they seem to have achieved limited, but visible results, a rather surprising fact given the low profile DDoS script released by the campaigners.
Sample Host-Tracker report for a targeted web site during the campaign:
Second Host-Tracker report for a targeted web site during the campaign:
Third Host-Tracker report for a targeted web site during the campaign:
Fourth Host-Tracker report for a targeted web site during the campaign:
Fifth Host-Tracker report for a targeted web site during the campaign:
Is the Iranian government really behind this campaign, or was it actually the work of amateurs with outdated and virtually irrelevant technical skills? Taking into consideration the previous DDoS campaign launched by Iranian hacktivists in 2009, in this very latest one we once again see a rather limited understanding of cyber operations taking into consideration the centralized nature of the chain of command in this group.
What's also worth pointing out is the fact that this is the first public appearance of the group that claims responsibility for these attacks. Considering this and the lack of a strong digital fingerprint for the group in question, virtually anyone on the Internet can engineer cyber warfare tensions between Iran and the U.S, by basically impersonating a what's believed to be an Iranian group.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →
Dubbed "Operation Ababil", and operated by the Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters , the campaign appear to have had a limited, but highly visible impact on the targeted web sites. Just like in every other crowdsourced opt-in botnet campaign such as the "Coordinated Russia vs Georgia cyber attack in progress", the "Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites", the "Electronic Jihad v3.0 - What Cyber Jihad Isn't" campaign, and the "The DDoS Attack Against CNN.com" campaign, political sentiments over the attribution element seem to have orbited around the notion that it was nation-sponsored by the Iranian government.
What's so special about this attack? Did the individuals behind it poses sophisticated hacking or coding abilities? Was the work of hacktivists crowdsourcing bandwidth, or was it actually sponsored by the Iranian government? Can we even talk about attack attribution given that the group claiming responsibility for the attacks doesn't have a strong digital fingerprint?
In this post, I'll perform an OSINT (open source intelligence) analysis aiming to expose one of the individuals part of the group that organized the campaign, spread their propaganda message to as many Muslim Facebook groups as possible, and actually claim responsibility for the attacks once they took place.
The campaign originally began with a message left on Pastebin.com by the Qassam Cyber Fighters group announcing "Operation Ababil":
The original message left is as follows:
"Operation Ababil, The second weekIn the previous announcements we stated that we will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the insulting country's credit and financial centers.Some U.S. officials tried to divert people's attention from the subject and claimed that the main aim of the operation was not deal to insults but it had other intentions.
The officials claimed that certain countries have taken these measures to solve their internal problems.We strongly reject the American officials' insidious attempts to deceive public opinion. We declare that the kindness and love of Muslims and free-minded people of the world to the great prophet of Islam is much more than their violent anger be deflected and controlled by such deceptive tricks.Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him).
So as we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet.Therefore, we suggest a Timetable for this week attacks. Knowing which times the banks and other targets are out of service, the customers of targeted sites also can manage to do their jobs as well and have a rest while the specific organization is under attack.We shall attack for 8 hours daily, starting at 2:30 PM GMT, every day.
We repeat again the attacks will continue for sure till the removal of that sacrilegious movie.We invite all cyberspace workers to join us in this Proper Act. If America's arrogant government do not submit, the attack will be large and larger and will include other evil countries like Israel, French and U.Kingdom indeed.Tuesday 9/25/2012 : attack to Wells Fargo site, www.wellsfargo.comWednesday 9/26/2012 : attack to U.S. Bank site, www.usbank.comThursday 9/27/2012 : attack to PNC site, www.pnc.com Weekends: planning for the next week' attacks.Mrt. Izz ad-Din al-Qassam Cyber Fighters"
Periodically, the group also released update notes for the campaigns currently taking place:
The original message published is as follows:
"Operation Ababil" started over BoA :http://pastebin.com/mCHia4W5 http://pastebin.com/wMma9zyGIn the second step we attacked the largest bank of the united states, the "chase" bank. These series of attacks will continue untill the Erasing of that nasty movie from the Internet.The site "www.chase.com" is down and also Online banking at "chaseonline.chase.com" is being decided to be Offline !Down with modern infidels.### Cyber fighters of Izz ad-din Al qassam ###"
Second statement released by the group:
The original message published is as follows:
"Dear Muslim youths, Muslims Nations and are noblemenWhen Arab nations rose against their corrupt regimes (those who support Zionist regime) at the other hand when, Crucify infidels are terrified and they are no more supporting human rights. United States of America with the help of Zionist Regime made a Sacrilegious movie insulting all the religions not only Islam.All the Muslims worldwide must unify and Stand against the action, Muslims must do whatever is necessary to stop spreading this movie.
We will attack them for this insult with all we have.All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult.We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type. Down with modern infidels."
Clearly, the group behind the campaigns aimed to deliver concise propaganda to prospective Internet connected users who would later on be instructed on how to participate in the DDoS attacks. Let's assess the potential of the distributed DDoS tool that was used in the campaign.
Sample screenshot of the DDoS script in Arabic:
Inside the .html file, we can see that there are only three web addresses that will be targeted in their campaign:
Detection rate for the DDoS script:
youtube.html - MD5: c3fd7601b4aefe70e4a8f6d73bf5c997
Detected by 6 out of 43 antivirus scanners as HTool-Loic; Hacktool.Generic; TROJ_GEN.F47V0924
Originally, the attack relied on a static recruitment message which included links to the DIY DDoS script located on 4shared.com and Mediafire.com. What's particularly interesting is the fact that the files were uploaded by a user going under the handle of "Marzi Mahdavi II". It's important to point out that these static links were distributed as part of the recruitment campaign across multiple Muslim-friendly Facebook groups.
Thanks to this fact, we could easily identify the user's Facebook account, and actually spot the original message seeking participation in the upcoming attacks.
Marzi Mahdavi II's Facebook account:
Sample shared Wall post seeking participation in the upcoming DDoS campaign:
Sample blog post enticing users to participate:
Marzi Mahdavi II has once referenced a link pointing to the same blog, clearly indicating that he's following the ongoing recruitment campaigns across multiple Web sites:
Second blog post enticing users to participate in the DDoS campaign:
This very latest example of Iran's hacktivist community understanding of the cyber operations, once again lead me to the conclusion that what we've got here is either the fact that Iran's hacktivist community is lacking behind with years compared to sophisticated Eastern European hacking teams and cybercrime-friendly communities, or that Iran is on purposely demonstrating low cyber operation capabilities in an attempt to trick the Western world into thinking that it's still in a "catch up mode" with the rest of the world when it comes to offensive cyber operations.
Did these coordinated DDoS campaigns actually had any impact on the targered web sites? According to data from the Host-Tracker, they seem to have achieved limited, but visible results, a rather surprising fact given the low profile DDoS script released by the campaigners.
Sample Host-Tracker report for a targeted web site during the campaign:
Second Host-Tracker report for a targeted web site during the campaign:
Third Host-Tracker report for a targeted web site during the campaign:
Fourth Host-Tracker report for a targeted web site during the campaign:
Fifth Host-Tracker report for a targeted web site during the campaign:
Is the Iranian government really behind this campaign, or was it actually the work of amateurs with outdated and virtually irrelevant technical skills? Taking into consideration the previous DDoS campaign launched by Iranian hacktivists in 2009, in this very latest one we once again see a rather limited understanding of cyber operations taking into consideration the centralized nature of the chain of command in this group.
What's also worth pointing out is the fact that this is the first public appearance of the group that claims responsibility for these attacks. Considering this and the lack of a strong digital fingerprint for the group in question, virtually anyone on the Internet can engineer cyber warfare tensions between Iran and the U.S, by basically impersonating a what's believed to be an Iranian group.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter. Continue reading →
Among the most popular stereotypes related to Cyberterrorism, is that of terrorists shutting down the Internet, or to put it in another way, denying access to the desperse and decentralized Internet infrastructure by attacking the Internet's root servers the way it happened back in 2002 -- knowing Slashdot's IP in such a situation will come as a handy nerd's habit for sure. Outages like these would eventually result in a butterfly effect, such as direct monetary losses and confidence in the today's E-commerce world.
In my previous "How to secure the Internet" I commented on the U.S's National Strategy to Security Cyberspace, moreover, I pointed out some issues to consider in respect to the monoculture that's affecting the entire population. While today's threatscape is constantly changing, it still points out key points points such as :
- Improve the Security and Resilience of Key Internet Protocols
"The Internet is currently based on Internet Protocol version 4 (IPv4). Some organizations and countries are moving to an updated version of the protocol, version 6 (IPv6). IPv6 offers several advantages over IPv4. In addition to offering a vast amount of addresses, it provides for improved security features, including attribution and native IP security (IPSEC), as well as enabling new applications and capabilities. Some countries are moving aggressively to adopt IPv6. Japan has committed to a fully IPv6 based infrastructure by 2005. The European Union has initiated steps to move to IPv6. China is also considering early adoption of the protocol."
In my previous "The current state of IP Spoofing" post, I mentioned that if you can spoof there's no accoutability, and you can even get DDoSed by gary7.nsa.gov. But until then we would have to live with the current situation, or keep building awareness on the issue of course.
- Secure the Domain Name System
"DNS serves as the central database that helps route information throughout the Internet. The ability to route information can be disrupted when the databases cannot be accessed or updated or when they have been corrupted. Attackers can disrupt the DNS by flooding the system with information or requests or by gaining access to the system and corrupting or destroying the information that it contains."
During March, Randal Vaughn and Gadi Evron released a practical study entitled "DNS Amplification Attacks" pointing out that :
"Our study is based on packet captures and logs from attacks reported to have a volume of 2.8Gbps. We study this data in order to further understand the basics of the reported recursive name server amplification attacks which are also known as DNS amplification or DNS reflector attacks. One of the networks under attack, Sharktech, indicated some attacks have reached as high as 10Gbps and used as many as 140,000 exploited name servers. In addition to the increase in the response packet size, the large UDP packets create IP protocol fragments. Several other responses also contribute to the overall effectiveness of these attacks."
It feels like a deja vu moment compared to Mixter's release of his award-winning "Protecting against the unknown" research and the emergence of DDoS attacks(read the complete story, and keep in mind that it's wasn't iDefense, but PacketStormSecurity offering $10k rewards back in 2000). VeriSign indeed detailed massive denial-of service attack, and Slashdot also picked up the story. Most importantly, the event also attracted the U.S government's attention, but what you should also keep in mind is that :
"In order to create an 8Gbps attack using carefully crafted zones, you need no more than 200 home PCs on basic DSL lines," Joffe said. That math assumes about 200 bots eating up a full 512Kbps connection with lots of 60-byte DNS queries, each of which is amplified 70x into a 4,200-byte reply against the attacker's target. To put that in perspective, Russian hacking crews advertise that they will place the malware of your choice on 1,000 bots for a mere $25, according to the Internet Storm Center."
No 0day necessary, but DDoS on demand/hire, and renting botnets are the practices worth mentioning the way I pointed them out in my Future trends of malware research.
-Border Gateway Protocol
"Of the many routing protocols in use within the Internet, the Border Gateway Protocol (BGP) is at greatest risk of being the target of attacks designed to disrupt or degrade service on a large scale. BGP is used to interconnect the thousands of networks that make up the Internet. It allows routing information to be exchanged between networks that may have separate administrators, administrative policies, or protocols."
Interdomain routing communications are like empowering assembly line workers with the ability to stop the line at anytime, or have a claim on it, a tricky option sometimes. A recently released research(2005) "A Survey of BGP Security" points out the bottom line these days :
"We centrally note that no current solution has yet found an adequate balance between comprehensive security and deployment cost." Still, IETF's Routing Protocol Security Requirements (rpsec) are worth the read.
What I truly hope, is that any of these guidelines wouldn't end up on a paper tiger's desk for years to come, namely they would eventually get implemented and Internet2 would end up dealing with a more advanced set of security problems compared to the current ones.
My point is that, while only the paranoid survive, seeing ghosts here and there is like totally missing the big picture -- Richard Clarke for instance once said that "If there's a major devastating cyberspace security attack, the Congress will slam regulation on the industry faster than anything you can imagine. So, it's in the industry's best interest to get the job done right before something happens." But when, and how it would affect the commercial side of the question, that is how visionary are the vendors themselves to anticipate the future in here?
No one would want to shut down the Internet as terrorists are actively using it for propaganda, communication, and open source intelligence. Still, the deceptive PSYOPS initiated by terrorist sympathizers or wannabe such is what will continue to hit the deadlines -- just don't miss the big picture!
UPDATE : The post just appeared at LinuxSecurity.com "On the Insecurities of the Internet"
Technorati tags:
Security, Information Security, Internet, Internet2, DDoS, Networking, IPv6, VeriSign Continue reading →
In my previous "How to secure the Internet" I commented on the U.S's National Strategy to Security Cyberspace, moreover, I pointed out some issues to consider in respect to the monoculture that's affecting the entire population. While today's threatscape is constantly changing, it still points out key points points such as :
- Improve the Security and Resilience of Key Internet Protocols
"The Internet is currently based on Internet Protocol version 4 (IPv4). Some organizations and countries are moving to an updated version of the protocol, version 6 (IPv6). IPv6 offers several advantages over IPv4. In addition to offering a vast amount of addresses, it provides for improved security features, including attribution and native IP security (IPSEC), as well as enabling new applications and capabilities. Some countries are moving aggressively to adopt IPv6. Japan has committed to a fully IPv6 based infrastructure by 2005. The European Union has initiated steps to move to IPv6. China is also considering early adoption of the protocol."
In my previous "The current state of IP Spoofing" post, I mentioned that if you can spoof there's no accoutability, and you can even get DDoSed by gary7.nsa.gov. But until then we would have to live with the current situation, or keep building awareness on the issue of course.
- Secure the Domain Name System
"DNS serves as the central database that helps route information throughout the Internet. The ability to route information can be disrupted when the databases cannot be accessed or updated or when they have been corrupted. Attackers can disrupt the DNS by flooding the system with information or requests or by gaining access to the system and corrupting or destroying the information that it contains."
During March, Randal Vaughn and Gadi Evron released a practical study entitled "DNS Amplification Attacks" pointing out that :
"Our study is based on packet captures and logs from attacks reported to have a volume of 2.8Gbps. We study this data in order to further understand the basics of the reported recursive name server amplification attacks which are also known as DNS amplification or DNS reflector attacks. One of the networks under attack, Sharktech, indicated some attacks have reached as high as 10Gbps and used as many as 140,000 exploited name servers. In addition to the increase in the response packet size, the large UDP packets create IP protocol fragments. Several other responses also contribute to the overall effectiveness of these attacks."
It feels like a deja vu moment compared to Mixter's release of his award-winning "Protecting against the unknown" research and the emergence of DDoS attacks(read the complete story, and keep in mind that it's wasn't iDefense, but PacketStormSecurity offering $10k rewards back in 2000). VeriSign indeed detailed massive denial-of service attack, and Slashdot also picked up the story. Most importantly, the event also attracted the U.S government's attention, but what you should also keep in mind is that :
"In order to create an 8Gbps attack using carefully crafted zones, you need no more than 200 home PCs on basic DSL lines," Joffe said. That math assumes about 200 bots eating up a full 512Kbps connection with lots of 60-byte DNS queries, each of which is amplified 70x into a 4,200-byte reply against the attacker's target. To put that in perspective, Russian hacking crews advertise that they will place the malware of your choice on 1,000 bots for a mere $25, according to the Internet Storm Center."
No 0day necessary, but DDoS on demand/hire, and renting botnets are the practices worth mentioning the way I pointed them out in my Future trends of malware research.
-Border Gateway Protocol
"Of the many routing protocols in use within the Internet, the Border Gateway Protocol (BGP) is at greatest risk of being the target of attacks designed to disrupt or degrade service on a large scale. BGP is used to interconnect the thousands of networks that make up the Internet. It allows routing information to be exchanged between networks that may have separate administrators, administrative policies, or protocols."
Interdomain routing communications are like empowering assembly line workers with the ability to stop the line at anytime, or have a claim on it, a tricky option sometimes. A recently released research(2005) "A Survey of BGP Security" points out the bottom line these days :
"We centrally note that no current solution has yet found an adequate balance between comprehensive security and deployment cost." Still, IETF's Routing Protocol Security Requirements (rpsec) are worth the read.
What I truly hope, is that any of these guidelines wouldn't end up on a paper tiger's desk for years to come, namely they would eventually get implemented and Internet2 would end up dealing with a more advanced set of security problems compared to the current ones.
My point is that, while only the paranoid survive, seeing ghosts here and there is like totally missing the big picture -- Richard Clarke for instance once said that "If there's a major devastating cyberspace security attack, the Congress will slam regulation on the industry faster than anything you can imagine. So, it's in the industry's best interest to get the job done right before something happens." But when, and how it would affect the commercial side of the question, that is how visionary are the vendors themselves to anticipate the future in here?
No one would want to shut down the Internet as terrorists are actively using it for propaganda, communication, and open source intelligence. Still, the deceptive PSYOPS initiated by terrorist sympathizers or wannabe such is what will continue to hit the deadlines -- just don't miss the big picture!
UPDATE : The post just appeared at LinuxSecurity.com "On the Insecurities of the Internet"
Technorati tags:
Security, Information Security, Internet, Internet2, DDoS, Networking, IPv6, VeriSign Continue reading →
In one of my previous posts talking about botnet herders I pointed out how experiments tend to dominate, and while botnets
protection is still a buzz word, major security vendors are actively
working on product line extensions. DDoS attacks are the result of
successful botnet, and so are the root of the problem besides the distributed concept. Techworld is reporting that McAfee is launching a "bot-killing system", from the article :
The best thing is that it's free, the bad thing is that it may give their customers a "false sense of security", that is, while the company is actively working on retaining its current customers, I feel "SYN cookies" and their concept has been around for years. Moreover, using a service provided by a company whose core competencies have nothing to do with DDoS defense can be tricky. Companies worth mentioning are Arbor Networks, and Cisco's solutions, besides the many other alternative and flexible ways of dealing with DDoS attacks.
In my research research on the Future trends of Malware, I pointed out some of the trends related to botnets and DDoS attacks, namely, DDoS extortion, DDoS on demand/hire, and with the first legally prosecuted case of offering botnet access on demand, it's a clear indication that of where things are going. Defense against frontal attacks isn't cost-effective given that at the bottom line the costs to maintain the site outpace the revenues generated for the time, hard dollars disappear, soft ones as reputation remain the same.
"Unlike
conventional DDoS detection systems based on the statistical analysis
of traffic, the first layer of the new Advanced Botnet Protection (ABP)
intrusion prevention system (IPS) uses a proxy to pass or block packet
traffic dependent on whether or not it is “complete”. "
The best thing is that it's free, the bad thing is that it may give their customers a "false sense of security", that is, while the company is actively working on retaining its current customers, I feel "SYN cookies" and their concept has been around for years. Moreover, using a service provided by a company whose core competencies have nothing to do with DDoS defense can be tricky. Companies worth mentioning are Arbor Networks, and Cisco's solutions, besides the many other alternative and flexible ways of dealing with DDoS attacks.
In my research research on the Future trends of Malware, I pointed out some of the trends related to botnets and DDoS attacks, namely, DDoS extortion, DDoS on demand/hire, and with the first legally prosecuted case of offering botnet access on demand, it's a clear indication that of where things are going. Defense against frontal attacks isn't cost-effective given that at the bottom line the costs to maintain the site outpace the revenues generated for the time, hard dollars disappear, soft ones as reputation remain the same.
My
advice is to take into consideration the possibility to outsource your
problem, and stay away from product line extensions, and I think it's
that very simple. A differentiated service on fighting infected nodes is
being offered by Sophos, namely the Zombie Alert,
which makes me wonder why the majority of AV vendors besides them
haven't come up with an alternative given the data their sensor networks
are able to collect? Moreover, should such as service be free, would it
end up as a licensed extensions to be included within the majority of
security solutions, and can a motivated system administrators
successfully detect, block, and isolate zombie traffic going out of the
network(I think yes!)?
As far as botnets are concerned, there were even
speculations on using "Skype to control botnets",
now who would want to do that, and under what reason given the current
approaches for controlling botnets, isn't the use of cryptography or
security through obscurity("talkative bots", stripping IRCds) the
logical "evolution" in here?
Something else worth mentioning is the trend of how DoS
attacks got totally replaced by DDoS ones, my point is that the first
can be a much more sneaky one and easily go beneath the radar, compared
to a large scale DDoS attack. A single packet can be worth more than an
entire botnets population, isn't it?
How do you
think DDoS attacks should be prevented, active defense such as the
solutions mentioned, or proactive solutions? What do you think?
You can also go though other resources dealing with DDoS attacks and possible solutions to the problem :
Technorati tags :
security, information security, malware, botnets, DDoS, McAfee, Sophos, AntiVirus
Continue reading →
Tomorrow is the day when the worm should originally start deleting all all *.doc, *.xls, *.mdb, *.mde, *.ppt, *.pps, *.zip, *.rar, *.pdf, *.psd and *.dmp on an infected PC's, supposedly network drives as well, what I also expect is more devastation on the 3rd of March given the same happens every month. And while I doubt there's still someone out there unaware of this, perhaps, released under "revenge mode" malware, check out Internet Storm Center's summary, and know know your enemy, hopefully not until next month again! UPDATE : You can actually go through another post in order to update yourself with some recent malware developments.
Subscribe to:
Comments (Atom)
RSS Feed