The DDoS Attack Against CNN.com

The DDoS attack against CNN.com, whether successful or not in terms of the perspective of complete knock-out, which didn't happen, is a perfect and perhaps the most recent example of a full scale people's information warfare in action. Utilizing the bandwidth of the over 200 million nationalism minded Chinese Internet users, can greatly outpace any botnet's capacity if coordinated, or though the use of automated DIY tools, like the ones we've seen released for the purpose of attacking CNN.com

CNN.com was indeed inacessible for a period of three hours according to NetCraft, and literally any web site performance monitoring too with a historical perspective for a host can prove the same :

"The CNN News website has twice been affected since an earlier distributed denial of service attack last Thursday. CNN fixed Thursday's attack by limiting the number of users who could access the site from specific geographical areas. Subsequently, an attack was purportedly organised to start on Saturday 19th April, but cancelled. However, our performance monitoring graph shows CNN's website suffered downtime within a 3 hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated. Netcraft is continuing to monitor the CNN News website. Live uptime graphs can be viewed here."

Unrestricted warfare is all about bypassing the most fortified engagement points, and achieving asymmetric dominance by excelling where there are no engagement points, in order for the attacker to enjoy the pioneer advantage. Now that CNN.com was indeed slowed down to a situation where it was unnacessible, what remains to be answered is how was CNN.com DDoS? Throught a botnet, or through the collective bandwidth of virtually recruited Chinese citizens? Despite that the common wisdom in terms of botnets used speaks for itself, this is China hacktivism and therefore common wisdom does not apply in an unrestricted warfare situation, and best of all data speaks for itself.

- Through the use of DIY DDoS Tools

Besides anticnn.exe which I assessed in a previous post, there's also the Supper DDoS tool that as it appears was also getting actively recommended for participating in the attack, courtsy of a Chinese script kiddies group. Some basic info :

Scanners Result: 3/32 (9.38%)
DDoS.Win32.Sdattack.A; DDoS.Trojan
File size: 1510643 bytes
MD5...: ed25e7188e5aa17f6b35496a267be557
SHA1..: 71138f0c0556dde789854398c3c7cde29352662b

For instance, Estonia's DDoS attacks were a combination of botnets and DIY attack tools released in the wild, whereas the attacks on CNN.com were primarily the effect of people's information warfare, a situation where people would on purposely infect themselves with malware released on behalf of Chinese hacktivists to automatically utilize their Internet bandwidth for the purpose of a coordinated attack against a particular site.


- Collectively building bandwidth capacity and mobilizing novice cyber warriors

What if a simple script that is automatically refreshing CNN.com multiple times in several IFRAME windows, gets embedded at thousands of sites, and then promoted at hundreds of forums, with a single line stating that - "If you're a patriot, forward this to all your friends"? Now, what if this gets coordinate to happen at a particular moment in time? This is perhaps the most realistic scenario to what exactly happened with CNN.com, and data speaks for itself, in fact I can easily state that the bandwidth generated by this massive PSYOPs campaign is greater than the one used by a botnet that's also been DDoS-ing CNN.com. All of these sites are basically refreshing CNN.com every couple of seconds, thereby wasting the sites's bandwidth, the only flaw of this attack approach compared to a botnet, is that all the participating hosts are Chinese, and therefore as NetCraft pointed out, CNN blocked access to certain countries, take these countries as China for instance. If it were a botnet used, the diversity of the infected hosts would have required more efforts into dealing with the attack, then again from another perspective regular web traffic compared to network flood is sometimes harder to detect as a DDoS attack.

hackerhf.com/cnn.html
80aft.com/cnn.htm
tom765.cn/cnn.html
ah930.com/cnn.htm
0851qiche.cn/cnn.html
xdadmin.com/cnn.html
ah930.com/cnn.html
s234sdf3.cn.webz.datasir.com/cnn.asp
bbscar.com.cn/cnn
120abc.cn/cnn.html
hospltal.cn/cnn.html
bbs.cityzx.cn/cnn.htm
bestmf.cn/cnn.html
anlycloud.com/cnn/cnn
qibubbs.net/ddoscnn.htm
maje.cn/cnn.html
edu.sina.googlepages.com/FuckCNN.htm
urlonline.com.cn/kaocnn.html
lmpx.net/cnn.htm
ily88.com/cnn.html
zjipc.net/cnn
axlovechina.cn/
idernice.com/cnn.asp
conncn.com/cnn.html
xuanxuanmu.000webhost.com/cnn.html
jianw1.cn/cnn.htm
bjzs114.com/cnn.htm
0851qiche.cn/cnn.html
yaanren.net/cnn.html
todayol.cn/cnn.html
17bnb.com/cnn.htm
hackerhf.com/cnn.html
hnjdbbs.com/cnn.html
sql8.net/cnn
bh125.cn/cnn.html
razorcn.cn/cnn.html
93HR.com/cnn.html
tke08.com/cnn.htm
vipeee.com/cnn.htm

This is also the statement made for the recruiting purpose across the forums, including remarks against France's policy against China :

Anti-CNN Plans v4.19

"Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows: We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland.

We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. France on bad faith.

Recently, the United States "cnn" Since, as we said a number of Chinese people can not accept things, is that we are willing to endure, willing to yield? We plan on taking the lead in the 2008.4.19 "cnn" Web site attacks, as a Chinese, please support us.

Plot:
1, first of all, all the conditions for full, I expect four days later, in the - on April 19, 2008, 8:00 p.m., at www.cnn.com against a DDOS attack! More than three hours on the CNN Web site with the assistance of attacks, How DOS attack CNN website? If you are patriotic, please forward!

iframe Id="cnn" width="100%" height="100">
script>
Var e = document.getElementById ( 'cnn');
SetInterval ( "e.src = 'http://www.cnn.com'", 3000);
/ / 1000 said that 1,000 ms, you can modify and transmit

You can also directly open qibubbs.net/ddoscnn.htm open on the trip, you do not affect anything. I have to, I have friends in all of it again, the strong support of friends, and their repercussions great, and to many people, have been transmitted in other friend, a classmate now has begun to link their Web sites the I believe that compatriots in China, in collaboration with CNN article seconds click rate in the second can at least 50 million times, if the 200 million Internet users click on, I believe CNN, will be suspended instantaneous, as our fellow countrymen will be more hackers the chance to win big, exciting good mood now, and looks forward to 8:00 after we are all fellow hackers smoothly, we will sincerely pray that China win. The great motherland is not to take advantage of the separatist elements, all anti-China reunification of the sophistry of speech are all in vain Revenge of the flame - we, as the publicity in the network of special groups, we notice as follows:

We are still able to recall that the Sino-US hackers exciting war, and that war, what are the reasons? That have taken place in Indonesia because of the large-scale anti-Chinese, the majority of Chinese women were raped, killed, and we Chinese hackers predecessors such unbearable humiliation, and from the other side of the ocean in advance of the attack, losing their right to. " cn "for China's first website launched a large-scale attack, but at that time the Chinese network is not very developed, we use the most immature way to attack, but in any case, we all expressed their intention by everyone, although we on the network do not know each other, but we have a common motherland. We know that the 2008 Olympic Games will be held in our beloved motherland, which is the dream of the people look forward to for a long time, and we in the passing of the torch in the process of being repeatedly obstructed because we all know that, as an act of Tibetan independence elements each of us Mission hearts have a personal anger. Then we briefly look at the practice of France: France is now the largest in the protection of Tibetan independence, advocates in support of France is in support of splitting China, French President Sarkozy, the country is now the world just for a dare to openly resist Beijing Olympic Games President, the Chinese go-vern-ment has just come to an end with the French Airbus as much as billions of dollars in trade contracts. "

This particular DDoS people's information warfare attack against CNN.com is also a great example of a psychological operations (PSYOPS) chain-letter. Given China's 3.0 state of social networking, messages forwarding people to sites that would automatically refresh their browsers with CNN.com were distributed at over 5000 web forums, with a bit of propanga taste enticing everyone to forward the message by telling them "If you're a patriot forward this attack link", so if you don't, it means you're not a patriot, another indication of China's understanding of the effectiveness of psychological operations (PSYOPS) online.

Chinese Hacktivists Waging People's Information Warfare Against CNN

Empowering and coordinating script kiddies by releasing DIY DDoS tools (backdoored as well) during the DDoS attacks against Estonia for instance, is exactly what is happening in the time of blogging with a massive forum and IM coordination between Chinese netizens enticed to install a pre-configured to flood CNN.com piece of malware. Both of these coordinated incidents greatly illustrate what people's information warfare, and the malicious culture of participation is all about. The PSYOPS anti-cnn.com initiative is maturing into a central coordination point for recruiting DDoS participants on a nationalism level. Some info on hackcnn.com, the malware, internal commentary on behalf of the hacktivists, and who's behind it :

hackcnn.com (58.49.59.253)
58.48.0.0-58.55.255.255 CHINANET-HB CHINANET Hubei province network China Telecom A12
Xin-Jie-Kou-Wai Street Beijing 100088,
China, Beijing 100000
tel: 101 1010000
fax: 101 1010000
china@hackcnn.com

Upon execution of the tool, 18 TCP Connection Attempts to cnn.com (64.236.91.24:80) start, trying to access the following file at CNN.com :

- Request: GET /aux/con/com1/../../[LAG]../.%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp
Response: 400 "Bad Request"

antiCnn.exe
Scanner results : 3% Scanner(1/36) found malware!
TROJAN.DOWNLOADER.GEN
File size: 174592 bytes
MD5...: c03abd4d871cd83fe00df38536f26422
SHA1..: 0502c74ee90e110ceed3cbb81b2ee53d26068691
Released by : Red Flag Cyber Operations nixrumor@gmail.com

From a network reconnaissance perspective, the Chinese hacktivists didn't even bother to take care of Apache's /server status, and therefore we're easily able
to obtain such juicy inside information about hackcnn.com such as :

Current Time: Tuesday, 22-Apr-2008 07:00:56
Restart Time: Monday, 21-Apr-2008 15:25:39
Parent Server Generation: 0
Server uptime: 15 hours 35 minutes 17 seconds
Total accesses: 291670 - Total Traffic: 533.8 MB
5.2 requests/sec - 9.7 kB/second - 1918 B/request
4 requests currently being processed, 246 idle workers

Internal commentary excerpts regarding the motivation and their updates on the first DDoS round :

"Our team of non-governmental organisations, We only private network enthusiasts. However, we have a patriotic heart, We will absolutely not permit any person to discredit our motherland under any name, We are committed to attack some spreading false information, and malicious slander, libel, support Tibet independence site."

"User to a black CNN website suffer the same name. Yesterday, some Internet users attacked the domain name contains a "cnn" sports Web site, leaving protest speech, but reporters did not check the site found a relationship with CNN. Yesterday's attack was the website with the domain name sports.si.cnn.com engaged in the work of the network of residents in Urumqi Mr. Chen, at about 2 pm, the attackers up a website hackcnn.com know, the "CNN sub-station" invasion and modify their pages. "Tug-of-war administrator and hackers," Mr. Chen said, after sports.si.cnn.com pages sometimes normal, and sometimes been modified. 16:50, the reporter saw on the pages left in bilingual text and flash animation, stressed that Tibet is a part of China, cnn protest against prejudice and false reports, the title page column was changed to "F * * kCNN!. " A few minutes later, the web site to enter a user ID and password before connecting, "evidently administrator of the authority." Chen analysis. Yesterday, the reporter tried to contact the attack, but received no response. Reporter verify that the contact address sports.si.cnn.com Pennsylvania in the United States, and the sports channel CNN web site is not the same, did not disclose information with the CNN."

DDoS-ing is one thing, defacing is entirely another, try sports.si.cnn.com/test.htm which was last defaced yesterday spreading "We are not against the western media, but against the lies and fabricated stories in the media", "We are not against the western people, but against the prejudice from the western society.!" messages.

According to forum postings however, now that they've sent a signal, the attitude is shifting from attacking CNN to Western media in general. Thankfully, just like the case with the Electronic Jihad program, they did not put a lot of efforts into ensuring the lifecycle of the tool will remain as long as possible, by introducing a way to automatically update the tool with new targets. In fact, in the Electronic Jihad case, the hardcoded update locations were all down priot to releasing the tool, making a bit more efforts cunsuming to finally manage to obtain the targets list.

Ten Signs It's a Slow News Week

You know it's a slow news week when you come across :

1. Articles starting that malware increased 450% during the last quarter - of course it's supposed to increase given the automated polymorphism they've achieved thereby having anti virus vendors spend more money on infrastructure to analyze it

2. Articles starting that spam and malware attacks will increase and get more sophisticated - and the sun too, will continue expanding

3. Articles discussing a new malware spreading around instant messenging networks -- psst they're hundreds of them currently spreading

4. Articles discussing how signature based malware scanning is dead while an anti virus vendor's ad is rotating on the right side of the article - it's not dead it's just getting bypassed as a reactive security measure by the bad guys

5. Articles commenting on an exploit code for a high risk vulnerability made it public -- it's been usually circulating around VIP underground forums weeks before it made to the mainstream media, with script kiddies leaking it to other script kiddies

6. Articles pointing out how phishers started targeting a specific company - they target them all automatically, so don't take it personally if it's your company getting targeted

7. Article emphasizing on how mobile malware will take over the world, despite that there no known outbreaks currently active in the wild - once mobile commerce stars taking place in full scale for sure

8. Articles pointing out that having a firewall and an updated anti virus software is important - in times when client side vulnerabilities are serving a new binary on the fly with quality assurance applied before the campaign is launched to make sure it will bypass the most popular firewalls, things are changing and so must your perspective on what's important

9. Articles discussing which OS is the most secure one - the better configured one in terms of usability vs security, or the one where there're no currently active bounties offered for vulnerabilities within

10. Articles mentioning that China is hosting the most malware in the world - and while China is hosting it, the U.S is operating the most malware C&Cs in the world

Phishing Tactics Evolving

Malware authors, phishers and spammers have been actively consolidating for the past couple of years, and until they figure out to to vertically integrate and limit the participation of other parties in their activities, this development will continue to remain so. Malware infected hosts are not getting used as stepping stones these days, for OSINT or cyber espionage purposes, but also, for sending and hosting phishing pages, a tactic in which I'm seeing an increased interest as of recently. Here are some example of recently spammed phishing campaigns hosting the phishing pages on end user's PCs :

- pool-71-116-244-232.lsanca.dsl-w.verizon.net
- user-142o3ds.cable.mindspring.com/online.lloydstsb.co.uk/customer.ibc/logon.html
- user-142o3ds.cable.mindspring.com/onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller
- user-142o3ds.cable.mindspring.com/halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk
- stolnick-8marta-8b-r1-c1-45.ekb.unitline.ru/halifax-online.co.uk/_mem_bin
- zux006-052-125.adsl.green.ch/onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller
- rrcs-74-218-5-6.central.biz.rr.com/webview/files//onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller
- user-0c93qog.cable.mindspring.com/onlineid/cgi-bin/onlineid.bankofamerica/sso.login.controller

The second tactic that I've been researching for a while is that of remotely SQL injecting or remotely file including phishing pages on vulnerable sites, as for instance, someone's actively abusing vulnerable sites, which are apparently noticing this malicious activities and taking care of their web application vulnerabilities. Some recent examples include :

- kclmc.org/components/www.halifax.co.uk/_mem_bin/FormsLogin.aspsource=halifaxcouk/Index.PHP
- citrusfsc.org/templates_c/www.halifax-online.co.uk/_mem_bin/halifax_LogIn/formslogin.aspsource=halifaxcouk/index.html
- agentur-schneckenreither.com/administrator/components/com_joomfish/help/www.halifax.co.uk/_mem_bin/formslogin.asp/index.php
- dziswesele.pl/media/www.halifax.co.uk/_mem_bin/formslogin.asp/

In November, 2007, I started making the connecting between a Turkish defacement group that wasn't just defacing the web sites it was coming across, but was also hosting malware on the vulnerable sites :

"It gets even more interesting, as it appears that a Turkish defacer like the ones I blogged about yesterday is somehow connected with the group behind the recent Possibility Media's Attack, and the Syrian Embassy Hack as some of his IFRAMES are using the exact urls in the previous attacks."

As of recently, I'm starting to see more such activity, with various defacing groups realizing that monetizing their defacements can indeed improve their revenue streams. For instance, findaswap.co.uk/administrator/components/com_extplorer/www.Halifax.co.uk/_mem_bin/formslogin.asp/was serving a phishing page, and was also recently hacked by a Turkish defacement group. Moreover, equidi.com which is currently defaced is also hosting the following phishing pages within its directory structure, namely, equidi.com/New2008/Orange; equidi.com/New2008/www.bankofamerica.com; equidi.com/New2008/www.halifax.co.uk

Why are all of these tactics so smart? Mainly because they forward the responsibility to the infected party, and I can reasonably argue that a phishing page hosted at a .biz or .info tld will get shut down faster than the one hosted at a home user's PC. As for the SQL injections, the RFI, and the consolidation between defacers and phishers if it's not defacers actually phishing for themselves, what we might witness anytime now is a vulnerable financial institutions web sites' hosting phishing page, or its web application vulnerabilities used against itself in a social engineering attempt.

The Rise of Kosovo Defacement Groups

There's no better way to assess the incident that still haven't made it into the mainstream media, but to violate defacement group's OPSEC, by obtaining internal metrics for defaced sites on behalf of a particular group. According to this screenshot, released by one of the members of the Kosovo Hackers Group, a group that's been defacement beneath the radar as of recently, the mass deface included 300 sites, and on the 13th of April, Quebec's Common Ground Alliance site got also defaced by the group. Web application vulnerabilities in a combination with SQL injecting web backdoors is what is greatly contributing to the success of newly born defacement groups. And of course, commercially obtainable tools as you can see one of the bookmarks in the screenshot, indicating the use of such.

The rise of this particular group greatly showcases the cyclical pattern of cyber conflicts as the extensions of propaganda, PSYOPs and demonstration of power online, most interestingly the fact that at the beginning of their capabilities development process, they target everyone, everywhere, to later on move to more targeted attacks to greatly improve the effectiveness of the PSYOPs motives.

China's CERT Annual Security Report - 2007

Every coin has two sides, and while China has long embraced unrestricted warfare and people's information warfare for conducting cyber espionage, China's networked infrastructure is also under attack, and is logically used as stepping stone to hit others country's infrastructures, thereby contributing to the possibility to engineer cyber warfare tensions.

A week ago, China's CERT released their annual security report (in Chinese for the time being), outlining the local threatscape with data indicating the increasing efficiency applied by Turkish web site defacement groups, in between the logical increases in spam/phishing and malware related incidents. Here's an excerpt from the report :

"According CNCERT / CC monitoring found that in 2007 China's mainland are implanted into the host Trojans alarming increase in the number of IP is 22 times last year, the Trojans have become the largest Internet hazards. Underground black mature industrial chain for the production and the large number of Trojans wide dissemination provides a very convenient conditions, Trojan horses on the Internet led to the proliferation of a lot of personal information and the privacy of data theft, to the personal reputation and cause serious economic losses; In addition, the Trojans also increasingly being used to steal state secrets and secrets of the state and enterprises incalculable losses, the Chinese mainland are implanted into the Trojan Horse computer controlled source, the majority in China's Taiwan region, the phenomenon has been brought to the agency's attention. Zombie network is still the basic network attacks platform means and resources. 2007 CNCERT / CC sampling found to be infected with a zombie monitoring procedures inside and outside the mainframe amounted to 6.23 million, of which China's mainland has 3.62 million IP addresses were implanted zombie mainframe procedures, and more than 10,000 outside the control server to China Host mainland control. Zombie networks primarily be used launch denial of service (DdoS) attacks, send spam, spread malicious code, as well as theft of the infected host of sensitive information, issued by the zombie network flow, distributed DDOS attack is recognized in the world problems not only seriously affect the operation of the Internet business, but also a serious threat to China's Internet infrastructure in the safe operation. 2007 China's Internet domain name registration and the use of quantitative rapid growth, reaching 11.93 million, an annual growth rate of 190.4 percent, while hackers use of domain names has become a major tool. Use of domain names, the attackers could be flexible, hidden website linked to the implementation of large-scale horse zombie network control, network malicious activities such as counterfeiting. Fast-Flux domain names, such as dynamic analysis technologies, resulting in accordance with the IP to the attacks more difficult to trace and block; 2007 domain names which has been in use analytical services for the existence of security flaws, the public domain analysis of the server domain hijacking security incidents, a large number of users without knowing the circumstances of their fishing lure to the site or sites containing malicious code, such incidents very great danger. Therefore, the strengthening of the management of domain names and domain names analytic system's security protection is very important."

6.23 million botnet participating hosts according to their stats, where 3.62 million are Chinese IPs is a great example of how the Chinese Internet infrastructure's getting heavily abused by experienced malware and botnet masters, primarily taking advantage of what's old school social engineering, and outdated malware infection techniques, which undoubtedly will work given China's immature and inexperienced from a security perspective emerging Internet generation.

Getting back to the globalization and efficiency of Turkish web site defacement groups' worldwide web application security audit, indicated in the report, according to China's CERT these are the top 10 defacers, where 7 are well known Turkish ones, and 3 are interestingly Chinese :

sinaritx - 1731 defacements

1923turk - 1417 defacements

the freedom - 1156 defacements

aLpTurkTegin - 1052 defacements

Mor0Ccan Islam Defenders Team - 864 defacements

iskorpitx - 761 defacements

lucifercihan - 525 defacements

It's also interesting to see pro-democratic Chinese hackers attacking homeland networks.

Cyber warfare tensions engineering is only starting to take place, and state sponsored or perhaps even tolerated cyber espionage building capabilities in order for the state to later on acquire the already developed resources and capabilities in a cost-effective manner. However, considering the recent cyber attacks against "Free Tibet" movements, as well as the DDoS attack attempts at CNN due to CNN's coverage of Tibet, Chinese cyber warriors continue demonstrating people's information warfare, and Internet PSYOPs by developing an anti-cnn.com (121.52.208.243) community, with some catchy altered images from the originals broadcasted worldwide, and with a special section to improve China's image across the world.

And logically, there's a PSYOPs centered malware released in the wild, a sample of which is basically embedding links to a non-existent domain, descriptive enough to point to TibetIsAPartOFChina.com :

%\CommonDocuments%\My Music\My Playlists\WWW.cgjSFGrz_TibetIsAPartOFChina.COM

%CommonDocuments%\My Music\WWW.bimStzno_TibetIsAPartOFChina.COM

%CommonDocuments%\My Videos\WWW.kUJs_TibetIsAPartOFChina.COM

%CommonPrograms%\Accessories\Accessibility\WWW.RSulr_TibetIsAPartOFChina.COM

%CommonPrograms%\Accessories\System Tools\WWW.aEGXBl_TibetIsAPartOFChina.COM

Now that's effective digital PSYOPs, isn't it? If you're visionary enough to tolerate the development of underground communities, whereas ensuring their nationalism level remain a priority for anything they do, you end up with a powerful cyber army whose every action perfectly fits with your political and military doctrine, without you even bothering to coordinate their efforts, thereby eliminating the need for a command and control structure.

Related posts:

China's Cyber Espionage Ambitions
Chinese Hackers Attacking U.S Department of Defense Networks
Inside the Chinese Underground Economy
China's Cyber Warriors - Video