Tag Archives: Denial-of-service attack

Behind the Akamai DDoS Attack

A bit late (my apologies) but it’s interesting to look at the recent Distributed Denial of Service attack on Akamai, an Internet infrastructure provider.

The attack blocked nearly all access to Apple Computer, Google, Microsoft and Yahoo’s Web sites for two hours on Tuesday by bringing down Akamai’s domain name system, or DNS, servers. These servers translate domain names — www.microsoft.com — into numerical addresses. The attack was made possible by harnessing a bot net — thousands of compromised Internet-connected computers, or zombies, which are instructed to flood the DNS servers with data at the same time. This is called Distributed Denial of Service, of DDoS.

But there’s still something of a mystery here: How was the attacker able to make the DDoS attack so surgical, taking out just the  main Yahoo, Google, Microsoft and Apple sites? As CXOtoday points outAkamai is an obvious target, since “it has created the world’s largest and most widely used distributed computing platform, with more than 14,000 servers in 1,100 networks in 65 countries.”

Indeed, before Akamai admitted the nature and scale of the attack there was some skepticism that this could have been a DDoS: ComputerWorld quoted security expert Bruce Schneier as saying “My guess is that it’s some kind of an internal failure within Akamai, or maybe a targeted attack against them by someone with insider knowledge and access.”

The Ukrainian Computer Crime Research Center says it believes the attack was a demonstration of capabilities by a Russian hacker network. As evidence they point to an earlier posting by Dmitri Kramarenko, which describes a recent offer by a Russian hacker to “pull any website, say Microsoft” for not less than $80,000. The story appeared four days before the DDoS attack.

The Price of Worms

How damaging are worms?

Very, says Sandvine Inc, a Canada based Internet security company. It says that the main damage is on ISPs who lose bandwidth to them, and face daily Denial of Service attacks. “In fact,” Sandvine says in one new report (PDF, registration required), ”Internet worms and the malicious, malformed data traffic they generate are wreaking havoc on European service provider networks of all sizes, degrading the broadband experience for residential subscribers and imposing hundreds of millions in unplanned hard costs directly related to thwarting attacks.”

Worms, Sandvine says, consume “massive amounts of bandwidth as they replicate. And depending on the number of vulnerable hosts in a given network environment, a worm can create hundreds of thousands of copies of itself in a matter of hours.” The company’s research shows that between 2 and 12% of all Internet traffic is malicious. Even on a well-run ISP network, that figure is about 5%. And if that doesn’t sound very much, consider the warped effect worms have on processor power, when they propagate and probe for weak spots.

All this means that residential subscribers are going to feel the hurt, partly because it’s their Internet connections that are being targeted by worms, and partly because their connections are going to slow down with all this extra traffic, Sandvine warns. Then of course there are infections: The dirty secret of worm infections is that if you’ve got one, the only sure way to get rid of it is to reinstall everything.

For now, ISPs keep quiet about these things; they don’t want to scare off subscribers, and they don’t want the bad guys to get any fresh ideas about their vulnerabilities. But it seems to me that worms and bots are a topic that needs to be researched, reported and resolved more than it is.

 

Who Is Behind Bagel, NetSky and MyDoom?

Who is behind this latest crop of viruses, and variants on viruses?
 
Mi2g, a London-based technology security company, reckon that MyDoom and Bagle ”is not the activity of hobbyists but organised criminals” and that Doomjuice.a, which carried the source code of MyDoom.a was “clearly written by the same perpetrators” with the motive of covering their tracks.

 
That said, mi2g reckon the original NetSky author may merely have been “involved in a turf war with MyDoom and then another turf war with Bagel”. (Yes, it does sound like a bad police series). “That,” mi2g says, “suggests the possibility of bragging rights or intellectual challenge as a motive instead of financial gain.” Evidence? ”NetSky.d was released at the beginning of March, and whilst it has its own agenda, it also modifies registry keys to delete the “au.exe” file used by two variants of the Bagle malware.”
 
This large number of variants in such a short timeframe, mi2g say, “is historically unprecedented”. It’s not clear who is behind these, mi2g say, but whoever it is, “the net beneficiary is organised crime as the number of compromised computers or zombies continues to increase”. These slave computers can be used for anything, from spam to phishing scams to DDoS extortions to working as fileservers for illicit or pirated material.
 
My guess? Success breeds copycat attacks, and there are an awful lot of folk out there who have the knowledge and the inclination for this kind of thing. It’s no surprise that these attacks are getting worse, and that there is a clear link between virus writing and scams. Hold onto your hat.

Viruses And The Russian Connection

As feared, MyDoom seems to come from Russia. Or does it?

The Moscow Times quotes Kaspersky Labs as saying they used location-sensing software to trace the first e-mails infected with MyDoom back to addresses with Russian Internet providers. “It’s scary, but most serious viruses are written in Russia,” said Denis Zenkov, spokesman for Kaspersky, the country’s largest anti-virus software company.

This is not the first. Russians have long been virus writers. Dumaru, Mimail and Stawin may have Russian origins.

But what has changed in the last year or so, it seems, is the commercialisation of Russian virus writing. These viruses are no longer the product of idle, alienated, out-of-work minds, but of folk working for professional spammers and scammers. Another Kaspersky expert, Alexander Gostiyev, is quoted by AFP as saying the creators of MyDoom were not aiming to disrupt Internet traffic but to use infected computers to distribute unsolicited junk mail. The attack “was very well planned and prepared, perhaps for several months, and at least 1,000 computers were infected in advance,” Gostiyev said. “The virus could be of use above all to criminal groups seeking to distribute spam,” he added.

Spam, however, may be the least of it. There’s not much money to be made from spam, whereas there is from theft. Stawin, for example, records keystrokes when infected victims access their bank accounts, and sends the results to a Russian email address. British police are investigating the possibility that a wave of extortion attempts against gambling sites may come from Russia or Eastern Europe, according to Reuters. These attacks are related to the Superbowl: Those who don’t pay up are brought down by massive traffic, called a Distributed Denial of Service attack, or DDOS. A site dedicated to online betting has recorded at least 20 sports betting sites appeared to have been brought down over the weekend. With all the work that went into something like MyDoom, I can’t believe it’s only spam the creators are after.

Of course, this could all be a feint.

Agence France Presse quotes Kaspersky as saying “there is a still a 20-percent chance that this was an attempt to mislead. Virus programmers from other countries could have registered an email address in Russia” as a ruse. And it’s not entirely clear what Kaspersky means by ‘location sensing software’. This could mean more or less anything, and, as some folk have pointed out, the fact that Kaspersky is based in Russia makes it likely they will receive copies of the virus from Russian email addresses.

And it still leaves us with the fact that the virus was in part tooled to launch an attack on the website SCO, a company that has riled the Open Source community by claiming copyright over parts of the Linux operating system. The virus was designed to launch an attack on their website starting February 1: The website is presently down, apparently overwhelmed by traffic.

One final thing: There seems to be some confusion between the first and second MyDoom virus: Variations often follow when folk get inspired by the success of a virus, but that doesn’t mean the same guy, or guys, wrote both viruses. The presence of a note in English inside the second version of the virus, — sync-1.01; andy; I’m just doing my job, nothing personal, sorry — appears to have confused some folk. The source, and purpose, of the first MyDoom remains a mystery.

News: Spam Warfare, Dutch Style

If you wonder why people don’t just go after spammers, vigilante-style, here’s why. Three Dutch blogging websites launched an online war against a U.S. spammer, Customerblast.com late last week, and found they’d bitten off more than they could chew. The weblogs, according to The Register, tried to push Customerblast off the web with sustained distributed denial of service (DDOS) attacks (basically trying to overload their system with requests for data).
 
Customerblast fought back. On Friday, all three weblogs were inundated with mail bombs, floods and DDOS attacks, forcing them to go offline temporarily. Late Friday afternoon, the weblogs began a second attack. By Monday the spammer had still not recuperated from the attacks. But there’s been a downside. One of the Dutch attackers says he was cut off by his Internet Service Provider and now faces ?legal action?.

News: The Explanation Behind All Those Attacks?

 It seems that there’s a purpose behind the viruses we’ve all been getting: old-fashioned extortion. Reuters reports that extortionists — many thought to come from eastern Europe — have been targetting casinos and retailers, but one recent high-profile victim was the Port of Houston. The attacks, which can cripple a corporate network with a barrage of bogus data requests, are followed by a demand for money. An effective attack can knock a Web site offline for extended periods.
 
Online casinos appear to be a favorite target as they do brisk business and many are located in the Caribbean where investigators are poorly equipped to tackle such investigations. Police said because of a lack of information from victimized companies, they are unsure whether these are isolated incidents or the start of a new crime wave.
 
Last week, the online payment service WorldPay admitted to suffering a major DDoS attack that lasted three days. WorldPay, owned by the Royal Bank of Scotland, has been fully restored. The NHTCU spokeswoman said the investigation into the WorldPay is ongoing.

News: Internet Payment Under Attack

 Internet payment system Worldpay is under hack attack from unknown assailants, hitting thousands of online retailers around the world, the BBC reports. The company’s payment and administration networks have been flooded with computer-generated requests, clogging the system and slowing transactions – also known as a “denial-of-service” attack. Worldpay is owned by the Royal Bank of Scotland Group. It has 27,000 clients around the world, ranging from heavyweights like Vodafone and Sony Music Entertainment to numerous small online retailers.

Update: More On The Spiral of Evil

 Spammers may be using viruses to attack their enemies. Further to my column on how virus writers and spammers may be in cahoots to deliver spam, The Register reports that anti-spam activists have produced fresh evidence that recent assaults — called Distributed Denial of Service attacks, or DDoS, — on their websites have been enabled by the infamous Sobig worm.
 
Two anti-spam services, Monkeys.com and the Compu.Net “block list”, have already closed in the past week.
Spamhaus has been under constant “extremely heavy” DDoS attack since early July, and they believe the attack against his site and others originates from Windows machines infected with the Sobig worm, controlled by spammers over IRC networks.
 
What’s interesting is that, if properly investigated, this may help prove the link between (some) spammers and (some) virus writers. And, of course, get them off the streets and in jail.

Update: Sobig’s 9/11

 Here’s some more evidence that the Sobig worms may be part of something more sinister: Central Command, a provider of PC anti-virus software and services, says its latest incarnation, Sobig.F, “is estimated to have infected millions of systems worldwide and may draw on them to be part of a cyber army focusing a digital assault against major online services”.
 
Here’s how it may work: When particular conditions are met, Worm/Sobig.F will attempt to download additional components of the attackers choice. The pre-configured conditions include performing tests to determine if the current day is Friday or Sunday between the hours of 19:00 (7PM) and 22:00 (10PM) UTC time. When these conditions are met, the worm will attempt to retrieve further instructions that may include the downloading and execution a backdoor hacker program. Backdoors can allow someone with malicious intent to gain full control of the infected computer.
 
“The virus author(s) of Sobig have developed a predictable pattern of releasing new variants soon after the current version de-activates itself,” said Steven Sundermeier, VP Products and Services at Central Command, Inc. “If the past repeats itself we could be looking at a newly constructed creation shortly after September 10th. A potential risk is that the massive army created by Worm/Sobig.F could be used to launch an all out attack on large Internet infrastructures, for example, by means of a Distributed Denial of Service attack (DDoS).”
 
This may not happen, like the LovSan worm’s planned attack on Microsoft. But to make sure you’re safe check you’ve not got the Sobig worm aboard and if you have, remove it.