Tag Archives: Denial-of-service attacks

Korean Banks

The Washington Post report that it seems the attack on South Korea’s Nonghyup agricultural bank back in April was the work of North Korea. The evidence?

South Korean investigators said they determined that 10 servers used in the bank incident were the same ones used in previous cyberattack operations against South Korea, including one in 2009 and another in March, that they blamed on the North. Investigators say they determined, for instance, that a “command and control” server used in the 2009 operation was registered to a North Korean government agency operating in China.

This is interesting. Command and control servers are compromised computers that are used by bad guys to “run” other computers—zombies—that actually do the grunt work. There’s definitely a common thread between the 2009 and 2011 DDOS attacks, and plenty of circumstan

The Battery DDOS: Tip of An Iceberg

An interesting story brewing about the FBI investigating a DDOS (Distributed Denial of Service) attack on websites selling batteries. But the reporting does not go far enough: In fact, a little research reveals this is part of a much bigger assault on a range of industries.

As a starting point, look at Elinor Mills of the excellent Insecurity Complex at CNET:

U.S. battery firms reportedly targeted in online attack | InSecurity Complex – CNET News: “The FBI is investigating denial-of-service attacks targeting several U.S. battery retail Web sites last year that were traced to computers at Russian domains in what looks like a corporate-sabotage campaign, according to documents published yesterday by The Smoking Gun.”

But a closer look at the source documents suggests this is just the tip of a much bigger iceberg. The Smoking Gun incorrectly reports the email address used by the alleged hacker, a St Petersburg man called Korjov Sergey Mihalivich, as lvf56fre@yahoo.com. In fact, the FBI lists it as lvf56kre@yahoo.com, which yields much more interesting results. Such as this one, from ShadowServer.

ShadowServer shows that the domains under that person’s control, globdomain.ru (not globdomian.ru as reported by the Smoking Gun) and greenter.ru, have been prolific since 2010 in launching DDOS attacks against 14 countries and more than 30 industries and government websites. An update from ShadowServer in January 2011 counted 170 “different victims. Again, these attacks are across many different industries and target some rather high profile sites.” (It doesn’t identify them.)

The DDOS attacks use the BlackEnergy botnet, described by Arbor Networks’ Jose Nazario in a 2007 paper [PDF]. Back then Nazario reported the botnet’s C&C systems were hosted in Malaysia and Russia.

The same email address used for those two domains has registered other domains: trashdomain.ru, which has been recorded as the host for a Trojan dropper called Microjoin.

In other words, this is a lot more than about batteries. This appears to be a DDOS for rent to businesses wanting to take out business rivals in a host of fields. Indeed, the FBI investigation makes this clear, and cites the $600,000 damage caused as included attacks on “a wide range of businesses located in the United States.” (This does not include the dozen other countries affected, hence, presumably, the quite low sum involved.)

The batteries attack took place in October 2010, but the FBI document makes clear that as of May 2011 the attacks were still going on.

At present it’s not clear who is behind these attacks–in other words, who is paying for them. This could be a ransom attack–pay up or we will keep DDOSing–but this doesn’t seem to be the case, as Batteries4less.com Chief Executive Coryon Redd doesn’t mention any such approach in an interview with Mills. He seems to believe that “[t]he competitor is going to be U.S.-based and contracting out with a bad guy in Russia.”

Could be right. In which case the investigation has stumbled on a dark world of business tactics stretching from banking to astrology consultants. More research needed, please.

Did Prolexic Fend Off Anonymous’s Sony Attacks?

Prolexic, a company that defends clients against Distributed Denial of Service (DDoS) attacks, says it has successfully combatted the “Largest Packet-Per-Second DDoS Attack Ever Documented in Asia”:

“Prolexic Technologies, the global leader in Distributed Denial of Service (DDoS) mitigation services, today announced it successfully mitigated another major DDoS attack of unprecedented size in terms of packet-per-second volume. Prolexic cautions that global organizations should consider the attack an early warning of the escalating magnitude of similar DDoS threats that are likely to become more prevalent in the next 6 to 8 months.”

Although it describes the customer only as “an Asian company in a high-risk e-commerce industry” it could well be connected to the recent attacks on Sony by Anonymous. A piece by Sebastian Moss – The Worst Is Yet To Come: Anonymous Talks To PlayStation LifeStyle — in April quoted an alleged member of Anonymous called Takai as reacting to unconfirmed reports that Sony had hired Prolexic to defend itself (Sony Enlists DDoS Defense Firm to Combat Hackers):

“It was expected. We knew sooner or later Sony would enlist outside help”. Pressed on whether Anonymous would take out Prolexic, Takai showed confidence in the ‘hacktavist’s’ upcoming retaliation, stating “well, if I had to put money on it … I’d say, Prolexic is going down like a two dollar wh*** in a Nevada chicken ranch  ”. He did admit that the company “is quite formidable” and congratulated “them for doing so well”, but again he warned “We do however have ways for dealing with the ‘Prolexic’ factor”.

The website also quoted Anonymous members expressing frustration at the new defences, but that they appeared to be confident they would eventually prevail. That doesn’t seem to have happened.

Prolexic’s press release says the attacks had been going on for months before the client approached the company. The size of the attack, the company said, was staggering:

According to Paul Sop, chief technology officer at Prolexic, the volume reached levels of approximately 25 million packets per second, a rate that can overwhelm the routers and DDoS mitigation appliances of an ISP or major carrier. In contrast, most high-end border routers can forward 70,000 packets per second in typical deployments. In addition, Prolexic’s security experts found 176,000 remotely controlled PCs, or bots, in the attacker’s botnet (robot network). This represents a significant threat as typically only 5,000-10,000 bots have been employed in the five previous attacks mitigated by Prolexic.

It does not say why it considers the attack over, now gives any timeline for the attack. But if it is Sony, it presumably means that Anonymous has withdrawn for now or is preoccupied with other things. Prolexic, however, is probably right when it warns this is a harbinger of things to come:

“Prolexic sees this massive attack in Asia with millions of packets per second as an early warning beacon of the increasing magnitude of DDoS attacks that may be on the horizon for Europe and North America in the next 6 to 8 months,” Sop said. “High risk clients, such as those extremely large companies in the gaming and gambling industries in Asia, are usually the first targets of these huge botnets just to see how successful they can be.”

Behind the Akamai DDoS Attack

A bit late (my apologies) but it’s interesting to look at the recent Distributed Denial of Service attack on Akamai, an Internet infrastructure provider.

The attack blocked nearly all access to Apple Computer, Google, Microsoft and Yahoo’s Web sites for two hours on Tuesday by bringing down Akamai’s domain name system, or DNS, servers. These servers translate domain names — www.microsoft.com — into numerical addresses. The attack was made possible by harnessing a bot net — thousands of compromised Internet-connected computers, or zombies, which are instructed to flood the DNS servers with data at the same time. This is called Distributed Denial of Service, of DDoS.

But there’s still something of a mystery here: How was the attacker able to make the DDoS attack so surgical, taking out just the  main Yahoo, Google, Microsoft and Apple sites? As CXOtoday points outAkamai is an obvious target, since “it has created the world’s largest and most widely used distributed computing platform, with more than 14,000 servers in 1,100 networks in 65 countries.”

Indeed, before Akamai admitted the nature and scale of the attack there was some skepticism that this could have been a DDoS: ComputerWorld quoted security expert Bruce Schneier as saying “My guess is that it’s some kind of an internal failure within Akamai, or maybe a targeted attack against them by someone with insider knowledge and access.”

The Ukrainian Computer Crime Research Center says it believes the attack was a demonstration of capabilities by a Russian hacker network. As evidence they point to an earlier posting by Dmitri Kramarenko, which describes a recent offer by a Russian hacker to “pull any website, say Microsoft” for not less than $80,000. The story appeared four days before the DDoS attack.

The Price of Worms

How damaging are worms?

Very, says Sandvine Inc, a Canada based Internet security company. It says that the main damage is on ISPs who lose bandwidth to them, and face daily Denial of Service attacks. “In fact,” Sandvine says in one new report (PDF, registration required), ”Internet worms and the malicious, malformed data traffic they generate are wreaking havoc on European service provider networks of all sizes, degrading the broadband experience for residential subscribers and imposing hundreds of millions in unplanned hard costs directly related to thwarting attacks.”

Worms, Sandvine says, consume “massive amounts of bandwidth as they replicate. And depending on the number of vulnerable hosts in a given network environment, a worm can create hundreds of thousands of copies of itself in a matter of hours.” The company’s research shows that between 2 and 12% of all Internet traffic is malicious. Even on a well-run ISP network, that figure is about 5%. And if that doesn’t sound very much, consider the warped effect worms have on processor power, when they propagate and probe for weak spots.

All this means that residential subscribers are going to feel the hurt, partly because it’s their Internet connections that are being targeted by worms, and partly because their connections are going to slow down with all this extra traffic, Sandvine warns. Then of course there are infections: The dirty secret of worm infections is that if you’ve got one, the only sure way to get rid of it is to reinstall everything.

For now, ISPs keep quiet about these things; they don’t want to scare off subscribers, and they don’t want the bad guys to get any fresh ideas about their vulnerabilities. But it seems to me that worms and bots are a topic that needs to be researched, reported and resolved more than it is.

 

Who Is Behind Bagel, NetSky and MyDoom?

Who is behind this latest crop of viruses, and variants on viruses?
 
Mi2g, a London-based technology security company, reckon that MyDoom and Bagle ”is not the activity of hobbyists but organised criminals” and that Doomjuice.a, which carried the source code of MyDoom.a was “clearly written by the same perpetrators” with the motive of covering their tracks.

 
That said, mi2g reckon the original NetSky author may merely have been “involved in a turf war with MyDoom and then another turf war with Bagel”. (Yes, it does sound like a bad police series). “That,” mi2g says, “suggests the possibility of bragging rights or intellectual challenge as a motive instead of financial gain.” Evidence? ”NetSky.d was released at the beginning of March, and whilst it has its own agenda, it also modifies registry keys to delete the “au.exe” file used by two variants of the Bagle malware.”
 
This large number of variants in such a short timeframe, mi2g say, “is historically unprecedented”. It’s not clear who is behind these, mi2g say, but whoever it is, “the net beneficiary is organised crime as the number of compromised computers or zombies continues to increase”. These slave computers can be used for anything, from spam to phishing scams to DDoS extortions to working as fileservers for illicit or pirated material.
 
My guess? Success breeds copycat attacks, and there are an awful lot of folk out there who have the knowledge and the inclination for this kind of thing. It’s no surprise that these attacks are getting worse, and that there is a clear link between virus writing and scams. Hold onto your hat.

News: Spam Warfare, Dutch Style

If you wonder why people don’t just go after spammers, vigilante-style, here’s why. Three Dutch blogging websites launched an online war against a U.S. spammer, Customerblast.com late last week, and found they’d bitten off more than they could chew. The weblogs, according to The Register, tried to push Customerblast off the web with sustained distributed denial of service (DDOS) attacks (basically trying to overload their system with requests for data).
 
Customerblast fought back. On Friday, all three weblogs were inundated with mail bombs, floods and DDOS attacks, forcing them to go offline temporarily. Late Friday afternoon, the weblogs began a second attack. By Monday the spammer had still not recuperated from the attacks. But there’s been a downside. One of the Dutch attackers says he was cut off by his Internet Service Provider and now faces ?legal action?.

News: The Explanation Behind All Those Attacks?

 It seems that there’s a purpose behind the viruses we’ve all been getting: old-fashioned extortion. Reuters reports that extortionists — many thought to come from eastern Europe — have been targetting casinos and retailers, but one recent high-profile victim was the Port of Houston. The attacks, which can cripple a corporate network with a barrage of bogus data requests, are followed by a demand for money. An effective attack can knock a Web site offline for extended periods.
 
Online casinos appear to be a favorite target as they do brisk business and many are located in the Caribbean where investigators are poorly equipped to tackle such investigations. Police said because of a lack of information from victimized companies, they are unsure whether these are isolated incidents or the start of a new crime wave.
 
Last week, the online payment service WorldPay admitted to suffering a major DDoS attack that lasted three days. WorldPay, owned by the Royal Bank of Scotland, has been fully restored. The NHTCU spokeswoman said the investigation into the WorldPay is ongoing.