
Q1 2009 Distributed Denial of Service (DDoS) Report

An iDefense Focused Intelligence Report

Prepared for VeriSign, Inc.

The iDefense® Security Intelligence Team

Contents

Q1 2009 Distributed Denial of Service (DDoS) Report

1 Executive Summary
2 News Items from January 2009
2.1 “Fake Obama Website Reportedly Builds Botnet”
2.2 “£10 000 Bounty Placed on DDoS Hackers”
2.3 “Update: Network Solutions DNS”
2.4 “Will EDoS be the next DDoS?”
2.5 “Second Mac Trojan Attacks Pirated PhotoShop CS4”
2.6 “Techwatch weathers DDoS extortion attack”
3 News Items from February 2009
3.1 “Russian ‘cybermilitia’ in DDoS Attack on Kyrgyzstan”
3.2 “New DDoS Attack Based on Deluge of Dots”
3.3 “New and Improved Storm Botnet Morphing Valentine's Malware”
3.4 “Crimeware Tracking Service hit by a DDoS Attack”
3.5 “How Metasploit Turned the Tables on Its DDoS Attackers”
3.6 “Confirmed: Time Warner Cable Users Impacted by DDoS Attack”
3.7 “'Phishing' Attack Forces Bank to Shut Down Website”
4 News Items from March 2009
4.1 “Denial of Service, The Pirate Bay Is Offline”
4.2 “Conficker Worm Targets Legitimate Travel Site”
4.3 “Member of the Botnet Underground Sentenced to 48 months in Prison”
4.4 “BBC botnet Investigation Turns Hacks into Hackers”
4.5 “Political Cyber Attacks to Militarize the Web”
4.6 “Russia Confirms Involvement with Estonia DDoS Attacks”
4.7 “Geo-Location, Malware Combine in New Attack”
4.8 “Worm Grabs Routers for Botnet”
4.9 “Conficker Worm Authors Could Launch DDoS Attacks”
4.10 “DDoS Attack Affects Half of GoGrid's Customers”
4.11 “Some UltraDNS Customers Knocked Offline by Attack”
4.12 “Attack of the Mini-Botnets”
5 Analysis of Q1 Attack Trends
6 Analysis of Q1 Botnet Activity
7 Analysis of Actors and Motives
7.1 Actor Attribution
7.1.1 John “Acidstorm” Schiefer Receives Four-Year Prison Sentence
7.1.2 Russia Admits Involvement in 2007 Cyber Attacks on Estonia
7.2 Analysis of Motives
8 Methodology
8.1 Aggregation of Important News Items Pertaining to DDoS Attacks
8.2 Aggregation of Attack Trends


1 Executive Summary

This distributed denial of service (DDoS) report for the first quarter (Q1) of 2009 collects news items on noteworthy cyber attacks and botnets, the individuals or organizations responsible for them, arrests and legal developments stemming from those incidents, vulnerabilities and exploits that may enable future denial of service (DoS) and DDoS activity, and indications that such attacks are becoming more sophisticated.

The year began with relatively little DDoS and botnet activity. Section 2.1 describes a fraudulent website, claiming that Barack Obama had refused to take office, that was used to infect visitors with malicious software and add their machines to an existing botnet (Waledac). In January, security researcher Christofer Hoff proposed a new attack vector he calls “Economic Denial of Sustainability” (EDoS), in which attackers deliberately inflate the bills of cloud service customers until the service is no longer affordable (Section 2.4). A trojanized serial-number generator bundled with pirated copies of Adobe Photoshop CS4 for the Mac (Section 2.5) installs a back door; an earlier variant of the same Trojan was seen downloading additional code to infected machines, which were then used in DDoS attacks. Three targeted attacks occurred in January: 1) Overclockers.co.uk (Section 2.2), an online computer hardware reseller, 2) the DNS service of Network Solutions (Section 2.3), and 3) Techwatch (Section 2.6), a digital television news site.

The major story of February was a series of DDoS attacks by Russian botnets on domains in Kyrgyzstan (Section 3.1), possibly connected to Kremlin pressure on Kyrgyzstan to end US access to the Manas Air Base, which supports operations in Afghanistan. New research also showed that a DNS feature designed to be helpful, the referral listing all the root name servers that a server returns in answer to a tiny query, can be abused to amplify DDoS traffic, and that unlike earlier DNS amplification techniques it does not depend on recursion (Section 3.2). The Waledac botnet continued to grow in February as it distributed malicious software with Valentine's Day themes (Section 3.3). This report highlights four targeted attacks from February: 1) the Zeus Tracker (Section 3.4), a project dedicated to tracking banking malicious code, 2) Metasploit (Section 3.5), a project for white hat hackers, 3) Time Warner Cable (Section 3.6), and 4) Bank of the Cascades (Section 3.7).

March eclipsed January and February in terms of relevant DDoS and botnet content. The most noteworthy item came as a Russian State Duma deputy confirmed rumors that a pro-Kremlin youth movement had been involved in the 2007 DDoS attacks on Estonia's Internet infrastructure (Section 4.6). Specific attacks in March targeted The Pirate Bay (Section 4.1), a Swedish file-sharing site, as well as GoGrid (Section 4.10) and NeuStar (Section 4.11), providers of Web hosting and managed DNS services, respectively. This report also touches on policy, as the BBC came under fire for purchasing a botnet from an underground forum (Section 4.4).


2 News Items from January 2009

2.1 “Fake Obama Website Reportedly Builds Botnet”

Jan. 20, 2009
By Thomas Claburn
http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=212901473

Over the weekend, PandaLabs reported that its researchers had detected a botnet-driven malicious software campaign impersonating then President-elect Obama's website. "The fake Web site looks just like the real thing and attempts to bait viewers into clicking a story entitled, 'Barack Obama has refused to be a president,' " wrote PandaLabs security researcher Sean-Paul Correll in a blog post. "When the user clicks on the link, the malware (W32\Iksmas.A.worm) begins to download all of the necessary files needed to host the fake site on the victim's computer."

Security researchers at Marshal observed the same scam and attribute it to the Waledac worm, which they say is the successor to the Storm worm. "Waledac first appeared around Christmas time with an ecard theme," the Marshal blog explains. "This is the second campaign by Waledac which is intended to infect more victim machines and grow the botnet."

2.2 “£10 000 Bounty Placed on DDoS Hackers”

Jan. 23, 2009
By Steve Gold
http://www.infosecurity-magazine.com/news/090123_10KBountyDdosHackers.html

Overclockers.co.uk (OCUK), an online computer hardware reseller firm, have announced they are placing a bounty of £10 000 on the heads of hackers behind a Distributed Denial of Service (DDoS) attack on their website earlier in the month.

The IT reseller, which was founded ten years ago by Mark Proudfoot and Peter Radford, says its Web portal was hit by a sustained DDoS attack around ten days ago that slowed down and even blocked access to its portal for about a week.

In a forum posting, the company has apologized to its customers for any inconvenience caused by its site being slow or inaccessible, and causing any problems placing an order online.

The 10K reward is conditional on tips being usable by the Serious Organised Crime Agency (SOCA).


2.3 “Update: Network Solutions DNS”

Jan. 23, 2009
By Shashi Bellamkonda
http://blog.networksolutions.com/2009/potential-latency-on-network-solutions-dns/

To close the loop on this, here is an update. Network Solutions had traffic spikes in DNS queries lasting two to four hours on Thursday and Friday last week causing intermittent disruption of normal DNS query resolution. Taking steps to mitigate the DDOS attack, Network Solutions Operations Department estimates that 48 percent to 62 percent of the queries were being responded to successfully during that period. Normalcy was restored by about 5 p.m. Friday.

2.4 “Will EDoS be the next DDoS?”

Jan. 25, 2009
By Adam O’Donnell
http://blogs.zdnet.com/security/?p=2423

A noted security analyst has proposed a new twist on the traditional DoS model where attackers purposefully inflate the bills of cloud service users until they can no longer afford service.

Christofer Hoff, the Chief Security Architect at Unisys, has recently been discussing the concept of an Economic Denial of Sustainability on his blog. Put simply, it is an attack against the billing model that underlies the cost of providing a service with the goal of bankrupting the service itself. Before we go into why EDoS is a threat, and one that is separate from DDoS, we have to understand how companies turn dollars into bytes, which they hopefully turn back into dollars.
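One way to make the EDoS concept concrete is a spend-rate guard on the metered usage itself: the bill is projected from recent consumption and compared with a budget, and the service degrades itself deliberately before the attacker can bankrupt it. The Python below is an added example, not code from the article or from Hoff's blog; the unit prices, the monthly budget and the hourly usage windows are constructed placeholders, and the 'alert' and 'throttle' ratios are assumptions a deployment would tune.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pricing:
    """Metered unit prices. Constructed placeholders for illustration,
    not any real provider's rate card."""
    usd_per_million_requests: float = 0.40
    usd_per_gb_egress: float = 0.09


@dataclass(frozen=True)
class HourlyUsage:
    """One hour of metered consumption, as a provider would bill it."""
    requests: int
    egress_gb: float


def hourly_cost(usage, pricing):
    """Dollars billed for one hour: request fees plus egress fees."""
    return (usage.requests / 1_000_000 * pricing.usd_per_million_requests
            + usage.egress_gb * pricing.usd_per_gb_egress)


def projected_monthly_cost(window, pricing, hours_per_month=730):
    """Extrapolate a month's bill from the average cost of the hours in `window`."""
    if not window:
        return 0.0
    avg = sum(hourly_cost(h, pricing) for h in window) / len(window)
    return avg * hours_per_month


def edos_guard(window, pricing, monthly_budget_usd, alert_ratio=1.5, throttle_ratio=3.0):
    """Spend-rate circuit breaker.

    Returns 'ok' while the projected bill is within budget, 'alert' once the
    recent spend rate projects to more than `alert_ratio` times the budget,
    and 'throttle' (cap request rate, serve cached/static responses, freeze
    autoscaling) once it projects to more than `throttle_ratio` times it.
    The ratio, not the absolute bill, drives the decision, so the same guard
    fits small and large deployments.
    """
    if monthly_budget_usd <= 0:
        raise ValueError("budget must be positive")
    ratio = projected_monthly_cost(window, pricing) / monthly_budget_usd
    if ratio >= throttle_ratio:
        return "throttle"
    if ratio >= alert_ratio:
        return "alert"
    return "ok"


# Constructed sample windows of six hourly samples each; not measurements
# from any real site.
PRICING = Pricing()
MONTHLY_BUDGET_USD = 2500.0
BASELINE_WINDOW = [HourlyUsage(2_000_000, 20.0)] * 6
# Attack: 20x the requests and 20x the egress for the last three hours. The
# attacker pays nothing; the victim's metered bill climbs with the junk traffic.
ATTACK_WINDOW = [HourlyUsage(2_000_000, 20.0)] * 3 + [HourlyUsage(40_000_000, 400.0)] * 3

if __name__ == "__main__":
    for name, window in (("baseline", BASELINE_WINDOW), ("under attack", ATTACK_WINDOW)):
        print(f"{name}: projected ${projected_monthly_cost(window, PRICING):,.0f}/month"
              f" -> {edos_guard(window, PRICING, MONTHLY_BUDGET_USD)}")
```

Throttling is itself a controlled denial of service, so the guard is only a backstop; the cheaper defences are the ones that stop junk requests from being metered at all (caching and CDN edges absorbing the traffic, provider-side spend caps and alerts, rate limits on the expensive endpoints). A projection from a six-hour window also lags the attack by hours, so in practice the throttle decision uses a shorter window than the alert.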

2.5 “Second Mac Trojan Attacks Pirated PhotoShop CS4”

Jan. 28, 2009
By PCMag.com Staff
http://www.pcmag.com/article2/0,2817,2339728,00.asp

Security firm Intego said this week that it has discovered a second version of the Trojan hiding within a pirated version of iLife '09. The new variant is being distributed via BitTorrent within Adobe Photoshop CS4 for the Mac.

According to Intego, the new Trojan is named OSX.Trojan.iServices.B. The PhotoShop installer being distributed is clean, Intego said; however, the accompanying serial-number generator contains the Trojan.

Intego noted that the serializer program does work; however, the Trojan installs a back door that allows access to the host machine for remote attacks. Intego reported that the first version of this Trojan horse was seen downloading new code to infected computers, which were then used in a DDoS (distributed denial of service) attack on certain websites.


2.6 “Techwatch weathers DDoS extortion attack”

Jan. 30, 2009
By John Leyden
http://www.theregister.co.uk/2009/01/30/techwatch_ddos/

Techwatch is back online following a sustained DoS attack that left the digital TV news site unavailable for two days earlier this week.

The botnet-powered assault was accompanied by blackmail demands posted on the site's forum through compromised zombie machines. These threatening messages claimed the site was being carpet-bombed with spurious traffic generated through a 9,000 strong botnet of compromised machines.

Techwatch was able to restore the site to normal after applying advanced traffic filters.


3 News Items from February 2009

3.1 “Russian ‘cybermilitia’ in DDoS Attack on Kyrgyzstan”

Are Russian nationalist hackers involved in yet another cyber war? Cyber attacks that crippled the network infrastructure of Kyrgyzstan in January and February, believed to have originated from Russian botnets, bear a striking resemblance to the earlier cyber assaults on Estonia in 2007 and Georgia in 2008. Kyrgyzstan is only the latest former Soviet republic to be targeted in a series of coordinated electronic attacks in recent years believed to have originated in Russia.

Feb. 5, 2009
By Drew Wilson
http://eetimes.eu/eastern_europe/213201182

BOSTON — Kyrgyzstan has been struggling with cyber attacks that have blocked most net traffic in and out of the country for a week, according to online reports.

The "massive" DDoS attacks, which began last month, bear the signature of pro-Russian nationalists, a "cybermilitia," believed to have launched similar cyber assaults on the republic of Georgia in August, Don Jackson, a researcher with Atlanta-based security provider SecureWorks told Computerworld.

The vast majority of the drones that are bombarding the Kyrgyz targets are located in Russia, Jackson said.

He speculated the attacks are connected to the Kremlin's pressure on Kyrgyzstan to end US access to the Manas Air Base, which the US military uses to support the war in Afghanistan.

3.2 “New DDoS Attack Based on Deluge of Dots”

Feb. 10, 2009
By Angela Gunn
http://www.betanews.com/article/New-DDoS-attack-based-on-deluge-of-dots/1234313732

A technique for worsening the effects of a DDoS-type attack uses a feature in the DNS system that was designed to be helpful. Patching it could involve reconfiguring millions of domain-name servers, or even rethinking how the system works.

A DDoS attack, of course, involves bombarding a target site with garbage so no other traffic can get through. Some attackers, especially the ones who do these attacks for a living (think extortion), use amplification techniques that increase the flow of packets while further disguising the true source of the onslaught. One of these, which SecureWorks is currently examining, leverages a feature in the domain name system, making it appear that the victim's computer is lost and in need of a list of all the root domain nameservers. That is a long list, and the forged command is quite short -- in fact, a tiny effort on the part of the attacker is therefore leveraged into a significant amount of DDoS distress.

Earlier forms of DNS amplification attacks were the subject of research scrutiny as early as 2006, and there are mitigation techniques that can be deployed by those who take the proper care when configuring their servers. However, those earlier techniques relied on recursion to function.
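To see why a referral to the root is such effective amplification, it helps to build both sides of the exchange on the wire. The Python below is an added example and is not from the article or from SecureWorks. It constructs the 17-byte '. IN NS' query that an attacker sends with the victim's forged source address, and the root-hints referral a name server sends back: 13 NS records for the root plus 13 A glue records, encoded with RFC 1035 name compression. The glue addresses are TEST-NET placeholders rather than the real root server addresses, and the TTL is assumed; the sizes and the amplification factor come out of the code, not from the article.

```python
import struct

ROOT_SERVER_LETTERS = "abcdefghijklm"   # a.root-servers.net ... m.root-servers.net


def _write_name(out, name, offsets):
    """Append `name` to the bytearray `out` in DNS wire format, replacing any
    suffix already written with an RFC 1035 compression pointer. This is what
    keeps a 26-record answer small enough to fit in one UDP datagram."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    while labels:
        suffix = ".".join(labels)
        if suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return
        if len(out) < 0x4000:            # pointers only address the first 16 KiB
            offsets[suffix] = len(out)
        out += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels = labels[1:]
    out += b"\x00"                        # the root label terminates the name


def build_root_ns_query(txid=0x1234):
    """The attacker's spoofed packet: a query for '. IN NS', 17 bytes on the wire."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    question = b"\x00" + struct.pack("!HH", 2, 1)                # QNAME '.', NS, IN
    return header + question


def build_root_hints_response(txid=0x1234, glue=None):
    """What a server answers from its root hints: 13 NS records for '.' in the
    answer section and an A glue record per server in the additional section.
    Glue defaults to constructed TEST-NET addresses, not the real ones."""
    if glue is None:
        glue = {l: f"192.0.2.{i + 1}" for i, l in enumerate(ROOT_SERVER_LETTERS)}
    ttl = 518400                                                   # assumed
    out = bytearray(struct.pack("!HHHHHH", txid, 0x8180, 1, 13, 0, 13))  # QR, RD, RA
    out += b"\x00" + struct.pack("!HH", 2, 1)                      # question echoed back
    offsets = {}
    for l in ROOT_SERVER_LETTERS:                                  # answer: '.' NS
        out += b"\x00" + struct.pack("!HHIH", 2, 1, ttl, 0)        # owner '.', NS, IN, TTL, RDLENGTH
        rdlen_at, start = len(out) - 2, len(out)
        _write_name(out, f"{l}.root-servers.net", offsets)
        struct.pack_into("!H", out, rdlen_at, len(out) - start)    # patch RDLENGTH
    for l in ROOT_SERVER_LETTERS:                                  # additional: glue A
        _write_name(out, f"{l}.root-servers.net", offsets)        # 2-byte pointer
        out += struct.pack("!HHIH", 1, 1, ttl, 4)                  # A, IN, TTL, RDLENGTH 4
        out += bytes(int(o) for o in glue[l].split("."))
    return bytes(out)


def amplification_factor():
    """Response bytes sent to the victim per forged query byte."""
    return len(build_root_hints_response()) / len(build_root_ns_query())


def is_root_ns_query(packet):
    """Detection helper: True for a query (QR=0) whose single question is
    '.' NS or '.' ANY. A server that is not a root server should see almost
    none of these from the open Internet."""
    if len(packet) < 17:
        return False
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount != 1 or packet[12] != 0:
        return False
    (qtype,) = struct.unpack("!H", packet[13:15])
    return qtype in (2, 255)


if __name__ == "__main__":
    q, r = build_root_ns_query(), build_root_hints_response()
    print(f"query {len(q)} bytes, response {len(r)} bytes, "
          f"amplification {len(r) / len(q):.1f}x")
```

Without EDNS0 the referral fits in a 512-byte UDP payload and comes out near 25x here; a server that honours a larger EDNS buffer, or that serves a DNSSEC-signed root, returns more bytes per forged query. Because the trigger packet carries the victim's address, nothing at the victim distinguishes the flood from legitimate replies, so mitigation has to sit elsewhere: ingress filtering of spoofed sources at the networks the queries leave (BCP 38), not answering '.' queries from arbitrary clients on servers that are not root servers, and rate-limiting repeated identical responses to one client. `is_root_ns_query` is the kind of check to run over an authoritative server's query stream: a burst of these from the Internet, all apparently from one address, is that address being attacked.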


3.3 “New and Improved Storm Botnet Morphing Valentine's Malware”

Feb. 11, 2009
By Kelly Jackson Higgins
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=213403915

The botnet formerly known as Storm is ramping up its ability to evade detection by automatically generating thousands of different variants of its malicious software each day as it spreads and recruits more bots.

Waledac -- the new and improved Storm -- is using its favorite holiday, Valentine's Day, to spread the love with signature phony greeting cards and romance-themed e-mail that Storm so infamously spread in the past. "Over the last 24 hours, we've seen over 1,000 new variants [of Waledac code]," says Pierre-Marc Bureau, a senior researcher with Eset, which expects Waledac to eventually pump out thousands of variants a day. "It was a bit lower than what we are expecting. It may not have reached many of our clients yet." That said, it is still a big jump from the 10 new versions a day Eset had seen the botnet creating, he adds.

3.4 “Crimeware Tracking Service hit by a DDoS Attack”

Feb. 17, 2009
By Dancho Danchev
http://blogs.zdnet.com/security/?p=2596

A week after a newly launched crimeware tracking service went public, cyber criminals did not hesitate to prove its usefulness by launching a DDoS attack against it. According to the Swiss security blog, the Zeus tracker came under attack from a previously known source that also attacked abuse.ch over a year ago taking advantage of a well-known do-it-yourself DDoS malware.

Just like November 2008’s DDoS attack against the anti-fraud site Bobbear.co.uk — with evidence that the attack was commissioned provided by Zero Day back then — the single most evident proof of the usefulness of your cyber crime tracking service always comes in the form of a direct attack against its availability.


3.5 “How Metasploit Turned the Tables on Its DDoS Attackers”

Feb. 18, 2009
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=214501208

At one point during the recent weeklong round of DDoS attacks on whitehat hacker site Metasploit, an anonymous hacker sent a blackmail message to Metasploit creator HD Moore.

"Some random guy [said], 'Give me all of your source codes,'" says Moore, who employed various counter-attacks to the series of DDoS assaults, which he describes as more annoying than destructive.

However, after stringing the purported blackmailer along for a while in order to trace him, Moore discovered the e-mail message had come from one of the bots in a botnet army that was flooding the Metasploit site. Moore says the e-mail may have been from someone other than the DDoS attackers; either way, Moore had no intention of falling for the blackmail.

The DDoS attacks began around Feb. 6 against security sites Metasploit, Immunity, Milw0rm, and Packet Storm, when a botnet flooded the sites' domains with HTTP requests. After a few days, the attacks focused entirely on Metasploit. Moore says the DDoS' incoming connection exceeded 15 Mbps with SYN packets sent to the www.metasploit.com and metasploit.com domains.

"They would follow over to the new IPs I had made," Moore says of his attempts to change DNSes and evade the attackers.

3.6 “Confirmed: Time Warner Cable Users Impacted by DDoS Attack”

Feb. 26, 2009
By Scott M. Fulton, III
http://www.betanews.com/article/Confirmed-Time-Warner-Cable-users-impacted-by-DDoS-attack/1235686812

When users of Time Warner Cable systems report issues concerning slow broadband performance affecting a wide region, they have been happy to see prompt responses from JeffTWC -- one Jeff Simmermon, who is the company's New York-based Director of Digital Communication. In recent days, though, Simmermon's Twitter feed has been exploding with complaints.

As it turns out, there is a serious reason for concern, as Simmermon explained in a longer-than-Twitter post late yesterday: Time Warner Cable systems are the apparent target of an orchestrated DoS attack.

"Over the past 7 days, hackers have launched a series of DOS attacks on Time Warner Cable's DNS servers, affecting customer experience in our Southern California and National regions," reads the statement served by A Long Reply. "Subscribers in those areas would have seen intermittent 'page cannot be displayed' errors as their DNS queries timed out. The outage did not result in DNS services being 100% unavailable; the outage was limited to sporadic timeouts which appeared to be random events."

Simmermon authenticated his comments to Betanews this afternoon (his name actually had not appeared in the actual reply, so we were the first to validate it, he told us). He was unable to provide specifics at the time about the nature of the attack, which is disabling some but not all DNS requests, in what appears to be a random pattern.

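The SYN flood Moore describes in the Metasploit item (Section 3.5) above leaves a trace that an HTTP flood does not: many connection attempts whose three-way handshake never completes, because the sources are spoofed or are bots that never send the final ACK. The Python below is an added example, not code from Metasploit or from Dark Reading. It runs a simple detector over constructed segment summaries (timestamp, source, destination, port, TCP flags); the one-second window, the 100-SYN threshold, the 20% completion cutoff and the 50-source "distributed" mark are assumed values to tune against your own baseline.

```python
from collections import defaultdict


def constructed_flows():
    """Constructed TCP segment summaries (ts, src, dst, dport, flags); not a real
    capture. Second 0: ten clients completing handshakes. Second 1: the same ten
    clients plus 300 SYN-only segments from 300 distinct spoofed sources that
    never send the final ACK."""
    flows = []
    for sec in (0, 1):
        for i in range(10):
            src = f"192.0.2.{i + 1}"
            flows.append((sec + 0.10 + i * 0.05, src, "203.0.113.10", 80, "S"))
            flows.append((sec + 0.20 + i * 0.05, src, "203.0.113.10", 80, "A"))
    for i in range(300):
        src = f"198.51.100.{i + 1}" if i < 254 else f"198.18.0.{i - 253}"
        flows.append((1.0 + i * 0.003, src, "203.0.113.10", 80, "S"))
    return flows


def detect_syn_floods(flows, window_s=1.0, syn_threshold=100,
                      max_completion=0.2, min_sources=50):
    """Bucket segments per (destination, port, time window) and flag a window
    when SYN-only segments exceed `syn_threshold` and the share of SYN sources
    that later send a bare ACK is below `max_completion`. A flash crowd also
    raises the SYN count, but its clients complete their handshakes."""
    buckets = defaultdict(lambda: {"syns": 0, "syn_sources": set(), "completed": set()})
    for ts, src, dst, dport, flags in sorted(flows):      # time order matters
        b = buckets[(dst, dport, int(ts // window_s))]
        if "S" in flags and "A" not in flags:             # SYN: handshake opened
            b["syns"] += 1
            b["syn_sources"].add(src)
        elif "A" in flags and "S" not in flags and src in b["syn_sources"]:
            b["completed"].add(src)                       # bare ACK: handshake done
    alerts = []
    for (dst, dport, win), b in sorted(buckets.items(), key=lambda kv: kv[0][2]):
        if b["syns"] < syn_threshold:
            continue
        completion = len(b["completed"]) / len(b["syn_sources"])
        if completion >= max_completion:
            continue
        alerts.append({
            "dst": dst, "port": dport, "window": win,
            "syns": b["syns"], "sources": len(b["syn_sources"]),
            "completed": len(b["completed"]), "completion": round(completion, 3),
            # Many sources at a low per-source rate: blocking addresses will not
            # help, only SYN cookies, upstream scrubbing or BCP 38 filtering will.
            "distributed": len(b["syn_sources"]) >= min_sources,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_floods(constructed_flows()):
        print(alert)
```

The completion ratio is what separates a flood from a flash crowd; the source count tells you whether blocking addresses is even an option. Real captures need one step this sample skips: retransmitted SYNs from the same client should be de-duplicated per connection four-tuple before the raw count is compared with the threshold, or a few clients on a lossy link will look busier than they are.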

3.7 “'Phishing' Attack Forces Bank to Shut Down Website”

Feb. 26, 2009
By TMCNet.com
http://www.tmcnet.com/usubmit/2009/02/26/4017403.htm

Bank of the Cascades' main Internet portal -- www.botc.com -- has been down since Monday in what bank officials believe is a targeted attack by hackers trying to set up a "phishing" operation.

"We have become the target of what we call a distributed denial of service attack," said Debbie Amerongen, an executive vice president of the bank.

Amerongen cautioned that the bank has not been hacked into nor has any consumer data been compromised. It is routing customers to its main Internet banking site -- www.netteller.com/botc -- which has not been targeted. The site allows customers full access to the bank's online banking and billpay features.


4 News Items from March 2009

4.1 “Denial of Service, The Pirate Bay Is Offline”

March 2, 2009
By Reuven Cohen
http://search.sys-con.com/node/860302

I guess my timing on my previous Hacking the Cloud post could not have been better. I just got word that "someone" is currently DDoS'ing the thepiratebay.org. Even more interesting, it may be a hijacked botnet causing the problem. More details as they come in.

According to the TorrentFreak website:

“A few hours ago The Pirate Bay website started to slow down, and eventually it became completely unresponsive. With the trial going on, the downtime instantly led to all kinds of rumors. However, there is nothing to worry about, the downtime is not related to the trial and people are on their way to bring the site back up.

At the moment, there is no estimate for when the site will return. The problem can’t be fixed remotely we were told. However, people are on their way to the ’secret’ location where the Pirate Bay hardware is located to find out what the problem is.

When we receive additional information, we’ll post an update here. The Pirate Bay’s trackers are still up so all the torrents that are downloaded already should work just fine.”

4.2 “Conficker Worm Targets Legitimate Travel Site”

March 3, 2009
By Chuck Miller
http://www.securecomputing.net.au/News/138707,conficker-worm-targets-legitimatetravel-site.aspx

The website for Southwest Airlines, along with a number of other legitimate sites, could face downtime due to the Conficker worm, according to a researcher.

Conficker (a.k.a. Downadup) infected some 10 million computers worldwide and joined them into a botnet. Each zombie machine is programmed to check in with approximately 250 URLs each day for more instructions, although there have yet to be any.

A few of these domains -- including a site that redirects to the official website of Southwest Airlines -- actually are legitimate Web destinations, researcher Mike Wood wrote in a post on the SophosLabs blog. That means that certain URLs could be overwhelmed by queries. In the case of Southwest, the compromised machines were set to contact the site on March 13.


4.3 “Member of the Botnet Underground Sentenced to 48 months in Prison”

Landmark conviction in the case of John Schiefer: the first US prosecution of its kind, for crimes committed with a botnet, concluded in March. John “Acidstorm” Schiefer, of Los Angeles, received a four-year prison sentence for using an army of infected computers to illegally obtain personal and financial data.

March 9, 2009
By Help Net Security
http://www.net-security.org/secworld.php?id=7142

Concluding the first prosecution of its kind in the nation, a man associated with the “botnet underground” received a sentence of 48 months in federal prison for using his “botnets” – armies of compromised computers – to steal the identities of victims throughout the country by extracting information from their personal computers and wiretapping their communications.

John Schiefer, 27, of Los Angeles, who used the online handle “acidstorm,” pleaded guilty last year to accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud. Schiefer was sentenced by United States District Judge A. Howard Matz, who also ordered the defendant to pay a $2,500 fine.

When he pleaded guilty, Schiefer admitted that he illegally accessed hundreds of thousands of computers in the US and that he remotely controlled these compromised machines through computer servers. Once in control of the “zombie” computers, Schiefer used his botnets to search for vulnerabilities in other computers, intercept electronic communications and engage in identity theft.

4.4 “BBC botnet Investigation Turns Hacks into Hackers”

BBC criticized for questionable purchase of underground botnet: the British Broadcasting Corporation (BBC) came under public scrutiny for purchasing a botnet of 22,000 computers from an underground community to demonstrate spam and DoS capabilities.

March 12, 2009
By John Leyden
http://www.theregister.co.uk/2009/03/12/bbc_botnet_probe/

An investigation by the BBC into cyber crime may have broken UK computer crime law.

BBC Click got its hands on a botnet of 22,000 compromised PCs from an underground forum. It used these machines to send spam to two accounts it had established with Gmail and Hotmail. The program also used these zombie machines to show how they might be used in a DoS attack.

After getting permission from security firm Prevx, which commented on camera but did not otherwise participate in the investigation, BBC Click used the compromised machines to flood a backup site run by the security firm with junk traffic.

BBC Click found that only 60 compromised machines were needed to render Prevx's site inaccessible.

The broadcaster then warned the owners of the infected computers that their machines were compromised, and advised on how to clean them, by changing their screensaver.

BBC Click claimed that "If the exercise had been done with criminal intent it would be breaking the law."


4.5 “Political Cyber Attacks to Militarize the Web”

March 12, 2009
By Fred O’Connor
http://www.networkworld.com/news/2009/031209-political-cyberattacks-to-militarizethe.html

Governments looking to silence critics and stymie opposition have added DDoS attacks to their censoring methods, according to a security expert speaking at the Source Boston Security Showcase.

As the use of DDoS for political gains increases, expect the Internet to become more militarized, said Jose Nazario, Senior Security Researcher at Arbor Networks Inc., in an address on Wednesday.

"I don't think anyone is going to die because of these attacks, or a phone won't work, but it is early," he said, noting that other weapons have evolved from less harmful initial forms.

In DDoS attacks, botnets, or a group of compromised computers used for malicious purposes, attempt to connect en masse to a victim's website. The server hosting the site is unable to respond to the abundance of communication requests and shuts down or returns pages so slowly that the site is essentially inaccessible.

4.6 “Russia Confirms Involvement with Estonia DDoS Attacks”

Russian officials confirm rumors regarding attacks on Estonia: Sergei Markov, a Russian State Duma deputy, confirmed speculation that members of Nashi, a pro-Kremlin youth movement, were behind the 2007 attacks on the Internet infrastructure of Estonia. The campaign comprised nearly 130 distinct DDoS attacks on Estonian websites, launched both from botnets and with ping-flood scripts passed around on forums.

March 13, 2009
By Chuck Miller
http://www.scmagazineus.com/Russia-confirms-involvement-with-Estonia-DDoSattacks/article/128737/

The long-rumored perpetrators of DDoS attacks during the 2007 conflict between Russia and Estonia were members of a youth group with ties to the Kremlin, a Russian State Duma deputy, Sergei Markov, confirmed to a number of news outlets.

The DDoS claim was made by an activist Konstantin Goloskokov, a member of Russia's Nashi youth group, according to Radio Free Europe. He said his action was independent of the state – he received no help from Nashi or Russian officials.

In 2007, Russian hackers were blamed for a politically motivated cyber attack on Estonian infrastructure. There were nearly 130 unique DDoS attacks on Estonian websites. Two kinds occurred – from botnets and from ping flood scripts passed around on forums. The attacks may have been prompted by the decision of Estonian officials to relocate a Russian World War II memorial.


4.7 “Geo-Location, Malware Combine in New Attack”

March 18, 2009
By Brian Prince
http://www.publish.com/c/a/Online-Media/GeoLocation-Malware-Combine-in-New-Attack/

The Waledac botnet is luring victims to a fake Reuters site with stories about terrorist attacks. In a twist, the rogue site uses the geo-location of the victim to customize the story to make it appear as though the attack is happening locally.

The minds behind the Waledac botnet are using the physical location of victims’ machines in a scheme to lure them with false news reports.

The e-mails, which have subject lines like "Why did it happen in your city?” claim that 18 people have been killed in an explosion and link to what appears to be a Reuters-related news site. Those who click on the link, however, end up on a malicious site that attempts to trick people into clicking on a video that appears to be breaking news about a terrorist attack.

In an interesting twist, the website does a GEO-IP lookup on the victim’s whereabouts and customizes the story to appear as though it relates to the victim’s location.

4.8 “Worm Grabs Routers for Botnet”

Worm targets Linux routers to assemble botnet: a worm dubbed “Psyb0t” has been targeting modems and routers running Linux on MIPSel hardware, assembling an ever-growing botnet and using it to launch DDoS attacks. As of late March, more than 100,000 devices were reported infected, and the researchers who found the worm warn that compromised routers could become a vector for the theft of personal and financial data.

March 25, 2009
By Newsdesk
http://www.server-management.co.uk/news.php?t=965

Psyb0t worm has already infected 100,000 hosts

Routers and modems that use Linux Mipsel are being attacked by the psyb0t worm and assembled into a botnet that is being used for DDoS attacks.

Routers are vulnerable if, in addition to being based on Linux Mipsel, they have telnet, SSH or Web-based interfaces available to the WAN and use a weak password for accessing their administration interface. The infection blocks ports 22, 23 and 80. If these ports are blocked, you should perform a hard reset on your device, change the administrative passwords, and update to the latest firmware. These steps will remove the rootkit and ensure that your device is not reinfected.

The researchers who found the problem are based at DroneBL, and the full details of the exploit are available here. They commented, "This technique is one to be extremely concerned about because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information."
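The remediation advice above hinges on one check: whether the router's telnet, SSH or Web interface answers on its WAN address at all. The Python below is an added example and is not from DroneBL or the article. `probe_ports` does a plain TCP connect to the three ports the worm abuses; the two fixture helpers exist only so the probe can be exercised against a loopback listener without network access. Run it from a host outside your own network against the router's WAN address, since from inside the LAN it says nothing about WAN exposure.

```python
import socket
import socketserver
import threading

# The SSH, telnet and Web interfaces the item above names; psyb0t blocks the
# same three ports once it has taken the device.
MANAGEMENT_PORTS = (22, 23, 80)


def probe_ports(host, ports=MANAGEMENT_PORTS, timeout=2.0):
    """Return {port: True if a TCP connect() to host:port succeeded, else False}.
    Connection refused, a filtered port and a timeout all count as not reachable;
    only an accepted connection counts as exposed."""
    result = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                result[port] = True
        except OSError:
            result[port] = False
    return result


def exposure_report(probe):
    """Turn a probe result into the decision the advice above hinges on."""
    exposed = sorted(p for p, reachable in probe.items() if reachable)
    if not exposed:
        return "no management interface reachable from this vantage point"
    return "exposed management ports: " + ", ".join(str(p) for p in exposed)


class _AcceptAndClose(socketserver.BaseRequestHandler):
    """Test fixture handler: accept the connection and close it again."""
    def handle(self):
        pass


def start_local_listener():
    """Test fixture: a throwaway TCP listener on an ephemeral loopback port.
    Returns (port, server); call server.shutdown() and server.server_close() when done."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _AcceptAndClose)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


def unused_local_port():
    """Test fixture: a loopback port with nothing listening (bind, read, release)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(exposure_report(probe_ports(target)))
```

A successful connect proves the interface is reachable, not that the password is weak, so a hit on 22, 23 or 80 is the cue to disable WAN-side administration (or restrict it to specific source addresses) rather than proof of infection. After an infection the same probe shows the opposite picture, because the bot blocks these ports; that sudden change is the symptom the article tells you to answer with a hard reset, new passwords and a firmware update.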


4.9 “Conficker Worm Authors Could Launch DDoS Attacks”

March 27, 2009
By Dan Raywood
http://www.scmagazineuk.com/Conficker-worm-authors-could-launch-DDoSattacks/article/129541/

Prolexic Technologies has enhanced its global network defense systems to protect against possible Conficker DDoS attacks.

Prolexic's Chief Technology Officer Paul Sop claimed that the general approach to Conficker, and other viruses designed to wreak havoc on compromised PCs, has been to address these at the source by updating virus scanning and PC protection software in order to disinfect compromised PCs.

However, he claimed that there is a threat to externally targeted businesses and networks, and attacks can be launched simultaneously from millions of PCs, similar to a DDoS attack.

4.10 “DDoS Attack Affects Half of GoGrid's Customers”

March 31, 2009
By Dawn Kawamoto
http://news.cnet.com/8301-1009_3-10208732-83.html

Hosting company GoGrid suffered a DDoS attack Monday afternoon that affected approximately half of its thousands of customers, co-founder David Hecht said on Tuesday.

The DDoS attack hit Monday afternoon, slowing customers' websites, creating latency issues, and making clients' websites inaccessible, Hecht said.

Although GoGrid was able to stabilize the situation by late Monday afternoon, getting most of its customers' sites back online, the company faced a decision whether to stay on course with a scheduled maintenance later that night or reschedule for another date.

The maintenance, which required GoGrid to take its portal down and troubleshoot support queries over the phone, was designed to expand its capacity, deploy minor bug fixes, and add additional improvements to the service.


4.11 “Some UltraDNS Customers Knocked Offline by Attack”

4.12 “Attack of the Mini-Botnets”

March 31, 2009

By Kelly Jackson Higgins

http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=216402026

Big-name botnets like Kraken/Bobax, Srizbi, Rustock, the former Storm -- and even the possible botnet-in-waiting, Conficker -- have gained plenty of notoriety, but the smaller, less conspicuous ones are doing the most damage in the enterprise.

These mini-botnets range in size from tens to thousands versus the hundreds of thousands, or even millions, of bots that the biggest botnets deploy. They are typically specialized and built to target an organization or person, stealing corporate and personal information, often without a trace. They do not attract the attention of the big spamming botnets that cast a wide net and generate lots of traffic; instead they strike quietly, under the radar.

"There's definitely specialization [in botnets] these days," says Joe Stewart, senior director of malicious software research for SecureWorks. "There are botnets designed for fraud, and they have been around for a while and don't seem to cross over [with the bigger spamming botnets]," he says.

These mini-botnets specialize in identity theft, fraud, and stealing corporate information, and are much more difficult to spot and infiltrate than a big spamming botnet. "We have to rely on the few anecdotal instances, where we've managed to get a look at the back-end," Stewart says.

4.11 “Some UltraDNS Customers Knocked Offline by Attack”

March 31, 2009

By Carolyn Duffy Marsan

http://www.networkworld.com/news/2009/033109-ultradns-service-attacked.html

NeuStar confirmed that some of its UltraDNS managed DNS service customers were knocked offline for several hours Tuesday morning by a DDoS attack.

"Early this morning, our monitoring systems detected a significant denial of service attack, which affected a small subset of our customers, in some cases for as long as a few hours," the Reston, Va. company said in a statement. "While we continue to investigate the cause, the extent, and the duration of the attack, service was completely restored by 10 a.m. EST."

NeuStar is a leading provider of high-availability DNS services to e-retailers including J.Jill and Diamond.com and high-tech companies, such as Oracle and Juniper.

Competitor Dynamic Network Services blogged about the UltraDNS outage earlier today, asserting that it affected Amazon.com, SalesForce.com, advertising.com and Petco.com.


5 - Analysis of Q1 Attack Trends

The first quarter of 2009 began with a fairly consistent level of DDoS activity, peaking no higher than 500 detected attacks in a 24-hour span and never falling below 200 for approximately the first 50-60 days of the quarter, as shown in Exhibit 5-1. February and early March saw a drastic increase in attacks, topping out at slightly more than 750 detected attacks in a single day. Before this spike, and over a period of several days, the number of detected attacks bottomed out at fewer than 100 in a given day.

Exhibit 5-1: Q1 2009 DDoS Activity [1]

Exhibit 5-2: DDoS Trends over the Past 12 Months [2]

[1] http://www.shadowserver.org/wiki/pmwiki.php/Stats/DDoSCharts

[2] Ibid.


When observing DDoS activity from the previous 12 months, 2009 Q1 pales in comparison, as depicted above in Exhibit 5-2. Since as far back as December 2008, the number of recorded attacks has remained steady.

Recent DDoS activity has primarily originated from host servers in Central Europe, Russia and China, as depicted in Exhibit 5-3. Targeted domains and computers are mainly located in the UK and Russia. This data differs very little from that observed in 2008 Q4.

Exhibit 5-3: Origins and Destinations of Recent DDoS Activity [3]

[3] http://www.shadowserver.org/wiki/pmwiki.php/Stats/DDoSMaps


6 - Analysis of Q1 Botnet Activity

The number of command and control (C&C) servers (machines that remotely maintain control over scores of computers infected with malicious code) monitored by the Shadowserver Foundation in the first quarter has increased gradually since mid-January, as seen in Exhibit 6-1. At any point during the first quarter, the minimum number of monitored C&C servers was slightly less than 2,400, while this figure peaked in early March at more than 3,300.

Exhibit 6-1: Q1 2009 Botnet Activity [4]

Exhibit 6-2: Botnet Activity within the Last 12 Months [5]

[4] http://www.shadowserver.org/wiki/pmwiki.php/Stats/BotnetCharts

[5] Ibid.


Exhibit 6-2 displays C&C server trends from the 12-month period beginning in April 2008 and extending to early April of this year. The first quarter is unique in that both the minimum and maximum number of C&C servers for the aforementioned 12 months are on record within this period.

Recently monitored C&C servers are most densely concentrated within the US and Europe (see Exhibit 6-3). These regions are often associated with containing the largest number of computers infected with malicious code, as many of the most industrialized nations reside within these regions, which possibly explains the dense concentration of bots. The proximity of many of these host servers to Russia, a nation synonymous with activities such as DDoS attacks, spamming, electronic fraud and the production of malicious code, may also provide the reasoning for the highest concentration existing in Central and Eastern Europe.

Exhibit 6-3: Recent C&C Activity [6]

[6] http://www.shadowserver.org/wiki/pmwiki.php/Stats/BotnetMaps


7 - Analysis of Actors and Motives

7.1 Actor Attribution

7.1.1 John “Acidstorm” Schiefer Receives Four-Year Prison Sentence

In a landmark decision, John Kenneth Schiefer (aka “acidstorm”) received a four-year prison sentence in early March for using botnets to steal personal and financial data from American citizens to commit fraud. The successful prosecution of Schiefer marks the first conviction of an individual using botnets to commit a crime in the US. In 2008, Schiefer pleaded guilty to accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud and bank fraud, after his apprehension as a part of “Operation Bot Roast,” an effort coordinated by the US Federal Bureau of Investigation in 2007 to identify infected computers used to comprise various botnets.

7.1.2 Russia Admits Involvement in 2007 Cyber Attacks on Estonia

In March, Russian State Duma Deputy Sergei Markov (see Exhibit 7-1) publicly confirmed to a number of media outlets rumors considered true for some time: “Nashi,” a pro-Russian youth movement with ties to the Kremlin, had carried out a number of the DDoS attacks that crippled the Internet infrastructure of Estonia in 2007. A prominent member of Nashi named Konstantin Goloskokov (see Exhibit 7-2) previously claimed public responsibility for the attacks on behalf of Nashi. According to SCMagazine, “nearly 130 unique DDoS attacks on Estonian websites” occurred “from botnets and from ping flood scripts passed around on forums.” [9]

7.2 Analysis of Motives

There are primarily four driving forces for malicious actions: political, financial, revenge and sheer enjoyment. In any given quarter, each specific incident may be categorized as having been committed for one of these driving factors. Below are the categorizations of specific cyber incidents from the first quarter of 2009 with a brief explanation of each.

A. Political:

1) Section 3.1: Ongoing DDoS attacks targeting Kyrgyzstan and purportedly originating in Russia may have occurred because Kyrgyzstan allowed American forces in Afghanistan to use a Kyrgyz air base for their operations.

2) Section 4.6: Russian State Duma Deputy Sergei Markov publicly confirms rumors that a pro-Kremlin youth movement played a vital role in the 2007 DDoS attacks on the Internet infrastructure of Estonia.

B. Financial:

1) Section 2.6: A botnet consisting of approximately 9,000 computers launched a wave of extortion DDoS attacks on Techwatch, a digital television portal. The perpetrators purportedly demanded monetary funds or else Techwatch risked being taken offline.

2) Section 3.7: A DDoS attack targeting the home page of the Bulletin Bank of the Cascades knocked the site offline as a cover for setting up a phishing operation.

3) Section 4.3: John Schiefer, a member of the “botnet underground,” received a four-year prison sentence stemming from the use of infected computers to steal a variety of personal and financial data.

Exhibit 7-1: Sergei Markov [7]

Exhibit 7-2: Konstantin Goloskokov [8]

[7] http://www.hamovhotov.com/timeline/?p=995

[8] http://www.postimees.ee/120208/esileht/valisuudised/311431.php

[9] Miller, Chuck. “Russia confirms involvement with Estonia DDoS attacks,” SCMagazine, http://www.scmagazineus.com/Russiaconfirms-involvement-with-Estonia-DDoS-attacks/article/128737/, March 12, 2009.


C. Revenge

1) Section 3.4: The Zeus tracker, a project that monitors domains hosting banking malicious code, came under attack less than a week after coming online. Sources state that the perpetrators are likely those responsible for attacking abuse.ch, a Swiss security site, in 2008.

2) Section 3.5: Metasploit, a resource for whitehat hackers, became the target of a series of DDoS attacks from a botnet beginning in early February. The creator of Metasploit, HD Moore, received an e-mail message demanding the source code for the tool or else risked blackmail. Through a bit of detective work, Moore conversed with the hacker and managed to trace the e-mail to its origin.

D. Undetermined

1) Section 2.1: A Web page pretending to belong to Barack Obama attempted to entice Internet users into clicking a news story stating that Obama refused to take office; however, clicking the story would infect a computer with malicious code and add it to an existing botnet.

2) Section 2.3: Network Solutions, a Web hosting company, became the target of an unexplained DDoS attack that resulted in disruption of DNS query resolution.

3) Section 2.5: A Trojan embedded in Photoshop for Mac computers, OSX.Trojan.iServices.B, is currently circulating. The first version of this Trojan downloads malicious code for carrying out DDoS attacks on targeted Web pages.

4) Section 3.6: Attackers targeted Time Warner Cable systems over a period of at least one week in a series of attacks resulting in connection time-outs.

5) Section 4.1: File-sharing giant, The Pirate Bay, hosted in Sweden, fell victim to a DDoS attack reportedly from a botnet as the trial of the site founders took place.

6) Section 4.8: Routers and modems operating on Linux Mipsel became the target of a worm known as “psyb0t” and were assembled into a botnet said to be executing DDoS attacks.

7) Section 4.10: GoGrid, a hosting company, came under attack, which resulted in client websites becoming inaccessible.

8) Section 4.11: A targeted DDoS attack knocked customers of UltraDNS, the managed DNS service of Virginia-based provider NeuStar, offline.


8 - Methodology

8.1 Aggregation of Important News Items Pertaining to DDoS Attacks

The iDefense Threat Intelligence Team generates a focused compilation of news items pertaining to prolific and large-scale DDoS attacks that occur within a given quarter of the business year. The team analyzes an array of items using various search techniques, which include the use of news aggregators such as Lexis-Nexis and Google Reader, keyword searches via Google, and scanning through iDefense publications. Relevant news items include DDoS attacks that have taken place during the timeframe of the given report and new developments that surface concerning past incidents that occurred outside the timeframe of a given quarter. iDefense then aggregates and categorizes the relevant items under the month of the given period in which they are dated and labels them with the title of the news article. For further clarification, each item contains a date, a link to the original Web posting and the credentials of the author when applicable.

8.2 Aggregation of Attack Trends

To provide a clear picture of the number of cyber attacks that take place during a given quarter, the iDefense Threat Intelligence Team uses free data provided by The Shadowserver Foundation, a Web-based organization comprised of volunteer security professionals with the goal of providing insight regarding the “darker side of the Internet.” The Shadowserver data includes:

1. The trends and fluctuations pertaining to DDoS attacks and botnet activity within the past 90 days.

2. The trends and fluctuations pertaining to DDoS attacks and botnet activity within the past 12 months.

3. Geographical data pertaining to the origins and targets of the recent DDoS attacks.

4. In-depth geographical data pertaining to the size and locations of C&C servers hosting such attacks.

The ultimate goal of providing such data is to paint a clear picture of where the majority of these DDoS attacks originate and the paths they take, not only for a given quarter but also to provide further insight for future reports.

© 2009 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the checkmark circle, iDefense and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for iDefense customers and personnel only. The reproduction and distribution of this material is forbidden without express written permission from iDefense.
