Wednesday, December 15, 2010

DDDoS: a Diverse Distributed Denial of Service. A 3DoS.

If Anonymous has taught us anything it’s that the future of information security is in fending off attacks across the breadth and depth of the network stack – and the data center architecture – at the same time. Traditionally, DDoS attacks are so named because the clients are distributed; that is, they take advantage of appearing to come from a variety of locations as a means to prevent detection and easy prevention. It’s about the massive scale of a single type of attack as launched by a single attacker (individual or group). But the WikiLeaks attacks have not just been distributed in the sense that it is a concerted effort by distributed attackers to take out sites, it’s been distributed in the sense that it spans the network stack from layer 2 through layer 7. It’s not just a DDoS, it’s a DDDoS: a Diverse Distributed Denial of Service. A 3DoS.

The result is a flash-crowd style flood of attacks that overwhelm not only the site, but its infrastructure. Firewalls have become overwhelmed, ISPs have been flooded, services have been disrupted. All because the attacks are not a single concerted effort to disrupt service but a dizzying array of SYN flood, TCP connection flooding, pings of death, excessive HTTP headers and SlowLoris, and good old fashioned HTTP GET flooding. These attacks are happening simultaneously, directed at the same service, and they’re doing a good job in many cases of achieving their goal: service outages. That’s because defeating an attack is infinitely easier than detecting it in the first place, particularly at the application layer. It’s nearly impossible for traditional security measures to detect because many of the attacks perpetrated at the application layer appear to be completely legitimate requests; there’s just a lot more of them.

Traditional solutions aren’t working. Blocking the attack at the ISP has proven to be too slow and unable to defend against the (new) distributed nature of these attacks. Firewalls have buckled under pressure, unable to handle the load, and been yanked out of the line of fire, being replaced with other technology more capable of fending off attacks across the entire network stack. And now it’s been reported that a JavaScript DDoS is in the works, aimed again at MasterCard.


What this means is organizations need to be thinking of security as spanning all attack vectors at the same time. It is imperative that organizations protect critical applications against both traditional attack vectors as well as those at the application layer disguised as legitimate requests. Organizations need to evaluate their security posture and ensure that every infrastructure component through which a request flows can handle the load in the event of a massive “3DoS”. It’s not enough to ensure that there’s capacity in the application infrastructure if an upstream network component may buckle under the load.

And it’s costly to leverage virtualization and cloud computing as a means to automatically scale to keep ahead of the attack. The price of uptime may, for some organizations, become overwhelming in the face of a targeted 3DoS as more and more capacity is provisioned to (hopefully) handle the load.

Organizations should look for strategic points of control within their architectures and leverage capabilities to detect and prevent attacks from compromising availability. In every data center architecture there are aggregation points. These are points (one or more components) through which all traffic is forced to flow, for one reason or another.

For example, the most obvious strategic point of control within a data center is at its perimeter – the router and firewalls that control inbound access to resources and in some cases control outbound access as well. All data flows through this strategic point of control and because it’s at the perimeter of the data center it makes sense to implement broad resource access policies at this point. Similarly, strategic points of control occur internal to the data center at several “tiers” within the architecture. For web applications, that strategic point of control is generally the application delivery controller (load balancer for you old skool architects). Its position in the network affords it the ability to intercept, inspect, and manipulate if necessary the communications occurring between clients and web applications.

These points of control are strategic precisely because their topological location within the architecture provides the visibility necessary to recognize an attack at all layers of the network stack and apply the proper security policies to protect resources downstream that are not imbued with a holistic view of application usage and therefore cannot accurately determine what is legitimate versus what is an attack.
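The visibility argument above is easiest to see in code. The following is an added example, not code from the original post or from any vendor's product: it correlates connection-state events (layer 4) and request events (layer 7) as a single aggregation point such as a load balancer would see them, and flags three of the patterns the post lists (a SYN flood, a slow-header hold in the SlowLoris style, and a flood of well-formed GETs). The log format, the threshold values and the client addresses (RFC 5737 documentation ranges) are all constructed for the illustration.

```python
"""Correlate layer-4 and layer-7 events seen at one aggregation point.

Example code added to this page; it is not part of the original post and
does not model any specific product. The log format, thresholds and client
addresses below are constructed for illustration only.
"""
from collections import defaultdict

# Constructed event log in the shape an aggregation point might record:
# "<seconds> <client> <layer> <detail>". Layer "tcp" carries connection
# state ("syn", "established"); layer "http" carries request events.
SAMPLE_LOG = "\n".join(
    # Legitimate client: a few completed handshakes, each followed by a request.
    [f"{t:.1f} 203.0.113.10 tcp syn" for t in (1, 3, 5)]
    + [f"{t:.1f} 203.0.113.10 tcp established" for t in (1, 3, 5)]
    + [f"{t:.1f} 203.0.113.10 http GET /index.html" for t in (1, 3, 5)]
    # Client A: a burst of individually legitimate-looking GETs.
    + [f"{0.2 * i:.1f} 198.51.100.7 http GET /" for i in range(40)]
    # Client B: connections opened but request headers never completed.
    + [f"{0.5 * i:.1f} 198.51.100.8 tcp established" for i in range(8)]
    + [f"{0.5 * i + 0.1:.1f} 198.51.100.8 http header_incomplete" for i in range(8)]
    # Client C: many SYNs, almost none finishing the handshake.
    + [f"{0.1 * i:.1f} 198.51.100.9 tcp syn" for i in range(50)]
    + [f"{0.5 * i:.1f} 198.51.100.9 tcp established" for i in range(2)]
)


def parse(log_text):
    """Turn the constructed log format into (timestamp, client, layer, detail) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, layer, detail = line.split(" ", 3)
        events.append((float(ts), src, layer, detail))
    return events


def detect(events, window=10.0, get_threshold=20,
           incomplete_threshold=5, syn_threshold=20):
    """Count per-client behaviour inside fixed time windows and label outliers.

    Because one vantage point sees both the TCP state and the HTTP requests,
    the same client record can be judged on either layer; a component that
    sees only one layer cannot make the cross-layer comparison.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, layer, detail in events:
        bucket = (src, int(ts // window))
        if layer == "tcp":
            counts[bucket][detail] += 1            # "syn" or "established"
        elif layer == "http" and detail.startswith("GET "):
            counts[bucket]["get"] += 1
        elif layer == "http" and detail == "header_incomplete":
            counts[bucket]["header_incomplete"] += 1

    findings = defaultdict(set)
    for (src, _), c in counts.items():
        if c["get"] > get_threshold:
            findings[src].add("http_get_flood")
        if c["header_incomplete"] > incomplete_threshold:
            findings[src].add("slow_header_hold")
        # SYNs that never become established connections: half-open pressure.
        if c["syn"] - c["established"] > syn_threshold:
            findings[src].add("syn_flood")
    return {src: sorted(labels) for src, labels in findings.items()}


if __name__ == "__main__":
    for client, labels in detect(parse(SAMPLE_LOG)).items():
        print(client, ", ".join(labels))
```

The thresholds are deliberately low so the constructed log trips them; in practice they are set from a baseline of normal traffic, and a client address is a weak key (many legitimate users share one address behind NAT), so a finding like `http_get_flood` is a reason to rate-limit or challenge, not to block outright.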

Old notions of “security” have to evolve, especially as the application itself becomes an attack vector. The traditional method of deploying individual point solutions, each addressing a specific type or class of attack, is failing to mitigate these highly distributed and diverse attacks. It’s not just the cost and complexity of such a chained security architecture (though that is certainly a negative) it’s that these solutions are either application or network focused, but almost never both. Such solutions cannot individually recognize and thus address 3DoS attacks because they lack the context necessary to “see” an attack that spans the entire network stack – from top to bottom.

An integrated, unified application delivery platform has the context and the visibility across not only the entire network stack but all users – legitimate or miscreant – accessing the applications it delivers. Such a platform is capable of detecting and subsequently addressing a 3DoS in a much more successful manner than traditional solutions. And it’s much less complex and costly to deploy and manage than its predecessors.

The success of Anonymous in leveraging 3DoS attacks to disrupt services across a variety of high-profile sites will only serve to encourage others to leverage similar methods to launch attacks on other targets. As the new year approaches, it’s a good time to make an organizational resolution to re-evaluate the data center’s security strategy and, if necessary, take action to redress architectures incapable of mitigating such an attack.

Wikileaks movie....what all the fuss is about!

We have reverse engineered the opt in bot net malware (LOIC)

We have reverse engineered the opt in bot net malware (LOIC) and have been briefing our large global online presences on this particular threat as we provide ongoing threat alerts and briefings as part of our service.

As as sign of good will and information sharing, we are available to brief you as well - perhaps there will be some valuable data that could be of use to your organisation.

Feel free to get in touch to arrange a date and time.

How was it that a loosely-coupled group of cyber-protestors could launch -- with varying degrees of success -- targeted distributed denial-of-service (DDoS) attacks against sites such as MasterCard, PayPal, PostFinance, and the website belonging to a Swedish prosecutor?
Turns out it's quite simple. All an attacker need do is download the open source network stress testing tool known as LOIC (the Low Orbit Ion Cannon) that is widely available. Launching an attack with LOIC is mind-numbingly easy: just point and shoot. LOIC will then flood the target with HTTP requests, UDP and TCP packets.

Those participating in the pro-Wikileaks riots could operate on their own, or choose to connect their system to the "LOIC Hivemind" voluntary botnet that is centrally controlled by those behind Operation Payback.
Since the launch of the attacks, LOIC has been downloaded nearly 70,000 times.
Cyber protestors engaging in digital rioting such as website defacements, denial-of-service attacks, and even inserting messages in malware have existed for some time. Nor is it new that such attackers are highly connected. They have been socializing on message boards and instantly communicating in Internet Relay Chat for many years.
What is new is the ease with which a tool such as LOIC can be put into action. "LOIC is extremely easy to use. It is designed so someone with little or no technical knowledge can quickly download and install it, and participate in DDoS activities," said Alex Cox, principal analyst at security firm NetWitness. "It also has the ability to be remotely controlled by a central IRC server, so that more technically competent operators can direct attacks en masse at targets, regardless of the participant's technical knowledge."
"There is a false belief that we are fending off casual attackers," said Joshua Corman, research director, enterprise security at the 451 Group. "However, I don't think the casual attacker exists any more. Just consider how powerful tools like Metasploit have become. There's also the malware kits that make obfuscating malware or building botnets trivial. You don't need to know anything to launch a successful attack anymore," said Corman.
Anyone on the receiving end of a LOIC packet burst would be sure to agree, and how technically savvy the attacker happens to be is made moot by the ease and power of the attack.
Cox agrees: "The attacker landscape is moving more toward "point-and-click" attack and exploitation tools. This is reflected in the many crimeware systems available in the underground, which includes DDOS, do-it-yourself botnet kits (Zeus, Spyeye, and many others) as well as exploit kits," he said. "In the past you had to have a certain amount of technical skill to participate, but now anyone can."
For security practitioners the big story within the pro-Wikileak and LOIC attacks may not have much to do about Wikileaks and the legalities or the politics of it all -- and everything to do about how swiftly, and easily, online attackers can be called into action against any target they wish.

Monday, December 13, 2010

Friday, December 10, 2010

Police arrest boy of 16 over WikiLeaks attacks

Twitter and Facebook have also deleted accounts believed to be affiliated with Anonymous

Dutch authorities have arrested a 16-year-old boy in relation to the cyberattacks against Visa, MasterCard and PayPal, which were aimed at punishing those companies for cutting off services to WikiLeaks.
The boy was arrested in The Hague, and he will be arraigned before a judge on Friday in Rotterdam, according to a press release from the Netherlands' Public Prosecution Service. The boy, whose computer equipment was seized, has allegedly confessed to taking part in the attacks.
The Public Prosecution Service said he is likely part of a larger group of hackers.
The arrest follows a series of distributed denial-of-service (DDOS) attacks aimed at websites that have been critical of WikiLeaks, which has been releasing portions of 250,000 secret US diplomatic cables since late last month. The attacks seek to overwhelm websites and services by sending streams of meaningless traffic.
Part of the attacks originated in the Netherlands and the main site coordinating the attacks,, was hosted in a Dutch data center in Haarlem. The site has been down since police action on Wednesday.
Right after the police found out that there were cyberattacks coming from the Netherlands, the Team High Tech Crime started an investigation, the Dutch attorney general reported.
The attorney general also noted that "probably thousands of computers" took part in the attacks. The police are still investigating and will probably arrest more people.
Since the release of the documents began, several companies have decided to cut WikiLeaks off from their services, including PayPal, MasterCard, Visa and the Swiss payment transaction firm PostFinance, where WikiLeaks founder Julian Assange held an account.
In response, a loose affiliation of hackers called Anonymous have orchestrated DDoS attacks against those websites over the past two days or so, knocking many of the sites offline. The group has dubbed that effort "Operation: Payback." Other websites that have been attacked include those of vocal critics of WikiLeaks, including US Senator Joseph Lieberman and former Alaska Governor and vice presidential candidate Sarah Palin.
Twitter and Facebook have also deleted accounts believed to be affiliated with Anonymous.
On Thursday, BBC Radio 4 broadcast an interview with a 22-year-old who goes by the nickname "Cold Blood" and claims he is part of Anonymous. Cold Blood, who appeared in the BBC's studios, said that more people were downloading a botnet tool that enables them to perform a DDoS attack.
The campaign is aimed at companies that have decided not to deal with WikiLeaks, Cold Blood said, and is also a protest against what Anonymous believes is increasing control over the Internet by governments and the European Union.
"We are trying to keep the Internet open and free for everyone," said Cold Blood, who described himself as a software engineer.
WikiLeaks and its founder and editor Assange have come under fierce criticism from U.S. government officials and politicians for releasing the information, which is believed to have been leaked to the site by US Army Private Bradley E. Manning.
Manning has been charged with mishandling and transferring classified information in connection with the cables and a video of an Apache helicopter shooting civilians in Iraq.

New "Darkness" Botnet as Ominous as It Sounds

Security researchers are in a tizzy over a new botnet they’re calling “Darkness,” or if you want the full name, “Destination Darkness Outlaw System” (D.D.O.S.), ComputerWorld reports.
Here’s the sales pitch — for just $50, Darkness operators promise their clients they’ll be able to flummox large sites with an army of just 1,000 bots, and security experts don’t doubt that claim.
“Upon testing, it was observed that the throughput of the attack traffic directed simultaneously at multiple sites was quite impressive,” said the Shadowserver Foundation. “As with BlackEnergy, ‘Darkness’ is easy to purchase, easy to deploy, and is very effective and efficient in what it does.”
Darkness botnet operators advertise a laundry list of devious features, including the ability to pick several URLs for each site, the ability to overwhelm an average site with just 30 bots, the ability to run as a Windows service, the inclusion of both an English and a Russian GUI, and much more.
“It now appears that ‘Darkness’ is overtaking BlackEnergy as the DDoS bot of choice,” Shadowserver Foundation notes. “There also appear to be no shortage of buyers looking to add ‘Darkness’ to their botnet arsenal.”

Operation Leakspin....

If this image is to be believed—and I have no reason not to, other than that I found it on the internet—the rebel squadrons behind Anonymous (attn. "news" hacks - that would be an entirely different group from Wikileaks and/or Wikipedia) are about to change their approach. So far, as we've witnessed, they have been launching point-and-click distributed denial of service (DDoS) attacks at companies perceived as the enemies of Wikileaks. Those targets included Mastercard, Paypal, and Visa (companies that froze donation funding), and Amazon (which denied hosting services). The new approach suggests more sophisticated thinking. This new mission, apparently, is to actually read the cables Wikileaks has published and find the most interesting bits that haven't been publicized yet, then publicize them.
In my opinion, this action would have far more positive impact. Anonymous often repeats the Orwell quote, "In a time of universal deceit, telling the truth becomes a revolutionary act." Looks like they decided to take those words to heart.

Wednesday, December 8, 2010

Wikileaks a stirring pot...!

DDoS Wars ...and now Mastercard!

Online hacktivist collective Anonymous, operating under the banners Operation:Payback and "Operation Avenge Assange" have launched a series of DDoS attacks against organisations and people seen as being opposed to Wikileaks and its spokesman Julian Assange.
Meanwhile, Operation:Payback itself has been subjected to counter-DDoS attacks thought to originate with US "patriotic" contra-hacktivistas.
Sites attacked by the Anonymous group have included, belonging to the Swiss bank which recently froze an account controlled by Assange, and also - the main blog operated by PayPal, targeted for refusing to process Wikileaks contributions. DNS outfit EveryDNS has also come into the Operation:Payback gunsights for cutting off Wikileaks' DNS service, saying that online attacks targeted at the leak site were crippling its other customers.
Over the last couple of days, other sites have been DDoS'd for various reasons by the Anonymous group, including the Swedish lawyers representing the women Assange is alleged to have committed sexual offences against. Charges made by Swedish prosecutors have since resulted in the issue of a European arrest warrant and Assange was yesterday cuffed in London: British judges have elected to refuse bail and the colourful Wikileaks impresario is now in jail pending an extradition hearing.
This process has angered the members of Operation:Payback sufficiently that they have also elected to mount strikes against the website of the Swedish prosecutors' office and briefly, according to anonymous* claims received by the Reg, against Interpol. (Interpol did issue a "Red Notice" calling for Assange's arrest at the behest of Swedish authorities, but in fact this has no relevance for British police dealing with a request from another EU nation: in such cases a European warrant is required for the UK cops to act.)
Yesterday, the Anonymous hacktivists decided to attack the site of US Senator Joe Lieberman as well, presumably as a result of remarks he has made describing Wikileaks operations as crimes violating the US Espionage Act - and hinting that Wikileaks' mainstream-media partners, collaborating on trawling and redacting files prior to public release, have violated the law also.
Some Operation:Payback members also elected to attack the site of former Alaska governor and vice-presidential candidate Sarah Palin for suggesting that Assange should be hunted down like a terrorist.
The Anonymous attacks have been run through a chatroom, with users attaching their computers to a voluntary botnet for use in the DDoS strikes. Panda Security reported that as the Lieberman attacks began there were almost 1,000 users in the chatroom and nearly 600 machines in the botnet.
Naturally enough Operation:Payback itself has been subject to counter-DDoS efforts of varying strength almost since it began, but following the decision to attack Lieberman's official US government site the Anonymous operation began to be hit much harder and suffered dozens of outages itself, one lasting almost two hours. Panda Security analysts assessed that the intensified counter-DDoS attacks were coming from self-described American "patriot" hackers - playing contra to the Anonymous hacktivistas, perhaps.
Meanwhile US Army private soldier Bradley Manning, believed to have supplied not only the vast stash of diplomatic cables now being drip-fed by Wikileaks but most of its previous significant material as well (the Baghdad gunship videos, Iraq and Afghanistan "war logs" etc) remains in military prison charged with an array of security violations. His name is seldom mentioned any more in the ongoing saga of Wikileaks, Assange and the online scufflers aligned with and against them.
Operation:Payback uses a banner quote from John Perry Barlow, a founder of the Electronic Frontier Foundation:

Friday, December 3, 2010

“Mega-D” botnet taken down

Federal investigators have identified a 23-year-old Russian man as the mastermind behind the notorious “Mega-D” botnet, a network of spam-spewing PCs that once accounted for roughly a third of all spam sent worldwide.
According to public court documents related to an ongoing investigation, a grand jury probe has indicted Moscow resident Oleg Nikolaenko as the author and operator of the Mega-D botnet.
Federal agents settled on Nikolaenko thanks to information provided by Lance Atkinson, an Australian man named as a co-conspirator in the “Affking” e-mail marketing and counterfeiting operation that was shuttered in 2008 after investigations by the FBI, the Federal Trade Commission and international law enforcement authorities. The Affking program generated revenues of $500,000 a month using spam to promote counterfeit Rolexes, herbal “male enhancement” pills and generic prescription drugs.
As part of his guilty plea to spam violations, Atkinson provided investigators information on the top spammers who helped to promote the Affking products. Among them was an affiliate who used the online nickname “Docent,” who earned nearly $467,000 in commissions over a six month period in 2007.
Atkinson told investigators that Docent’s commissions were sent to an ePassporte account, under the name “Genbucks_dcent,” that was tied to the e-mail address “” Records subpoenaed by the grand jury found that the ePassporte account was registered in Nikolaenko’s name to an address in Moscow.
According to court documents, investigators found numerous executable files in Docent’s Gmail inbox. Those files were analyzed by researchers at SecureWorks, an Atlanta-based security firm, which found them to be samples of the Mega-D malware.
Update: [Nikolaenko was reportedly arrested in the United States recently. See update at the end, after the jump.]

But U.S. investigators missed at least two chances to apprehend Nikolaenko: The grand jury said a review of U.S. State Department records indicate that Nikolaenko entered the United States in Los Angeles on July 17, 2009, and left the country ten days later. He returned to the U.S. on Oct. 29, 2009, entering from New York and visiting Las Vegas before exiting the country on Nov. 9 from Los Angeles.
Investigators say Nikolaenko was supposed to leave Los Angeles on Nov. 11, but cut his trip short by two days. They concluded that the 23-year-old left early because he wanted to get home to repair damage that security experts had inflicted on his botnet. On Nov. 4, 2009, researchers from Milpitas, Calif.-based FireEye executed a “stun” attack on Mega-D by seizing control over the botnet’s control networks.
“Based on the timing of the Fireeye attack on the Mega-D botnet, I believe that Nikolaenko left the U.S. early to repair damage caused by Fireeye,” wrote Special Agent Brett E. Banner, in the government’s complaint against Nikolaenko.
After the FireEye takedown, spam from Mega-D all but disappeared. But in the days following his return to Moscow, the botnet recovered gradually, and by Nov. 22, spam from Mega-D was back to pre-takedown activity levels. By Dec. 13, Mega-D was responsible for sending nearly 17 percent of spam worldwide, according to security vendor M86 Security.
Joe Stewart, a senior security researcher at SecureWorks, said that at the beginning of Nov. 2009, there were at least 120,000 computers infected with Mega-D that were relaying spam, but Stewart said he hasn’t seen any signs of activity from Mega-D over the past several months.
While Mega-D may be dead, information obtained by suggests that Nikolaenko has nonetheless continued spamming, and that, until at least June 2010, he was a top-earning affiliate for Prior to its closure at the end of Sept. 2010 — Spamit was the world’s most active affiliate program for promoting knockoff prescription drugs.
A Spamit affiliate using the same “” address made nearly $81,000 in the first five months of 2010 promoting online pharmacies for Spamit. The earnings were deposited into the same “Genbucks_dcent” ePassporte account named in the criminal complaint against Nikolaenko. It’s not clear whether Nikolaenko was able to enjoy all of those earnings: ePassporte also went belly-up in September, leaving thousands of customers without access to millions of dollars in funds.
Update, Dec. 2, 5:40 p.m. ET: The Milwaukee-Wisconsin Journal Sentinel reports that Nikolaenko was arrested after entering the United States to attend a car show in Las Vegas. He is scheduled to make his initial court appearance in Milwaukee on Friday.

Wikileaks Domainless

The DNS of and have been erased in a move that may torpedo efforts to access the websites.
Amazon has terminated its cloud services relationship with the whistleblower site after pressure from a US government committee, according to a US senator.

The websites can still be accessed via their IP addresses - and, respectively, according to a Wikileaks list of IP address mirrors. Alternatives are also on the mirror site.
However, the DNS registration that allows a user to enter an alphabetical web address, such as, no longer exists. Users attempting to type in the address will be served a blank page.
Wikileaks' DNS provider pulled the DNS registration at 10pm EST (3am GMT) after the site suffered a massive distributed denial-of-service (DDoS) attack. said in a post on its site that it had done so because the DoS contravened acceptable use policy.