Showing posts with label Botnet. Show all posts

Wednesday, June 22, 2011

World Cup DDoS blackmailer sentenced to jail


A court in Düsseldorf, Germany, has convicted a man who extorted money out of online gambling websites in the run-up to the 2010 Football World Cup in South Africa.
The Frankfurt man, who has not been identified, successfully blackmailed three online betting sites (and attempted to extort money from three others) by threatening them with distributed denial-of-service (DDoS) attacks which could have blasted them off the internet.
According to German media reports, the blackmailer hired a botnet for $65 per day and told the betting firms that he would make their websites unavailable during July 2010 - the month of the World Cup - if they did not pay him 2,500 Euros ($3,700). When three of the sites refused to pay any money, the man reduced the ransom to 1,000 Euros.

http://news.hitb.org/content/world-cup-ddos-blackmailer-sentenced-jail

Tuesday, May 24, 2011

Cybercrooks turn Eve Online into botnet battlefield

Fun-spoiling, DDoSing thieves farm virtual gold to sell for cold hard cash

Crooks using online games to farm virtual currencies that they can sell for real money have turned internet spaceship game Eve Online into a battlefield for botnets.
Eve Online is home to various rival groups who generate in-game currency for gamers who want to join in without spending their time acquiring experience and resources by working their way up from the bottom. Rival groups from eastern Europe are using botnets to DDoS opponents before taking over their territories. Regular gamers are often caught in the cross-fire of multi-pronged attacks that might occur in game, via DDoS attacks on forums, over VoIP communication systems and late night prank phone calls. Game servers have taken a hit in the process.
Gold farmers are known for using Trojans to gain control of compromised accounts. The Eve Online baddies have taken a different tack through attacks that swamp forums with junk traffic.

Chris Boyd, a senior threat researcher at GFI Software and gaming security expert, said that Eve Online's difficulties are a part of wider problems in virtual worlds.
"Gold farmers can cause the price of in-world items to rise, chat channels can be flooded by sale scams, endless bots and automated processes can cause significant server load," Boyd told El Reg. "That's before you get to the problems created by phishing, hacking and scamming established and profitable accounts."
Boyd (AKA paperghost) agreed that the miscreants on Eve Online are taking it up to 11.
"The idea that there are effectively dead systems filled with nothing but spambots and hostile empires that are happy to do battle outside of their gaming realm by DDoS'ing websites and making prank phonecalls is a fascinating insight into the troubles plaguing virtual worlds, and real world currency having a marked impact on virtual trading makes this a few steps above dedicated DDoS botnets designed for nothing other than kicking console gamers out of Halo 3 sessions."
Various groups rumoured to be working out of Eastern Europe and Russia are said to be offering in-game currency for real money. "Investigations by the owners of the game have caused several leaders of these alliances to be banned in the past," explained Reg reader Patrick, who was the first to tell us of the hive of villainy within Eve Online.

http://www.theregister.co.uk/2011/05/23/eve_online_botnet_mayhem/

Monday, February 14, 2011

The cyberweapon that could take down the internet


A new cyberweapon could take down the entire internet – and there's not much that current defences can do to stop it. So say Max Schuchard at the University of Minnesota in Minneapolis and his colleagues, the masterminds who have created the digital ordnance. But thankfully they have no intention of destroying the net just yet. Instead, they are suggesting improvements to its defences.
Schuchard's new attack pits the structure of the internet against itself. Hundreds of connection points in the net fall offline every minute, but we don't notice because the net routes around them. It can do this because the smaller networks that make up the internet, known as autonomous systems, communicate with each other through routers. When a communication path changes, nearby routers inform their neighbours through a system known as the border gateway protocol (BGP). These routers inform other neighbours in turn, eventually spreading knowledge of the new path throughout the internet.
A previously discovered method of attack, dubbed ZMW – after its three creators Zhang, Mao and Wang, researchers in the US who came up with their version four years ago – disrupts the connection between two routers by interfering with BGP to make it appear that the link is offline. Schuchard and colleagues worked out how to spread this disruption to the entire internet and simulated its effects.

Surgical strike

The attack requires a large botnet – a network of computers infected with software that allows them to be externally controlled: Schuchard reckons 250,000 such machines would be enough to take down the internet. Botnets are often used to perform distributed denial-of-service (DDoS) attacks, which bring web servers down by overloading them with traffic, but this new line of attack is different.
"Normal DDoS is a hammer; this is more of a scalpel," says Schuchard. "If you cut in the wrong places then the attack won't work."
An attacker deploying the Schuchard cyberweapon would send traffic between computers in their botnet to build a map of the paths between them. Then they would identify a link common to many different paths and launch a ZMW attack to bring it down. Neighbouring routers would respond by sending out BGP updates to reroute traffic elsewhere. A short time later, the two sundered routers would reconnect and send out their own BGP updates, upon which attack traffic would start flowing in again, causing them to disconnect once more. This cycle would repeat, with the single breaking and reforming link sending out waves of BGP updates to every router on the internet. Eventually each router in the world would be receiving more updates than it could handle – after 20 minutes of attacking, a queue requiring 100 minutes of processing would have built up.
Clearly, that's a problem. "Routers under extreme computational load tend to do funny things," says Schuchard. With every router in the world preoccupied, natural routing outages wouldn't be fixed, and eventually the internet would be so full of holes that communication would become impossible. Schuchard thinks it would take days to recover.
"Once this attack got launched, it wouldn't be solved by technical means, but by network operators actually talking to each other," he says. Each autonomous system would have to be taken down and rebooted to clear the BGP backlog.
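The feedback loop described above, the flapping link, the waves of BGP updates and the backlog that builds when routers receive more updates than they can process, is easier to see in a toy model. The following simulation is an added example written for this page; it is not code from the New Scientist article or from Schuchard's paper. Everything in it is an assumption made for illustration: an eight-AS topology, one update per link state change announced by both endpoints, flooding with duplicate suppression (a router forwards an update only the first time it sees it, but every duplicate still costs processing time), and a fixed number of updates each router can process per tick. Real BGP runs best-path selection and MRAI timers that this model omits; what it does show is the operational symptom a defender would watch for, per-router update queues that grow without bound once the arrival rate exceeds the processing rate.

```python
"""
Toy model of a BGP update storm driven by one flapping link.

Added example; all topology, timing and capacity values are constructed.
"""
from collections import deque

# Constructed topology: AS name -> neighbouring ASes (links are symmetric).
TOPOLOGY = {
    "AS1": ["AS2", "AS3"],
    "AS2": ["AS1", "AS3", "AS4"],
    "AS3": ["AS1", "AS2", "AS5"],
    "AS4": ["AS2", "AS6"],
    "AS5": ["AS3", "AS6", "AS7"],
    "AS6": ["AS4", "AS5", "AS8"],
    "AS7": ["AS5", "AS8"],
    "AS8": ["AS6", "AS7"],
}


def simulate(topology, target_link, flap_period, capacity, ticks):
    """Flap one link every `flap_period` ticks and flood the resulting updates.

    Each router processes at most `capacity` queued updates per tick and
    forwards an update to its other neighbours the first time it sees it;
    later duplicates are still dequeued and therefore still consume capacity.
    Returns per-router queue lengths (the backlog) at the end of the run.
    """
    queues = {r: deque() for r in topology}
    seen = {r: set() for r in topology}
    processed = {r: 0 for r in topology}
    end_a, end_b = target_link
    event_id = 0

    for t in range(ticks):
        if t % flap_period == 0:
            # The link goes down, comes back up, goes down again... Every
            # state change is a new event that both endpoints must announce.
            event_id += 1
            queues[end_a].append((event_id, None))
            queues[end_b].append((event_id, None))

        outgoing = []  # (destination, event id, sender), delivered next tick
        for router in topology:
            for _ in range(min(capacity, len(queues[router]))):
                uid, sender = queues[router].popleft()
                processed[router] += 1
                if uid in seen[router]:
                    continue  # duplicate: CPU spent, nothing new to announce
                seen[router].add(uid)
                for nbr in topology[router]:
                    if nbr != sender:
                        outgoing.append((nbr, uid, router))
        for nbr, uid, sender in outgoing:
            queues[nbr].append((uid, sender))

    backlog = {r: len(q) for r, q in queues.items()}
    return {
        "events": event_id,
        "backlog": backlog,
        "total_backlog": sum(backlog.values()),
        "processed": processed,
    }


def compare_scenarios():
    """Calm operation versus a link flapping faster than routers can keep up."""
    calm = simulate(TOPOLOGY, ("AS1", "AS2"), flap_period=20, capacity=10, ticks=100)
    storm = simulate(TOPOLOGY, ("AS1", "AS2"), flap_period=1, capacity=1, ticks=60)
    return calm, storm


if __name__ == "__main__":
    calm, storm = compare_scenarios()
    print("calm  backlog:", calm["total_backlog"])
    print("storm backlog:", storm["total_backlog"], storm["backlog"])
```

In the calm run every update is processed within a few ticks of the event and the queues are empty at the end; in the storm run the two endpoint routers never catch up, because each tick brings a fresh announcement plus copies of earlier ones from neighbours, and their queues grow for as long as the link keeps flapping. That queue growth, not the individual updates, is the signal worth alarming on.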

Meltdown not expected

So is internet meltdown now inevitable? Perhaps not. The attack is unlikely to be launched by malicious hackers, because mapping the network to find a target link is a highly technical task, and anyone with a large enough botnet is more likely to be renting it out for a profit.
An alternative scenario would be the nuclear option in a full-blown cyberwar – the last resort in retaliation to other forms of cyberattack. A nation state could pull up the digital drawbridge by adjusting its BGP to disconnect from the internet, just as Egypt did two weeks ago. An agent in another country could then launch the attack, bringing down the internet while preserving the attacking nation's internal network.


Sitting duck

Whoever launched the attack, there's little we could do about it. Schuchard's simulation shows that existing fail-safes built into BGP do little to protect against his attack – they weren't designed to. One solution is to send BGP updates via a separate network from other data, but this is impractical as it would essentially involve building a shadow internet.
Another is to alter the BGP system to assume that links never go down, but this change would have to be made by at least 10 per cent of all autonomous systems on the internet, according to the researchers' model, and would require network operators to monitor the health of connections in other ways. Schuchard says that convincing enough independent operators to make the change could be difficult.
"Nobody knows if it's possible to bring down the global internet routing system," says Mark Handley, an expert in networked systems at University College London. He suggests that the attack could cause "significant disruption" to the internet, with an effect greater than the Slammer worm of 2003, but it is unlikely to bring the whole thing down.
"The simulations in the paper make a lot of simplifying assumptions, which is necessary to simulate on this scale," he explains. "I doubt the internet would behave as described."

http://www.newscientist.com/article/dn20113-the-cyberweapon-that-could-take-down-the-internet.html

Wednesday, December 15, 2010

We have reverse engineered the opt in bot net malware (LOIC)

We have reverse engineered the opt in bot net malware (LOIC) and have been briefing our large global online presences on this particular threat as we provide ongoing threat alerts and briefings as part of our service.

As a sign of good will and information sharing, we are available to brief you as well - perhaps there will be some valuable data that could be of use to your organisation.

Feel free to get in touch to arrange a date and time.


How was it that a loosely-coupled group of cyber-protestors could launch -- with varying degrees of success -- targeted distributed denial-of-service (DDoS) attacks against sites such as MasterCard, PayPal, PostFinance, and the website belonging to a Swedish prosecutor?
Turns out it's quite simple. All an attacker need do is download the open source network stress testing tool known as LOIC (the Low Orbit Ion Cannon) that is widely available. Launching an attack with LOIC is mind-numbingly easy: just point and shoot. LOIC will then flood the target with HTTP requests, UDP and TCP packets.

Those participating in the pro-Wikileaks riots could operate on their own, or choose to connect their system to the "LOIC Hivemind" voluntary botnet that is centrally controlled by those behind Operation Payback.
Since the launch of the attacks, LOIC has been downloaded nearly 70,000 times.
Cyber protestors engaging in digital rioting such as web-site defacements, denial-of-service attacks, and even inserting messages in malware have existed for some time. Such protestors being highly connected isn't new, either. They have been socializing on message boards and instantly communicating in Internet Relay Chat for many years.
What is new is the ease of which a tool such as LOIC can be put into action. "LOIC is extremely easy to use. It is designed so someone with little or no technical knowledge can quickly download and install it, and participate in DDoS activities," said Alex Cox, principal analyst at security firm NetWitness. "It also has the ability to be remotely controlled by a central IRC server, so that more technically competent operators can direct attacks en masse at targets, regardless of the participant's technical knowledge."
"There is a false belief that we are fending off casual attackers," said Joshua Corman, research director, enterprise security at the 451 Group. "However, I don't think the casual attacker exists any more. Just consider how powerful tools like Metasploit have become. There's also the malware kits that make obfuscating malware or building botnets trivial. You don't need to know anything to launch a successful attack anymore," said Corman.
Anyone on the receiving end of a LOIC packet burst would be sure to agree, and how technically savvy the attacker happens to be is made moot by the ease and power of the attack.
Cox agrees: "The attacker landscape is moving more toward "point-and-click" attack and exploitation tools. This is reflected in the many crimeware systems available in the underground, which includes DDOS, do-it-yourself botnet kits (Zeus, Spyeye, and many others) as well as exploit kits," he said. "In the past you had to have a certain amount of technical skill to participate, but now anyone can."
For security practitioners the big story within the pro-Wikileak and LOIC attacks may not have much to do about Wikileaks and the legalities or the politics of it all -- and everything to do about how swiftly, and easily, online attackers can be called into action against any target they wish.

http://www.csoonline.com/article/646813/loic-tool-enables-easy-wikileaks-driven-ddos-attacks

Friday, December 10, 2010

New "Darkness" Botnet as Ominous as It Sounds

Security researchers are in a tizzy over a new botnet they’re calling “Darkness,” or if you want the full name, “Destination Darkness Outlaw System” (D.D.O.S.), ComputerWorld reports.
Here’s the sales pitch — for just $50, Darkness operators promise their clients they’ll be able to flummox large sites with an army of just 1,000 bots, and security experts don’t doubt that claim.
“Upon testing, it was observed that the throughput of the attack traffic directed simultaneously at multiple sites was quite impressive,” said the Shadowserver Foundation. “As with BlackEnergy, ‘Darkness’ is easy to purchase, easy to deploy, and is very effective and efficient in what it does.”
Darkness botnet operators advertise a laundry list of devious features, including the ability to pick several URLs for each target site, the ability to overwhelm an average site with just 30 bots, the ability to run as a Windows service, both an English and a Russian GUI, and much more.
“It now appears that ‘Darkness’ is overtaking BlackEnergy as the DDoS bot of choice,” Shadowserver Foundation notes. “There also appear to be no shortage of buyers looking to add ‘Darkness’ to their botnet arsenal.”

http://www.cpureview.com/new-darkness-botnet-as-ominous-as-it-sounds.html?goback=.gde_1899252_member_37062320

Friday, December 3, 2010

“Mega-D” botnet taken down

Federal investigators have identified a 23-year-old Russian man as the mastermind behind the notorious “Mega-D” botnet, a network of spam-spewing PCs that once accounted for roughly a third of all spam sent worldwide.
According to public court documents related to an ongoing investigation, a grand jury probe has indicted Moscow resident Oleg Nikolaenko as the author and operator of the Mega-D botnet.
Federal agents settled on Nikolaenko thanks to information provided by Lance Atkinson, an Australian man named as a co-conspirator in the “Affking” e-mail marketing and counterfeiting operation that was shuttered in 2008 after investigations by the FBI, the Federal Trade Commission and international law enforcement authorities. The Affking program generated revenues of $500,000 a month using spam to promote counterfeit Rolexes, herbal “male enhancement” pills and generic prescription drugs.
As part of his guilty plea to spam violations, Atkinson provided investigators information on the top spammers who helped to promote the Affking products. Among them was an affiliate who used the online nickname “Docent,” who earned nearly $467,000 in commissions over a six month period in 2007.
Atkinson told investigators that Docent’s commissions were sent to an ePassporte account, under the name “Genbucks_dcent,” that was tied to the e-mail address “4docent@gmail.com.” Records subpoenaed by the grand jury found that the ePassporte account was registered in Nikolaenko’s name to an address in Moscow.
According to court documents, investigators found numerous executable files in Docent’s Gmail inbox. Those files were analyzed by researchers at SecureWorks, an Atlanta based security firm, which found them to be samples of the Mega-D malware.
Update: [Nikolaenko was reportedly arrested in the United States recently. See update at the end, after the jump.]

But U.S. investigators missed at least two chances to apprehend Nikolaenko: The grand jury said a review of U.S. State Department records indicate that Nikolaenko entered the United States in Los Angeles on July 17, 2009, and left the country ten days later. He returned to the U.S. on Oct. 29, 2009, entering from New York and visiting Las Vegas before exiting the country on Nov. 9 from Los Angeles.
Investigators say Nikolaenko was supposed to leave Los Angeles on Nov. 11, but cut his trip short by two days. They concluded that the 23-year-old left early because he wanted to get home to repair damage that security experts had inflicted on his botnet. On Nov. 4, 2009, researchers from Milpitas, Calif. based FireEye executed a “stun” attack on Mega-D by seizing control over the botnet’s control networks.
“Based on the timing of the Fireeye attack on the Mega-D botnet, I believe that Nikolaenko left the U.S. early to repair damage caused by Fireeye,” wrote Special Agent Brett E. Banner, in the government’s complaint against Nikolaenko.
After the FireEye takedown, spam from Mega-D all but disappeared. But in the days following his return to Moscow, the botnet recovered gradually, and by Nov. 22, spam from Mega-D was back to pre-takedown activity levels. By Dec. 13, Mega-D was responsible for sending nearly 17 percent of spam worldwide, according to security vendor M86 Security.
Joe Stewart, a senior security researcher at SecureWorks, said that at the beginning of Nov. 2009, there were at least 120,000 computers infected with Mega-D that were relaying spam, but Stewart said he hasn’t seen any signs of activity from Mega-D over the past several months.
While Mega-D may be dead, information obtained by KrebsOnSecurity.com suggests that Nikolaenko has nonetheless continued spamming, and that, until at least June 2010, he was a top-earning affiliate for Spamit.com. Prior to its closure at the end of Sept. 2010, Spamit was the world’s most active affiliate program for promoting knockoff prescription drugs.
A Spamit affiliate using the same “4docent@gmail.com” address made nearly $81,000 in the first five months of 2010 promoting online pharmacies for Spamit. The earnings were deposited into the same “Genbucks_dcent” ePassporte account named in the criminal complaint against Nikolaenko. It’s not clear whether Nikolaenko was able to enjoy all of those earnings: ePassporte also went belly-up in September, leaving thousands of customers without access to millions of dollars in funds.
Update, Dec. 2, 5:40 p.m. ET: The Milwaukee-Wisconsin Journal Sentinel reports that Nikolaenko was arrested after entering the United States to attend a car show in Las Vegas. He is scheduled to make his initial court appearance in Milwaukee on Friday.
http://krebsonsecurity.com/2010/12/fbi-identifies-russian-mega-d-spam-kingpin/?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=KrebsOnSecurity

Tuesday, November 23, 2010

The Botnet Threat

The challenge for CIOs and law enforcement is countering a very sophisticated threat that is entering a hyper-growth stage. With increased revenue comes increased investment in new tools and better techniques. This blended threat cycle feeds on itself and is growing bigger every day.

One of the main challenges for CIOs is recognizing there is a problem. Unlike standard spyware or adware, a bot's malware infection can install kernel-level rootkits that modify many of the tools and libraries upon which all programs on the system depend and allow it to hide from standard anti-virus, intrusion detection, or anti-spyware applications. CIOs generally become aware of botnet infiltrations through end-user complaints about performance issues, third-party reports of attacks originating from their IP space, victims' reports of DDoS floods, detection of excessive inbound or outbound port scanning, or unusual traffic patterns on the network. In other words, most times, it's difficult to know if a bot or bots have infected the network until it is too late.
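Two of the indicators listed above, excessive inbound or outbound port scanning and traffic that matches a DDoS flood (the HTTP and TCP connection bursts a LOIC-style tool produces, as the earlier post describes), can be checked for directly in flow records. The script below is an added example for this page, not code from the article or from any vendor it mentions. It assumes NetFlow-like records of the form "epoch src dst dport proto"; the addresses, thresholds and sample traffic are all constructed here, and the thresholds would need tuning to a real network's baseline.

```python
"""
Flow-log triage for two botnet indicators: outbound port scanning and
participation in a connection flood.

Added example; the records, addresses and thresholds are constructed.
"""
from collections import defaultdict


def build_sample_flows():
    """Constructed NetFlow-style records, one 'epoch src dst dport proto' per line."""
    lines = ["# epoch src dst dport proto"]
    # A benign workstation: a handful of HTTPS sessions.
    for i in range(5):
        lines.append(f"{1000 + 7 * i} 10.0.0.5 203.0.113.10 443 tcp")
    # An infected host probing 150 ports on one external server, one per second.
    for port in range(1, 151):
        lines.append(f"{1000 + port} 10.0.0.7 203.0.113.50 {port} tcp")
    # An infected host hammering one web server: 400 HTTP connections in
    # ten seconds, the shape of an HTTP/TCP flood from a LOIC-style tool.
    for i in range(400):
        lines.append(f"{2000 + i // 40} 10.0.0.9 198.51.100.20 80 tcp")
    return "\n".join(lines)


def parse_flows(text):
    """Parse whitespace-separated records into tuples; comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto))
    return flows


def detect_port_scans(flows, min_ports=100):
    """Sources that touched at least `min_ports` distinct destination ports."""
    ports_by_src = defaultdict(set)
    for _, src, _, dport, _ in flows:
        ports_by_src[src].add(dport)
    return {src: len(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


def detect_floods(flows, min_conns=300, window=60):
    """(src, dst, count) for pairs with at least `min_conns` flows in one window."""
    counts = defaultdict(int)
    for ts, src, dst, _, _ in flows:
        counts[(ts // window, src, dst)] += 1
    hits = {}
    for (_, src, dst), n in counts.items():
        if n >= min_conns:
            hits[(src, dst)] = max(n, hits.get((src, dst), 0))
    return sorted((src, dst, n) for (src, dst), n in hits.items())


def triage(text):
    """Run both detectors over a log and return the combined findings."""
    flows = parse_flows(text)
    return {"scans": detect_port_scans(flows), "floods": detect_floods(flows)}


if __name__ == "__main__":
    for kind, hits in triage(build_sample_flows()).items():
        print(kind, hits)
```

On the constructed sample the scanner is reported with 150 distinct ports and the flooding host with 400 connections to one destination in a single window, while the benign workstation and the scanner's modest per-window connection count stay below the flood threshold. Either finding is a reason to pull the host for the kind of rootkit-aware inspection the paragraph above says ordinary anti-virus may miss.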


As the black market for malicious code and stolen information grows, botnets are quickly becoming the tool of choice for those with malicious intent. Like mainstream service providers, botnets will evolve to reflect the demands of the market. They will add features over time to spread quicker, harvest more specific information, and perpetrate DDoS attacks more efficiently. CIOs can expect to see security vendors roll out new approaches to combat the threat. In the meantime, it is important that they stay vigilant to protect individuals, intellectual property, and their organization's critical infrastructure.
 
http://theusdaily.com/articles/viewarticle.jsp?id=1267466&type=TechnologyInte