Monthly Archives: November 2007

Massive DDoS Attack on its way? – E-Jihad vs. Storm

The countdown to Nov 11th and the recently rumored “cyber Jihad” against the West has sparked some other questions. One in particular is how the two camps, the would-be cyber-jihadists and the criminals behind the Storm botnet, compare in their capabilities for denial of service (DoS) attacks.

Symantec’s analysis of the purported DoS tool to be used in this “E-Jihad,” known as “E-Jihad 3.0,” has shown it to be crude and unsophisticated. First, it requires a user to manually install it onto a computer. The user must then log into a “cyber-jihadist” Web site through the tool, which sends back attack commands. The Web site in question is currently offline and we believe it may have been since July 2007. Symantec has detection for this tool as Hacktool.Dijah and has set up intrusion prevention system (IPS) blocking.

Since January 2007, Symantec has been tracking the evolution of what is commonly referred to as the “Storm” threat. This term has so far covered various malicious online activities, including distributed denial of service (DDoS) attacks, spam, pump-and-dump stock emails, and botnets. Symantec has been prompt in adding detection and remediation for all of these activities under either the Trojan.Peacomm family or Trojan.Packed.13.

The full capabilities and size of the Storm botnet are as-yet unknown. Systems continue to be infected on a daily basis through various techniques, such as spam, social engineering, and browser exploits. The use of the Overnet peer-to-peer protocol, used by many legitimate file-sharing clients like eMule and MLDonkey, also makes it difficult to track and isolate where commands are coming from. It is also constantly evolving with new methods to infect users. The latest techniques discovered have shown that they are now incorporating network encryption, worm-like propagation across drives, and also injecting malicious IFRAME code into .htm, .html and .php files found on compromised computers.
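The IFRAME injection mentioned above is something a web server administrator can check for directly. The following is an added example, not Symantec's code and not based on the actual Storm payload: it walks a document root, looks at .htm, .html and .php files, and flags <iframe> tags that are hidden (zero or one-pixel size, or display:none / visibility:hidden) or that load from a host outside an allowlist. The sample page, the allowlist host www.example.com and the TEST-NET address 198.51.100.23 are constructed for the example.

```python
"""Flag suspicious <iframe> tags in .htm/.html/.php files.

Added example (not from the original post, not Storm's actual payload).
Heuristics: hidden frames and frames whose src host is not allowlisted.
"""
import os
import re
from dataclasses import dataclass
from urllib.parse import urlparse

WEB_EXTENSIONS = (".htm", ".html", ".php")

# Opening iframe tag and its raw attribute text; attribute name=value pairs.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(
    r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""", re.IGNORECASE
)


@dataclass
class Finding:
    path: str
    line: int
    reason: str
    tag: str


def parse_attrs(attr_text):
    """Parse 'a="x" b=y' into a lower-cased attribute dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value.strip()
    return attrs


def _is_effectively_zero(value):
    # width/height of 0 or 1 (optionally with a unit) hides the frame.
    m = re.match(r"^\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def classify_iframe(attrs, allowed_hosts):
    """Return the reasons this iframe looks injected (empty list if benign)."""
    reasons = []
    if _is_effectively_zero(attrs.get("width")) or _is_effectively_zero(attrs.get("height")):
        reasons.append("zero-size frame")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    host = urlparse(attrs.get("src", "")).hostname
    if host and host.lower() not in allowed_hosts:
        reasons.append(f"external src host {host}")
    return reasons


def scan_text(text, path, allowed_hosts):
    """Scan one file's contents; return a Finding per suspicious iframe."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        reasons = classify_iframe(parse_attrs(m.group(1)), allowed_hosts)
        if reasons:
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(path, line, "; ".join(reasons), m.group(0)))
    return findings


def scan_tree(root, allowed_hosts):
    """Walk a document root and scan every web content file under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path, allowed_hosts))
    return findings


# Constructed sample: one legitimate widget frame, one injected hidden frame.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/widget" width="300" height="200"></iframe>
<p>Some content.</p>
<iframe src="http://198.51.100.23/in.cgi?3" width=0 height=0 style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PAGE, "index.html", {"www.example.com"}):
        print(f"{f.path}:{f.line}: {f.reason}\n    {f.tag}")
```

Run scan_tree("/var/www/html", {"www.example.com"}) against a real document root; anything it reports should be compared against a known-good copy of the site, since the heuristics will also flag legitimate hidden frames.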

Comparing the E-Jihad and Storm techniques mentioned above clearly shows that the “cyber terrorists” in this case are well behind the cyber criminals, although it must be noted that at this time it is not clear whether the “E-Jihad 3.0” tool will be used in the rumored E-Jihad on Nov 11th, or even whether the whole thing is pie in the sky.

However, we should not rule out the impact that a basic DoS attack can have. Lessons learned from May 2007 in Estonia have shown us that DoS commands entered manually by individual users can have an impact if there is enough popular support. If we look at the figures below, we can see just how much bandwidth can be consumed in a simple enough attack.

Magnitude of 25,000 bytes/sec ≈ 24 KB/sec (1 KB = 1024 bytes) = 192 Kbps for each single attacker

Assuming N = 100 attackers => 192 × 100 = 19,200 Kbps ≈ 18.7 Mbps denial of service attack
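The same arithmetic, as an added example that is not part of the original post, written so the two questions a defender actually asks can be answered: how much traffic N attackers generate, and how many attackers it takes to fill a given link. It follows the post's conventions (binary prefixes, per-attacker rate rounded down to whole KB/s), which is why 100 attackers give 18.75 Mbps rather than a decimal 20 Mbps; the link sizes in the usage are assumptions for illustration.

```python
"""Aggregate bandwidth of a manually driven DoS, following the post's figures.

Added example (not from the original post). Uses binary prefixes
(1 KB = 1024 bytes, 1 Mb = 1024 Kb) and rounds each attacker's rate down
to whole KB/s before converting to bits, as the post does.
"""
import math


def per_attacker_kbps(bytes_per_sec):
    """Per-attacker rate in Kbps: 25,000 B/s -> 24 KB/s -> 192 Kbps."""
    kb_per_sec = bytes_per_sec // 1024
    return kb_per_sec * 8


def aggregate_mbps(bytes_per_sec, attackers):
    """Combined rate in Mbps; scales linearly with the number of attackers."""
    return per_attacker_kbps(bytes_per_sec) * attackers / 1024


def attackers_to_saturate(link_mbps, bytes_per_sec):
    """Smallest number of attackers whose combined traffic fills link_mbps."""
    return math.ceil(link_mbps * 1024 / per_attacker_kbps(bytes_per_sec))


if __name__ == "__main__":
    rate = 25000  # bytes/sec per attacker, from the post
    print(f"{per_attacker_kbps(rate)} Kbps per attacker")
    print(f"100 attackers: {aggregate_mbps(rate, 100):.2f} Mbps")
    # Assumed link sizes for illustration: a T1 and a 100 Mbps uplink.
    for name, mbps in (("T1 (1.544 Mbps)", 1.544), ("100 Mbps uplink", 100.0)):
        print(f"{name}: {attackers_to_saturate(mbps, rate)} attackers to saturate")
```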

These figures scale linearly with the number of attackers, so with enough participants such an attack can have a considerable impact on a target. However, this would require a considerable amount of organization. With the Storm threat this is all simplified, because one user can issue commands to computers that were compromised without their owners' knowledge and are hosting the threat’s bots. There is no definitive figure on just how many computers the Storm bots occupy, but various reports suggest anywhere from thousands to millions. With these figures in mind, a DDoS attack from the Storm threat should theoretically outweigh an organized E-Jihad using the “E-Jihad 3.0” tool, and it poses the greater threat. Yet, with the Storm threat being controlled by cyber criminals who are motivated by money, it is unclear to whom, or for what purpose, they might lease out their botnet herds. Time will tell.

To minimize the risk of an attack as much as possible, never install an unknown program, keep your antivirus definitions up-to-date, and never open attachments from unknown sources.