Category Archives: DDoS Criminals

The Changing Trends of DDoS Attacks

Distributed denial-of-service (DDoS) attacks certainly aren’t new. I’ve been talking about them for years. However, they have been changing. The traditional style of attack, the flood-the-target type that crashes a website, is still going strong. But now we are seeing an increase in application-layer attacks that have the same goal: Systems go down, resources are unavailable and the victim is scrambling to fix everything. Recently, Vann Abernethy, senior product manager for NSFOCUS, talked to me about the changing DDoS landscape. Something he has noticed is how DDoS attacks are being used as smokescreens to cover up other criminal activity. He said: In fact, the FBI warned of one such attack type back in November of 2011, which relies upon the insertion of some form of malware. When the attacker is ready to activate the malware, a DDoS attack is launched to occupy defenders. In this case, the DDoS attack is really nothing more than a smokescreen used to confuse the defenses and allow the real attack to go unnoticed – at least initially. Considering that most malware goes undetected for long periods of time, even a small DDoS attack should be a huge red flag that something else may be going on. Abernethy adds that another trend he’s seeing is that the DDoS attack itself may be a bit more sinister. For example, a DDoS attack could be masking a simultaneous attack that is probing for vulnerabilities. He said: It’s like a recon team sent to look at an enemy’s position while they’re under some sort of long-range barrage. In general, basic probing will likely be caught if the victim has even modest security protections. But while under the duress of a DDoS attack, the very systems charged with either blocking or alerting suspicious activity might be under too much strain. Abernethy provides several solutions to protect against these emerging DDoS attack styles. One way is to have multiple teams set up to respond to DDoS attacks. One team would work on the DDoS attacks themselves; another team would be responsible for searching for other possible, hidden attacks. For the trend that involves probing, IT and security departments may want to deploy application security testing, and all applications used by the company should be subjected to the testing. DDoS attacks can be devastating to a company , interrupting vital customer interactions and ruining company reputations. The more we know about them, the better chance we have at protecting the company from any serious damage, if not preventing them altogether. Source: http://www.itbusinessedge.com/blogs/data-security/the-changing-trends-of-ddos-attacks.html

DDoS trojan ferrets SMB data

A new distributed-denial-of-service (DDoS) bot has been discovered targeting real estate companies and other small and medium-sized businesses. Arbor Networks researcher Dennis Schwarz found the malware after receiving a tip-off from a Twitter user. A relatively small number of unique samples and command and control servers were uncovered, making it difficult to judge just how dangerous the new threat could be. These samples are written in the Delphi programming language but most likely originate from Russia, said Schwarz, who added that the bot’s self-preservation tools include UPX packing, string obfuscation, anti-virtual machine, anti-bugging measures, self-modifying code and process hollowing. Command and control is done over HTTP. The analyst firm has a ‘fairly complete picture’ of what the bot represents, but admitted concerns on how Trojan.Ferret is being distributed. “Trojan.Ferret is a new Russian DDoS bot. It stood out to me due to the silly ferret theme and that we have a fairly complete picture of it,” said Schwarz, adding that the company had tracked a sample of bot, the C&C panel view and live C&C traffic. “It is a traditional DDoS bot focusing on the ‘core’ set of DDoS attacks, such as HTTP, UDP and TCP. It lacks the common application layer attacks such as Slowloris, Apache Killer, and RUDY. “A major missing component that we’re unsure of is how this particular Trojan is being distributed–whether by exploit kit, malware-laced spam, or via one of the many ‘dropper/downloader’ networks.” Schwarz said that the Trojan is targeting the UK, the US, Germany, Russia and the Netherlands, as well as Kazakhstan, and said that attacks have hit property companies, an electronics shop, a wedding dress shop and even a politician in Panama. Malwarebytes malware intelligence analyst Adam Kujawa said the information security industry is still coming to grips with the threat posed by the new DDoS bot. “It is likely of Russian origin, uses an array of specialised malware tricks to hide it from detection and of course is used as a DDOS bot,” said Kujawa. “Ferret will infect as many systems as it can to recruit them into the Botnet and then use each of those systems to attack a single server at the same time,” he added, commenting, “A single system cannot perform a successful DDOS attack but a botnet of thousands can.” Source: http://www.scmagazine.com.au/News/368168,ddos-trojan-ferrets-smb-data.aspx

Continue Reading:
DDoS trojan ferrets SMB data

ZeroAccess botnet down for good?

When Microsoft and various law enforcement agencies around the world disrupted the ZeroAccess botnet at the beginning of December, they did not expect to fully eliminate it. After all, the botnet …

Visit site:
ZeroAccess botnet down for good?

Casino DDoS duo caged for five years after blackmail buyout threat

Polish crims demanded 50% of gambling biz, on pain of firm-killing cyber attacks A pair of cyber-extortionists who attempted to blackmail a Manchester-based online casino with threats of unleashing a debilitating denial of service attack have been jailed for five years and four months.…

See more here:
Casino DDoS duo caged for five years after blackmail buyout threat

China’s central bank hit by DDoS after Bitcoin blitz

Reports claim revenge attack after digi-currency restrictions Angry Bitcoin users are suspected of DDoS-ing the website of China’s central bank following tough new restrictions it levied this week which appear to have forced the world’s biggest Bitcoin exchange into meltdown.…

See the original article here:
China’s central bank hit by DDoS after Bitcoin blitz

7 Security Trends to Expect in 2014

Computer systems, in many peoples’ eyes, are there to be hacked — and that means fraudsters are always working on new ways to exploit vulnerabilities. So what does 2014 have in store? Here are seven security predictions for the New Year. DDoS Attacks Get Sneaky DDoS attackers will go from simple volumetric attacks to ones which take advantage of a site’s specific performance characteristics. That’s the prediction of security researchers at Neohapsis, a security and risk management consulting company. DDoS attacks that intelligently target bottlenecks in performance, such as pages with a high server load (like database writes) or specific network bottlenecks (like login and session management), can magnify the impact over attacks which are simply volume-based and request the homepage of a site. So it’s likely that we will begin to see the spread of tools which profile specific targets. The result? DDoS attacks that have more impact, and involve less network traffic, than the ones enterprises have become accustomed to mitigating against. Insider Threats Remain Major Security Problem According to a CyberSecurity Watch survey insiders were found to be the cause in 21 percent of security breaches, and a further 21 percent may have been due to the actions of insiders. More than half of respondents to another recent survey said it’s more difficult today to detect and prevent insider attacks than it was in 2011, and 53 percent were increasing their security budgets in response to insider threats. While a significant number of breaches are caused by malicious or disgruntled employees – or former employees – many are caused by well-meaning employees who are simply trying to do their job. BYOD programs and file sharing and collaboration services like Dropbox mean that it will be harder than ever to keep corporate data under corporate control in the face of these well-meaning but irresponsible employees. Defending against insider threats requires a multi-layered use of technological controls, including system-wide use of data encryption and establishment of policies stressing prevention of data loss. Security Worries Drive Cloud Consolidation Organizations will look to buy more solutions from a single vendor and demand greater integration between solutions to automate security, according to Eric Chiu, president of HyTrust, a cloud security company. The fact that securing cloud environments is very different from securing traditional physical environments will drive greater consolidation in the market, he says. Legacy Systems Cause More Security Headaches The spate of IT failures in banks and other high profile companies highlights a simple fact: Many of them are running legacy systems which are so old and out of date that they are becoming almost impossible to maintain. That’s because there are few people with the skills and expert knowledge that would be needed to run them securely – even if they were updated to eliminate know vulnerabilities, which they frequently are not. They often aren’t updated because no-one knows what impact that would have. It’s inevitable that we’ll see hackers going after such systems, exploiting vulnerabilities that can’t easily be fixed. Encryption Will Be Revisited In the wake of revelations about the NSA, many companies are realizing that encryption many be the only thing that is protecting their data, and it may not be as strong as they imagined. What’s more, if hackers are led to believe there is a weakness in a particular system – either accidental or intentional – they will pound on it until they find it. As a result, many companies will look to improve the way they use encryption. Look for particular attention to be paid to cryptographic block modes like CBC and OFB, and authenticated modes like EAX, CCM and GCM, advise the experts at Neohapsis. In addition to the encryption methods themselves, look for insights and innovations around key management and forward security. ‘Stuxnets’ Become More Common State-sponsored malware like Stuxnet – which is widely attributed to the United States, Israel or both – has proved to be far more sophisticated and effective than anything that a couple of hackers can develop. Expect more of this type of malware from the likes of China, Russia, Iran, India, Brazil and Pakistan. It’s probably already out there, even if it hasn’t yet been detected. 2014 could be the year that its prevalence becomes apparent. Bitcoin Drives New Malware The Bitcoin virtual currency is growing in popularity with legitimate businesses, and that’s likely to continue. That’s because Bitcoin payments offer significant attractions: They are quick and cheap, and there is no possibility of a chargeback. But Bitcoin wallets make attractive targets for criminals, because stolen coins can be cashed out instantly, without a middleman or launderer taking a cut. And many Bitcoin users are relatively unsophisticated, protecting their wallets with very little security. So expect Trojans and other malware that specifically look for and target Bitcoin stashes, as well as ransomware that demands Bitcoins in return for decrypting data. Source: http://www.esecurityplanet.com/network-security/7-security-trends-to-expect-in-2014.html

View article:
7 Security Trends to Expect in 2014

New DDoS malware targets Linux and Windows systems

Attackers are compromising Linux and Windows systems to install a new malware program designed for launching distributed denial-of-service (DDoS) attacks, according to researchers from the Polish Computer Emergency Response Team (CERT Polska). Attackers are compromising Linux and Windows systems to install a new malware program designed for launching distributed denial-of-service (DDoS) attacks, according to researchers from the Polish Computer Emergency Response Team (CERT Polska). The malware was found by the Polish CERT at the beginning of December and the Linux version is being deployed following successful dictionary-based password guessing attacks against the SSH (Secure Shell) service. This means only systems that allow remote SSH access from the Internet and have accounts with weak passwords are at risk of being compromised by attackers distributing this malware. “We were able to obtain a 32-bit, statically linked, ELF file,” the Polish CERT researchers said Monday in a blog post. The executable runs in daemon mode and connects to a command-and-control (C&C) server using a hard-coded IP (Internet Protocol) address and port, they said. When first run, the malware sends operating system information — the output of the uname command — back to the C&C server and waits for instructions. “From the analysis we were able to determine that there are four types of attack possible, each of them a DDoS attack on the defined target,” the researchers said. “One of the possibilities is the DNS Amplification attack, in which a request, containing 256 random or previously defined queries, is sent to a DNS server. There are also other, unimplemented functions, which probably are meant to utilize the HTTP protocol in order to perform a DDoS attack.” While executing an attack, the malware provides information back to the C&C server about the running task, the CPU speed, system load and network connection speed. A variant of the DDoS malware also exists for Windows systems where it is installed as “C:Program FilesDbProtectSupportsvchost.exe” and is set up to run as a service on system start-up. Unlike the Linux version, the Windows variant connects to the C&C server using a domain name, not an IP address, and communicates on a different port, according to the Polish CERT analysis. However, the same C&C server was used by both the Linux and Windows variants, leading the Polish CERT researchers to conclude that they were created by the same group. Since this malware was designed almost exclusively for DDoS attacks, the attackers behind it are likely interested in compromising computers with significant network bandwidth at their disposal, like servers. “This also probably is the reason why there are two versions of the bot — Linux operating systems are a popular choice for server machines,” the researchers said. However, this is not the only malware program designed for Linux that was identified recently. A security researcher from the George Washington University, Andre DiMino, recently found and analyzed a malicious bot written in Perl after allowing attackers to compromise one of his honeypot Linux systems. The attackers were trying to exploit an old PHP vulnerability, so DiMino intentionally configured his system to be vulnerable so he could track their intentions. The vulnerability is known as CVE-2012-1823 and was patched in PHP 5.4.3 and PHP 5.3.13 in May 2012, suggesting the attack targeted neglected servers whose PHP installations haven’t been updated in a long time. After allowing his honeypot system to be compromised, DiMino saw attackers deploy malware written in Perl that connected to an Internet Relay Chat (IRC) server used by attackers for command and control. The bot then downloaded local privilege escalation exploits and a script used to perform Bitcoin and Primecoin mining — an operation that uses computing power to generate virtual currency. “Most servers that are injected with these various scripts are then used for a variety of tasks, including DDoS, vulnerability scanning, and exploiting,” DiMino said Tuesday in a blog post that provides a detailed analysis of the attack. “The mining of virtual currency is now often seen running in the background during the attacker’s ‘downtime’.” DiMino’s report comes after researchers from security vendor Symantec warned in November that the same PHP vulnerability was being exploited by a new Linux worm. The Symantec researchers found versions of the worm not only for x86 Linux PCs, but also for Linux systems with the ARM, PPC, MIPS and MIPSEL architectures. This led them to conclude that the attackers behind the worm were also targeting home routers, IP cameras, set-top boxes and other embedded systems with Linux-based firmware. Source: http://news.idg.no/cw/art.cfm?id=41695C7E-ED43-55A5-51306549A5A0A129

The Year DDoS Got Real for CUs

Before 2013, Distributed Denial of Service attacks seemed to many credit union executives as something the other guys worried about. The prevailing attitude was: We’re not on anyone’s radar. We aren’t on anyone’s enemies list. Why worry? Then came January 2013 when the $1.6 billion University Federal Credit Union in Austin, Texas, and Patelco, the $4 billion Pleasanton, Calif. credit union, both acknowledged they had been knocked offline for some hours. Many big banks were taken down at the same time, in attacks claimed by al Qassam Cyberfighters, an organization that many allege is sponsored by the Iranian government. A month later, in February, both institutions were taken down another time, again in attacks claimed by al Qassam. Many banks also fell victim a second time. There were also dud DDoS attacks, such as a much-ballyhooed May 7 attack – which saw institutions fearfully running for cover from an attack said to be planned by OpUsa, a hacktivist group affiliated with Anonymous – but it amounted to nothing. As the year progressed, there were more reports of DDoS used as a diversionary tactic by criminals who sought to distract financial institution security staff with website attacks as they busied themselves perpetrating high-value wire thefts. There have been no such cases publicly linked to credit unions, but there are multiple cases linked to banks. How many credit unions have been taken down by DDoS? That number is unknown. Patelco and University were named in Internet postings by al Qassam, thus their attacks became public knowledge. The NCUA, for its part, requires credit unions that have been “significantly affected by DDoS” to notify the NCUA or their state regulators. When asked in October for the number of credit unions that had filed reports, the agency shared data showing two outages. But the regulator did not indicate that it believed that tally to be complete. CUNA Mutual, at the same time, indicated it had no count whatsoever of DDoS outages. No one really knows how many credit unions were attacked by DDoS in the year but one fact did seem to emerge. “DDoS has become a perennial, it is here to stay in the threats universe,” said Charles Burckmyer, president of Sage Data Security, a firm that claims several hundred financial institutions as clients. Just what is DDoS? The question is good, because the answer is tough to give. That’s because the format of DDoS shifted dramatically in 2013, said Rodney Joffe, senior technologist at Neustar, an Internet analytics company that also offers DDoS mitigation services. Early in the year, Joffe recalled, DDoS sought to wipe out victim websites by targeting them with huge volumes of traffic – generally assembled using resources stolen from zombie computer botnets where the machine owners have no clue their devices are digital slaves to criminals. So those targets – such as Patelco and UFCU – went down because they were overwhelmed. But DDoS attacks and mitigation strategies continually evolve, said Joffe. When one side jigs, the other responds. That showed up as many financial institutions signed up with third-party mitigation companies to provide emergency “pipe” – Internet bandwidth – to be able to deflect volume-based attacks. So the attackers switched to hitting victims with an avalanche of requests for services that had the effect of using the target computers to in effect tire themselves, noted Stephen Gates, chief security evangelist of Corero Network Security. A classic, for instance, is hitting a financial institution website with many requests for a password reset, probably for non-existent members, but the institution’s computer still is forced to go through so many motions it may become unavailable to genuine users. Pierluigi Stella, chief technology officer at security company Network Box USA, elaborated: “The (DDoS criminal’s) query is usually less than 100 bytes; the reply can be tens of thousands; so the hacker gets an amplification factor of 100. For each packet of 100 bytes the hacker sends out, you get hit by 10,000 bytes.” Multiply that by maybe several hundred queries per second and it is easy to see why this attack has proven so successful in 2013, suggested Stella. The cure, said experts, is to deploy tools that in effect scrub all data as it comes into the system. Bad data is sidelined, authentic data is passed through, and while that is easier to prescribe than it is to implement in practice, experts agreed that DDoS mitigation companies took large strides in 2013 towards building tools that in fact scrubbed incoming data with high success rates. The bad news: Nobody thinks today’s DDoS format will be tomorrow’s, and no one knows what criminals will unleash in the months ahead. Maybe the jackpot question is, how well protected are credit unions when it comes to fending off DDoS, especially as it morphs into different formats? Have they invested in state-of-the-art protections? Not very many have made those investments, said multiple experts contacted by Credit Union Times. Few credit unions will discuss their DDoS defenses on the record but off the record some have indicated that their defenses are thin. Many hope that their vendors – for Internet banking or their Internet service provider – have adequate protections in place to keep the credit union itself also protected. DDoS will remain part of the threats landscape, said multiple experts, mainly because it is effective, it is inexpensive, and it is increasingly easy to deploy. As long as it gets results, criminals will continue to use it, said Joffe. Nonetheless, he flatly predicted that we will not see more of the al Qassam-style, high-profile attacks that won headlines early in 2013. “Those attacks were politically motivated but they accomplished nothing,” said Joffe. Other experts agreed, pointing to changes in Iranian politics and a recent thawing in relationships with the United States. The upshot is that the al Qassam attacks may in fact be history, meaning there may not be more days when several dozen financial institutions are taken offline in a brazen show of Internet power. “But we will see more DDoS because it works,” said Joffe, and he specifically predicted more use of it as a diversion because if a security staff can be distracted for a half-day, that may be ample time for a wire transfer to move money out of the United States and through several hops into a destination country where funds are unlikely to be returned. Gartner analyst Avivah Litan – one of the experts who first reported the use of DDoS as a diversion – noted in an interview that good policy would be to “slow” wire transfers at times when the institution found itself under a DDoS attack. Her opinion is that simply slowing down transaction speed might sharply reduce losses. At least until the criminals figure out a new strategy – and that is a big takeaway from the 2013 DDoS saga. “This is an arms race that is no different from any other arm’s race,” said Joffe. “As we add defenses, the criminals alter their attacks and so it goes on.” The good guys win, said Joffe, by making it expensive for the criminals, such as disrupting their botnet zombie networks. “If we can make it more expensive for them than the rewards they get from their DDoS, we win,” said Joffe. “This will be survival of the fittest,” he warned. Source: http://www.cutimes.com/2013/12/18/the-year-ddos-got-real-for-cus?ref=hp

More:
The Year DDoS Got Real for CUs

Week in review: Cryptolocker copycat, CyanogenMod's built-in SMS encryption, NSA uses Google cookies to track suspects

Here's an overview of some of last week's most interesting news and articles: The DDoS debate: Multi-layered versus single solution There is a DDoS debate in the cybersecurity industry about whi…

View post:
Week in review: Cryptolocker copycat, CyanogenMod's built-in SMS encryption, NSA uses Google cookies to track suspects

$183,000 fine for man who joined Anonymous attack for ‘one minute’

Authorities in the US have shown their intolerance for so-called ‘hacktivism’ by sentencing a 38-year-old Wisconsin man to two years’ probation and an $183,000 fine for joined an online attack for just a single minute. Eric J. Rosol participated in a Distributed Denial of Service attack (DDoS) against the website for American multinational Koch Industries. DDoS attacks ‘take down’ websites by repeatedly loading them using automatic software. The attack was organised by the hacker group Anonymous and succeed in taking the website offline for only 15 minutes. Rosol pleaded guilty to one misdemeanour count of accessing a protect computer, and although both parties agree that the direct loss to Koch Industries (the second largest privately owned company in the US) was less than $5,000, because the corporation had hired a consulting group to protect its web territory for fees of $183,000 – this was the sum that Rosol must now pay. Koch Industries works in a number of industries including petroleum and manufacturing and reported revenues of $115 billion in 2013. The company is controlled by brothers Charles and David Koch (the world’s sixth and seventh richest men) who inherited it from their deceased father Fred C. Koch, the company’s founder. Koch Industries is often the subject of controversy in the US for its financial support of right-wing Tea Party and its opposition to the green energy industry. The brothers have also donated more than $120m to groups working to discredit climage change science. The DDoS attack which Rosol took part in was organized in opposition to Koch Industries’ reported weakening of trade unions. Source: http://www.independent.co.uk/life-style/gadgets-and-tech/183000-fine-for-man-who-joined-anonymous-attack-for-one-minute-8995609.html

View the original here:
$183,000 fine for man who joined Anonymous attack for ‘one minute’