Political motivated DoS attacks
Denial of service attacks continue to be used in order to deny access to web sites at critical times. While the attacks by Anonymous in support of Wikileaks (see Arbor’s analysis here and here) have received much media attention, the website of Wikileaks was attacked just prior to the release of leaked diplomatic cables. However, as the Berkman Center has documented, (distributed) denial of service attacks against non-governmental and independent media continue with an alarming frequency. These attacks are aimed at disabling access to key information resources at specific points in time.

My colleagues Deibert and Rohozinski argue that “[d]isabling or attacking critical information assets at key moments in time—during elections or public demonstrations, for example—may be the most effective tool for influencing political outcomes in cyberspace.” In order to achieve this level of “on demand” disruption, those behind the attacks often outsource these types of attacks to botnets for hire thus blurring the boundaries between cybercrime and politically motivated attacks. We can expect to see a continuation of politically motivated DoS attacks in 2011.

Cyber-espionage
The year of 2010 began with the attacks on Google, dubbed Operation Aurora, which dramatically increased awareness of targeted malware attacks and signified that it is acceptable, and even prudent, that companies disclose such attacks. In fact, some companies began including warnings about such attacks in their SEC filings. However, it is not just companies that are the targets of such attacks, human rights organizations and government systems are compromised as well. In April 2010, the Information Warfare Monitor and the Shadowserver Foundation released a report “Shadows in the Cloud: An investigation into cyber espionage 2.0” in which we document a targeted malware network that extracted secret, confidential and restricted documents from the Indian government and military. (While this report was a follow-up to our previous report on cyber-espionage, “Tracking GhostNet” the networks are quite separate.)

While responsibility for such attacks are often attributed to state entities, 2010 also saw a series of attacks linked to the Zeus malware that appeared a lot more like espionage than crime. After Netwitness released a report on the Kneber botnet, a Zeus-based botnet with domain names registered to hilarykneber@yahoo.com, I focused on the connections between that botnet and a series of attacks against .mil and .gov email addresses using social engineering techniques. Have criminals determined that there is a market for sensitive data? It sure seems that way to me.

Abusing the Cloud
In “Shadows in the Cloud: An investigation into cyber espionage 2.0” my co-authors and I analyzed the command and control infrastructure of a network that used a complex and tiered command and control infrastructure that leveraged Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail in order to maintain persistent control over the compromised computers. Of course, such techniques are not new, in 2009, researchers found that Twitter, Jaiku, Tumblr, Google Groups, Google AppEngine and Facebook had all been used as the command and control structure for malware. In 2010, Sunbelt found a Twitter botnet creator and Trend Micro reports that the “Here You Have” worm used GMail accounts.

During my analysis of malware posted on the Contagio blog, I noticed that the malware used an encrypted connection to Gmail as a means of command and control. (It also used cloud storage at drivehq.com in order to have the compromised computers download additional malware components). As network defenses continue to include traffic analysis, I believe that we will continue to see a move toward using popular services, especially web mail as command and control elements. Unlike connections to well-known dynamic DNS services, connections to Gmail and other popular services do not necessarily stand out and are encrypted.

Big Money
Although there are interesting target malware attacks that appear to have political motives, money continues to be the driving force behind the bulk of malware encountered by most Internet users. Cybercrime is profitable. In 2010, the Information Warfare Monitor released a report that documented the inner workings of Koobface. Koobface is a notorious botnet that leverages social networking platforms to propagate. The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install fake antivirus software and engage in click fraud. (BlackHat SEO operators monetize their operations in a similar way., see here and here.)

However, more traditional heists based on stolen banking and credit card credentials continue thanks to malware such as Zeus and SpyEye. This year, law enforcement were able to arrest individuals that used the Zeus malware to steal $70 million dollars. Often, these operations recruit money mules and pack mules to relay stolen money and goods bought with stolen credit cards. This makes it difficult to apprehend those behind these operations.

The forum at darkcc.com is a location where buyers and sellers of stolen credit card information conduct exchanges. There are many forums like this that are part of the thriving market that sustain the “botnet ecosystem.” The servers that host these types of forums are typically involved in a variety of nefarious activities. This one hosts a variety of malicious software:

www.sokam .info /admnew2/Dr.exe (VT: 33/40 (82.50%)
infoshok .info /exe.php?606717496665bcba (VT: 20/40 (50.00%))
superhomelawn .com /per4d/load/load.exe (VT: 5/41 (12.20%))
senders2010 .com /sites/up.bin (zbot/zeus)
keroholek .net /tt/stat/index.php (zbot/zeus)
newdaypeace .org /npd2e/bb.php?… (oficla/sasfis)

The sites are hosted on 121.101.216.195 – SUNINFO-MDC which is located in China.

One “trusted” seller (meaning that the forum administrator had vouched for him/her) known as mrdump caught my attention. mrdump’s minimum order is now $1000 USD. In addition to advertising his/her services on the forum, mrdump included his/her website, mrdump.biz.

The site is hosted on 121.101.216.205 – SUNINFO-MDC in China and, as usual, these a fair amount of nasty stuff, mostly zeus/zbot (heroladaaw.biz, ddkom.biz, herakert.net) hosted on the same server. Another zeus/zbot command and control server found on the same server is: www.kalekets.net/tt/cfg/config.bin

There is also a BlackEnergy command and control server hosted on the same server: sinergy-dl.com. It was a fairly small botnet (total bot’s: 171, bot’s per hour: 213, bot’s per day:437, bot’s for all time:1816) and was issuing the following command “flood http kirbyservice.ru” — instructing the bots to DDoS kirbyservice.ru. Recently, the command has been changed to “die”.

One interesting find pertains to the rivalry between Zeus and SpyEye. The same server hosts www.coolparts31.tw which is a known zeus/zbot command and control server. Well it turns out that it is also a Spy Eye command and control server:

www.coolparts31.tw/S_main/bin/upload/build.exe (27/41 (65.85%))
www.coolparts31.tw/S_main/bin/upload/33.exe (VT: 10/41 (24.4%))
www.coolparts31.tw/S_main/bin/upload/server.exe (VT: 35/41 (85.37%))
www.coolparts31.tw/S_main/bin/upload/server12.exe (VT: 35/40 (87.5%))
www.coolparts31.tw/S_main/bin/upload/xServer.exe (VT: 8/40 (20%))

I recall someone (I am pretty sure it was Dancho Danchev — UPDATE: and it was here and here (thx @danchodanchev)) — reacting to this rivalry by saying that the criminals don’t really care, they’ll use any malware kit that works.

Or something like that.

Sometimes, we get sidetracked by the tools, but it’s the crime that pays.

One of the themes that informed the “Shadows in the Cloud” report was the (potential) relationship between crimeware networks and cyber-espionage. The boundaries between the two appear to be blurring making issues of attribution increasingly more complex. It may also indicate that there is an emerging market for sensitive information and/or politically motivated attacks as crimeware networks seek to monetize such information and capabilities.

I explored this theme in a report on a case related to Kneber botnet documented by NetWitness in which a known ZeuS-based botnet, typically used to steal banking information and other credentials, was specifically targeting .mil and .gov email addresses with spearphishing attacks and then dropping a second piece of malware, an infostealer, on the compromised systems that uploaded sensitive documents to a drop zones in Belarus and Russia. This botnet was engaged in all sorts of other malicious activity associated with cybercrime.

When it comes to DDoS attacks a similar pattern is observed. Jose Nazario of Arbor Networks wrote a very interesting paper that analyzed politically motivated DDoS attacks (and is basically the inspiration for this blog post). The numerous DDoS attacks described in this paper are very interesting, some are punitive attacks others appear to be an effort to censor political speech (something I worked on at ONI in the past with Kyrgyzstan in 2005 and Belarus in 2006). In the paper Nazario dicusses the role that well known BlackEnergy-based botnets played in the DDoS attacks on Georgian websites during the Russia-Georgia conflict in 2008. In a really amazing presentation Jose Nazario and Andre DiMino of Shadowserver document the attacks on Georgia. But what is most interesting, in this context, are the other unrelated targets that the same botnets also attacked. The RU-GE case is a great example of the blurring boundaries between crimeware networks, politically motivated attacks a censorship.

On a much smaller scale, I observed some recent attacks in which a BlackEnergy-based botnet attacked a variety of unrelated targets but eventually attacked political websites. The botnet was discovered while analyzing data captured from the computer of a Tibetan political figure. Due to the character of the network Greg Walton and I concluded that the attack was not targeted and was not related to the Tibet or to the political activities of the individual who was compromised. However, I continued to monitor the botnet.

The botnet had two command and control domain names 091809.ru and sexiland.ru both hosted on the same IP address (210.51.166.238, China Netcom). The command and control interface was not password protected and I was able to access it and determine the size of the botnet. According to the statistics in the interface, 091809.ru had 2044 active bots, an average of 2418 per hour and 8105 per day. In total the 091809.ru recorded 64346 infections. According to the statistics in the interface, sexiland.ru (210.51.166.238) had 3623 active bots, an average of 4869 per hour and 12749 per day. In total the sexiland.ru recorded 51813 infections. This is not a particularly large botnet at all, but the attackers could access at least 6000 bots at any given time.

This botnet attacked a variety of websites, however, four of them caught my attention.

1. bachuna.net

2009-12-15 05:00:01
flood http bachuna.net

The attackers began flooding bachuna.net on 2009-12-15. The attacks appear to relate to Ukrainian news stories (here, here, here and here) which broke around the same time as the attacks started involving a judge named Oleg Bachun and two competing websites bachuna.net and bachun.net. While the former was supportive of the judge the latter implicated him in illegal activities. Since I am relying on Google Translate it would be great of some Russia and Ukrainian speakers could provide a more in-depth assessment of what happened in the case as well as to the domain names involved as it appears from the reports that bachun.net was transfered to the owner of bachuna.net.

2. ingushetiyaru.org

2010-01-16 18:00:01 – 2010-01-20 06:00:02
flood http www.ingushetiyaru.org

Rights in Russia reported that “a website run by an opposition group in Ingushetia, Ingushetiyaru.org, suffered a DDoS attack after publishing comments critical of the region’s authorities.” Ingushetia is located near Chechnya and is a politically sensitive area. Ingushetiyaru.org reported the DDoS on their livejournal site and the broader implications in this article. This is not the first time there have DDoS attacks related to this region. Jeff Carr reported on another DDoS attack and implicated the RBN in the attack.

3. angusht.com

2010-01-22 12:00:01 – 2010-01-26 15:00:02
flood http angusht.com

This website, angusht.com, is also related to Ingushetia and reported DDoS attacks (here too) earlier this year. Several other related sites were also reported to be inacessible. The timing of the inaccessibility of the sites and the DDoS attacks on angusht.com and ingushetiyaru.org also correlate with reports of an explosion of a gas pipeline in Ingushetia.

4. kadyrov2012.com

2010-01-25 08:00:02 – 2010-01-27 02:00:01
flood http kadyrov2012.com

The website kadyrov2012.com was a satirical website claiming that the Russian-backed Chechen leader Ramzan Kadyrov was going to run in for president in Russia’s elections. Reuters reported the story on January 24 which correlate with the timing of the DDoS attacks.

These attacks are fairly small when compared with others and fly under the radar screen of most. They show that small scale attacks designed to censor opposing views occur with frequency against key websites and during critical time periods. It is clear that those engaged in political activities and those who vocally oppose repressive policies such as censorship may be subjected to a complex set of threats from targeted malware through to DDoS and not simply censorship in the form of Internet filtering. Finally, these attacks demonstrate that botnets involved with criminal activity are being used to conduct both political and apolitical DDoS attacks

Sites DDoS’d by this botnet:

flood http 195.216.243.39
flood http 208.64.123.225
flood http 213.155.12.120
flood http 217.107.35.35
flood http 217.17.158.55
flood http 217.20.163.4
flood http 62.149.24.2
flood http 72.20.34.140
flood http 80.93.54.57
flood http 82.146.43.3
flood http 89.108.126.2
flood http 94.198.51.216
flood http angusht.com
flood http angusht.com index.php
flood http angusht.com personal subscribe subscr_edit.php
flood http antiddos.org
flood http asterios.tm
flood http asterios.tm index.php
flood http asteriys.com index.php?f=stat&act=online&server=0
flood http attackers.ru
flood http bachuna.net
flood http bankunet.com
flood http barbars.ru
flood http blud.net
flood http carderfix.ru
flood http carder.info
flood http carder.info index.php
flood http carder.info,l2.theonline.ru
flood http carder.su
flood http carder.su showgroups.php
flood http ddef.ru
flood http do-finance.com
flood http fan-age.ru,l2.exsade.com,forum.exsade.com,final-zone.ru
flood http filebase.to
flood http forum.notebook812.ru
flood http forum.timesgame.ru,timesgame.ru
flood http internet-guard.net index.php
flood http kadyrov2012.com
flood http kadyrov2012.com
flood http kadyrov2012.com index
flood http karyatour.com.ua
flood http l2jfree.com
flood http la2.100nt.ru
flood http la2.timesgame.ru
flood http lineage.cn.km.ua
flood http ll2.su
flood http meridian-express.ru
flood http modcam.ru
flood http notebook812.ru
flood http notebook812.ru
flood http ohah.ru
flood http ohah.ru index.php
flood http planety-hackeram.ru
flood http portal27.ru
flood http pupsa.net
flood http rodi.ru
flood http rosban.su
flood http sever.ru
flood http slineage.ru
flood http smsdeal.ru index.php
flood http takwap.ru
flood http takwap.ru 111 XXX_DETKA
flood http takwap.ru 157 xxx ohah.ru
flood http teamsteam.ru
flood http vpotoke.com
flood http wapfan.org index.php
flood http wow.cln.ru
flood http www.2simtv.ru index.php
flood http www.angusht.com index.php
flood http www.art-taxi.ru
flood http www.glazey.ru
flood http www.ingushetiyaru.org
flood http www.notebook812.ru
flood http www.prado-club.su
flood http www.prado-club.su forum
flood http www.ripoffreport.com
flood http xaknet.ru
flood icmp forum.antichat.ru
flood syn www.ripoffreport.com 80

There are a number of reports on the Ru-Ge incident. While some are very well done, noticeably absent from these reports are attempts to provide and explore alternative explanations. Since attribution in these type of attacks is difficult (to put it mildly) analysis is often infused with a predisposition toward a certain conclusion and all evidence is interpreted in only one direction. (Morozov’s “10 easy steps to writing the scariest cyberwarfare article ever” is applicable to most of them.)

Since there is basically no “smoking gun” in cyberspace the credibility of one’s claims depends on how well one explores alternative explanations.

One of the Ru-Ge issues I have been thinking about concerns timing. In the US-CCU report summary the issue of timing is raised. The US-CCU concludes:

The organizers of the cyber attacks had advance notice of Russian military intentions, and they were tipped off about the timing of the Russian military operations while these operations were being carried out.

Why? Because they “had” to be.

Many of the cyber attacks were so close in time to the corresponding military operations that there had to be close cooperation between people in the Russian military and the civilian cyber attackers.

Maybe, but are there other possible explanations?

First, the timing of the war itself is unclear. The NY Times reports that Georgia believes that the Russians had crossed the Roki Tunnel by 3.41 a.m on August 7, 2008. The Russians say it was not until 2:30 p.m. on August 8, 2008 after Georgia had begun shelling Tskhinvali at 11:30 pm August 7, 2008. The NYT reports that “Western intelligence” indicates that the Russians “may have moved to secure the entire tunnel either on the night of Aug. 7 or early in the morning of Aug. 8.”

Second, the timing if the internet-based attacks is unclear. The CCD COE report cites a STRATFOR report which claims:

“Russia’s offensive against Georgia began not with tanks or fighter jets, but in cyberspace. STRATFOR knows firsthand that Georgian government and media Web sites began to crash the night of Aug. 7 — well before Russian troops emerged on the south side of the Roki Tunnel in the breakaway republic of South Ossetia the following morning.”

Shadowserver, a trustworthy and awesome group, documented DDOS attacks begining on August 8, 2008. The attacks were from known C&C’s some of which have been around for more than a year and have attacked unrelated sites. In fact, the same C&C’s attacked www.president.gov.ge on July 20, 2008.

Dancho Danchev wrote an informative post in which he stated that following the July attack there had been discussions on DDOS and defacements and the use should it be needed:

The attacks originally starting to take place several weeks before the actual “intervention” with Georgia President’s web site coming under DDoS attack from Russian hackers in July, followed by active discussions across the Russian web on whether or not DDoS attacks and web site defacements should in fact be taking place, which would inevitably come as a handy tool to be used against Russian from Western or Pro-Western journalists. The peak of DDoS attack and the actual defacements started taking place as of Friday

US-CCU says that because the attacks materialised so quickly in connection with the Russian kinetic attacks the internet-based attacks must have been prepared in advanced and that “the signal to go ahead also had to have been sent before the news media and general public were aware of what was happening militarily.” Well, we already know that there was a DDOS in July by the same C&C’s that attacked in August. Also, there had been “active discussions across the Russian web” after the July attacks on DDOS and defacement of Georgian and related targets. And from limited logs that I’ve seen there were a variety of attacks, including SQL injection, occuring over this period.

Moreover, some of the web sites that were defaced had been previously defaced. mfa.gov.ge was defaced 2008/04/17 (and three times in 2000, suggesting it has a history of insecurity) and parliament.ge was defaced on 2008/03/14. (Zone-H’s gov.ge defacement archive).

News media had been consistently reporting on the ongoing conflict in the region. For example, CNN reported on August 7, 2008 that Georgia had accused Russia of bombing Georgian territory. And the Russian incursion into Georgian was widely reported on August 8, 2008.

It is unclear if the attacks began before the Russian kinetic attack, or afterward. Part of the reason is that when the Russian kinetic attack began is unclear. This makes the correlation of the internet and kinetic attacks unwieldy.

The botnets were in place (busily attacking unrelated targets), had been used previously against www.president.gov.ge, and could be issued commands at any time. The web sites that were defaced had been previously defaced and mfa.gov.ge had a long history of insecurity. The global news coverage of the crises indicated that the crises was escalating and that a Russian bombing campaign may have started on August 7th.

In my view there is an alternative explanation that deserves to be explored: potential attackers who had been discussing potential attacks since July 20, 2008 and following the events could have been ready to respond as the crises predictably escalated without advance knowledge of the Russian attack or any explicit coordination with the Russian military.

The attackers who participate by loading these pages and going off to dinner, sleep, or on with their days open themselves up to attacks back through drive-by attacks. Imagine a simple scenario: the victims modify their sites to include some code like LuckySploit that commits a simple set of attacks. The attacker’s machine reloads the page (this is, after all, part of the attack). Hit a browser or accessory bug and bam, the attacker has been attacked. Now you’ve got a foothold on the attacker’s machine and, if you’re a sophisticated cyberwar player, you can use this to further understand your adversary. This is a dangerous strategy. If you’re going to employ this kind of attack you need to remember you may be putting your “army” at risk.

That’s interesting because it has happened before. A similar type of campaign back in 1998 by EDT was focused on the Pentagon and the site under attack retaliated:

In September 1998, the Electronic Disturbance Theater, a group of activists that practices politically driven cyber civil-disobedience, launched an attack aimed at disabling a Pentagon Web site by flooding it with requests. The Pentagon responded by redirecting the requests to a Java applet programmed to issue a counteroffensive. The applet flooded the browsers used to launch the attack with graphics and messages, causing them to crash.

(Also, the defacers are getting into it: A gov.ir site was defaced too (http://www.marivan.gov.ir/Election.htm))

I think that one of the issues that’s being overlooked is the mobilization and participation component. To just DDOS a site its easier to use/buy/rent/etc… a botnet. That involved few people, it is easy, and its is effective. To get a bunch of people to basically refresh a site (even if they are using some rudimentary automated tools) requires participation. I have doubts about whether the downtime of the targeted sites is due to this type of attack. I suspect that there are likely other attacks involved that do the heavy lifting.

“But to think that it takes a lot of people to execute an act of civil disobedience on the Internet is naiive. Programs make a difference, not people.” — Oxblood Ruffin, cDc

Anyway, I’m finding that these sites are unavailable:

16/06/09 12:18 http://ahmadinejad.ir/ 217.218.155.110 503
16/06/09 12:18 http://www.justice.ir/ 62.193.12.10 503
16/06/09 12:18 http://www.iranjudiciary.org/ 62.18.21.156 (51, ‘Network is unreachable’)
16/06/09 12:18 http://rajanews.com/ 10.7.222.162 (51, ‘Network is unreachable’)
16/06/09 12:18 http://www.farsnews.com/ 77.104.73.15 (61, ‘Connection refused’)
16/06/09 12:18 http://www.leader.ir/ 62.220.121.130 (61, ‘Connection refused’)
16/06/09 12:18 http://www.president.ir/ 80.191.69.11 timed out
16/06/09 12:18 http://www1.farsnews.com 77.104.73.16 timed out
16/06/09 12:18 http://www.irna.ir/ 81.12.51.146 timed out
16/06/09 12:18 http://www.police.ir/ 81.28.32.52 timed out
16/06/09 12:18 http://www.mfa.gov.ir/ 217.172.99.41 timed out

The defacers seem to be out too:

http://zone-h.org/mirror/id/9003285