Monday, May 7, 2012

Denial Of Service Attacks

As a Penetration Specialist I possess many, many tools to defend and offend computer network intrusions, with a lot of different Operating Systems. I have to know several different programming languages. Here is just a small list of DoS attack tools used to invade systems. ...Butch

There are a variety of popular Denial of Service attack tools that have received a fair amount of attention from the security research community, but many other attack tools have been developed in the last few years. This survey reviews some of the popular and less popular tools. The original review was organized around screenshots of each tool's interface; those screenshots are not reproduced on this page, so the references to them below describe what the images showed.

We will cover both simple and complex, contemporary and historical threats, showing a sample that ranges from single-user flooding tools, small host booters, shell booters and Remote Access Trojans (RATs) with flooding capabilities, through simple and complex DDoS bots, to commercial DDoS services. Many types of threats can be blended into a given tool to make it more attractive and financially lucrative.

At the other end of the spectrum, the commercial DDoS services are running full-steam, with a variety of service offerings easily available. While there are numerous motives for DDoS, such as revenge, extortion, competitive advantage and protest, many of the commercial DDoS services emphasize competitive advantage, with wording devoted to taking down a competitor. More troubling is the recently reported use of DDoS as a distraction: after money has been stolen through a banking Trojan, the victim's network is flooded so that the theft is noticed later and the thieves keep access to the loot for longer. Within this diverse landscape, we are aware of many ongoing attacks from large, widely distributed DDoS botnets.

________________________________________________________________________________________________

Fg Power DDOSER
This tool is primarily a "hostbooter" and is aimed at giving unscrupulous gamers an advantage by flooding opponents with traffic. Its HTTP flooding capabilities may also be effective at bringing down unprotected websites. A Firefox password stealer is included as well, which is dangerous because people re-use passwords across sites all the time.

DDoSeR v3
This tool is advertised as a booter and delivers a TCP or UDP stream of characters of the attacker’s choice towards a victim IP/host and port. This simple bot is written in Visual Basic.


Silent-DDoSer
This Visual Basic tool offers attack types “UDP”, “SYN” and “HTTP”. All appear to send a basic user-specified flood string. Silent-DDoSer utilizes triple-DES and RC4 encryption, IPv6 capabilities, and password stealing functions.

Drop-Dead DDoS
This tool is one example of a RuneScape booter. While I am not a gamer, the opportunity to make real-world money through the virtual economies of gaming worlds may have helped make such tools popular.

D.NET DDoSeR
This tool is again aimed at the RuneScape audience, but also features SYN and HTTP flooding. The flood payloads in this case are just randomly generated garbage characters. This particular screenshot showed only one connected bot.

Positve’s xDDoSeR
Like anything that floods port 3074 (the port used by Xbox Live), this is an Xbox booter application, designed to knock opposing players offline for an unfair advantage. This particular screenshot showed no connected bots.

Sniff DDoSer
This one was announced on a forum and appears to be written in .NET. The default operation appears targeted towards Xbox flooding. We can also see some of the typical anti-detection mechanisms at play in the builder screen.

Darth DDoSeR v2
Another tool aimed at Xbox booting, at least in this screenshot. The flood in this case looks like an "SSYN" type, which is slightly different from many other host booters, which appear to use UDP by default.

Net-Weave
Net-Weave is one of the many bots that appeared in our malware collection in mid-2011. It is a booter/bot and backdoor written in .NET and features the typical array of malware functionality including download and execute, USB spreading capabilities, TCP connection exhaustion flood, UDP flood, and a crude port 80 flood instantiated with a .NET Socket call.


Malevolent DDoSeR
The source code for a version of this leaked some time back. The server is written in C++ and the client is written in Visual Basic. It appears to offer only download and execute and UDP flooding attacks. We show a server screenshot, and a developer’s viewpoint screenshot, obtained from various forums.

HypoCrite
HypoCrite is a Visual Basic host booter apparently on version 4 and offers the ability to steal MSN passwords in addition to providing basic flooding capabilities.

Host Booter v5.7
This booter features several flooding attacks, including the popular Slowloris attack style. The features are listed as:
  • UDP (UDP flood)
  • Port (blocks connections on that port)
  • HTTP (for websites)
  • Slowloris (for websites)
  • Bandwidth Drain (put a direct link for a .exe or any other file)
  • Send Command To All / Send Stop To All (execute or end your command)
  • Ports: 25 / 80 / 445 / 3074 / 27015 (ports you can choose from; you can use your own)
  • Sockets: [1-250] (how many sockets you will use)
  • Seconds: [1-60] (how many seconds you wish your attack to be enabled for)
  • Minutes: [1-59] (how many minutes you wish your attack to be enabled for)
  • Size (KB): packet size for UDP
  • Delay (MS): time between sending packets
  • Connect (MS): reconnect sockets
  • Timeout (MS): connection timeout

AlbaDDoS
It appears that the author of this DDoS tool is also involved in defacing websites.


Manta d0s v1.0
The author of this tool, Puridee, has also written multiple other tools including the “Good-Bye” DoS tool.

Good Bye v3.0
The Good-Bye tools appear to be simple HTTP flooding tools that have no DDoS or botnet capability.

Good Bye v5.0

Black Peace Group DDoser
Little additional information was found about this particular tool.

Shell Booters
Now we'll look at a couple of "shell booters", which use hijacked web applications to perform flooding attacks. These have been well documented in the past: a shell booter typically leverages a number of compromised web applications on which an attacker has installed a PHP webshell, and each webshell is then commanded to send traffic at the victim. When those webshells sit on high-bandwidth networks, the force of the attack is amplified significantly. Private webshells are worth more, and lists of webshells can be purchased. Some generic webshells are x32, greenshell, PsYChOTiiC, shell, mouss, Supershell, venom, atomic, and many others. Other shells are created specifically for DDoS, such as ddos.php. A webshell can of course be named anything, but these names are common.

PHPDoS


TWBOOTER
This screenshot shows 235 shells online. An update from about a year ago says “Releasing twBooter Web Version today! Might have slowloris and http tonight, but I’ll be releasing without.” Incidentally, someone using the nick “twbooter” was seen selling flooding services via chat.

Gray Pigeon RAT
This is a screenshot from the Gray Pigeon Remote Access Trojan (RAT). In this screenshot, the attacker appears to have three bots online but has filtered the list to show only bots from Beijing, China. Gray Pigeon is well known for its RAT capabilities but it also has DDoS features as well. There are many DDoS bots using Chinese language sets and operating from within the Chinese IP address space. Some of these have been profiled by Jeff Edwards of Arbor Networks ASERT in the past. A great deal of code sharing takes place among the Chinese DDoS bot families that we have analyzed.


DarkComet RAT aka Fynloski
DarkComet is freeware and easily available to anyone. While it features a variety of flooding types, these are an afterthought compared to its main Remote Access Trojan functions which are significant. The binaries for this threat are often called Fynloski.

MP-DDoser v 1.3
MP-DDoser is a relatively new threat, coming to our attention in December 2011. It supports UDP, TCP connection flood, and HTTP attacks. Marketing materials and the GUI for this bot claim that it supports a slowloris style attack. Despite these claims, ASERT analysis indicates that the slowloris attack does not function.

DarkShell
Darkshell is popular among the Chinese DDoS bot families and features a variety of attack types. Included are three distinct HTTP attacks, two types of TCP flooding attacks, two UDP floods, ICMP flood, SYN flood, TCP connection exhaustion and TCP idle attack types. For extensive details on the Darkshell bot, please see the excellent analysis by ASERT’s Jeff Edwards at http://ddos.arbornetworks.com/2011/01/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/

Warbot
This is the warbot web based control panel. Commands are ddos.http (seen here), ddos.tcp and ddos.udp.

Janidos
Without a license key, Janidos runs as a "weak edition". This version offers the ability to rotate through a variety of User-Agent values during an HTTP DDoS attack, which defeats naive filtering on a single User-Agent string. Janidos appears to be of Turkish origin.
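As an added example (not code from the original survey or from any of the tools it describes), here is a small Python detector for the two HTTP-layer behaviours discussed above: the plain request floods that host booters such as Host Booter v5.7 advertise, and the User-Agent rotation that Janidos offers. It reads Apache/nginx "combined" format access log lines, counts requests per client IP in a sliding time window, and counts distinct User-Agent strings per IP. The log lines, the IP addresses (RFC 5737 documentation ranges) and the thresholds are constructed for illustration.

```python
"""Flag HTTP-flood sources and User-Agent rotation in web access logs.

Added example, not code from the original post or from any tool it lists.
Input is the Apache/nginx "combined" log format. The thresholds and the
sample log lines are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# One "combined" format line: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 07/May/2012:12:00:00 +0000


def parse_line(line):
    """Return (ip, timestamp, request, user_agent), or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return m.group("ip"), ts, m.group("req"), m.group("ua")


def detect_floods(lines, window_s=10, max_req=20, max_agents=3):
    """Return {ip: set_of_reasons} for clients that look like flood sources.

    "rate":        more than max_req requests from one IP within window_s seconds
    "ua-rotation": more than max_agents distinct User-Agent strings from one IP
    Lines must be in chronological order, as a server writes them.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    agents = defaultdict(set)     # ip -> distinct User-Agent strings seen
    flagged = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip malformed lines rather than crash
        ip, ts, _req, ua = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()        # expire timestamps older than the window
        agents[ip].add(ua)
        if len(window) > max_req:
            flagged[ip].add("rate")
        if len(agents[ip]) > max_agents:
            flagged[ip].add("ua-rotation")
    return dict(flagged)


def _log_line(ip, ts, ua, path="/"):
    """Build one constructed combined-format line (sample data, not real traffic)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def sample_log():
    """Constructed access log: one normal client, one flooder, one User-Agent rotator."""
    t0 = datetime(2012, 5, 7, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    # Normal browsing: three requests spread over a minute, one browser string.
    for i in range(3):
        events.append((t0 + timedelta(seconds=20 * i), "198.51.100.4", "Mozilla/5.0 (X11; Linux)"))
    # HTTP flood: 30 requests inside six seconds, fixed User-Agent.
    for i in range(30):
        events.append((t0 + timedelta(milliseconds=200 * i), "203.0.113.7", "Mozilla/4.0 (compatible; MSIE 6.0)"))
    # User-Agent rotation (Janidos style): six slow requests, each with a different agent string.
    for i in range(6):
        events.append((t0 + timedelta(seconds=5 * i), "203.0.113.9", f"Agent/{i}.0"))
    events.sort()                   # servers write lines in time order
    return [_log_line(ip, ts, ua) for ts, ip, ua in events]


if __name__ == "__main__":
    for ip, reasons in sorted(detect_floods(sample_log()).items()):
        print(ip, ", ".join(sorted(reasons)))
```

Run it directly to print the flagged sources. The thresholds are deliberately low for the sample; tune them against a site's normal traffic before alerting on them. Note the limit of this approach: a Slowloris-style attack, which the Host Booter feature list also advertises, holds connections open with requests that never complete, so those requests never reach the access log at all. Catching them needs connection-level limits such as Apache's mod_reqtimeout or a reverse proxy that enforces header timeouts, not a log check like this one.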

Aldi Bot
This is an inexpensive bot that showed up late in 2011. It was interesting to see InfinityBot downloaded and executed from one Aldi Bot node that I was analyzing. Some forums suggest that Aldi Bot is not very good quality. For more information about Aldi Bot, please see an analysis and writeup at http://ddos.arbornetworks.com/2011/10/ddos-aldi-bot/


Infinity Bot
Infinity Bot was seen being downloaded in the wild by an Aldi Bot instance in September 2011. A demonstration video posted October 4 2011 on YouTube shows Infinity-Bot being used to DDoS the Pentagon website and shows approximately 15,000 bots on the botnet with the highest concentration of bots being in Germany, Netherlands, Austria and Switzerland.

N0PE
The n0pe bot is written in .NET. Here is a screenshot of the control panel that demonstrates its attack types. N0pe appears to be Russian in origin.


Darkness (prior to Darkness X)
This is a banner used to advertise the Russian Darkness bot. Darkness connects to a back-end called Optima. Darkness appears to be popular and used in commercial DDoS services.


Darkness X
Darkness X is the 10th version (10a being the latest) of the Darkness bot. The following advertising graphic was used in various forums. Prices have been seen ranging from $499 to $999, depending upon which features are requested. Darkness X includes a newly developed plugin architecture.


Optima – DarknessX control panel
The Optima control panel for DarknessX (aka “Destination Darkness Outcast System & Optima control panel”) has been explored in other forums and looks something like this, as of October 2011.

Dedal
Dedal has been mentioned in Russian underground forums describing commercial DDoS services. Dedal has been seen to utilize three types of attack: TCP, UDP and HTTP GET. The HTTP GET attack looks very similar to that of another bot, implying code sharing or outright copying.

Russkill
Russkill is another Russian bot that has undergone some evolution and is commonly mentioned in commercial botnet service advertisements. Russkill appears to have evolved into Dirt Jumper.


DirtJumper
Dirt Jumper continues its popularity in the underground DDoS service economy. Dirt Jumper attacks have been widespread. See http://ddos.arbornetworks.com/2011/08/dirt-jumper-caught/ for a full write-up of this version of Dirt Jumper, and also see the excellent blog entry by DeepEnd Research for a writeup of Dirt Jumper version 3, aka “September” at http://www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html

Dirt Jumper v3, aka “September”
Thanks to DeepEnd research for this screenshot

G-Bot aka Piranha
G-Bot has been mentioned many times in various forums in 2011 and seems to be a popular Russian bot. There are indicators that it is used in the commercial DDoS market. Version 2.0 appears to be the newest. Around July of 2011, G-Bot source code and customer lists were apparently sold by "westside" to "night". Its current development status is unknown. Various versions of the web panel and other artifacts are displayed here. G-Bot is also known as DroopTroop.

G-Bot bot list screenshot
First an older version, then a newer.
The second screenshot appears to be from somewhere around January of 2011 and shows the (obscured) IP addresses of infected hosts, country, and version of G-Bot installed on the host, mostly version 1.4.

Armageddon
The Russian Armageddon bot increased in popularity in mid to late 2011. It has been positioned as a competitor to Dirt Jumper, G-Bot, Darkness/Optima and Dedal. Recent versions of Armageddon allow greater control of attack traffic from within the web-panel command and control, and also claim an "Anti-DDoS" attack style that is said to bypass various anti-DDoS defenses. Additionally, DoS attacks against specific Apache vulnerabilities have been discussed. Armageddon has been observed performing many attacks, including politically motivated attacks in Russia, attacks on online betting sites, attacks on forums advertising competing DDoS bot products, and more. While Armageddon is heavily involved in HTTP attacks, it has also been seen targeting other services such as Remote Desktop, FTP and SSH.

Commercial DDoS Services
The following commercial services appeared in the original visual review, each represented only by a banner or control-panel screenshot that is not reproduced on this page: Unique DDoS Service, WildDDOS, Death ddos service, DDoS-SeRVIS, Beer DDoS, 500 Internal DDoS Service, OXIA DDoS Service, 504 Gateway DDoS Tools, NoName, Wotter DDoS Service, and IceDDoS.

Sunday, May 6, 2012

How To Surf The Internet Safely



Many, many times I am asked, "How do I surf the Internet safely?" There never has been, nor will there be, a completely safe way to use the Net. As long as you can reach millions of people and their links, they will be able to reach you. There is no such thing as complete Internet Security; it is an illusion. The best you can do is be vigilant on your updates and patches for your preventive maintenance software. Here are the steps, again, that I and many of my "security penetration associates" use. And always keep in mind "for every lock there is a key"...Butch.
________________________________________________________________________

Never, Never, Never...



1. NEVER click on a link that is contained in an e-mail, instant message, or post to a Usenet or other group.
2. NEVER open or install a program directly from the Internet. First, download it to your hard disk, scan it with your anti-virus software, and only then, if it is clean, install it.
3. NEVER open or install a program directly from a CD-ROM or DVD. First, scan it with your anti-virus software, and only then, if it is clean, install it.
4. NEVER enter any personal details in forms on unknown sites.
5. NEVER type your User ID or password unless the browser shows the padlock icon (in the address bar in current browsers) and the Web address starts with https://
6. NEVER click on a pop-up, no matter what it says! Don't click on it even if you want to close it.
7. NEVER open attachments that you receive by e-mail. If in doubt, save the attachment to the hard disk, scan it with your anti-virus software, and only then, if it is clean, open it. Try to read all your e-mail messages in text format, rather than HTML.
8. NEVER visit unfamiliar Websites. First, go to Google (www.google.com) and check whether the site is legitimate and does not carry malware. Only if it is clean, visit it for the first time using the Opera browser.
9. CHANGE your passwords frequently; use complex passwords (example: 7Yby89IfD; since this example is now published, do not use it yourself); never give your passwords to anyone.
10. UPDATE your Operating System, Antivirus, Firewall, Antispyware, and computer manufacturer's utilities DAILY.
11. SCAN your computer for malware every time you use the computer, after you have used it.
12. ANYTHING SUSPICIOUS? Stop everything you are doing, disconnect from the Internet, and scan the computer for malware. Examples of suspicious behavior: persistent pop-ups; the computer or connection slow down considerably; repeated re-boots; mouse or keyboard freeze; strange messages and alerts.
13. Remember NOTHING you get off the Net is "free". NOTHING!
14. DO NOT use Internet Explorer.
15. DO NOT use the same Web Browser all the time (Google Chrome, Opera, Firefox, etc.). Try not to become predictable. Change up.

Mac Botnet Generated $10,000 A Day

Flashback was robbing Google of advertising dollars by redirecting clicks from infected Mac OS X machines and stealing the ad revenue.

Security researchers at Symantec are estimating that the cyber-criminals behind the Flashback Mac OS X botnet may have raked in about $10,000 a day.

In a new blog post that discusses the business model of the botnet, Symantec describes how the malware hijacked ad clicks on infected machines and redirected the resulting revenue to the botnet's operators rather than to Google and its advertising partners.

At its height, Flashback contained more than 700,000 Mac machines and Symantec calculates that a botnet of that size could easily generate about $10,000 a day in click-fraud.


I guess you MAC users feel pretty violated. Don't worry about it, us PC users have been having sex without kisses for years. Welcome to the club!!!                                ...Butch


P. S. Tell me Cyber Crime doesn't pay, when was the last time you made $10,000 a day?

Mystery Group Hacks US military, Harvard, NASA, More

The Unknowns says it has hacked ESA, NASA, US military, US Air Force, Thai Royal Navy, Harvard, Renault, French ministry of Defense, Bahrain Ministry of Defense, and Jordanian Yellow Pages.

A hacker group calling itself "The Unknowns" claims to have hacked 10 organizations around the world, gaining administrator access to all of them and leaking data from some. Most are government, military or space-agency bodies, while the rest just seem like random targets.

The Unknowns yesterday set up the Twitter account “1_The_Unknown_1” and released their results on Pastebin. Apparently, the group’s slogan is “We are The Unknowns; Our Knowledge Talks and Wisdom Listens…”

The Unknowns listed 10 victim websites for which it publicly posted administrator accounts and passwords: 

NASA - Glenn Research Center
U.S. military
U.S. Air Force
European Space Agency
Thai Royal Navy
Harvard University
Renault
French ministry of Defense
Bahrain Ministry of Defense
Jordanian Yellow Pages

Good news though.

NASA and the European Space Agency (ESA) have confirmed they were recently hacked. The Unknowns says most of the 10 organizations it attacked have since patched their systems.

Isn't this like shutting the barn door after the (Trojan)horse ran away.                   ...Butch

3 Million Hacked Bank Accounts

An Iranian security researcher recently hacked 3 million accounts across at least 22 banks in the country. Now, Google has taken down the blog on which he posted the account details of his victims.
Khosrow Zarefarid, an Iranian security researcher who hacked 3 million bank accounts, has had his blog taken down by Google. Zarefarid did not steal money from the accounts; he merely dumped the account details of around 3 million individuals, including card numbers and PINs, at ircard.blogspot.ca. I found the link via his Facebook account, along with the question "Is your bank card between these 3000000 cards?" The blog, however, is no longer operational.

Hold on it gets even better!

Zarefarid is still, however, allowed to blog on Blogger; it appears Google is comfortable with him doing so as long as he doesn't post stolen data. In fact, Zarefarid has at least two other blogs: irbanks.blogspot.ca (called Banking Problems in Iran, written in Persian) and zarefarid.blogspot.ca (his personal one).

Saturday, May 5, 2012

Gartner Study On Internet Identity Theft

According to a Gartner study on Internet identity theft, based on a survey of 5,000 U.S. adult Internet users, it has been estimated that:


  • 1.78 million adults could have fallen victim to the scams
  • 57 million adults have experienced a phishing attack
  • The cost of phishing… 1.2 billion dollars!

It is clear that figures like these are a great attraction for criminal organizations, which are devoting substantial resources and investment to this area. A growing part of organized crime is specializing in this kind of activity, which offers high profits and low risk compared to traditional criminal activities. In the US, the Federal Trade Commission monitors identity theft, and the main national agencies run several programs to make the public aware of the risks of exposure to this crime.

________________________________________________________________________

Data we give up over the internet...

Digital Identity

Particularly alarming is the growth of such crimes online. What information makes up our digital identity?

On the Internet, our identity is composed of:
  1. IP (Internet Protocol) address
  2. address where we live
  3. usernames
  4. passwords
  5. personal identification numbers (PINs)
  6. social security numbers
  7. birth dates
  8. account numbers
  9. our names
  10. our families names
  11. our interests and hobbies
  12. our personalities (likes and dislikes)
  13. social profiles
  14. religious beliefs
  15. where we lived as children 
  16. pictures of everyone we know and ourselves
  17. where we go on vacation and when our house will be empty
  18. what we own (personal property)
  19. personal beliefs
  20. whether we possess or believe in firearms rights
  21. other personal information
...it is this author's belief that, at the present rate of information seepage, organizations like the Census Bureau will soon no longer be needed, because some of us will voluntarily give up our personal lives to social media.                                                            Butch Morton

Friday, May 4, 2012

Seven Facebook Crimes


There’s no doubt that Facebook has completely revolutionized the way people interact. But there’s a dark side to the world’s love affair with social media. Criminals are finding new ways to utilize Facebook to commit new and disturbing crimes that authorities don’t necessarily know how to police. That’s why if you want to continue to enjoy social media, you should be aware of the common crimes committed on Facebook so that you can avoid becoming a victim. Here are the seven most common Facebook crimes.


Scams
Criminals have been utilizing the scam for centuries. In the Facebook world, scams are particularly effective at drawing people in by simply enticing an individual to click on a link that would interest almost anyone, such as an innocent-looking notification that you’ve won a free prize like a gift card. Then, in order to claim the prize, scammers require you to submit some information, such as a credit card number or Social Security number. This description may make it seem like scams are easy to spot, but even the most savvy social media user has to be on the lookout for illegitimate requests for information.


Cyberbullying
Cyberbullying is a common occurrence among teenagers on Facebook and one that can result in serious criminal charges if it goes far enough. Cyberbullying on Facebook has contributed to the deaths of several teens who either committed suicide or were killed by a peer. Cyberbullying that involves hacking or password and identity theft may be punishable under state and federal law. When adults engage in this kind of online behavior it is called cyber-harassment or cyberstalking.


Stalking
The term “stalking” is thrown around a lot on Facebook, and it is often meant as a joke for regularly looking at someone’s profile. However, the actual act of cyberstalking is a common crime on the social networking site and can result in a serious offense. Cyberstalking typically involves harassing a person with messages, written threats, and other persistent online behavior that endangers a person’s safety. Although cyberstalking may seem like nothing more than annoying behavior, it is a legitimate cause for concern in many cases and can even lead to in-person stalking or endangerment if not treated seriously.


Robbery
It doesn’t take much for a thief to find out where you live, go to school, work, or hang out if you make that information readily available on Facebook. If you use Facebook’s check-in or Google Maps feature, then you could be in a heap of trouble if a robber is paying attention. This person isn’t always a complete stranger either; they may be an old acquaintance or someone else you’d never expect to come rob you.


Identity theft (# 1 crime in America)
With the large amount of personal information swarming around Facebook these days, it has become fairly easy for criminals to steal users’ identities. Hackers often break into users’ e-mails and make fake Facebook accounts. From there they can access personal and bank information and cause havoc to your sense of security. Protect yourself from identity theft on Facebook by keeping your profile very secure and free of personal information that a criminal would love to have.


Defamation
An individual commits defamation (a civil wrong in most U.S. jurisdictions, and a criminal offense in some) when they communicate a false statement of fact to a third party that paints another individual or entity in a negative light. Facebook makes communicating defamatory statements frighteningly easy, and the exposure Facebook provides makes it more likely that businesses or individuals will be harmed by the defamatory statement, and thus more likely to pursue legal remedies. Be careful what you say on Facebook; you may be breaking the law without even knowing it.


Harassment
Harassment happens all the time on Facebook. From sexual harassment to assault threats, there has been a significant increase in the number of harassment cases happening on Facebook. It’s not uncommon for sex offenders and sexual predators to prey on unsuspecting victims on Facebook and even pose as a teen or college student. Harassing messages, inappropriate comments, and other persistent behaviors should be reported to Facebook and your local police station.


SIRv12: The Obstinacy Of Conficker

Conficker is one of the most significant threat families facing organizations worldwide today; its initial impact along with its continued obstinacy shows that clearly. In the fourth quarter of 2011,  three years after its initial release, it attempted to infect just over 1.7 million computers. 


Conficker’s persistence is illustrated not only by the number of computers it has attempted to infect, but also by the nearly 59 million attacks launched against those computers in the fourth quarter of 2011. But perhaps the most interesting manifestation of its obstinacy is that it has been the number one threat facing businesses for the past two and a half years.



The China States of America – Unethical Marketing Tactics?


I recently had the fortune of investigating a case where an unsuspecting Internet user received an email that looked suspicious. I see a lot of spam that comes through like that and suspect it is something that goes wrong during the language translation, which often results in text that just doesn't make any sense.


Anyway, my gut feeling is that this is a site setup by Chinese Scammers with fake online electronics for sale. Another scenario would be an unethical marketing company hired to drive traffic to this Chinese electronics site and they are using illegal tactics by exploiting user email accounts.


Give them your credit card and you lose!

Wednesday, May 2, 2012

Iran Admits Expanded Cyberattacks

The Iranian government acknowledged today that authorities have found evidence of recent cyber-attacks against several agencies, according to reports by state-sponsored media outlets.

A week ago, the country's oil ministry confirmed that it and other facilities in the energy industry had been targeted by malware attacks. Today, the Mehr News Agency said that Esmaeil Ahmadi-Moqaddam, Iran's national police chief, had claimed that his office has "found clues about recent cyberattacks on a number of Iranian ministries and companies." Mehr is a semi-official arm of the Iranian government. The report did not spell out what "clues" police had found, or which ministries and companies had been attacked. 

 "In cooperation with the Information and Communications Technology Ministry, the Intelligence Ministry, and the ministries which have been targeted by cyber attacks, we are investigating and pursuing the matter...and we have found clues in this relation," Mehr quoted Ahmadi-Moqaddam as saying.