DDoS Activity in the Context of Hong Kong’s Pro-democracy Movement

By: Kirk Soluk -

In early August, we examined data demonstrating a striking correlation between real-world and online conflict [1], which ASERT tracks on a continual basis [2-7]. Recent political unrest provides another situation in which strong correlative indicators emerge when conducting time-series analysis of DDoS attack data.

The latest round of pro-democracy protests in Hong Kong began on September 22nd when “. . . Students from 25 schools and universities go ahead with a week-long boycott to protest Beijing’s decision to proceed with indirect elections for Hong Kong’s Chief Executive position.” [8]. The protests ramped up on September 28th when a larger pro-democracy group, Occupy Central with Love and Peace, combined forces with the student demonstrators [8-9]. On October 1st, protesters vowed to increase the level of civil disobedience if Hong Kong’s Chief Executive, Leung Chun-Ying, did not step down [10]. Since that time, tensions have increased, with police crackdowns, tear gas, barricades, skirmishes, shutdowns of government buildings and infrastructure, and heavy use of social media to promote both pro- and anti-protest sentiment. By examining Arbor ATLAS Internet-wide attack visibility data, we have identified DDoS attack activity in the APAC region which correlates strongly with the ebb and flow of protest activity in Hong Kong.

Arbor’s ATLAS Initiative

The DDoS information provided in the remainder of this report is derived from Arbor’s ATLAS Initiative. Arbor ATLAS receives anonymized Internet traffic and DDoS event data from over 290 ISPs worldwide which have deployed Arbor’s DDoS Mitigation solutions.  While many observed events are symptomatic of attacks during this period, it is important to note that we cannot definitively identify the motivations behind any given event.

Hong Kong as a Target of DDoS Attacks (September-October)

Number of Observed DDoS Attacks

The following graph illustrates that the number of observed DDoS attacks targeting Hong Kong-related online properties more than doubled between September and October, from 1,688 discrete attacks in September to 3,565 attacks in October:

Figure 1: Total Number of Attacks Targeting Hong Kong (September and October, 2014)


Although the sheer number of DDoS attacks increased significantly from September to October, there was not a significant difference with respect to other attack attributes such as size or duration.  For example, the following charts break out the percentage of DDoS attacks within a given size range for both September and October, along with the raw number of DDoS attacks in that size range:

Figure 2: Percentage of Attacks within a given Size Range


Overall, the percentage of DDoS attacks within a given size range remained fairly consistent from September to October, with the biggest difference being a relative 4% decrease in the number of DDoS attacks within the 2gb/sec-to-5gb/sec range.

In summary, the analysis of the number and size of Hong Kong-related DDoS attacks depicted in Figures 1 and 2 above can be summed up by stating that “October saw more of the same – a lot more!”

Size of Attacks and Related News Events

Figure 3 illustrates the largest DDoS attacks per day, in terms of bandwidth, targeting Hong Kong-related online properties during the month of October:

Figure 3: Peak Attack Sizes per Day (Gbps)


Three large DDoS attacks on October 14th (45.4gb/sec), 17th (38.3gb/sec), and 19th (45.6gb/sec) stand out. The total number of observed DDoS attacks targeting Hong Kong-related online properties (289, 419, and 427 respectively) also peaked on these days. Since the vast majority of DDoS events reported via ATLAS are anonymized, it cannot be definitively determined how these specific DDoS attacks were related to the ongoing protests. However, it appears that these attacks coincide with reports on Twitter and by the Wall Street Journal of anti-protest crowds attempting to physically prevent pro-democracy newspaper publisher Apple Daily from distributing its newspapers. Specifically, the Journal noted that Apple Daily “simultaneously faced a cyberattack that brought down its email system for hours” [11]. On October 14th, Computerworld Hong Kong quoted an employee from Next Media (Apple Daily’s parent company), as follows: “The network was a total failure, affecting not just Apple Daily, but all the publications under Next Media” [12].
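The time-series analysis described above (attack counts per month, peak size per day, and the days on which both spike) can be reproduced on a per-event attack feed. The following is an added example written for this page, not ASERT code and not ATLAS data: the attack records are constructed, with the three October peak sizes chosen to mirror the figures quoted in the text, and the record format (date, peak Gbps) is an assumption.

```python
from collections import defaultdict
from datetime import date

# Constructed sample attack records, NOT ATLAS data: (date of attack, peak size in Gbps).
# The three October dates and their peak sizes mirror the figures quoted in the text;
# everything else is filler so the functions below have something to work on.
SAMPLE_ATTACKS = [
    (date(2014, 9, 3), 2.1),
    (date(2014, 9, 3), 0.4),
    (date(2014, 9, 20), 7.8),
    (date(2014, 10, 14), 45.4),
    (date(2014, 10, 14), 3.0),
    (date(2014, 10, 14), 1.2),
    (date(2014, 10, 17), 38.3),
    (date(2014, 10, 17), 0.9),
    (date(2014, 10, 19), 45.6),
    (date(2014, 10, 19), 2.2),
    (date(2014, 10, 19), 0.7),
    (date(2014, 10, 25), 4.4),
]


def daily_stats(attacks):
    """Map each day to (number of attacks, largest attack in Gbps), the two
    series Figures 1 and 3 plot."""
    counts = defaultdict(int)
    peaks = defaultdict(float)
    for day, gbps in attacks:
        counts[day] += 1
        peaks[day] = max(peaks[day], gbps)
    return {day: (counts[day], peaks[day]) for day in counts}


def monthly_counts(attacks):
    """Map (year, month) to the number of discrete attacks observed in that month."""
    counts = defaultdict(int)
    for day, _ in attacks:
        counts[(day.year, day.month)] += 1
    return dict(counts)


def percent_change(before, after):
    """Relative change from `before` to `after`, rounded to a whole percent.
    percent_change(1688, 3565) reproduces the 111% quoted in the conclusion."""
    if before == 0:
        raise ValueError("no baseline month to compare against")
    return round((after - before) / before * 100)


def standout_days(attacks, min_peak_gbps, min_count):
    """Days on which the peak size AND the attack count both cross a threshold,
    the pattern the text calls out for 14, 17 and 19 October."""
    return sorted(
        day
        for day, (count, peak) in daily_stats(attacks).items()
        if peak >= min_peak_gbps and count >= min_count
    )


if __name__ == "__main__":
    by_month = monthly_counts(SAMPLE_ATTACKS)
    sept, octo = by_month[(2014, 9)], by_month[(2014, 10)]
    print(f"September: {sept} attacks, October: {octo} attacks, "
          f"change: {percent_change(sept, octo)}%")
    for day in standout_days(SAMPLE_ATTACKS, min_peak_gbps=30.0, min_count=2):
        count, peak = daily_stats(SAMPLE_ATTACKS)[day]
        print(f"{day}: {count} attacks, peak {peak} Gbps")
```

The thresholds passed to standout_days are the analyst's choice; the point of keeping count and peak size as separate series is that a single very large attack and a burst of many small ones are different signals, and the days the text highlights are the ones where both move together.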

What’s Next?

Based on in-region DDoS attack statistics for the first week of November, continued DDoS attacks on Hong Kong-related Internet properties appear to be taking place. The following graph illustrates peak DDoS attack sizes in the 30gb/sec-plus range on four consecutive days (November 3rd – 6th):

Figure 4: Peak Attack Sizes per Day (Gbps) in the first week of November



While establishing definitive causal relationships and attribution is challenging, it is apparent that DDoS attacks have become the ‘new normal’ during periods of political unrest worldwide. In this case, we observed a 111% increase in the number of DDoS attacks targeting Hong Kong-related Internet properties when analyzing the months immediately before and after protester demands, on October 1st, for Hong Kong’s Chief Executive to step down. Additionally, large-scale DDoS attacks were observed targeting Hong Kong-related Internet properties that coincide with reports of debilitating disruptions of online media outlets sympathetic to the protest movement.


[1] http://www.arbornetworks.com/asert/2014/08/ddos-and-geopolitics-attack-analysis-in-the-context-of-the-israeli-hamas-conflict/

[2] http://www.arbornetworks.com/asert/2007/12/political-ddos-ukraine-kasparov/

[3] http://www.arbornetworks.com/asert/2013/05/estonia-six-years-later/

[4] ASERT Threat Intelligence Brief 2013-5: Observed Syrian Cyber Adversary Capabilities and Indicators. Available to Arbor customers upon request.

[5] ASERT Threat Intelligence Brief 2013-7: The Impact of Protest Activity on Internet Service in Thailand. Available to Arbor customers upon request.

[6] ASERT Threat Intelligence Brief 2013-4: Potential Targeted Attacks Against Various International Interests. TLP Amber. Available to Arbor customers upon request.

[7] ASERT Threat Intelligence Brief 2014-04: Counter Terrorism Expo and Bulgarian State Agency for National Security Cyber-Threat Alert. TLP Amber. Available to Arbor customers upon request.

[8] http://www.theepochtimes.com/n3/1015132-hong-kong-occupy-central-time-line-of-key-umbrella-movement-events/

[9] http://www.scmp.com/topics/occupy-central

[10] http://www.reuters.com/article/2014/10/01/hongkong-china-idUSL6N0RV5F920141001

[11] http://online.wsj.com/articles/hong-kongs-press-under-siege-1413330960

[12] http://cw.com.hk/news/next-media-under-cyberattack-and-operations-disruption

NTP attacks continue – a quick look at traffic over the past few months

By: Chris G. Sellers -

In February, Kirk Soluk’s post on NTP Attacks: Welcome to The Hockey Stick Era reported that we have seen an increase in NTP-based application attacks. We thought we would take a few minutes to post an update on the state of traffic metrics.

The graphs below depict aggregate traffic based on the NTP network port (123). The first graph shows observed NTP traffic via UDP from December 2013 until early March.


You can see that the observed traffic increase started at the end of 2013 and climbed to nearly 800Gb/s in early March across the participants of Arbor Networks’ ATLAS system. Let us dive in a little closer.


Looking at the late January to early March timeframe, we can see that the increase continued, with February’s NTP/UDP bandwidth being fairly sustained, approaching and exceeding 400Gb/s most days. It appears that as we get into March the bandwidth of NTP traffic is waning slightly, but it remains at 300Gb/s on most days, far above the 50Gb/s seen as recently as late January. March 04 was a significantly troublesome day, as traffic peaked at nearly 800Gb/s shortly before midnight UTC.


To see where traffic typically is, let’s take a look at one more graph, showing the level of traffic in late 2013 before the campaigns began.


Here you can get a view of what the NTP/UDP traffic was, hovering around one to two (1-2) Gb/s of time sync traffic in early December.
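The graphs above are built from aggregate UDP traffic on port 123 bucketed by hour and compared against the quiet pre-campaign level. The following is an added example for this page, not ASERT or ATLAS code: it parses constructed flow records (the five-field line format is an assumption), sums NTP bytes per hour, converts to an average Gb/s, and flags hours that exceed a multiple of an assumed 1.5 Gb/s baseline (a midpoint of the 1-2 Gb/s the post describes).

```python
from collections import defaultdict

NTP_PORT = 123
SECONDS_PER_HOUR = 3600
# The post puts the pre-campaign level at roughly 1-2 Gb/s; the baseline used here
# is an assumed midpoint, not a figure from the post.
BASELINE_GBPS = 1.5

# Constructed flow records, NOT ATLAS data. Line format (assumed for this example):
#   <ISO-8601 start time> <proto> <src_port> <dst_port> <bytes>
# The first two lines stand in for a quiet December hour; the rest for 4 March 2014.
SAMPLE_FLOWS = """\
2013-12-05T10:05:00Z udp 123 47020 300000000000
2013-12-05T10:40:00Z udp 123 47021 240000000000
2014-03-04T22:10:00Z udp 123 47001 100000000000000
2014-03-04T22:20:00Z udp 123 47002 80000000000000
2014-03-04T22:30:00Z tcp 443 51000 5000000000
2014-03-04T22:40:00Z udp 53 33000 2000000000
2014-03-04T23:05:00Z udp 123 47010 150000000000000
2014-03-04T23:15:00Z udp 123 47011 120000000000000
"""


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        start, proto, sport, dport, nbytes = parts
        try:
            flows.append({
                "start": start,
                "proto": proto.lower(),
                "sport": int(sport),
                "dport": int(dport),
                "bytes": int(nbytes),
            })
        except ValueError:
            continue
    return flows


def is_ntp(flow):
    """UDP with port 123 on either side: ordinary time sync as well as amplified responses."""
    return flow["proto"] == "udp" and NTP_PORT in (flow["sport"], flow["dport"])


def hourly_ntp_gbps(flows):
    """Sum NTP bytes per hour bucket (the 'YYYY-MM-DDTHH' prefix of the start time)
    and convert to an average rate in Gb/s over that hour."""
    per_hour = defaultdict(int)
    for flow in flows:
        if is_ntp(flow):
            per_hour[flow["start"][:13]] += flow["bytes"]
    return {hour: nbytes * 8 / SECONDS_PER_HOUR / 1e9 for hour, nbytes in per_hour.items()}


def hours_above_baseline(hourly, baseline_gbps=BASELINE_GBPS, factor=10.0):
    """Hours whose NTP rate is at least `factor` times the quiet-period baseline,
    returned with the multiple over baseline so an operator can rank them."""
    return sorted(
        (hour, round(gbps / baseline_gbps, 1))
        for hour, gbps in hourly.items()
        if gbps >= factor * baseline_gbps
    )


if __name__ == "__main__":
    hourly = hourly_ntp_gbps(parse_flows(SAMPLE_FLOWS))
    for hour, gbps in sorted(hourly.items()):
        print(f"{hour}:00Z  NTP/UDP {gbps:8.1f} Gb/s")
    for hour, multiple in hours_above_baseline(hourly):
        print(f"ALERT {hour}:00Z is {multiple}x the pre-campaign baseline")
```

Because flow exporters report bytes per flow rather than an instantaneous rate, the hourly figure is an average over the bucket; a burst shorter than the bucket is smoothed out, which is why the post's intra-day peak on March 04 is only visible at finer granularity.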

To learn more about defending your network against NTP-based attacks, we recommend attending the upcoming Arbor Webinar on Friday, March 14th at 3pm UTC /11am EDT, entitled ‘Too Much Time on My Hands:  Network-Scale Mitigation of NTP DDoS Attacks,’ presented by Arbor’s Roland Dobbins, Senior ASERT Analyst, and Ben Fischer, Product Marketing Manager.


Introducing the Digital Attack Map

By: Dan Holden -

What our ATLAS data highlights is just how commonplace DDoS attacks have become, both in terms of frequency and in terms of how many Internet users are impacted by DDoS. It’s not just a problem for large, global organizations and service providers; anyone with an Internet connection can be caught in the crossfire of an attack. The ‘collateral damage’ of an attack against a large organization or service provider is the people who rely on those networks every single day.

That’s why Google Ideas and Arbor have collaborated on a Digital Attack Map – a project we’re very excited to announce today.


The Digital Attack Map utilizes anonymous traffic data from our ATLAS® threat monitoring system to create a data visualization that allows users to explore historical trends in DDoS attacks, and to make the connection to related news events on any given day. The data is updated daily, and historical data can be viewed for all geographies.  This collaboration brings life to the ATLAS data we leverage every day to uncover new attack trends and techniques, sharing it in a visual way that connects the dots between current events and cyberattacks taking place all over the world.

We invite you to explore the Digital Attack Map to see for yourself how DDoS has become a global threat to the availability of networks, applications and services that billions of people rely on every day.

Syria taken offline

By: Darren Anstee -

ATLAS is Arbor Networks’ innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing and botnets that threaten Internet infrastructure and services. The information is aggregated, analyzed and fed back to our customers via our product deployments.

You can clearly see the traffic we are tracking for Syria drop to virtually 0 at 2000 UTC on the graph.  This will be approximately 1 hour after the drop happened in the ‘real’ world given that ATLAS participants only report hourly.


We’ve seen entire countries in the Mideast taken offline before. Here is a look back to January-February 2011 and Egypt:

Egypt Returns







Digging Through an “Administrative Network Stressor” Provider’s Database

By: Dennis Schwarz -

On March 15, 2013, Brian Krebs of Krebs on Security wrote “The World Has No Room For Cowards.” In it, he writes a fascinating story about a DDoS attack against his site and also a physical attack against his person. The part where Krebs notes that “… there are strong indications that a site named booter.tw may have been involved in the denial-of-service attack on my site yesterday. For some bone-headed reason, the entire customer database file for booter.tw appears to be available for download if you happen to the [sic] know the link to the archive” stood out to me. booter.tw advertises itself as “The Ultimate Administrative Network Stresser [sic] Tool.”


As a security researcher, getting access to a database dump associated with an incident is always interesting. An earlier version of Krebs’ article linked to the database file, so the following are some quick bits and pieces I pulled out of it. Here is a geo IP location map of the ‘lastip’ field of the ‘users’ database table. The assumption here is that these are the last login IPs for the 312 users of the service. It is important to note that proxies, VPN services, the Tor network, and other IP anonymizing services come into play here and the IPs might not trace back to a user’s actual physical location.



The ‘attacks’ database table contains attacks from January 23, 2013 to March 15, 2013. There were 48,844 entries. Resolving hostnames and parsing out some junk IPs, close to 11,000 unique IPs were targeted. Here is a geo IP location map of the IPs.



The targeted IPs roughly map into the following organization types.


Assuming the ‘duration’ field is in seconds, the average attack duration was 34 minutes. Here is a breakdown of the different attack types:


This posting was a quick visualization of some of booter.tw’s database data as referenced by Krebs. I am glad that he and his family were unharmed during the associated “SWAT”ing attack and I look forward to reading his updates on this fascinating story.

Lessons learned from the U.S. financial services DDoS attacks

By: Arbor Networks -

By Dan Holden and Curt Wilson of Arbor’s Security Engineering & Response Team (ASERT)

During the months of September and October we witnessed targeted and very serious DDoS attacks against U.S. based financial institutions. They were very much premeditated, focused, advertised before the fact, and executed to the letter.

In the case of the September 2012 DDoS attack series, many compromised PHP Web applications were used as bots in the attacks. Additionally, many WordPress sites, often using the out-of-date TimThumb plugin, were being compromised around the same time. Joomla and other PHP-based applications were also compromised. Unmaintained sites running out-of-date extensions are easy targets and the attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools. Attackers connect to the compromised webservers hosting the tools directly or through intermediate servers/proxies/scripts and issue attack commands. In the September 2012 attacks there were several PHP based tools used, the most prominent of which was “Brobot” along with two other tools, KamiKaze and AMOS which were used a bit less often.  Brobot has also been referred to as “itsoknoproblembro”.

The attack tactics observed were a mix of application layer attacks on HTTP, HTTPS and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP and other IP protocols. The other obvious and uncommon factor at play was the launch of simultaneous attacks, at high bandwidth, on multiple companies in the same vertical.

On December 10, 2012, the group claiming responsibility for the prior attacks, the Izz ad-Din al-Qassam Cyber Fighters, announced “Phase 2 Operation Ababil”. A new wave of attacks was announced on their Pastebin page, which described their targets as follows:

“Continually, the goals under attacks of this week are including: U.S. Bancorp, JPMorgan Chase&co, Bank of America, PNC Financial Services Group, SunTrust Banks, Inc.”

On December 11, 2012, attacks on several of these victims were observed. Some attacks looked similar in construction to Brobot v1; however, Brobot v2 added a newly crafted DNS packet attack and a few other attack changes.

These attacks have shown why DDoS continues to be such a popular and effective attack vector. Yes, DDoS can take the form of very large attacks. In fact, some of this week’s attacks have been as large as 60Gbps. What makes these attacks so significant is not their size, but the fact that the attacks are quite focused, part of an ongoing campaign, and like most DDoS attacks quite public. These attacks utilize multiple targets, from network infrastructure to Web applications.

Lessons Learned

While there has been much speculation about who is behind these attacks, our focus is less on the who or why, but how we can successfully defend. There are multiple lessons to be learned from these attacks, by everyone involved – the targeted enterprises, their managed security providers, Website and Web application administrators, and the vendor community.

For enterprises, it is clear that typical perimeter defenses such as firewalls and IPS are not effective when dealing with DDoS attacks, as each technology inline to the target is actually a potential bottleneck. These devices can be an important part of a layered defense strategy, but they were built for problems far different from today’s complex DDoS threat. Given the complexity of today’s threat landscape, and the nature of application layer attacks, it is increasingly clear that enterprises need better visibility and control over their networks, which requires a purpose-built, on-premise DDoS mitigation solution. This could sound self-serving; however, visibility into a DDoS attack needs to be far better than the first report of your Website or critical business asset going down. Without real-time knowledge of the attack, defense and recovery become increasingly difficult.

Providers of managed security services have begun to evaluate their deployments and mitigation capacity. These attacks were unique in that they targeted multiple organizations within the same vertical, putting a strain on the capacity of providers’ cloud-based mitigation services.

What these attacks have continued to demonstrate is that DDoS will continue to be a popular and increasingly complex attack vector. DDoS is no longer simply a network issue, but is increasingly a feature or additional aspect of other threats. The motivation of modern attackers can be singular, but the threat landscape continues to become more complex and mixes various threats to increase the likelihood of success. There have certainly been cases where the MSSP was successful at mitigating against an attack but the target Website still went down due to corruption of the underlying application and data. In order to defend networks today, enterprises need to deploy DDoS security in multiple layers, from the perimeter of their network to the provider cloud, and ensure that on-premise equipment can work in harmony with provider networks for effective and robust attack mitigation.


Snapshot: Syria’s Internet drops, returns

By: Darren Anstee -

The Arbor ATLAS system leverages Arbor Networks’ world-wide service provider customer base to gather data about Internet traffic patterns and threats. Currently 246 of Arbor’s customers are actively participating in the Arbor ATLAS system, and are sharing data on an hourly basis. The data shared includes information on the traffic crossing the boundaries of participating networks, and the kinds of DDoS attacks they are seeing. The graph below shows the cumulative ‘total’ traffic (to / from) Syria across all of these participating networks. This is not the total traffic into and out of Syria; it is simply a snapshot taken from the vantage point of 246 network operators around the world.

As you can see, traffic dropped sharply at around 1730 in the graph below. The low level could indicate either a reduction in traffic to / from Syria or an outage of less than an hour (as the data is at one-hour granularity). The actual traffic interruption is likely to have occurred at around 1630; the graphs show the interruption an hour later than this due to the variable, hourly reporting from ATLAS participants to our servers.

How likely is a DDoS Armageddon attack?

By: Carlos Morales -

The recent DDoS attacks against many of the North American financial firms had some unique characteristics that put a strain on the defenses in place and resulted in a number of well publicized service outages. The escalating threat is not new. It’s been steadily building up over the last few years as botnet command and control has matured, the tools available to exploit those botnets have gone mainstream, and the cost of using the tools has plummeted. What the attacks did do is raise the industry’s collective consciousness around how bad the situation has gotten. The effectiveness of the attacks has changed the way that Internet operators, whether service provider, hosting provider, government or enterprise, think about their defenses. It has also raised a number of troubling questions.

The most common question that I have been asked is around the growing size of attacks and the capacity of Internet operators to withstand such threats. How big does an attack have to be to overwhelm the biggest, most prepared financial company? How big does an attack have to be to overwhelm the biggest and most prepared service provider? Is there an Armageddon attack on the horizon that threatens to take down the entire Internet? There are indications that this could be the case.

It should be noted that size is by no means the only means by which an attack can be effective. It’s a very visible way of taking down a network, similar to the way a 7-mile backup on a local highway is a visible sign that you’re not getting to your destination quickly. Application layer attacks, IP protocol attacks, connection attacks and other stealthy attack methods can be just as effective in taking down a victim while being much more difficult to detect and mitigate. The financial sector attacks were multi-vector and had aspects of both volumetric and application layer attack traffic.

This article is going to focus on larger sized attacks and the possibility of an Armageddon attack. First, there are a few different measures of size, including bandwidth (bps), packets (pps) and connections (cps). In all three cases, Internet operators such as enterprises will have a limit which they can handle. Bps is the most commonly considered measure of size, and it is easy to estimate network bandwidth limits: if the Internet operator has 10Gbps worth of upstream bandwidth, then attacks bigger than this will overwhelm the links. Packets-per-second (pps) limits are more of a challenge to estimate because each device that is in-line with traffic will have its own pps limit, dependent on the configuration it is running and the type of traffic seen. High pps attacks often cause more challenges than high bps attacks because multiple bottlenecks may exist on the network. High cps attacks are typically targeted at stateful devices on the network that have a connection table. These tend to be the hardest to measure because network traffic analyzers tend to focus on just bps or pps.

With all three attack types, all enterprise, government and hosting provider networks will have bottlenecks that can be over-run relatively easily by big DDoS attacks. Most enterprise and government datacenters have no more than 10 Gbps, with some ranging slightly higher than this. Arbor Networks frequently sees attacks much larger than this. As an example, Arbor’s ATLAS system receives anonymous attack statistics from hundreds of Arbor Peakflow SP deployments. The largest bandwidth attacks measured in 2011 and 2012 were 101.4 Gbps and 100.8 Gbps respectively. The largest packet per second attacks measured in 2011 and 2012 were 139.7 Mpps and 82.4 Mpps respectively. Another source of data is the annual security survey of Internet operators that Arbor runs. One of the survey questions is about the largest bps attacks seen over the previous year. The chart below reflects the biggest attacks reported each year since the survey was first conducted in 2002.

Based on the data from the chart above, there have been DDoS attacks capable of overwhelming a 10 Gbps datacenter since 2005. All this means that enterprises, governments and hosting providers need help from their upstream service providers to deal with threats of this magnitude. Many of these providers offer managed security services that will provide protection against bigger attacks. At a certain point, the attacks are big enough that the providers consider them their responsibility anyway because of the potential impact to multiple customers. However, it’s heavily recommended to have an agreement in place to ensure SLAs and guaranteed response times.

That brings me back to the question of whether an Armageddon attack is possible that can not only overwhelm the end victim but also all the Internet providers in between. Based on the current Internet environment, this is all too possible. The first thing that you need to consider is the bandwidth available to generate an attack. There have been botnets discovered that contained more than 1M infected hosts. Assuming an average of 1 Mbps worth of upstream access per host, a conservative estimate based on the number of broadband subscribers and 4G and 3G users deployed in the world, a 1M host botnet could generate an attack of 1 Tbps. Now what if this botnet and multiple other large botnets attacked at the same time? Service providers have a lot of bandwidth throughout their networks, but there are limits to how much traffic they can handle. Attacks of the magnitude described would have a profound effect on the Internet as a whole, exploiting bottlenecks in many places simultaneously. No single service provider, even the largest Tier 1s, would be able to handle all this traffic without adversely affecting its user base.

Is this possible? It certainly seems so. Is it likely? It doesn’t seem so, since it would affect everyone on the Internet and not just a single victim. That said, many attacks that didn’t seem likely before are now becoming commonplace as motivations have shifted. It is something that CSOs from within the carrier community are likely considering and hopefully taking steps to plan for the worst.


ATLAS October Snapshot

By: Arbor Networks -

DDoS attack size continues to rise, with average attacks hitting the 1.67 Gbps range, a rise of 72% year-over-year. This data comes from ATLAS, an innovative partnership with our customers who share traffic data with us on an anonymous basis. It’s through ATLAS that we’re able to deliver unparalleled visibility into the backbone networks that form the Internet’s core. This data gives Arbor a globally scoped view of the Internet threat landscape.

Exterminating the RAT Part I: Dissecting Dark Comet Campaigns

By: cwilson -

It should be abundantly clear that there are serious concerns at play when dealing with Remote Access Trojans, as they are used in many espionage style attacks where sensitive data and valuable intellectual property are stolen. Occasionally, a RAT is also used to launch DDoS attacks, but these DDoS attacks are less common. The real value of the RAT to the attacker is the core remote control functionality that breaches the confidentiality and integrity of the victim and the victim network by allowing the attacker full access to the target system. The monitoring of all keystrokes (including passwords and sensitive data entered onto secure sites), control of file upload/download, the ability to steal any file, access network shares, spy via webcam or microphone, download and install additional malware, and other features make these RATs a formidable threat when wielded by a focused attacker. A common targeted attack methodology starts with initial network penetration by compromising one or more systems and installing a RAT or something similar to a RAT that calls back to the attacker. Once the RAT is installed, that infected system becomes a valuable launching pad for the attacker to move laterally on the internal network, seeking information of value to the goals of the attacker’s campaign.


Arbor Networks and others have previously profiled the Dark Comet Remote Access Trojan (RAT). While the author of Dark Comet claims that the tool is not intended for malicious purposes, it has been used for many malicious campaigns, including the recent attack on Syrian opposition leaders where the Dark Comet Trojan was delivered to them disguised as a Skype component. Dark Comet is clearly popular, free and stable enough for many attack campaigns with varying motives and therefore provides some insight into this arena.

When an organization is hit by a RAT infection, it can be helpful to attempt to determine what the attacker was up to and what indicators point towards their motives. Using a combination of open source intelligence and ASERT insight, we will try to piece together some interesting elements. While these indicators can help, unless verbose logging or system/network monitoring is in place, it can be difficult if not impossible to determine every action taken via the RAT.  Unfortunately, a “wipe and reload” approach isn’t sufficient to determine what took place.  An extensive analysis may need to be undertaken to determine the depth and scope of the breach.

We will profile several potentially interesting Dark Comet campaigns that we have discovered in this first part of the RAT series. Future entries in this series will cover other RAT campaigns of interest as our research delivers additional insights.

Interesting campaign indicators

How might we start trying to narrow down the campaigns of interest from among the 4000+ Dark Comet samples that we have in our malware analysis repository? One method might be to take a look at the passwords, server IDs and Command & Control infrastructure being used by the RAT itself. While it is of course possible for any attacker to set any password, C&C or server ID or name for any reason such as for misdirection purposes, it is also possible that these elements may reflect the intent of the campaign and give a hint towards the actors behind the scenes. It is also possible that attackers are smart enough to use very vague or generic names for all of the user-selected components of any RAT campaign in order to reduce visibility and fly under the radar.

Campaign #1: Password contains the phrase “Boeing747”

C&C Name/IP address : port Password Server ID Md5 hash
Boeing747!@#Legacy123 Guest16 40f1aac00c440ed7811cd042bca1b4d8

The password caught my eye due to its contents and also the length and use of mixed case, numbers and special characters. The use of “Boeing747” may have nothing to do with a real Boeing 747 and could have just been something chosen to make a strong password. The C&C in this case is a South African IP, apparently located in an area called Centurion, which houses two Air Force bases which could account for the password reference. There is clearly not enough information available here to determine motive.  Very little public information is available when searching for the MD5, only virus scan results showing that many antivirus scans from early in 2011 provide a generic detection name, except for a vendor that alerts for “BackDoor.Comet.16” and two other vendors that alert using the name “Fynloski”.  Enterprises seeing hits that match these names need to be aware of what they are dealing with and take proper investigation measures to determine the intent and scope of the breach.

Campaign #2: Server ID “SearchandDestroy_GOV”

C&C Name/IP address : port Password Server ID Md5 hash
ratnetwork.no-ip.net:1604 SearchandDestroy_GOV 2770f5bd84bb585d449a7c0e1223920f

This campaign, while noisy, is a little more interesting, as it suggests that the attacker may be experimenting with redirecting .gov sites. After infection, the hosts file of the infected machine has been changed, adding the following entries:

These are all bogus domains; however, the modification does illustrate the potential to perform a redirect or a man-in-the-middle attack against the unsuspecting user. The destination IP address is a web server hosting several virtual domains, which included “underworldhacking.com”.

The IP address of the host at the time of the attack seen in our analysis infrastructure was and currently resolves to Both IP addresses are associated with the hostnames ratnetwork.no-ip.net and zombienetwork.no-ip.net.

Campaign #3: Server ID “server-Bifrost1.3” and hostname “9d1.no-ip.org”

C&C Name/IP address : port | Password | Server ID | MD5 hash
9d1.no-ip.org:1604 | | server-Bifrost1.3 | 0e492c93cbaec7b5d4cc432e2c66454f

The C&C name here is associated with multiple RAT campaigns. For example, we see an Arabic-language forum thread from late 2011 in which a user named “9D1” discusses TCP port 288 in connection with a message about “Xtreme RAT”; the topic of that thread is password theft. Another likely Xtreme RAT campaign, running on TCP port 3460 in late April 2012, is mentioned at http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1063074#none. We also see another Dark Comet campaign on TCP port 3333 in the sandbox output at http://xml.ssdsandbox.net/index.php/6fcb95632b754a941f3e490d5785e7c4, which uses a default DarkComet mutex that starts with the characters DC; the mutex in this case is DC596I04Z1. Clearly, this dynamic address is up to no good. The server name, Bifrost 1.3, could indicate that this attacker or group of attackers is also working with the Bifrost RAT. As of May 29, 2012 this hostname points to the IP address that appears to be located in or near Cairo, Egypt.

Campaign #4: Server ID “SynBots” and C&C named “syncenter”

C&C Name/IP address : port | Password | Server ID | MD5 hash
syncenter.no-ip.org:6002 | roflcopter | SynBots | 4fdcc3e11d84d11df182375e83d52938

This campaign appears to be aimed at Runescape users or other gaming communities, as indicated by the sample seeking file attributes for the following files:

Runescape Dicing Hack.resources.dll
Runescape Dicing Hack.resources
Runescape Dicing Hack.resources.exe

Based on the indicators seen here, it is possible that the purpose of this particular campaign could be to build a DDoS bot, potentially for use as a host booter to boot other gamers off-line with SYN flood attacks.

Campaign #5: password used “mafia007”, Server ID “Hack Kurd”

A case of watching too much James Bond, or something more threatening?

C&C Name/IP address : port | Password | Server ID | MD5 hash
mafia007.no-ip.org:10000 | mafia007 | Hack_Kurd | 0e492c93cbaec7b5d4cc432e2c66454f

It looks as though this particular sample was packed using some type of .NET crypter or packer that makes it more difficult to analyze. The only quickly discovered public reference to this sample by its MD5 hash is a sandbox report at http://xml.ssdsandbox.net/index.php/0e492c93cbaec7b5d4cc432e2c66454f, which reveals basically nothing about the sample except that it was unable to run, generating the error code “KilledByWindowsLoader”.

This sample drops a file, C:\Documents and Settings\[Username]\Local Settings\Temp\AdobeUpdate.exe, and attempts to enumerate elements of the Microsoft .NET runtime version 2. The nickname “mafia007” and a little bit of digging reveal that the crypter likely used here is called “Crypter Zero” or “Zero Crypter”, which claims to be 100% FUD (fully undetectable by antivirus). This particular crypter is from 2011, and the authors point to an underground file-scanning service to back up their claim. Zero Crypter is being sold for 50 euro.

While packers can complicate matters, thankfully we have memory dumps that bypass the need to perform a manual unpacking/decrypting process in many cases.

We also determined that an Italian e-mail address containing the string “mafia007” has shown much interest in Dark Comet and other Trojans and demonstrates the use of the Zero Packer on them. A similar username was found on various underground forums that had been compromised and whose passwords were leaked by LulzSec.

mafia007.no-ip.org resolved to during the initial sample analysis and currently resolves to Both are Italian IP addresses.

While I cannot be 100% certain, I don’t believe this person to be a serious attacker based on the weak operational security demonstrated here.  Therefore, this campaign may be a case of “too much James Bond” although appearances can be deceiving. It would not be the first time that an attacker does not attempt to hide very well.
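Pulling the five campaign records above through the kind of triage described at the start of this section (grouping by MD5 and by C&C host, flagging controllers behind dynamic DNS, and checking for the hosts-file redirect seen in campaign #2 and the DC-prefixed default mutex seen in campaign #3) looks like this. This is an added example, not Arbor's own tooling; the dynamic-DNS suffix list, the mutex regex (generalized from the single DC596I04Z1 value above) and the hosts-file sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed from the five campaign records in this article (None = column was empty on the page).
FIELDS = ("c2", "password", "server_id", "md5")
CAMPAIGNS = [dict(zip(FIELDS, row)) for row in [
    (None, "Boeing747!@#Legacy123", "Guest16", "40f1aac00c440ed7811cd042bca1b4d8"),
    ("ratnetwork.no-ip.net:1604", None, "SearchandDestroy_GOV", "2770f5bd84bb585d449a7c0e1223920f"),
    ("9d1.no-ip.org:1604", None, "server-Bifrost1.3", "0e492c93cbaec7b5d4cc432e2c66454f"),
    ("syncenter.no-ip.org:6002", "roflcopter", "SynBots", "4fdcc3e11d84d11df182375e83d52938"),
    ("mafia007.no-ip.org:10000", "mafia007", "Hack_Kurd", "0e492c93cbaec7b5d4cc432e2c66454f"),
]]
DYNDNS_SUFFIXES = ("no-ip.org", "no-ip.net")      # dynamic-DNS providers seen in the records (assumed list)
DEFAULT_MUTEX = re.compile(r"^DC[0-9A-Z]{8}$")    # assumed shape, generalized from DC596I04Z1

def c2_host(record):
    """Hostname part of 'host:port', or None when the C&C column was empty."""
    return record["c2"].rsplit(":", 1)[0] if record["c2"] else None

def pivot(records):
    """Group by MD5 and by C&C host; flag controllers that sit behind dynamic DNS."""
    by_md5, by_host, dyndns = defaultdict(list), defaultdict(list), []
    for r in records:
        by_md5[r["md5"]].append(r["server_id"])
        host = c2_host(r)
        if host:
            by_host[host].append(r["server_id"])
            if host.endswith(DYNDNS_SUFFIXES):
                dyndns.append(host)
    shared = {h: ids for h, ids in by_md5.items() if len(ids) > 1}   # one hash, several configs
    return {"shared_md5": shared, "dyndns_c2": dyndns, "by_host": dict(by_host)}

def is_default_mutex(name):
    """True when a mutex name matches the assumed default DarkComet pattern."""
    return bool(DEFAULT_MUTEX.match(name))

def hosts_redirects(hosts_text):
    """Map every non-loopback IP in a hosts file to the names pointed at it."""
    redirects = defaultdict(list)
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] not in ("127.0.0.1", "::1"):
            redirects[fields[0]].extend(fields[1:])
    return dict(redirects)

# Constructed hosts file: loopback plus two names pointed at one outside (documentation-range) address.
SAMPLE_HOSTS = "127.0.0.1 localhost\n203.0.113.10 www.example.com\n203.0.113.10 mail.example.net\n"
```

Run against the records above, `pivot()` also surfaces that campaigns #3 and #5 are listed with the same MD5, which is worth checking before treating them as two distinct samples.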

Dark Comet is a very popular RAT that is actively developed and widely used. It can be difficult to determine the motive of the attacker; however, sometimes enough traces are left behind to help us piece together the potential goals of a campaign. RAT infections can be very serious, requiring an in-depth investigation to determine the goals of the attacker and the level of risk posed.

Future articles covering other RAT threats will emerge as part of the “Exterminating a RAT” series.
