Your DNS is an Asset (Twitter DNS Woes…)

By: Danny McPherson -

Given all the hoopla surrounding yesterday’s Twitter outage, and the apparent source of the outage being the result of nothing more than some maliciously modified DNS resource records enabled by a simple password compromise of Twitter’s DNS administrator account with their DNS services provider, Dyn Inc., I’d like to again take this opportunity to share this public service announcement:

Your DNS is an asset folks, you best treat it like one!

I find it perplexing that such a huge amount of attention is garnered by things like DNS cache poisoning, DNSSEC deployment, and related operational DNS infrastructure insecurities (recursive servers, authoritative servers, etc.), while the simple stuff, the low-hanging fruit, like the authentication mechanisms for administrative accounts between registrant and registrar, or between registrant and DNS provider or internal systems, remains insipid and neglected.  Granted, the sex appeal isn’t as apparent when considering these sorts of mundane things proactively, but contrast that with the embarrassing public dissection of an incident postmortem that results from the exploitation of one of these trivial attack paths, and your perspective may sway a bit.

Millions (billions…) are invested in content serving infrastructure, network infrastructure, interconnections and bandwidth, DDoS attack detection and mitigation systems, intrusion detection and prevention systems and firewalls abound, even DNS network infrastructure itself, yet the benefits of spending anything more than $4.99/year on a domain name, an asset on which your entire Internet presence is wholly reliant, are oft overlooked.  Furthermore, evaluating the associated policies and processes employed by the registrars from which you obtain high-value domains, or ensuring some multi-factor authentication mechanism for registrar administrative account access, for DNS hosting provider administrative access (if employed, as with Twitter), or for internal authoritative DNS elements associated with critical properties or systems: these things are apparently rarely considered when developing risk profiles or performing attack surface analysis.  Given that meat computers (registrants) are almost always the weakest link, that static passwords for DNS provisioning elements are ripe for compromise, and that if your registrar is hacked you’re fully exposed, you’d think this would be one of the initial components folks consider when evaluating operational security posture.

I suspect most organizations spend far more in a single day (at a single location) on coffee filters or toilet paper than they do annually on DNS provisioning function security, yet they throw millions at tape backups, site security, and all those sexier components, when what most matters [first] to keep their Internet presence functioning – the availability and integrity of that DNS provisioning data, is sorely neglected.

In August the Security and Stability Advisory Council published a report titled Measures to Protect Domain Registration Services Against Exploitation or Misuse, SAC040, available at the SSAC Reports and Advisories repository — I’ve been intending to plug this report here for a while.  In preparing the report we studied several high profile incidents, as well as techniques that some registrars employ to help deal with these sorts of threats.  In the report we provide several recommendations organizations should evaluate for applicability in their operating environment, mostly pertaining to registrant-registrar interactions, possible market opportunities for registrars to offer these sorts of services, and although not alluded to in the “Executive Summary”, some discussion exists regarding safeguarding administrative account access with DNS hosting providers, or internal authoritative DNS elements, as opposed to just on the registrar side.

If you’ve got a domain name or Internet presence you consider even remotely valuable, and you’re in some way responsible for your organization’s availability and information security posture, you might well consider putting this report in your holiday bedside reading queue.  Your DNS is an asset….
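One concrete check in the spirit of the post, added here as an example and not code from the original: compare a domain's published delegation (NS) and apex address (A) records against an approved baseline, which is exactly the kind of change a hijacked registrar or DNS-provider account produces. The lookup function is injected, so the same check runs against a real resolver in production and against the constructed answers below (example.com and the 192.0.2.x / 198.51.100.x addresses are reserved documentation values).

```python
"""Added example: alert when a domain's NS or apex A records drift from an approved baseline."""
from typing import Callable, Dict, Iterable, List, Set

# (domain, rrtype) -> rdata strings. In production wrap a real resolver, e.g. with dnspython:
#   lambda d, t: [r.to_text() for r in dns.resolver.resolve(d, t)]
Lookup = Callable[[str, str], Iterable[str]]


def check_dns_baseline(domain: str, baseline: Dict[str, Set[str]], lookup: Lookup) -> List[dict]:
    """Return one finding per record type whose live answer differs from the baseline.

    A resolver failure (NXDOMAIN, timeout, SERVFAIL) is reported as a finding too:
    silently treating "no answer" as "no change" would hide a deleted zone.
    """
    findings = []
    for rrtype, expected in baseline.items():
        try:
            observed = {r.lower() for r in lookup(domain, rrtype)}
        except Exception as exc:  # resolver error of any kind
            findings.append({"rrtype": rrtype, "error": str(exc)})
            continue
        expected_norm = {r.lower() for r in expected}
        unexpected = observed - expected_norm
        missing = expected_norm - observed
        if unexpected or missing:
            findings.append({"rrtype": rrtype,
                             "unexpected": sorted(unexpected),
                             "missing": sorted(missing)})
    return findings


# Constructed baseline for a hypothetical zone (values are documentation placeholders).
APPROVED = {
    "NS": {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    "A": {"192.0.2.10", "192.0.2.11"},
}

# Constructed resolver answers: a normal day, and a day where the apex A record
# has been repointed and one of the delegated name servers swapped for a rogue one.
NORMAL_ANSWERS = {
    ("example.com", "NS"): ["ns2.dns-provider.example.", "NS1.dns-provider.example."],
    ("example.com", "A"): ["192.0.2.11", "192.0.2.10"],
}
TAMPERED_ANSWERS = {
    ("example.com", "NS"): ["ns1.dns-provider.example.", "ns1.rogue.example."],
    ("example.com", "A"): ["198.51.100.77"],
}


def lookup_from(answers: dict) -> Lookup:
    """Build an offline lookup from a dict of canned answers (KeyError acts as a resolver failure)."""
    def lookup(domain: str, rrtype: str) -> Iterable[str]:
        return answers[(domain, rrtype)]
    return lookup


if __name__ == "__main__":
    for label, answers in (("normal", NORMAL_ANSWERS), ("tampered", TAMPERED_ANSWERS)):
        print(label, check_dns_baseline("example.com", APPROVED, lookup_from(answers)))
```

Run it on a schedule against the registrar-facing and provider-facing views of the zone and page on any non-empty result; the baseline itself should be the approved change-control record, not whatever the resolver returned last time.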

Twitter-based Botnet Command Channel

By: Jose -

UPDATED TO ADD STATS AND JAIKU PROFILE AND A TUMBLR PROFILE

While digging around I found a botnet that uses Twitter as its command and control structure. Basically what it does is use the status messages to send out new links to contact, then these contain new commands or executables to download and run. It’s an infostealer operation.

The account in question is under analysis by Twitter’s security team. I spotted it because a bot uses the RSS feed to get the status updates.

[Image: upd4t3 Twitter profile]

As for the original bot in question that fetches the updates, here’s the VirusTotal analysis, where you can see it’s detected by 19/41 (46.34%) AV tools under evaluation. We can look at the status messages and discover more nefarious activity; the bot’s hiding new malcode which is poorly detected this way. The original link from the malcode came from a ShadowServer nightly link report, which they make available to folks. Many thanks to them.

Let’s look at one of the update messages; it’s pretty clearly base64 encoded. What does it say?

$ echo "aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==" | openssl base64 -d
hxxp://bit.ly/R6STV hxxp://bit.ly/2KoHo

OK, a couple of links. One is dead (to a pastebin), one is live.

That second link yields a base64 encoded block of text. When we decode it we see a PKZIP archive (which we have dumped as “out.qqq” since we don’t know what the extension would have been beforehand). We can then unpack this and see what we find:

$ unzip out.qqq
Archive: out.qqq
inflating: gbpm.dll
inflating: gbpm.exe
$ openssl md5 gbpm.*
MD5(gbpm.dll)= ceb8d7fd74da0a187cc39ced4550ddb4
MD5(gbpm.exe)= a5cc8140e783190efb69d38c2be4393f

gbpm.dll is UPX packed, so we can unpack this:

$ upx2 -d gbpm.dll.upx
Ultimate Packer for eXecutables
Copyright (C) 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006
UPX 2.02 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 13th 2006
File size Ratio Format Name
-------------------- ------ ----------- -----------
263680 <- 103424 39.22% win32/pe gbpm.dll.upx
Unpacked 1 file.

This file looks like an infostealer. Here are some of the URLs it will send data to:

hxxp://64.79.197.110/friends/alert/new.php
hxxps://www2.bancobrasil.com.br/aapf/login.jsp?aapf.IDH=sim
hxxp://64.79.197.110/friends/post.php
hxxps://www2.bancobrasil.com.br/aapf/
hxxps://www2.bancobrasil.com.br/aapf/

gbpm.exe is packed with a different packer.

That DLL is very poorly detected; the EXE has a VirusTotal result of 9/41 (21.95%) and appears to be a Buzus sample according to one vendor.

The account is presently live but under review by Twitter, and is just one of what appear to be a handful of Twitter C&C accounts.

UPDATE 14 Aug 2009

Via bit.ly, some statistics that suggest the malcode has infected a couple hundred PCs, mostly in Brazil.

[Image: bit.ly geographic statistics for the Twitter botnet links]

Now that it’s disabled, “upd4t3” had a similar profile on Jaiku.com:

[Image: upd4t3 Jaiku profile]

Many thanks to the Jaiku team for reviewing and shutting this account down. Still looking for more services “upd4t3” is abusing … looks like Tumblr has also been used by “upd4t3”:

[Image: upd4t3 Tumblr profile]

Still poking around various micro-blogging services. I wonder why he abandoned Tumblr. (There are more microblogging tools than I had anticipated …)

The Other Attacks Last Thursday

By: Craig Labovitz -

Yesterday morning was a busy time for Internet security.

As an illustration of this activity, the graph below shows a summary of attack traffic across the 77 Observatory ISPs reporting anonymized attack statistics.

Each line or rectangle represents a distinct attack (we saw over 770 attacks Thursday covering a wide variety of scale and targets). Each color represents a different ISP under attack.

Though most of the press and blogosphere focused on Twitter, Facebook and LiveJournal, from an Observatory perspective those weren’t even the biggest attacks (at least in terms of traffic rate / volume). Turns out that the 30 Gbps spike in the above graph represents a withering attack against the web portal of a 3G mobile operator in Asia.

The press and various public / private mailing lists have generated a lot of discussion (and quite a bit of speculation) on the execution and motives behind the Twitter / Facebook / LiveJournal attacks (including this Slashdot overview). I don’t have much new to add to this part of the discussion, but I can share a few anecdotal bits of data the Observatory saw on these attacks.

First, some background: the Observatory monitors both coarse-grain Internet traffic and DDoS attack statistics. The DDoS portion of the Observatory is designed to provide visibility into broad trends, i.e. what are the new types of attacks, how are attacks growing against specific services (and ports / protocols), etc. As part of the data sharing arrangement with Observatory participants, the system goes to great lengths to protect the commercial privacy and anonymity of the actual companies and ISPs under attack.

So, for example, we generally have visibility into, say the growth of “Christmas Tree” attacks against web servers in Asia, but the actual victims are anonymous. In particular, this means we cannot correlate most of the attack traffic yesterday with specific sites like Twitter / Facebook / etc. (though we can monitor aggregate traffic levels to these sites using the traffic portion of the Observatory as in our previous post).

The one exception to this anonymity is outbound attacks. In other words, the Observatory does monitor the destination of an attack if the provider has explicitly configured their DDoS detection to alert when machines within their network or customer base attack services in another ISP.

Since each individual ISP in a well-distributed DDoS attack may originate relatively little traffic (i.e. the attack does not impact their infrastructure), many providers only focus detection on inbound attacks (i.e. when the attack does impact their customers or infrastructure).

The data below is an example snippet of a dozen or so such outgoing attacks yesterday (all times are EDT). Note that destinations of outgoing attacks are not anonymized but specific source addresses have the first two octets replaced with “XX”.

The first two DDoS attacks look like small, run-of-the-mill TCP SYN attacks against a Twitter IP, one from randomized sources and one from an individual host. The two attacks originate in an anonymous North American tier 1 and an MSO, respectively. The third attack example occurred later in the day (5:30pm EDT) and consisted of an 80 Kpps UDP flood.

While “Joe Job” SPAM links may have comprised a significant portion of the attacks yesterday (as others have reported), the Observatory saw a range of additional attack vectors including TCP SYN, UDP flood, and Christmas Tree attacks.

Where Did All the Tweets Go?

By: Craig Labovitz -

At roughly 9:00am (EDT) this morning, the Twitisphere fell silent (or at least significantly fewer twitters).

And though you could not follow the outage via tweets, Twitter’s blog announced the popular site was under DDoS.

The below graph shows Observatory data from 55 providers around the world to Twitter’s two NTT hosted address blocks: 168.143.0.0/16, 128.121.0.0/16.

From the data, Twitter traffic declined abruptly around 9am EDT this morning.

We generally don’t see a lot of data (i.e. it takes thousands of tweets to match the bandwidth of a single video), but 55 ISPs in the Internet Observatory were exchanging roughly 200 Mbps with Twitter before the DDoS. Then traffic dropped to a low of 60 Mbps around 10:40am and began climbing after that. As of 1pm EDT, Twitter traffic was still down by 50% at 150 Mbps (normally we see close to 300 Mbps for this time of day).

From DNS, it looks like Twitter has moved some of their infrastructure to different address blocks as of 2pm EDT.

Iran DDoS Activity: Chatter, Tools and Traffic Rates

By: Jose -

I’m here in Tallinn at the CCD COE Cyber Warfare Conference listening to Martin Libicki’s perspectives on information warfare in modern warfare theories. This is an interesting week to be here with last week’s Charter97 attacks in Belarus (with someone from Charter97 speaking yesterday) and the unrest in Iran leading to a wealth of activity.

[Image: DSC00894.JPG, conference photo]

As Craig wrote earlier this week (and he’s continuing his analysis, I hope it gets written up soon) there’s some large-scale filtering going on in Iran, visible from the outside world as a bandwidth drop. This has major implications for any attacks inbound:

The struggle for transit capacity becomes a zero-sum game, because of the requirement that domestic providers come to a central place (DCI) for their international bandwidth and to exchange traffic with each other. In other words, if you attack a pro-government site, you are almost certainly also stealing bandwidth from pro-opposition sites.

Jim Cowie, CTO of Renesys, quoted by Evgeny Morozov in a blog entry entitled More on the unintended consequences of DDoS attacks on pro-Ahmadinejad web-sites that is well worth reading. (Evgeny’s blog is worth reading continuously, by the way.)

Rather than using simple code, with automated viral botnets and the like, these efforts are largely being driven by hand. There are a number of simple scripts going around that can be downloaded and which continually re-load the target Web sites in a browser window.

Kit Eaton writing in a blog entry entitled Iranian Protests Becoming Crowd-Sourced Cyber War on the Fast Company website.

Here’s a peek at one such script, using the “page reboot” site as a basis for the tools. Page reboot uses a very simple method, namely using JavaScript to reload the URL in the page repeatedly. The browser will happily do so, just as if the user were sitting there hitting F5 in their Internet Explorer. This puts some stress on the attacker’s own machine, reveals their IPs through the HTTP connections, and is trivial to filter, but it is growing in popularity.

[Image: IR page reboot iframe collection]

In this case someone’s put together a single page of HTML with multiple “IFRAME” elements which embed the remote pages into the local page. This is a simple multiplier of a single machine’s effect, but one with diminishing returns: the attacker’s machine slows down across all of the attacks as it loads them, and consumes more bandwidth as it reloads all of the pages again and again.
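The post notes that this kind of flood reveals the participant's IP and is trivial to filter. As an added example (not code from the original post), here is the detection side of that claim: a sliding-window scan of a web server's combined-format access log that flags any source reloading the same URL at browser-refresh rates, and reports the Referer values seen, since a page that embeds the target in an IFRAME normally shows up there. The log lines and the reload-page hostname are constructed for the example.

```python
"""Added example: flag "page reboot" style refresh floods in an access log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache / nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_refresh_floods(lines, threshold=30, window=timedelta(seconds=60)):
    """Flag (ip, path) pairs that reach `threshold` GETs inside a sliding `window`.

    Returns one finding per pair with the peak in-window count and the Referer
    values observed, so an analyst can see which hosted reload page drove it.
    """
    recent = defaultdict(deque)   # (ip, path) -> timestamps still inside the window
    referers = defaultdict(set)
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        key = (rec["ip"], rec["path"])
        if rec["referer"] != "-":
            referers[key].add(rec["referer"])
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            f = findings.setdefault(key, {"ip": rec["ip"], "path": rec["path"], "peak": 0})
            f["peak"] = max(f["peak"], len(q))
    for key, f in findings.items():
        f["referers"] = sorted(referers[key])
    return [findings[k] for k in sorted(findings)]


def sample_log():
    """Constructed sample (not real data): one browser reloading "/" twice a second
    through a hosted IFRAME page, plus one ordinary visitor browsing three URLs."""
    base = datetime(2009, 6, 17, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):
        ts = (base + timedelta(milliseconds=500 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.23 - - [{ts}] "GET / HTTP/1.1" 200 5120 '
                     f'"http://reload-page.example/ir.html" "Mozilla/4.0"')
    for i, path in enumerate(["/", "/news.html", "/img/logo.png"]):
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{ts}] "GET {path} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for finding in find_refresh_floods(sample_log()):
        print(finding)
```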

“We turned our collective power and outrage into a serious weapon that we could use at our will, without ever having to feel the consequences. We practiced distributed, citizen-based warfare,” writes Matthew Burton, a former U.S. intelligence analyst who joined in the online assaults, thanks to a “push-button tool that would, upon your click, immediately start bombarding 10 Web sites with requests.”

Source: Noah Shachtman writing in Web Attacks Expand in Iran’s Cyber Battle (Updated Again) on the Wired website.

However, if you think you can get enough people to participate, the impact on each local attacker’s bandwidth can be offset by coordination. It is a human-run botnet, but one that is friendly to the attacker: the participants need very little computer sophistication beyond “surf to this page”.

Through a combination of DIY (do it yourself) denial of service attack tools (DDoS), multiple iFrame loading scripts, public web page “refresher” tool, and a much more effective PHP script, the participants have already prompted some of the major Iranian outlets to switch to “lite” versions of their sites in an attempt to mitigate the attack.

… Moreover, the ongoing distributed denial of service attacks are using techniques which greatly resemble those used in last year’s Russia vs Georgia cyber attack, and the ones Chinese hacktivists used back in 2008 in order to temporarily shut down CNN, with a single exception – there’s no indication of a botnet involvement in the present attack.

Dancho Danchev, writing in Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites. And he’s right, mostly. There are no botnets attacking Iranian opposition sites; in fact the only botnet attack commands against sites in Iran in the past week or so that I’ve seen are against a stereotypical Iranian website spreading news hostile to America and Israel. Hardly the stuff that would be expected if there were a massive pro-opposition DDoS flood afoot.

The attackers who participate by loading these pages and going off to dinner, sleep, or on with their days open themselves up to counterattack through drive-by exploits. Imagine a simple scenario: the victims modify their sites to include some code like LuckySploit that attempts a simple set of exploits. The attacker’s machine reloads the page (this is, after all, part of the attack). Hit a browser or plugin bug and bam, the attacker has been attacked. Now you’ve got a foothold on the attacker’s machine and, if you’re a sophisticated cyberwar player, you can use this to further understand your adversary.

This is a dangerous strategy. If you’re going to employ this kind of attack you need to remember you may be putting your “army” at risk. This is the kind of thing that folks should keep in mind in any Cyberwar Guide To Helping The Iranian Protesters.

Also we can question, and measure, how effective this attack may be. There’s just no massive traffic uptick visible in our monitors that we may expect to see in this kind of event. That’s not to say it’s not happening, it’s just not on the same scale as attacks in China, the US, or Russia that we typically see, at least from our perspective.

Most importantly, the Iranian protesters and supporters recognize the dilemma of their situation. If they attack sites, they take that meager amount of bandwidth away from those who may be using it to get news and organize street protests. Indeed, the community seems to be thinking along these lines. Outsiders like my friend Pedro Bueno write “No guys, that’s not the right path”. On DailyKos we can see:

If everyone were actually to do this, we’d risk losing the Twitter feeds and emails that are providing the eyewitness accounts to the current events in Tehran, all to shut down websites for a regime that is already losing credibility fast.

Source: Do NOT DDOS Iranian websites on DailyKos.

Twitter is being used to coordinate these protests and cyber attacks, as noted by my friend Gary Warner writing on his blog. Twitter’s also being used as people re-think their use of DDoS to effect change in Iran.

I’m currently pausing all ddos activity until it becomes clear what to do

From: strager_tu on Twitter, June 17 2009.

And that seems to be what people are thinking right now.

Lessons for the Internet from Swine Flu: Bear with me!

By: Jose -

This morning on my drive to work I listened to a story on NPR about swine flu in relation to past epidemics. Just an hour or so earlier I had sent a message over Twitter that I was trying to avoid the flurry of swine flu chatter and focus on getting caught up on the EU Ministerial Conference on Critical Information Infrastructure Protection going on in Tallinn. I also need to focus on Conficker stuff, specifically lining up some conversations about remediation on some upcoming trips.

All of these are linked, it seems, and there are some lessons to learn from swine flu with how we need to respond to Conficker and other Internet epidemics. Obviously this has a larger role in protecting national and international communications backbones. Suddenly my playlist is packed with stories over the past two days from public health officials talking about pandemics. I’m looking for lessons to learn and things we should be thinking about if the Internet is really similar.

It’s debatable if the Internet is something like public health. We talk about viruses and infections and often use biological analogies. We even based original worm spread models on epidemic models (but in fact they’re different). Because of this, many folks have even proposed a Cyber CDC to carry out research and coordination. Weren’t CERTs supposed to do this, like we learned after the Morris worm of 1988? But, just because we can draw the parallels (however flawed) doesn’t mean that it’s analogous to public health.

At its core, as a set of technologies, the Internet is simply infrastructure, communications infrastructure. It is just routers, packets, switches, fiber and copper, and ultimately bytes on the wire. This isn’t much different from the phone system. Its role in global commerce, communications or entertainment is no less significant.

But unlike the telecommunications infrastructure, the endpoints can cause outages via malcode, and the infrastructure itself is vulnerable to attacks from any endpoint. Furthermore, data stored on other nodes is vulnerable to outsiders eavesdropping or accessing it. The water supply isn’t analogous; a stranger halfway around the world can’t modify the water in your tap. The telephone system isn’t analogous; it’s a gated network and devices can’t make arbitrary requests for resources.

Completely unlike any public health concern are the areas of crime and espionage. Online crime is a hot topic and appears to be growing rapidly. I’m not aware of any robust numbers around it; there’s a lot of speculation based on a sample set that has an unknown representation of the true community. There’s also a lot of hype that some people throw in there to drum up visibility for themselves. But experientially it appears to be growing.

On top of that you have espionage and data leakage, either corporate or nation-state. Neither of these issues has much analog in public health, and it’s unclear to me what the role of the ITU is during abuses of the telecommunications infrastructure to commit such acts. Those matters are usually handled internally and far outside of any shared organization; they tend to have a polarized set of sides.

It is therefore infrastructure at risk of new attacks. It seems to lie in a new ground between public health, where you have to help address uncontrolled endpoints (people) and their ability to disrupt the world’s economic system, and the pile of telecommunications equipment it is. So can we still draw on public health models and pandemics when dealing with global events like Conficker that threaten millions of lives’ worth of finances or data and possibly the communications infrastructure the globe depends on? Maybe.

Thinking about the above, it seems to me that the following parallels from public health responses to epidemics are worth exploring.

We may really need some sort of global Internet health body akin to WHO. I don’t know if a “Cyber CDC” is what you need, but some form of truly global coordination and visibility is. What we have now sort of works, but is limited by competitive pressures and a horribly incomplete understanding of a complex system with an untold number of vulnerabilities.

Imagine a scenario where customers of drug company X didn’t get cold A but got colds B and C, while drug company Y’s customers got A and B but not C. We don’t have that so overtly, mind you, but you’d have a competitive landscape. You probably wouldn’t get cooperation between competing drug companies to defend against common diseases, enabling epidemics to form. Put aside the idea that people would surely die and focus instead on how one might solve this, namely making sure that all drug companies got the common things and could defend against them, but could pick and choose among things that are less prevalent or less pressing for their immediate customer base. That’s essentially what we have with the current infosec landscape.

So, if we’re to have an accurate and complete picture of threats to the Internet (and hence global commerce), what would we need? What are the real threats to the Internet and how do you measure them? Can someone take all of the real time data feeds that we produce from our sensor networks and come up with an accurate picture of the state of the Internet? Where are those gaps and what questions need to be answered, with what tools, and in what format? Folks have tried and tried but we don’t seem to be getting anywhere. We’re a long way off of a true early warning system.

Next, what is the response of such an organization? What are its goals and its mission? The obvious goals are to stop the spread of whatever is causing problems on the network, and cure any victims if possible. Stop viruses and worms from spreading, when needed, and if someone has come under attack to stop the attack itself (packet flood, data exfiltration, etc).

As noted in one of the NPR pieces I listened to this morning, alert condition scales are for governments, not individuals. Ultimately any Internet monitoring group can only help inform and coordinate governments’ and major enterprises’ actions to protect their constituents. The idea that there would be a global body who could change anyone’s router or PC is unacceptable to almost anyone; even the most power-mad of us would cringe at the management nightmare that would be! However, what your government, employer, or ISP could do in response to the threat – locking down infected PCs, for example – would be guided by this kind of information and guidance. This doesn’t yet address outsiders giving trained assistance, however.

One of the biggest issues we see right now in any global Internet crisis management is an unclear chain of command, begging us to always ask “who is in charge?” There’s a tremendous power vacuum that all too often gets filled by the wrong folks with the wrong skills, motives, or abilities. Also worth identifying are the emergency responders. In the event of a civil emergency we know who they are, they’re either full time or trained civilian part timers. When a crisis is encountered, what is the plan, who owns the decision making process and who do people answer to? None of this is very clear in most incidents, such as Conficker. This lack of concreteness and transparency hinders a successful effort.

Finally, to get a handle on the problem and to task efforts appropriately, accurate and complete infected population information is vital. Right now we have some good numbers on Conficker around the world but to think that we have this visibility for other threats is wrong. Every threat is different and so measuring populations is a challenge (AV company numbers are rarely right, by the way, we need something better) but no one said this would be easy.

Another challenge here for any such organization is time. Events like SQLSlammer demonstrate that problems on the Internet move a lot faster than they do in real life. By the time we had diagnosed the problem the Internet was crushed under a traffic flood. Defensive measures were in place by that point, even without global coordination, but global coordination would have helped save all networks faster. The Internet moves at the speed of light and problems move sometimes just as fast.

Finally to really address this systematically we need to stop treating the Internet as “something other” and start treating it as a key piece of infrastructure. Key policy makers shouldn’t try to prove that they “get it” by talking about how they use the Internet; they don’t say stuff like “I drive on roads just like you” or “My kids use the phone for school”. Every policy think tank and policy board should have representation of Internet infrastructure on par with public health and classic infrastructure (power, water, etc). It’s that key an ingredient in the global backbone at this point, even if its deployment to individuals is uneven (aka the digital divide).

I think there is adequate reason to look to established crisis management setups and learn lessons from history if we’re to provide reliability to the Internet infrastructure. There appears to be no shortage of efforts in the EU and the US to establish more significant cyber security policies and practices. Hopefully the above highlights questions that we need to answer, open avenues for research, and direction that so many ministers call for at events like CIIP. The time for empty platitudes is long over, the time for visionless talk is past, and there can be no more leadership vacuums. We have an opportunity; we need to seize it.

Many Days of DDoS for Everyone

By: Jose -

The past few weeks have been a flurry of activity for me and everyone at Arbor. We’ve been very involved in the Conficker Working Group efforts and notifying lots of people using ATLAS. Even after that Herculean effort and the great “fizzle” (thank goodness!), there’s lots to do. Blogging has not been at the top of my priority list, however.

Outside of the Conficker mess we’ve been busy in the community watching some DDoS events unfold. Information has been sporadically making it out there; it turns out that Twitter is a great source for DDoS reports once you can separate the legit reports from the cruft. This article, DDoS Attacks on Web Hosts Continue from Data Center Knowledge, assembles many of the high profile attacks that folks are talking about. We have data on some of these attacks but not all, and we’re actively looking for C&Cs in all cases. What’s interesting is the major services they’re hitting. There’s no apparent gain here, but definitely some widespread impact.

It amazes me that I’m still talking about this problem over ten years after I first started looking at it, prior to me coming to Arbor.

The second piece worth noting today, Not every Botnet is Conficker, is from the ESET Threat Blog. Basically a Russian news site mentioned several high profile DDoS attacks in Russia and blamed Conficker, for no obvious reason. It turns out that I was characterizing a new (to me) DDoS bot codebase we have dubbed ‘Votwup’ and it’s responsible for at least some of the attacks. It would be difficult to confuse this malware with Conficker, and it has its own little dropper. In this case once the bot is dropped it checks into a website with its UID and version and gets back a Base64 encoded command:

ZGQxPWh0dHA6Ly90b25rcy5ydS9pbmRleC5waHA/bmFtZT1mb3J1bXM=

Which, when you decode it from Base64, gives you:

dd1=http://tonks.ru/index.php?name=forums

The malware then starts pounding on that site. Sure enough, that was the DDoS. Most of the Votwup C&Cs we have classified so far are dead, but we’ll keep on looking for new ones.
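Both the Twitter botnet post above (base64 status updates carrying links, one of which resolved to a base64-wrapped PKZIP archive) and the Votwup check-in reply here use the same thin wrapper around their commands. As an added example, not code from the original posts, here is a small triage helper that decodes such a blob, tells a text command apart from an archive stage or other binary, pulls out any `key=value` parameters, and returns the URLs defanged (hxxp) for reporting. The two strings from the posts are used as inputs; the ZIP sample is constructed with placeholder contents and is not the real gbpm.* payload.

```python
"""Added example: decode and classify base64-wrapped C2 messages for triage."""
import base64
import binascii
import io
import re
import zipfile

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
PARAM_RE = re.compile(r"^(\w+)=(.+)$")   # Votwup-style "dd1=<target>" commands
ZIP_MAGIC = b"PK\x03\x04"                # local file header that starts a PKZIP archive


def defang(url: str) -> str:
    """Rewrite http(s) to hxxp(s) so the URL is not clickable in reports."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


def decode_c2_message(blob: str) -> dict:
    """Decode one message and classify the payload.

    kind is one of: "text" (command or link list), "zip" (next-stage archive),
    "binary" (decodes but is not UTF-8 text) or "not-base64" (ordinary chatter
    on the channel, or a line that was never a command).
    """
    compact = re.sub(r"\s+", "", blob)    # tolerate line-wrapped blobs
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "not-base64", "urls": [], "params": {}, "members": []}
    if raw.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []
        return {"kind": "zip", "urls": [], "params": {}, "members": members}
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return {"kind": "binary", "urls": [], "params": {}, "members": []}
    params = {}
    for token in text.split():
        m = PARAM_RE.match(token)
        if m:
            params[m.group(1)] = m.group(2)
    urls = [defang(u) for u in URL_RE.findall(text)]
    return {"kind": "text", "text": text, "urls": urls, "params": params, "members": []}


def sample_zip_blob() -> str:
    """Constructed stand-in for the archive stage: a base64 ZIP holding two dummy
    files named like those in the post (contents are placeholders, not the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gbpm.dll", b"placeholder")
        zf.writestr("gbpm.exe", b"placeholder")
    return base64.b64encode(buf.getvalue()).decode("ascii")


if __name__ == "__main__":
    # The two blobs quoted in the posts, plus the constructed archive and plain chatter.
    for blob in ("aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==",
                 "ZGQxPWh0dHA6Ly90b25rcy5ydS9pbmRleC5waHA/bmFtZT1mb3J1bXM=",
                 sample_zip_blob(),
                 "just chatting, nothing to see"):
        print(decode_c2_message(blob))
```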

Never a dull day around here, even when you need one.

Metasploit And Other Sites DDoSed

By: Jose -

At about 12:52 PM Feb 7th, HD Moore (leader of the Metasploit project) twittered “heh, metasploit.com is being DDoS’d again”. A little while later he pointed to a traffic graph and asked, “see if you can pick out the DDoS”. Hint: it’s obvious. He later started blogging the incident:

On Friday, starting around 9:00pm CST, the main metasploit.com was hit with a highly-annoying, if pretty useless distributed denial of service. The attack consisted of a botnet-sourced connection flood against port 80 for the metasploit.com host name. This flood consisted of about 80,000 connections per second, all from real hosts trying to send a simple HTTP request.

Source: Pathetic DDoS vs Security Sites, via the Metasploit blog.

The attack in this case involved hundreds of thousands of IPs and was a mix of a TCP SYN flood and an HTTP GET flood. As HD noted, the Metasploit site was one of a handful, and other sites being targeted included Milw0rm and Packet Storm.

So, what did Metasploit do to weather the attack while their services were unavailable (gathered from watching this, actively mining the domain name, reading the Twitter account, and also a second blog post and a third blog post)? They employed some well-known tricks that sometimes work:

  • They moved real services to port 8000, bypassing the TCP SYN flood and the HTTP GET flood which targeted port 80.
  • They moved the domain name to 127.0.0.1 with a short TTL to get the bots to target a useless address.
  • They noticed that the attack hit the metasploit.com domain and not www.metasploit.com, so they were able to selectively disable that name.
  • They also moved to another network, presumably with more bandwidth or some filtering capabilities available to the Metasploit site.

He’s also shared a list of sources from the attack. Note that many of the very small request chunks are often search engine indexing bots.
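The third trick above (noticing that the flood hit the bare `metasploit.com` name and not `www.metasploit.com`) and the source list are both things you can pull out of web server logs. The following is an added example, not Metasploit's or Arbor's code: it tallies requests per second per Host header and per source, so you can see which name is taking the flood and which sources are hammering it versus sending the handful of requests a crawler would. The log lines, the log format (host, source IP, epoch second, request line) and the thresholds are all constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample access-log lines (not from the post): Host header, source IP,
# second-resolution timestamp, request line. The flood hits the bare apex name.
SAMPLE_LOG = """\
metasploit.com 198.51.100.10 1234567890 GET / HTTP/1.0
metasploit.com 198.51.100.10 1234567890 GET / HTTP/1.0
metasploit.com 198.51.100.10 1234567890 GET / HTTP/1.0
metasploit.com 198.51.100.11 1234567890 GET / HTTP/1.0
metasploit.com 198.51.100.11 1234567890 GET / HTTP/1.0
metasploit.com 198.51.100.11 1234567890 GET / HTTP/1.0
metasploit.com 198.51.100.12 1234567890 GET / HTTP/1.0
www.metasploit.com 203.0.113.7 1234567890 GET /framework/ HTTP/1.1
www.metasploit.com 203.0.113.8 1234567891 GET /robots.txt HTTP/1.1
metasploit.com 198.51.100.10 1234567891 GET / HTTP/1.0
metasploit.com 198.51.100.10 1234567891 GET / HTTP/1.0
"""


def parse_log(text):
    """Turn the constructed log format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, src, ts, method, path, proto = line.split()
        records.append({"host": host, "src": src, "ts": int(ts),
                        "method": method, "path": path, "proto": proto})
    return records


def requests_per_second_by_host(records):
    """Peak requests/second observed for each Host header."""
    per_host = defaultdict(Counter)
    for r in records:
        per_host[r["host"]][r["ts"]] += 1
    return {host: max(c.values()) for host, c in per_host.items()}


def hosts_by_pressure(records, threshold):
    """Which names are under flood (peak rps >= threshold) and which are quiet,
    i.e. candidates to keep serving while the flooded name is parked."""
    rates = requests_per_second_by_host(records)
    return {"flooded": sorted(h for h, r in rates.items() if r >= threshold),
            "quiet": sorted(h for h, r in rates.items() if r < threshold)}


def flood_sources(records, host, threshold):
    """Sources that sent >= threshold requests to `host` within a single second.
    Low-volume sources (a few requests spread over time) fall below this, which is
    the crawler case the post mentions."""
    per_src = defaultdict(Counter)
    for r in records:
        if r["host"] == host:
            per_src[r["src"]][r["ts"]] += 1
    return sorted(src for src, c in per_src.items() if max(c.values()) >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(requests_per_second_by_host(recs))
    print(hosts_by_pressure(recs, threshold=5))
    print(flood_sources(recs, "metasploit.com", threshold=3))
```

On real logs the thresholds would be set from the site's normal baseline rather than the tiny numbers used here, and the per-source output is what you would hand to an upstream provider for filtering.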

In the end while they evaded the attacks for a bit, this didn’t appear to be sufficient.

We’ve been investigating this and cannot share any additional info at this time.

Follow the ASERT blog with Twitter

By: Arbor Networks -

Follow Arbor on Twitter!

Twitter is a free service that lets you keep in touch with people through the exchange of quick, frequent answers to one simple question: What are you doing? Join today to start receiving Arbor Networks updates, or add http://twitter.com/arbornetworks to your favorites!

UPDATED to fix the HREF. Thanks to all who noted it to us :)

Twitter and MSN: Driving Malcode Distribution

By: Jose -

We recently came across a bot that merges MSN Messenger link spam with Twitter to get users to download malcode. Twitter malcode is nothing new, but this one adds a twist for those who monitor IM link-spam bots: you have to do an extra level or two of link analysis to figure it out.

Once activated, the malcode fetches a file “/config.txt” from a server in Brazil which yields a configuration file for the malcode:

[GERAL]
modulo=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBtTpOsvqPdWkQd1d
ne=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsrpRcKkQd1d
plugin=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBt1oRsDbStCkQd1d
autork=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsrpSsXbR6mkQd1d
automsn=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsrpRNDkBcfmPm
mensagemorkut=Oi, vc sumil o que foi?hoje escutei a musica da cantora internacional Colbie Caillat
em um blog e lembrei de vc o nome da musica é Bubbly se quizer escutar to deixando o endereço do
blog (  twitter.com/ColbieCaillat/statuses/894897063  ) Tudo de bom saudades e se cuida.
AssuntoHotmail=ta ai as fotos da festa tinha esquecido.
MensagemHotmail=Q7HqS3elBtTtTovsQMHXRczsOMrXQMmkQsbqBcvbT2zjSsTeRtGkQ7HjR0
AutenticacaoHotmail=Q7HqS3elBtTtTovsQMHXRczsOMrXQMmkQsbqBcvbT2zpRNHmBdHuT0
idmaquina=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsbaRM5nCp8kQd1d
php=Q7HqS3elBtTtTovhR68mCIvkPNGuD2vkPNGlQMvaPNWkS6Xm

That message loosely translates to:

Hi, you sumil what? Today heard the music of singer international Colbie Caillat
on a blog and you remembered the name of the song Bubbly is if you want to hear the address of leaving
blog (twitter.com/ColbieCaillat/statuses/894897063) All the best and miss it handles.

That Twitter profile has one message that reads (translated), “Clik on the link below w / listen but the new success of the music singer Colbie Caillat Bubbly.” That link, however, is the malcode itself. Users who think they’re getting the next big song from the band actually get malcode.
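The extra level of link analysis the post describes starts with the config file: the lure text is stored in the clear, the lure URL is buried inside it, and most other values are opaque strings. Here is an added example (not the post's or the malware's code) that parses that INI-style file, including the lure message that runs across several lines, separates cleartext settings from opaque ones, and extracts the links a user would be sent to. The config text is copied from the post; the section/continuation-line rules, the "24 or more alphanumerics with no spaces" heuristic for opaque values, and the function names are my assumptions.

```python
import re

# Constructed copy of the config.txt quoted in the post; the long alphanumeric
# values are opaque (the post does not say how they are encoded).
SAMPLE_CONFIG = """\
[GERAL]
modulo=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBtTpOsvqPdWkQd1d
ne=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsrpRcKkQd1d
plugin=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBt1oRsDbStCkQd1d
autork=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsrpSsXbR6mkQd1d
automsn=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsrpRNDkBcfmPm
mensagemorkut=Oi, vc sumil o que foi?hoje escutei a musica da cantora internacional Colbie Caillat
em um blog e lembrei de vc o nome da musica é Bubbly se quizer escutar to deixando o endereço do
blog (  twitter.com/ColbieCaillat/statuses/894897063  ) Tudo de bom saudades e se cuida.
AssuntoHotmail=ta ai as fotos da festa tinha esquecido.
MensagemHotmail=Q7HqS3elBtTtTovsQMHXRczsOMrXQMmkQsbqBcvbT2zjSsTeRtGkQ7HjR0
AutenticacaoHotmail=Q7HqS3elBtTtTovsQMHXRczsOMrXQMmkQsbqBcvbT2zpRNHmBdHuT0
idmaquina=Q7HqS3elBtTtTovmON9XUc5lCZ0mE2vhQNGkRcLqBsbaRM5nCp8kQd1d
php=Q7HqS3elBtTtTovhR68mCIvkPNGuD2vkPNGlQMvaPNWkS6Xm
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
# Heuristic (assumed): a run of 24+ alphanumerics with no spaces is an opaque value.
OPAQUE_RE = re.compile(r"^[A-Za-z0-9]{24,}$")
# Bare or schemed hostnames with an optional path, stopping at whitespace or ')'.
URL_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/[^\s)]*)?", re.I)


def parse_config(text):
    """Parse 'key=value' lines under [section] headers. A line with no 'key='
    prefix continues the previous value, which is how the multi-line lure
    message is stored (assumed from the file's layout)."""
    sections, section, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sections[section] = {}
            last_key = None
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            last_key = m.group(1)
            sections[section][last_key] = m.group(2)
        elif section is not None and last_key is not None:
            sections[section][last_key] += " " + line
    return sections


def classify_values(values):
    """Split cleartext settings (lure text, subject lines) from opaque ones."""
    opaque = {k for k, v in values.items() if OPAQUE_RE.match(v)}
    return {"opaque": sorted(opaque), "cleartext": sorted(set(values) - opaque)}


def lure_links(values):
    """URLs embedded in the cleartext values: where the victim is being sent."""
    links = set()
    for v in values.values():
        if not OPAQUE_RE.match(v):
            links.update(URL_RE.findall(v))
    return sorted(links)


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)["GERAL"]
    print(classify_values(cfg))
    print(lure_links(cfg))
```

Run against the quoted file, the only link that falls out is the Twitter status URL, which is the hop the post says you have to follow to reach the actual malcode; the nine opaque values are left as-is for whoever works out the encoding.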

[Image: ColbieCaillatTwitter.png]

This account is now suspended, hurray. VirusTotal shows a mixed bag for detection with some ambiguous names at times:

[ scan result ]
AhnLab-V3	2008.10.18.0/20081017	found [Win-Trojan/Xema.variant]
AntiVir	7.9.0.5/20081017	found [TR/Dldr.Delphi.Gen]
Authentium	5.1.0.4/20081017	found [W32/Trojan2.DIXN]
Avast	4.8.1248.0/20081015	found [Win32:Banload-FZK]
AVG	8.0.0.161/20081017	found [Generic11.NVP]
BitDefender	7.2/20081017	found nothing
CAT-QuickHeal	9.50/20081017	found [Trojan.Delf.ehi]
ClamAV	0.93.1/20081017	found nothing
DrWeb	4.44.0.09170/20081017	found [Trojan.DownLoad.4951]
eSafe	7.0.17.0/20081016	found nothing
eTrust-Vet	31.6.6154/20081017	found nothing
Ewido	4.0/20081017	found [Downloader.Banload.usk]
F-Prot	4.4.4.56/20081017	found [W32/Trojan2.DIXN]
F-Secure	8.0.14332.0/20081017	found [Trojan.Win32.Delf.ehi]
Fortinet	3.113.0.0/20081017	found [W32/DelpDldr.D!tr]
GData	19/20081017	found [Win32:Banload-FZK ]
Ikarus	T3.1.1.44.0/20081017	found [Virus.Win32.Gamania.DG]
K7AntiVirus	7.10.498/20081017	found [Trojan.Win32.Delf.ehi]
Kaspersky	7.0.0.125/20081017	found [Trojan.Win32.Delf.ehi]
McAfee	5407/20081016	found [PWS-Banker]
Microsoft	1.4005/20081017	found [TrojanDownloader:Win32/Banload.gen!H]
NOD32	3532/20081017	found [probably a variant of Win32/Delf]
Norman	5.80.02/20081017	found [W32/Malware.DQAC]
Panda	9.0.0.4/20081017	found [Trj/Downloader.MDW]
PCTools	4.4.2.0/20081017	found nothing
Prevx1	V2/20081017	found [Banking Info Stealer]
Rising	20.66.42.00/20081017	found nothing
SecureWeb-Gateway	6.7.6/20081017	found [Trojan.Dldr.Delphi.Gen]
Sophos	4.34.0/20081017	found [Mal/DelpDldr-D]
Sunbelt	3.1.1730.1/20081017	found [BehavesLike.Win32.Malware (v)]
Symantec	10/20081017	found nothing
TheHacker	6.3.1.0.117/20081017	found nothing
TrendMicro	8.700.0.1004/20081017	found nothing
VBA32	3.12.8.7/20081017	found [Trojan.Win32.Delf.ehi]
ViRobot	2008.10.17.1425/20081017	found nothing
VirusBuster	4.5.11.0/20081017	found nothing

And so it goes. Any new communications medium, once it has enough eyeballs, is fair game for malcode attacks. This marriage – MSN and Twitter – means that you can now drive visitors to the malicious profiles.

No idea how many more profiles like this exist. We’ve contacted Twitter about this one and encouraged them to do some digging to find more.