Tag Archives: DDoS

Network security could be tested by bigger, badder DDoS attacks

Filed under Security News
Botnets of ever-expanding size could be used to perform large-scale distributed denial of service attacks against selected computers, experts say, disrupting some of the internet's most basic functionality.

Andy Ellis, the CSO of Akamai Technologies, told CIO magazine that it's possible that even the creators of the botnets are not fully aware of how widely their creations have spread, though PC World reports that a quarter of botnet-infected PCs are in enterprise networks.

Ellis also said that the DDoS attacks of today are far more sophisticated than the worm-created ones of the past. Instead of techniques like Mydoom or Blaster, which dramatically slow the machines that they infect, CIO reports, the botnets target servers with a flood of seemingly licit connection requests. The resultant slowdown affects only the targeted machine, which can easily use up all of its allotted bandwidth and cease to be accessible.

Experts say that botnets typically spread via phishing and some types of worm programs, which can automatically spread themselves across a network without any action by a human user beyond the initial infection.

Botnets proliferate, making DDoS attacks cheaper

Filed under Security News
Network security researchers tracking online criminal activity say the underground marketplace for networks of hacked computers - botnets - has become so crowded in recent years that renting a botnet to launch attacks is becoming cheaper.

Botnets, which can be used by bot-herders to send out waves of spam and malware and to launch distributed denial-of-service (DDoS) attacks to take down websites and servers, are traded and rented out to attackers as a kind of black market software-as-a-service.

But as more PCs become infected by proliferating worms and Trojan malware, the price to rent a botnet is becoming progressively cheaper, according to Jose Nazario, security researcher for Arbor Networks.

"The barriers to entry in that marketplace are so low you have people basically flooding the market," Nazario said, according to Computerworld. "The way you differentiate yourself is on price."

Security researchers at Finjan previously discovered a trading platform called Golden Cash that sells batches of 1,000 infected PCs - an infected PC is called a "zombie" or bot - for as little as $25 to $500.

Researchers said not all of the botnet rentals are equally dangerous, so low-end attackers may not be getting much for their money.

Spam offers Obama opponents chance to DDoS White House

Filed under Security News
A spam email detected by email security firm Proofpoint attempts to exploit anti-Obama sentiment by offering recipients a chance to launch distributed denial-of-service (DDoS) cyberattacks on the White House - if they just download malware onto their PC.

The email subject heading says "Here You can buy DDoS" and in the body says "If You dont like Obama come here, you can help to ddos his site with your installs [sic]."

A link in the body takes users to a website that offers to pay visitors to install malware on their machines and advises them to return to the website for updated versions of the malware if it is detected by anti-virus software on their PC.

As the security experts at Proofpoint noted, voluntarily downloading malware onto your computer is a very bad idea.

But this spam points to how well the spammers and cybercriminals track popular trends to better target victims with their scams and malicious payloads.

In the wake of the inauguration of the new president, when his popularity was sky high, spammers tried to exploit pro-Obama sentiment. Now that his popularity is waning, the spammers shift gears to exploit the surge in opposition to his policies.

Russian mobsters tied to DDoS cyberattacks on Georgia

Filed under Security News
Cyberattacks that shut down Georgian government and media websites during a brief war with Russia last August were launched by civilians and criminal gangs, who were tipped off about the impending Russian invasion of the South Ossetia region, according to a technical analysis.

The mostly classified report from the U.S. Cyber Consequences Unit, a nonprofit research institute, concludes that the close timing of distributed denial-of-service (DDoS) cyberattacks to the invasion meant that "there had to be close cooperation between people in the Russian military and the civilian cyber attackers," according to IDG News Service, which reviewed a summary of the report.

The report said the Russian government didn't directly carry out the attacks, but at some level encouraged civilian nationalists who were recruited through social networking sites to participate in the DDoS, IDG News reported.

Servers frequently used by Russian criminal gangs for hosting malicious software were also used in the attacks.

Tensions between Russia and Georgia may have also played a part in more recent DDoS attacks against Twitter, Facebook, LiveJournal and Google.

Security researchers said recent DDoS attacks that knocked out Twitter for several hours two weeks ago were directed by Russian hackers at a Georgian blogger with the nickname Cyxymu, who had been posting accounts of events leading to the Russia-Georgia war to his blog.

Georgian blogger ‘Cyxymu’ target of DDoS attacks

Filed under Security News
The distributed denial-of-service (DDoS) attacks targeting Twitter, Facebook and other websites on Thursday were directed by Russian hackers at a Georgian blogger with the nickname Cyxymu, according to reports.

The blogger had been posting accounts of events leading to the conflict between Russia and Georgia last August to his blog and linked through Twitter and other social networks, he told the New York Times.

Attackers also bombarded email inboxes with spam that appeared to come from the Gmail email address of the blogger, in order to intimidate him and show him that he was the target of the attacks, according to the Avert Labs blog of web security firm McAfee.

By Friday, Twitter was back online after suffering a second wave of attacks. Cyxymu posted a message on his Twitter page that said: "My twitter is online! Thank you all for support after ciber [sic] attack from Russia!"

PC World reported that Twitter continued to experience DDoS attacks on Friday and into Saturday, but the company set up defenses to block the excess traffic.

A DDoS attack uses networks of malware-infected PCs, called botnets, to overwhelm a website with traffic. Similar cyberattacks occurred in early June that knocked out government websites in the U.S. and South Korea.

Twitter goes down by DDoS cyberattack

Filed under Security News
Twitter users were unable to access the Twitter homepage on Thursday, which the company said was due to an ongoing distributed denial-of-service (DDoS) cyberattack.

TechCrunch reported that Twitter was inaccessible as of approximately 9 a.m. eastern time. By 11 a.m. eastern on Thursday, the company posted on the Twitter status blog: "We are defending against a denial-of-service attack and will update status again shortly."

Media outlets on Thursday also reported that popular social networks LiveJournal and Facebook were suffering outages.

A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is a type of cyberattack in which hackers overwhelm a website or server with traffic in order to slow it down or force it offline. DDoS attacks often use botnets of compromised PCs to submit repeated requests to a targeted website.
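Seen from the defender's side, the attack pattern described above and in the earlier post on botnet floods (many compromised PCs each submitting a stream of seemingly legitimate requests until the target's bandwidth is exhausted) shows up in the target's own access logs as a per-source request-rate anomaly. The following is an added example, not code from the original posts or from any company named on this page; it assumes Common Log Format web access logs, and the log lines, IP addresses (documentation ranges), window size and threshold are constructed for illustration.

```python
"""Rate-based flood indicator over web server access logs (added example).

Assumes Common Log Format lines. The sample log, the addresses and the
window/threshold values are constructed for illustration only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req")


def flag_flooders(lines, window_seconds=10, max_requests=20):
    """Flag source IPs that exceed max_requests within any window_seconds span.

    Keeps one sliding window (a deque of timestamps) per source, so memory is
    bounded by the threshold rather than by total log volume. Timestamps are
    assumed non-decreasing per source, as they are in a real access log.
    Returns {ip: peak number of requests observed inside one window}.
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than crash the detector
        ip, ts, _ = parsed
        w = windows[ip]
        w.append(ts)
        # evict timestamps that have fallen out of the window
        while (ts - w[0]).total_seconds() > window_seconds:
            w.popleft()
        if len(w) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(w))
    return peaks


# --- constructed sample input -------------------------------------------------
BASE = datetime(2009, 7, 4, 12, 0, 0, tzinfo=timezone.utc)  # constructed


def _line(ip, seconds_offset, path="/"):
    """Build one constructed CLF line at BASE + seconds_offset."""
    ts = (BASE + timedelta(seconds=seconds_offset)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def sample_log():
    """One flooding source (25 hits in 5 s), two ordinary clients, one bad line."""
    lines = [_line("203.0.113.7", i // 5) for i in range(25)]        # flooder
    lines += [_line("198.51.100.5", 12 * i, "/news") for i in range(5)]  # normal
    lines += [_line("192.0.2.9", 20 * i, "/about") for i in range(3)]    # normal
    lines.append("this line is not a log entry")                          # malformed
    return lines


if __name__ == "__main__":
    for ip, peak in flag_flooders(sample_log()).items():
        print(f"{ip}: peak {peak} requests within a 10 s window")
```

The detector only produces candidates: a source that legitimately sits behind a large NAT or proxy will also exceed a naive per-IP threshold, so the flagged list is input to rate limiting or further review rather than an automatic block list.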

Recently, DDoS attacks have been reported against the online media site Gawker, the file-sharing site The Pirate Bay and the messageboard 4chan.org.

A series of DDoS attacks beginning the weekend of July 4 hit government websites in the U.S. and South Korea.

More than 160,000 infected PCs were used in those attacks to disrupt service from sensitive sites including those of the White House, the Secret Service and the New York Stock Exchange.

South Korean websites source of malware in July 4 DDoS

Filed under Security News
The malware used to infect thousands of PCs for a series of distributed denial-of-service (DDoS) cyberattacks beginning the weekend of July 4 originated from two online storage websites based in South Korea, according to a report from state police, the Korea Times reported.

A wave of DDoS cyberattacks from more than 160,000 infected PCs brought down government and banking websites in the U.S., South Korea and China, setting off speculation that North Korea was behind the attacks.

But South Korea's National Police Agency said the malicious software was distributed to PCs through two storage websites based in the South, in Seoul and Busan, which host commercial peer-to-peer file distribution, the Korea Times reported Monday.

"Users of these online storage sites unknowingly downloaded the malicious programs, thinking they were updating the programs for the peer-to-peer transactions," a police source told the newspaper. "We found four foreign servers that we believed were used to issue the attack orders."

The command-and-control servers used to direct the attacks were based in the UK and Germany, according to the report.

In the U.S., the attacks overwhelmed the websites of the Treasury department, the Secret Service, the Federal Trade Commission and the Department of Transportation, along with banking websites including the site of the New York Stock Exchange.

DDoS attacks require global response, Gillibrand says

Filed under Security News
Citing the recent wave of distributed denial-of-service (DDoS) attacks on U.S. and South Korean government sites, Senator Kirsten Gillibrand of New York has proposed legislation to bolster U.S. efforts to work with foreign governments on cybersecurity.

Called the Fostering a Global Response to Cyber Attacks Act, the bill would require the secretary of state to report to Congress on efforts to encourage international cooperation in improving cybersecurity.

"Attacks potentially launched from within North Korea, Russia, China and other countries have grown more sophisticated, more targeted and more serious over the past year and will only grow more dangerous in time," Gillibrand said.

The DDoS attacks that began the weekend of July 4 originated from more than 166,000 zombie PCs in 74 countries, according to the Vietnamese security firm Bkis. The firm reported that the botnet was controlled by eight command and control servers under the direction of a master server located in the UK.

The Korea Communications Commission (KCC), South Korea's broadcasting and telecommunications regulator, said the Bkis report was "credible" and said authorities in South Korea are seeking cooperation with the British government to investigate the attacks, according to the Korea Times.

"We don't know that the attackers were actually based in Britain, or mainly hacked a British IP address and used it for delivery," an official from KCC told the Korean paper.

Trojan used in DDoS attacks programmed to self-destruct

Filed under Security News
Trojan malware that was responsible for a series of cyberattacks on websites in the U.S. and South Korea last week was programmed by the attackers to erase the hard drives of the infected PCs used to launch distributed denial-of-service (DDoS) attacks, a web security researcher said.

Joe Stewart, director of malware research at SecureWorks, said the cyberattackers programmed the malware to download a program that overwrites the data on the hard drive with a message that reads "memory of the independence day," followed by as many "u" characters as it takes to write over the drive, the Washington Post's Security Fix blog reported.

The DDoS attacks, which began on July 4 and hit sensitive sites including the South Korean defense ministry and the U.S. Secret Service, disrupted government and commercial websites in at least three separate waves.

South Korean officials said Friday that the attacks used 86 IP addresses in 16 countries, including South Korea, the U.S. and Japan, but not North Korea, according to the Associated Press.

However, members of the South Korean parliament's intelligence committee told media Wednesday that the country's National Intelligence Service told them it believes North Korea or its sympathizers were responsible.

Korean hackers, MyDoom worm suspected in DDoS attacks

Filed under Security News
Government websites in the U.S. and South Korea were hit by a major cyberattack beginning on July 4, which intelligence officials believe was launched by hackers sympathetic to the authoritarian regime in North Korea.

U.S. officials told the Associated Press that websites for the Treasury department, the Secret Service, the Federal Trade Commission and the Department of Transportation were hit by a sustained distributed denial-of-service attack (DDoS) over the holiday weekend.

South Korean intelligence officials said a botnet of 18,000 infected computers located on the Korean peninsula was used to launch the attacks, according to the Korea Herald.

A series of attacks on South Korean government sites began on Tuesday, including the sites of the office of the president (Cheong Wa Dae), the National Assembly, the Ministry of Defense, Shinhan Bank and Korea Exchange Bank, the newspaper reported.

Amy Kudwa, a spokeswoman for the Department of Homeland Security, said the U.S. Computer Emergency Readiness Team issued a notice to federal departments and "advised them of steps to take to help mitigate against such attacks," according to the AP.

Web security researchers from AhnLab said the attack could have been spawned by PCs infected with a version of the MyDoom worm, according to IDG News Service.