Press Release - 28 April 2009

Andy Crocker, Cybercrime Specialist: "DDoS is alive and well"

In the last month we have seen a great deal in the press about DDoS (Distributed Denial of Service) attacks. One of the main reasons is that the BBC launched its own DDoS attack. That’s correct: the BBC launched an attack, against the security company Prevx.

The BBC's IT programme, Click, bought a botnet from a cybercriminal group believed to be located in Russia. The botnet was allegedly made up of approximately 22,000 computers (bots) that had been hijacked without their legitimate owners' knowledge. The programme makers then used the botnet to send spam to two pre-registered email accounts; within hours the mailboxes were filled with thousands of spam emails.

Following the spam demonstration, the programme makers carried out a pre-agreed DDoS attack against the security company's backup site. It took only 60 computers from the botnet to take the site down. In a genuine attack, an extortion demand normally follows, delivered through some form of communication from the attacker.

Other DDoS Attacks in 2009

There have been several other DDoS attacks reported on the internet in the last month against a variety of victims. Not everyone reports these attacks, and those that are protected with anti-DDoS solutions such as Webscreen will not be affected by them. It is therefore impossible to see the full scale of the havoc these botnets are causing to unprotected sites across the globe. However, one thing is clear: judging by the diversity of the victims that have reported attacks, anyone can be targeted, for any reason.

Time Warner

At the end of February, Time Warner Cable's DNS servers were subjected to a week-long series of DDoS attacks. Customers across a wide region of the US reported slow connections and, in some cases, could not access the pages they requested, receiving “Page cannot be displayed” error messages instead. Because almost every connection starts with a DNS lookup, a resolver outage makes the whole internet appear to be down for the affected customers.

Satellite enthusiast forums

In early March, following the attack on Time Warner Cable, Satellites.co.uk and other satellite enthusiast forums were the unlikely targets of DDoS attacks. The list of victim sites includes Techwatch.co.uk, alsat.co.uk, satpimps.com and several others. The motive is suspected to be extortion, following a message posted to the Techwatch forum by an anonymous poster via a proxy. Several sites were down for long periods while they tried to defend against the attacks. Investigations are ongoing.

Mininova

Also in early March, the BitTorrent site Mininova was the victim of a DDoS attack that made the site inaccessible at times. The attack was sourced from three continents and reached 2GB at times. The reason for the attack is unknown.

UltraDNS and GoGrid

There were several other attacks reported during March, including attacks against UltraDNS and GoGrid. Then, at the end of the month and into early April, came the big one: Register.com, the world’s eighth-biggest domain registrar, was hit by a DDoS attack that ultimately led to a 48-hour outage of service. The attack was against its DNS servers, causing a great deal of disruption for many of its customers, whose domains stopped resolving once cached answers expired. Register.com has not disclosed whether it is aware of a motive for the attack.

Other Cyber News

Conficker - What Next?

April 1st came and went without the global internet devastation people were predicting. So what happened? The answer is plain and simple: Conficker, also known as Downadup or Kido, did what it was supposed to do: it updated itself. The update linked the nodes that Conficker.C had created into a peer-to-peer network. The worm also generates 50,000 domain names a day and contacts a subset of them, so the herder need register only a handful of those names to reach the botnet. The botnet is now more powerful than anything the internet has seen in the past, and its power should not be underestimated.

Botnets are normally updated from a central source, which gives defenders a single point to block or seize. With Conficker the update system has been decentralised, making it far more difficult to track and shut down.
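The daily batch of generated domain names described above leaves a footprint a defender can look for: an infected host asks the resolver for dozens of random-looking names, almost all of which are unregistered and come back NXDOMAIN. The following is an added example, not code from the original article or from any Conficker analysis; the domain generator in it is a stand-in that only shares the "seeded batch of random names" property, not Conficker's actual algorithm, and the resolver log lines and client addresses are constructed for the example.

```python
"""Flag hosts whose DNS lookups look like domain-generation-algorithm (DGA) traffic.

Added example. `illustrative_dga` is NOT Conficker's generator; it is a stand-in
that produces a seeded batch of random-looking names. The log lines built by
`build_sample_log` are constructed, not captured traffic.
Log line format assumed here: "<epoch> <client_ip> <qname> <rcode>".
"""
import math
import random
from collections import defaultdict

TLDS = ["com", "net", "org", "info", "biz"]


def illustrative_dga(day_seed: int, count: int) -> list:
    """Stand-in generator: a PRNG seeded per day yields `count` random hostnames."""
    rng = random.Random(day_seed)
    names = []
    for _ in range(count):
        length = rng.randint(10, 14)
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(length))
        names.append(f"{label}.{rng.choice(TLDS)}")
    return names


def shannon_entropy(s: str) -> float:
    """Bits per character; random labels score high, dictionary words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client, qname, rcode) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, rcode = parts
    return client, qname.lower().rstrip("."), rcode


def find_dga_suspects(log_lines, min_queries=20, min_nx_ratio=0.8, min_entropy=2.5) -> dict:
    """Per client: flag high NXDOMAIN ratio combined with high-entropy names."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "domains": set(), "ent": 0.0})
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, qname, rcode = rec
        st = per_client[client]
        st["queries"] += 1
        if rcode == "NXDOMAIN":
            st["nxdomain"] += 1
        st["domains"].add(qname)
        # Heuristic: score the longest label, which is where a DGA puts its randomness
        st["ent"] += shannon_entropy(max(qname.split("."), key=len))
    suspects = {}
    for client, st in per_client.items():
        if st["queries"] < min_queries:
            continue  # too little data to judge
        nx_ratio = st["nxdomain"] / st["queries"]
        mean_entropy = st["ent"] / st["queries"]
        if nx_ratio >= min_nx_ratio and mean_entropy >= min_entropy:
            suspects[client] = {
                "queries": st["queries"],
                "nx_ratio": round(nx_ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
                "unique_domains": len(st["domains"]),
            }
    return suspects


def build_sample_log() -> list:
    """Constructed resolver log: one infected host, one host browsing normally."""
    lines = []
    ts = 1238544000  # 2009-04-01 00:00:00 UTC
    for i, name in enumerate(illustrative_dga(day_seed=20090401, count=40)):
        # Assume the herder registered only two of the day's names; the rest fail
        rcode = "NOERROR" if i in (3, 27) else "NXDOMAIN"
        lines.append(f"{ts + i} 10.0.0.23 {name} {rcode}")
    normal = ["www.bbc.co.uk", "mail.google.com", "www.facebook.com",
              "www.boxingorange.com", "update.microsoft.com"]
    for i in range(25):
        lines.append(f"{ts + i} 10.0.0.7 {normal[i % len(normal)]} NOERROR")
    lines.append(f"{ts + 30} 10.0.0.7 www.bbc.co.ukk NXDOMAIN")  # a typo, not DGA
    return lines


if __name__ == "__main__":
    for client, stats in find_dga_suspects(build_sample_log()).items():
        print(client, stats)
```

The NXDOMAIN ratio is the strong signal; entropy alone is not, since legitimate names such as "microsoft" score nearly as high as random strings. Requiring both, over a minimum number of queries, keeps a single typo from flagging a normal host. Tune the thresholds to the resolver's real traffic before acting on the output.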

Some estimates put the number of computers infected with the Conficker worm in the millions; the reality is more likely to be around 1.1 to 1.5 million. Even at these lower estimates it is still a powerful adversary.

So what are the herder's intentions? It is hard to say in this case. The most prevalent motive in the past has been money. However, it is very unlikely that the herder will be able to sell the botnet in its entirety because it has too high a profile, making it too hot to handle. Leasing part or parts of the botnet to criminal gangs is possible, though. This would give the gangs the ability to attack without fear of it being traced back to them. They could then use the computing power of the botnet to carry out DDoS attacks against unprotected sites, send spam, steal financial data such as credit card details, and carry out numerous other criminal activities.

Koobface worm creating large-scale botnets

Botherders are attacking social networking sites to create large-scale botnets. The Koobface worm is being used by botherders to exploit the new trend of social networking sites such as Facebook and MySpace. Once downloaded onto the victim’s computer, the worm uses the browser's cookies to identify which social networking site the victim uses and connects to the site with the login session stored in the cookie, so it never needs the victim's password. Koobface then contacts the victim’s “friends” on the site and attempts to send a message to each of them. The message contains a link to a website from which a copy of the original malware is downloaded. The cycle then repeats, creating more and more zombies for the botherder. The botherder's final goal is a large botnet for malicious use against legitimate companies, including DDoS and phishing, and with Facebook having more than 170 million users the pickings are rich.

psyb0t the Router Malware

There have been several reports on the internet this month about psyb0t, new malware that is targeting home routers. According to researchers this is the first malware to go after home network devices. It targets routers that are MIPS (mipsel) Linux-based; expose telnet, SSH or web-based management interfaces to the wide-area network; and have a weak username and password, or firmware daemons with exploitable vulnerabilities.

With this new technique being deployed, it is important that people set strong passwords on their routers, disable management interfaces (telnet, SSH, web) on the WAN side, and keep their firmware up to date. This may be the first time that bots have been created from DSL routers, but it certainly will not be the last.

© 2007 Boxing Orange Ltd.
Place your trust in Boxing Orange - info@boxingorange.com   Tel : 0113 232 2330