13
May 13

DDoS Services Advertise Openly, Take PayPal

facebooktwittergoogle_plusredditpinterestlinkedinmail

The past few years have brought a proliferation of online services that can be hired to knock Web sites and individual Internet users offline. Once only found advertised in shadowy underground forums, many of today’s so-called “booter” or “stresser” services are operated by U.S. citizens who openly advertise their services while hiding behind legally dubious disclaimers. Oh, and they nearly all rely on Paypal to receive payments.

Asylum's attack options.

Asylum’s attack options.

Many of these booter sites are based on the same source code, meaning that any vulnerabilities in that code can be used to siphon data from the back-end databases of multiple, competing services. This happened in March to booter.tw, a service that was used to launch a volley of attacks against this blog, among others.

Today we’ll be taking a closer look at another booter service whose customer database was recently leaked: asylumstresser.com (a.k.a. asylumbooter.com/net/us). Like other booter services, asylumstresser.com isn’t designed to take down large Web sites that are accustomed to dealing with massive attacks from Internet extortionists. But these services can and are used to sideline medium-sized sites, although their most common targets are online gaming servers.

Asylum says it deletes records of attacked sites after one month, and the leaked database confirms that. But the database also shows the sheer volume of online attacks that are channeled through these services: Between the week of Mar. 17, 2013 and Mar. 23, 2013, asylumstresser.com was used to launch more than 10,000 online attacks.

According to the leaked database for Asylum, the administrator and first registrant on the site uses the address chandlerdowns1995@gmail.com. That same email address was the beneficiary of more than $35,000 in Paypal payments made by customers of the service. Overall, more than 33,000 user accounts were created on the site.

That chanderdowns1995@gmail.com address also is tied to a Facebook account for a 17-year-old honor roll student named Chandler Downs from suburban Chicago. A reverse WHOIS report (PDF) ordered from domaintools.com shows other interesting sites registered with that same email address.

In a brief interview conducted over Gmail chat, Downs maintained that the service is intended only for “stress testing” one’s own site, not for attacking others. And yet, asylumstresser.com includes a Skype resolver service that lets users locate the Internet address of anyone using Skype. Asylum’s resolver wouldn’t let me look up Downs’ own Skype address — “hugocub1.” But another Skype resolver service shows that that Skype username traces back to a Comcast Internet address outside of Chicago.

Asylumstresser.com also features a youtube.com ad that highlights the service’s ability to “take down your competitors’ servers or Web site.”

“Do you get annoyed all the time because of skids on xBox Live? Do you want to take down your competitors’ servers or Web site?,” reads the site’s ad, apparently recorded by this paid actor at Fiverr.com. “Well, boy, do we have the product for you! Now, with asylumstresser, you can take your enemies offline for just 30 cents for a 10 minute time period. Sounds awesome, right? Well, it gets even better: For only $18 per month, you can have an unlimited number of attacks with an increased boot time. We also offer Skype and tiny chat IP resolvers.”

Downs said he was not the owner of the site – just the administrator. He shrugged off the ad’s message, and said Asylum wasn’t responsible for what customers did with the service.

“You are able to block any of the ‘attacks’ as you say with rather basic networking knowledge,” Downs said. “If you’re unable to do such a thing you probably shouldn’t be running a website in the first place. No one would spend money to stress a site without a reason. If you’re giving someone a reason, that’s your own fault.”

Not so fast, said Mark Rasch, a computer security expert and former U.S. Justice Department attorney.

“If they’ve got their fingers on the trigger and they launch the attacks when they’re paid to, then I would say they’re criminally and civilly liable for it,” Rasch said.

Allison Nixon, a security consultant who recently left a job analyzing attack traffic at Dell SecureWorks, looked at all of the attack methods offered by Aslyum. Nixon said she was disappointed to discover a glitch in the site’s code: No matter which attack method she chose, the booter ran the same attack: A reflected DNS attack, and some weeks later, a UDP flood.

“They promise all these attacks – like Layer 7 attacks, SYN floods, Apache memory exhaustion, and all I ever got was reflected DNS attacks and UDP floods,” Nixon said. “Booters are written and modified by amateur coders who often don’t know what they are doing, so these sort of bugs are unsurprising.”

Nixon noted that all of the packets incoming from the traffic she ordered to her test machines appeared to have been sent from spoofed IP addresses. However, when she used the “Down or Not?” host checker function on Asylum, the site responded from what appears to be the real Internet address of one of the servers that are used to launch the attacks: 93.114.42.28. She noted that a booter service that appears to be a clone of Asylum – vastresser.ru – is hosted on the same network — at 93.114.41.94.

Asylum, like most other booter services, is hidden behind Cloudflare, a content distribution network that helps sites block attacks that services like Asylum are designed to launch. Apparently, getting attacked is something of an occupational hazard for those running a booter services. Behind the Cloudflare proxy, Nixon found that the secret IP for the Asylum stresser Web frontend was 93.114.42.205.

Both IP addresses map back to Voxility, a hosting facility in Romania that has a solid reputation in the cybercrime underground for providing so-called “bulletproof hosting” services, or those that generally turn a deaf ear to abuse complaints and requests from law enforcement officials. In January 2013, I profiled one data center at this ISP called Powerhost.ro that was being used as the home base of operations for the organized cybercrime gang that is currently facing charges of developing and distributing the Gozi Banking Trojan.

“I think it is outrageous that Paypal processes money for these people,” Nixon said of Asylum. “If law enforcement cared at all, every booter uses Paypal and the owners’ real financial info will be tied up in it.  It would be super easy for the cops to find them and round all of them up.  And if the info is fake, Paypal should be freezing those accounts.”

Update, 8:24 p.m. ET: A Paypal spokesperson sent the following statement in response to this story:

“While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly. We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.”

Update, May 16, 12:07 p.m. ET: Downs took rather strong exception to several statements in this story. Principally, he maintains the site is owned by someone else, but he has not supplied any information about that individual other than a commonly-used hacker handle. I thought it made sense to share a few more details about my reporting that led me to believe Downs was running the site, if not also profiting directly from it. Check out this thread from Hackforums.net, where this service is primarily advertised. It shows that the user “Asylum” states that his contact nickname on Skype is “hugocub1,” which as mentioned in the story above traces back to a user in Chicago. But a more important and interesting find comes from Downs’ youtube.com channel (referred to by his gaming profile XBLvirus — one of the nicks listed in the Domaintools report linked above), which features mostly videos of his xBox Live gaming and hacking prowess. In one video, the narrator can be heard stating, “Hey youtube, what’s up, it’s Chandler from darklitstudios.” At around  4:01 in this video, if you pause it just right, you can see Lastpass listing his available stored passwords, including several different accounts using the nickname “hugocub”. Hat tip to Allison Nixon for digging up this additional information.

Tags: , , , , , , , , , ,

36 comments

  1. SKIDROW as in the warez scene release group? If not I think they’re going to be pissed when they see this.

    • no, they’re referring to “skids” as in “skiddies”, or “script kiddies”. Basically people who use free downloadable hacking tools and think they’re top shit because of it.

  2. I really do enjoy reading how these miscreant script kiddies try to legally justify their actions with fantasy loop holes in the law. I really wouldn’t want to end up with one of these kids as my lawyer if i ever got in trouble.

    I wonder if “it’s a legal stress testing service” really holds up in court when you are clearly advertising on a “hacking” forum, promoting illegal use of the tool, breaking the server ISP’s code of conduct and sending denial of service attacks to other peoples DNS systems in order to perform a reflective attack. My guess is that they better buy a nice sturdy soap holder.

  3. Put this criminal in prison.

  4. We should all chip in 30 cents and pay to have it flood itself lmao

  5. I’d love to read about this kid, and his family, being investigated, arrested and prosecuted. Perhaps his parents would care a bit more about what their son is doing when faced with a few hundred grand in fines and fee’s.

    Of course, this assumes they don’t know what he is doing and are not enjoying some of the gains of his “business”.

    I look forward to seeing this guy brought down. If Krebs is able to find this out so quickly, one wonders why law enforcement doesn’t jump on it and make an example. Put some fear into these people and perhaps a few will abandon the practice before they even get started.

    • Unfortunately, I think part of the problem here, Jeff, is that from what I can tell of the American Justice System ™, there is no easy facility for charging minors. It is possible they will wait until he turns 18. I have noticed in my research that a lot of minors’ charges get processed through the local justice systems there (be it state or whatever), as there are no youth incarceration facilities for minors.

      Probably one other problem is that there is usually a minimum damage amount informally (sometimes formally) considered ‘enough’ to start an investigation. In addition, one generally needs a victim or victims to come forward and make those claims. I’m guessing a lot of these ‘booter’ victims are individual gamers and maybe little shared web forums for gamers. Some may also be illegal vendors. Finding a victim willing to come forward and capable of getting the justice system interested is not always as easy as it may seem. On the other hand, we have all seen instances of where the justice system considers someone fairly irrelevant useful as an ‘example’.

      It is crazy that this person seems so brazen. When I first read this, my initial instinct was to ask if it was not possible that this was not someone using someone else’s information (perhaps someone the actual person greatly disliked). My initial guess would have been that this person was over 18, but not by much. Maybe 19-21 range. But I am not expert. :)

      • I meant to say no *federal* incarceration facilities for minors. Somehow I must have deleted this word in my post.

    • If a 17-year old kid’s parents don’t know that he or she is suddenly doing things that require more money than they’re providing to him/her or which the teenager could make from a normal job (or worse, they don’t care), then the parents should get a significant share in that jail time.

      • That’s completely unreasonable IMO.

        Also Krebs On Security seems to be under some sort of mildly effective DDoS attack ATM … couldn’t see that coming! :p

        Keep up the good work BK.

    • The unfortunate part of the statment of “Put some fear into these people and perhaps a few will abandon the practice…” is that this is a lot like a ant eater sitting on top of an anthill… sure, a few ants will lose everything in the process but there’s always more ants willing to take up the cause as it were. This is such a wide spread problem that Law enforcment can barely keep up and in most cases fail utterly in dealing effectively with situations that are very clearly spelt out.

  6. Gigaloader was an old, well known and public “stress tester” people used to use years ago. I think their service was free too. But they’ve long since shut down.

    • I remember gigaloader. I used them once or twice to check my own sites when I was configuring to avoid DDOS. :)

  7. Related only marginally — this bookreviewstew page just depressed me thoroughly. Remind me not to click on all of your links, Brian. :(

    • For $5 bookreviewstew will cheer you up!

      • For 40 USD I can tip him to take his family to the zoo!

        Hm I wonder how long until somebody realizes they can pay him to record a video reply to this post? :(

  8. Man they took down quakelive.com for 3 days. and now battlelog.com was down for a couple days. All this past week. two online games I play.

  9. Who is to blame: the person doing the attack, or the person ordering, authorizing and paying for the attack?

    Like wise: The hitman, or who paid him.

    Subsequently: The soldier, or the people who voted a particular administration in……

    Suddenly good/bad, legal/illegal, friend/foe are debatable and depends on your P.O.V.

  10. Paypal is one guilty party, and CloudFlare is another. Why hasn’t CloudFlare yanked the DNS records on this site? That would take it offline until such time that it finds another DNS provider. In my opinion, CloudFlare is a cyberwar profiteer, and they enjoy hosting booter sites because it’s good for business. The more DDoSing out there, the more paying customers they get.

    Cloudflare has been providing DNS for asylumstresser.com at least since last October, according to results from the search box at the bottom of http://www.cloudflare-watch.org/cgi-bin/cfsearch.cgi

    But CloudFlare always blows off complaints with their well-worn mantra. “We don’t host any sites,” they say, while ignoring the fact that they provide an essential service for such sites.

    It is possible to “hide” your original hosting provider behind CloudFlare, and nearly all cybercriminals know this. But in this case, the perp didn’t even try to hide. There’s no need to if your original host is in Romania, and your DNS is provided by CloudFlare.

    • and you sir are quite an idiot if you’re the one behind cloudflare-watch. don’t you think having real ips for some websites hosted behind cloudflare puts them at risk of having to succomb to a ddos ? some websites (and not just one) use that service for legit reasons.

      • I am president of the tax-exempt organization behind cloudflare-watch.org, and we record the original IPs behind CloudFlare users to the extent that this information is revealed by public sources. The need for real IPs is CloudFlare’s fault. They protect the cybercriminals who use their service.

        CloudFlare’s response to complaints from the victims of these criminals is invariably a mixture of equivocation and obfuscation. By way of contrast, if you know the original hosting provider for a cybercriminal who is hiding behind CloudFlare, there is about a 50/50 chance that this provider will take your complaint seriously. With CloudFlare, your chances are zero.

        • Who cares you are tax exempted and you use public records ?

          I looked around yesterday on the internet searching for infos about you, and you sir are clearly and completely an utter idiot, not even a need to try to argue about it.

          Not only are you delusional but you have a tendency to see conspiracies everywhere, so you just deserve a single and beautiful : fuck you.

  11. “That chanderdowns1995@gmail.com address also is tied to a Facebook account for a 17-year-old honor roll student named Chandler Downs from suburban Chicago. ” Chandler, on your next birthday you will be 18, legally an adult and thus subject to the full force of the law. Don’t f***up by getting a criminal record that could haunt you for the rest of your career. Intelligence is a gift that should be used for good, not evil and the world has more than enough evil. Any dumbf*** can be evil.

    • In all likelihood the authorities are biding their time and waiting a year to put him in prison for a long, long, long time. For many crimes in Illinois 17 is more than old enough to be tried as an adult, but 18 is a magic number that avoids a lot of court time.

  12. If there is a positive side to this brazen methodology it may be that it forces the hand of our legislators to pass laws that are effective but do not stir the “privacy” pot.

    Not holding my breath though.

  13. Nicholas Weaver

    Too bad it is pretty much impossible to get law enforcement interested in these low level knuckledraggers: Krebs just handed an easy bust on a silver platter: all the information needed to get a warrant to Google and Paypal and get a nice arrest in Chicago.

    But nothing ever happens.

  14. StillFiguring

    I kind of don’t get it.
    There is no substantial risk of getting caught by the authorities.
    The bad guys are basically immune from prosecution.

    If I have a web site, and that web site is attacked, what are my options?
    If my site goes down for two days, who do I complain to?
    Do the folks that host my web site wish to review the records of internet traffic? Do I pay them money to perform this review?

    I understand that KrebsOnSecurity is a popular web site, and that Brian can gather interest from security researchers to aid him. So for a popular web site, tracking the attackers is potentially possible.

    But in the case of a less popular web site, who would care?

    The resources needed to attempt a prosecution seem to be out of reach for most web sites and most people.

    Even granting that Brian’s report is completely accurate, what crime occurred?
    Some guy is accepting money on paypal, then a DDOS occurs from Romania.
    Where is the proof that a crime occurred?

    • allison nixon

      You are a small website owner so you are screwed. You have no options because you won’t have the resources to track down these people. Paying experts costs a lot of money and there are a lot of cases where the necessary information isn’t available even to experts.

      The only reason these booter owners can be tracked down is because the police haven’t “naturally selected” these guys out of the herd yet. So they can have horrible opsec and keep on operating despite being doxed 9999 times, featured on Krebs, and paraded throughout town. The fact that private citizens can find this info is very telling of how much police effort is directed at these people. I expect Chandler and his crew can continue operating freely because the police don’t care.

      Booters are a niche of the black market that is largely run by Americans. I have seen few people that I suspect of being foreign. I believe this is because of the 0 police enforcement spent on this particular niche.

      There is no argument that crime is happening here. The question is how much effort do you want to expend to link the criminal to the crime?

      I think the key here is getting the private sector to self police. removing booters ddos protection is a good step towards making the problem solve itself.

      • I agree with increasing private sector involvement, and much of what allison nixon said about the “police” is true. On the federal level I know that they do take these seriously and they are actively fighting these, even against resistance from budgets, privacy groups, foreign law enforcement cooperation, corporate and individual apathy.
        However, I’ve worked with some groups that have gained public/private cooperation and cooperation of foreign LEO.

        The real power is with the people. Not just in what can be done to self police, but in supporting efforts to go after these through our legislators and corporate decision makers.

        • allison nixon

          There is definitely a lot of really bad crime out there that needs to be taken care of before booters.

          I don’t think we should be giving up our privacy in the name of safety, but I think there is a lot we can do before getting to that point. If private citizens can find this much damning info, then the police should have enough resources that they can do this too.

  15. Someone needs to arrest and shut down this crap, report this ASAP, totally bogus

  16. I also own a stresser company on this site, Hackforums. I am only 13 and live in the USA. :)

  17. I also own a stresser company on this site, Hackforums. I am only 13 and live in the BANGLADESH.