Posts Tagged: Shadowserver


1
Aug 11

Digital Hit Men for Hire

Cyber attacks designed to knock Web sites off line happen every day, yet shopping for a virtual hit man to launch one of these assaults has traditionally been a dicey affair. That’s starting to change: Hackers are openly competing to offer services that can take out a rival online business or to settle a score.

An ad for a DDoS attack service.

There are dozens of underground forums where members advertise their ability to execute debilitating “distributed denial-of-service” or DDoS attacks for a price. DDoS attack services tend to charge the same prices, and the average rate for taking a Web site offline is surprisingly affordable: about $5 to $10 per hour; $40 to $50 per day; $350-$400 a week; and upwards of $1,200 per month.

Of course, it pays to read the fine print before you enter into any contract. Most DDoS services charge varying rates depending on the complexity of the target’s infrastructure, and how much lead time the attack service is given to size up the mark. Still, buying in bulk always helps: One service advertised on several fraud forums offered discounts for regular and wholesale customers.

Continue reading →


21
Mar 11

Homegrown: Rustock Botnet Fed by U.S. Firms

Aaron Wendel opened the doors of his business to some unexpected visitors on the morning of Mar. 16, 2011. The chief technology officer of Kansas City based hosting provider Wholesale Internet found that two U.S. marshals, a pair of computer forensics experts and a Microsoft lawyer had come calling, armed with papers allowing them to enter the facility and to commandeer computer hard drives and portions of the hosting firm’s network. Anyone attempting to interfere would be subject to arrest and prosecution.

Weeks earlier, Microsoft had convinced a federal judge (PDF)  to let the software giant seize control of server hard drives and reroute Internet addresses as part of a carefully timed takedown of the Rustock botnet, which had long reigned as the world’s most active spam-spewing crime machine.

In tandem with the visit to Wholesale Internet, Microsoft employees and U.S. marshals were serving similar orders at several other hosting providers at locations around country.  Microsoft’s plan of attack — which it spent about six months hatching with the help of a tightly knit group of industry and academic partners — was to stun the Rustock botnet, by disconnecting more than 100 control servers that the botnet was using to communicate with hundreds of thousands of infected Windows PCs.

Only two of the control servers were located outside the United States; the rest operated from hosting providers here in the US, many at relatively small ISPs in Middle America.

Concentrations of Rustock control networks.

Microsoft was careful not to make any accusations that hosting providers were complicit in helping the Rustock botmasters; however, some of these control servers existed for more than a year, and most likely would have continued to operate undisturbed had Microsoft and others not intervened. Using data gathered by Milpitas, Calif. based security firm FireEye, which assisted Microsoft in the takedown, I was able to plot the location and lifetime of each control server (the map above is clickable and should let you drill down to the details of each control server; the raw data is here). The average life of each controller was 251 days — a little over eight months.

Wholesale Internet’s Wendel said his organization takes action against any customers that appear to be violating the company’s terms of use or its policies. But he insisted that the visit by Microsoft and the marshals was the first time he’d heard that any of the 16 Rustock command and control servers were located on his network.

“To be perfectly honest with you, we never heard of Rustock until Wednesday,” Wendel said in a phone interview last Friday. Wendel also said he  hadn’t heard anything about the problematic servers from either Spamhaus or Shadowserver, which allow ISPs and hosting providers to receive reports about apparent botnet control servers and bot infections on their networks. Both Shadowserver and Spamhaus dispute this claim, saying that while they certainly did not alert Wholesale to all of the problem Internet addresses that it may have had on its network, they filed several reports with the company over the past six months that should have given the company cause to take a closer look at its customers and systems.

Continue reading →