Friday, 5 December 2008

Anti-Fraud Website Under Constant DDoS Attack

In the last month the U.K.-based anti-fraud website www.bobbear.co.uk has come under several heavy distributed denial of service (DDoS) attacks. We first observed an attack that lasted several days, starting on November 12 and not letting up until November 18. In this attack, multiple BlackEnergy HTTP botnets on a single command and control (C&C) server were instructed to flood the website with a barrage of continuous web requests. These attacks succeeded in taking the website completely offline for a prolonged period of time. Fortunately, the C&C server housing these botnets went offline a short time later. However, this was not the end of the attacks or troubles for the website.

Beyond DDoS

It turns out that miscreants also decided to attack the website on another front. Bob Bear also tells us that his website has been under a constant "Joe Job" attack, in which massive amounts of spam messages containing offensive, harassing, or false information are sent out so that they appear to come from his e-mail addresses. As a result, a backlash from recipients can occur, and has occurred, in the form of several misguided complaints. Despite all of this, Bob is continuing with his efforts and is optimistic about the future. He told us the following:

"The criminal attacks on me and my website only serve to indicate the effectiveness of the website in highlighting criminal activity and raising victim awareness. The only effect of this attack is to increase the resolve to continue publicising this criminal activity. I'd like to thank the police, my service providers (Fasthosts) and all my site contributors for the tremendous support I've received."

December DDoS

There have been a few articles already about the November DDoS attacks and the Joe Job attacks that have been continuing. However, we recently detected yet another botnet that has taken aim at the Bob Bear website. A new BlackEnergy botnet C&C server located in China at the IP address 58.241.255.34 recently took aim at www.bobbear.co.uk. It has sent HTTP floods to the website every day in December so far. It would appear that miscreants are not too happy with the efforts of the Bob Bear website. Hopefully these attacks will stop soon, as it should be apparent that the website is not going to go away.

Check your outbound traffic for polling to 58.241.255.34 on TCP port 80. If you see POST requests to "/stat.php" on that host, then you most likely have an infected client. If your website or hosts are coming under DDoS attack, feel free to drop us a line and we'll see if we can help. Also take a look at some of the tips recently offered on the Internet Storm Center's website for responding to DDoS incidents at http://isc.sans.org/diary.html?storyid=5375.
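The check above can be automated against a proxy or web-filter log. The following is an added example, not part of the original post; it assumes a hypothetical space-separated log format (timestamp, source IP, method, destination IP:port, path, status) and uses constructed sample lines, with only the C&C address and the "/stat.php" path taken from the post.

```python
import re
from typing import Dict, List

# Indicator from the post: BlackEnergy C&C at 58.241.255.34, bots POST to /stat.php over TCP/80.
C2_IP = "58.241.255.34"
C2_PORT = 80
C2_PATH = "/stat.php"

# Parser for one line of the hypothetical log format:
#   "<ts> <src_ip> <method> <dst_ip>:<port> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log lines (not real traffic). Two internal hosts poll the C&C;
# the GET to the C&C and the POST to an unrelated host must not be flagged.
SAMPLE_LOG = """\
2008-12-05T01:10:02Z 10.0.0.12 GET 93.184.216.34:80 /index.html 200
2008-12-05T01:10:07Z 10.0.0.27 POST 58.241.255.34:80 /stat.php 200
2008-12-05T01:10:09Z 10.0.0.27 GET 58.241.255.34:80 /stat.php 200
2008-12-05T01:11:13Z 10.0.0.27 POST 58.241.255.34:80 /stat.php 200
2008-12-05T01:12:44Z 10.0.0.31 POST 58.241.255.34:80 /stat.php?id=1 200
2008-12-05T01:13:01Z 10.0.0.12 POST 203.0.113.9:80 /stat.php 200
"""


def find_blackenergy_polls(log_text: str) -> Dict[str, int]:
    """Return {source_ip: count} of POST requests to /stat.php on 58.241.255.34:80.
    Lines that do not match the log format are skipped; a query string on the path is ignored."""
    hits: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if (m["method"] == "POST" and m["dst"] == C2_IP
                and int(m["port"]) == C2_PORT and m["path"].split("?", 1)[0] == C2_PATH):
            hits[m["src"]] = hits.get(m["src"], 0) + 1
    return hits


def suspected_infected_hosts(log_text: str) -> List[str]:
    """Source IPs that polled the C&C at least once, most active first."""
    hits = find_blackenergy_polls(log_text)
    return sorted(hits, key=lambda ip: (-hits[ip], ip))


if __name__ == "__main__":
    for ip, n in find_blackenergy_polls(SAMPLE_LOG).items():
        print(f"{ip}: {n} POST(s) to {C2_IP}:{C2_PORT}{C2_PATH}")
```

Hosts listed by suspected_infected_hosts() are candidates for isolation and cleanup; a GET to the same address is worth a look but is not the POST pattern described in the post.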

Posted December 05, 2008, at 01:36 AM by Steven Adair