« October 2009 · April 2010 »

December 2009
MonTueWedThuFriSatSun
 010203040506
07080910111213
14151617181920
21222324252627
28293031   
January 2010
MonTueWedThuFriSatSun
    010203
04050607080910
11121314151617
18192021222324
25262728293031
February 2010
MonTueWedThuFriSatSun
01020304050607
08091011121314
15161718192021
22232425262728

Calendar:

  • No entries for February 2010.
  • 29.01.2010: Pushdo DDoS'ing or Blending In?
  • 19.01.2010: Cyber Espionage: Death by 1000 Cuts
  • 16.01.2010: DDoS for Hire - More cooperation, or new competition? UPDATED
  • 09.01.2010: See below.
  • 16.12.2009: Conficker may be forgotten, but it's not gone...
  • 14.12.2009: When PDFs Attack II - New Adobe Acrobat [Reader] 0-Day On the Loose
Newest first Oldest first

Saturday, 9 January 2010

DDoS for Hire - More cooperation, or new competition?


I've always been interested in DDoS attacks, not only for their technical aspects, but also their social, economic, or political aspects. This past summer, several of us were closely watching a DDoS group that was fairly aggressive and diverse in its attack targets. This group, known as the "hack-off" group used the domains 'hack-off.ru" & "hack-off.info" for their command and control. What was particularly interesting about 'hack-off' was their attack campaigns on targeted industries and groups. Such industries included:

hack-off DDoS targeted industries

  • Online pharmacies
  • Porn sites
  • Automotive parts suppliers
  • Replica Watches
  • Online Gambling
  • Logo Design companies
  • Sporting goods and sportswear
  • Healthcare products
  • Electronics vendors

Many of the attacks victims were fairly high profile, and law enforcement agencies from at least 5 different countries became involved. Eventually, with the assistance of cert-ru and Affilias, the domains were suspended and by October 2009, the 'hack-off' crew was offline.

Recently while looking through some of our data sets, I again noticed aggressive DDoS attacks against targeted industry groups. In this case, four domains are seen being used for command and control:

New DDoS controllers

853c9e57.biz
atatatata.org
www.atatata.org
goog-le.ru

Over 250 different sites were targeted for DDoS from these controllers since November, 2009. The victim sites were fairly diverse, but were seen predominately in the following industries:

Industries targeted by atatata and friends

  • Car buying sites
  • Footwear
  • Sporting goods
  • Jewelry
  • Gambling and Lottery
  • Watches
  • Appliances
  • Travel and Tourism

The domains used by these controllers have been run on various hosting providers as described below. atatata.org has also been seen dropping FakeAv as well as other malware. Another active botnet domain on the same IP as atatata.org, is dia2.cn, however I haven't yet seen DDoS related activity from them.

The top IP address prefaced is the currently active IP for that domain. The listing below also shows the nameserver history for each domain.

Domain information

853c9e57.biz

  • 193.104.94.117 - AS50033 - GROUP3-AS GROUP 3 LLC.
  • 91.196.138.97 - AS15756 -CARAVAN
  • 91.212.220.242 - ??

Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM

Nameserver: Dns-diy.net

atatatata.org

  • 115.100.250.107 - AS4837 - CHINA169-Backbone
  • 210.51.166.229 - AS9929 - China Netcom Corp.
  • 61.235.117.76 - AS9394 - CHINA RAILWAY Internet

Registrar:Directi Internet Solutions

Nameserver: Everydns.net

www.atatata.org

  • 115.100.250.107 - AS4837 - CHINA169-Backbone
  • 210.51.166.229 - AS9929 - China Netcom Corp.
  • 61.235.117.76 - AS9394 - CHINA RAILWAY Internet
  • 174.37.235.32 - AS36351 - SoftLayer
  • 174.36.195.197 - AS36351 - SoftLayer
  • 91.212.198.137 - AS49314 - NEVAL PE Nevedomskiy Alexey Alexeevich

Registrar: Privacy Protected

Nameservers:
  • 8/22/09 Everydns.net
  • 8/29/09 Slavhost.com
  • 9/5/09 Agava.net.ru
  • 9/6/09 Slavhost.com
  • 9/7/09 Intdelivery.com
  • 9/11/09 Everydns.net

goog-le.ru

  • 91.212.198.171 - AS49314 - NEVAL PE Nevedomskiy Alexey Alexeevich

Registrar: NAUNET-REG-RIPN

Nameserver: freedns.ws

While DDoS for hire is nothing new, these particular attacks and the activity behind them remain interesting. Are these new criminal groups rising up to compete in the lucrative world of DDoS? Or are we just seeing more cooperation and consolidation of efforts among the usual and familiar players?

We'll continue to keep an eye on any new attacks from these controllers as well as the providers from where they are hosted.

***UPDATE - 01/16/2009 ***

Since our blog of 1/9/2009, atatatata.org, www.atatata.org, and 853c9e57.biz have been shut down. With the great assistance of Affilias and Neustar, these domains are now being sinkholed to Shadowserver which allows us to identify the infected drones and alert the respective netblock owner.

Another interesting development is the use of a new domain, qaqaqaqa.net on 115.100.250.104. The botnet here apparently looks to pick up where the others left off in carrying out new DDoS attacks.

In fact, that netblock 115.100.250.0/24 has been quite active of late, with the following activity having being seen since the first of the year:

  • 115.100.250.72 - papaanarhia.cn - botnet controller
  • 115.100.250.104 - qaqaqaqa.net - DDoS controller
  • 115.100.250.107 - atatatata.org - DDoS controller (offline)
  • 115.100.250.119 - vodkalv.com - Zeus controller
  • 115.100.250.114 - sport-lab.cn - botnet C&C (offline)
  • 115.100.250.119 - yit.nei223.com - botnet controller
  • 115.100.250.122 - pobedim.cn - botnet controller

=>Posted January 09, 2010, at 10:25 AM by Andre' - Semper_Securus