Friday, August 28, 2009

Rent a DDoS botnet

Over recent weeks there has been a lot of interest in DDoS botnets – that is to say, rentable botnets that provide DDoS as a managed service. I’ve spoken to a number of people about how easy this is to do, and how practically anyone who knows how to use a popular Internet search engine can locate the sellers or the hacking message boards they hang around. Perhaps one of the finer points missing from the discussion of renting DDoS botnets pertains to size.

A fairly typical rate for DDoS botnet rental hovers around $200 per day for 10,000 bot agents. The daily rate is fairly flexible, and is influenced by the actual size of the botnet that the bot master is trying to section off for DDoS services and by where those hosts are physically situated. For example, some DDoS providers make a virtue of allocating bots located within a particular country, and advertise their average Internet bandwidth. Meanwhile, you’ll find providers at the other end of the spectrum offering DDoS services at substantially lower rates. For example, here’s a DDoS botnet for rent at the moment over at Ghost Market.


In that listing, this particular operator is offering a botnet of between 80k and 120k hosts, advertised as capable of launching DDoS attacks of 10-100Gbps – which, if true, is more than enough to take out practically any popular site on the Internet. The price for this service? $200 per 24 hours – oh, and there’s a 3 minute try-before-you-buy.

By way of another example, the following screenshot is from another botnet master offering a 12k botnet for rent – for the price of $500 per month. Screenshots like this appear to be popular as a means of validating the seller’s claims about the size of their botnets – despite the fact that all of this information can be trivially forged. Notice that only a handful of bots appear to be online and currently accessible? (This ties in to what I was saying the other day about counting botnets.)


There are of course plenty of other operators that work this way – offering DDoS managed services – and there’s lots of competition amongst them. What’s perhaps most amusing to me about this botnet market is the fact that so few sellers have “good” reputations – and the message boards are rife with competitors throwing mud about the quality of the service, or alleging that the “seller” is actually just running a scam on newbie buyers.

I’d encourage readers to keep an eye on these kinds of hacking portals – just make sure you only access the sites from VM/sandboxed disposable hosts, since many of them attempt to exploit your Web browser. You’ll uncover lots of information about the mainstream botnet seller/renter market and, just as importantly, details about many of the newer or popular DIY botnet creation kits out there.

--Repost from

Wednesday, August 26, 2009

Opt-in Botnets and hacking from the office

An area of personal interest for me over the last couple of years has been the evolution of cyber-protesting - in particular the development of what could be best called "opt-in botnets".

While the last 12 months have seen numerous stories covering politically motivated DDoS attacks targeting government institutions and country-specific brand name multi-nationals, several aspects to the evolution of this threat have been lost in the noise.

I'm planning on writing a handful of papers and articles covering both the emergence and evolution of cyber-protesting (from a security practitioners view), and how social networking sites are a game changer for the nature and breadth of attacks we can expect over the coming years.

That said, an important aspect of this cyber-protesting threat I believe lies with the increasing acceptance of opt-in botnets. In particular, the capability of a social group to create/access customized attack tools that can be harnessed for collaborative attacks against a shared target - where the software agent is intelligently linked to a centralized command and control infrastructure - and the distributed agents can be coordinated as a single weapon. All this with the consent of their cyber-protesting supporters.

Some aspects to this botnet-based cyber-protesting have already manifested themselves - in particular the way social networking sites like Facebook were used to incentivize supporters to visit external sites and download tools that would target Hamas or Israeli government sites at the beginning of this year.

That said, and why I bring up this topic now, there was an interesting column piece on SecurityFocus yesterday by Mark Rasch - Lazy Workers May Be Deemed Hackers. Mark examines the very important issue that many corporate entities may have unintentionally exposed their employees to some pretty severe legal ramifications - i.e. potentially exposing them to criminal prosecution if they misuse their work machines. This is important in the context of opt-in botnets.

If an employee decides to install any opt-in cyber-protesting software on their work machine and allows it to launch an attack against some target, while that may be a firing offense (i.e. inappropriate use of corporate systems) it could also lead to criminal hacking charges. Which, as Mark's column points out, is a pretty harsh outcome for the employee - but it also means considerable work (and distraction) for the employer, who has to be involved with law enforcement and the prosecution process whether they want to or not.

Tuesday, August 18, 2009

Sting Backfires

OK, so this is quite amusing. It appears that some Aussie cops had their cyber-sting backfire on them. After taking over the hacking forum by basically busting one of the site's administrators at their home address and posting a "warning" on the site's front page...

"This underground forum has been monitored by law enforcement - every post, private message and all registration information has been captured. All member IP addresses have been logged and identification processes are now underway.

The creation and distribution of malware, denial of service attacks and accessing stolen information are serious crimes.

Every movement on this forum has been tracked and where there is information to suggest a person has committed a criminal act, referrals will be forwarded to the relevant authority in each jurisdiction. There have already been a number of arrests as a result of current investigations. This message should serve as a warning not to engage in criminal activity."
... it seems that a sympathetic soul has in turn hacked the Australian Federal Police's system.

It's odd that the Aussie police decided to alert the site's patrons that they were now being monitored - instead of running with it for longer and perhaps building cases against the site's users/subscribers. Oh well, lessons learned I guess... the painful way.

It's also odd that they didn't take down the affiliated Black Hacking site at the same time. Perhaps they did and they're just watching it now ;-)

Monday, August 17, 2009

Dumpster Diving - XCrypt by Kazuya

For the last week or so I've been repeatedly asked "how do you find these crime-ware tools?" The answer is pretty simple really: I often just use a search engine and focus on the hacking forums if I'm curious or after some low-hanging fruit.

For example, let's take a look at a new(ish) crypter - XCrypt.

I stumbled across this particular crime-ware tool while perusing a popular Spanish hacking site - - which I originally came across when I was looking to see if there were any new (or related) updates to the DIY Octopus Keylogger tool.

Since my Spanish is pretty much non-existent, I need to rely upon one of those online Web translators for these kinds of sites - but then again, it seems that most of the "better" underground malware and hacking sites tend not to be in English anyway. These translators are good enough for my purposes though.

XCrypt caught my eye for a handful of reasons:
  1. It was a 1.0 crypter (and I wasn't familiar with it)...
  2. It was hosted on a Spanish site but had German instructions...
  3. It was high up on the first page of the forum.
If you're wondering what a crypter does - well, generally, you point the tool at a malicious file (e.g. a piece of malware that you've already created - say the output from the DIY Octopus Keylogger), click start, and out pops a self-decrypting version of the original malware: the payload is encrypted and wrapped in a small stub that decrypts and runs it in memory. Since the bytes on disk no longer match anything an anti-virus product has a signature for, the output is (probably) going to bypass any anti-virus detection tools out there - at least until the crypter's stub itself gets signatured.

I was curious about XCrypt though, so I did a little more searching - this time using the keywords "xCrypt Public Kazuya" - and came across yet another hacking forum site - - which had a whole bundle of other Trojans and keyloggers for download (along with satisfied customer reviews).

PortalHacker had a bit of a discussion going on about XCrypt, including the latest anti-virus coverage (which was that nothing currently detected it)...

... which isn't precisely unexpected. It's new(ish).

And, to help things along, the site (and review) also included a convenient link to download the tool from one of the free file-hosting providers out there (a popular way of distributing these kinds of crime-ware tools). The archive was also password protected - to stop any perimeter or host-based security products from inspecting the file and potentially flagging it as malware (the tool itself - not the output from the tool).
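A password-protected archive defeats content inspection, but not detection of the fact that it is password protected. The ZIP container marks each encrypted entry in the clear (bit 0 of the general-purpose flag, and compression method 99 for WinZip AES), so a perimeter or host product can still flag "encrypted archive" as a policy condition even when it cannot look inside. The following is an added example (not code from the post, the forum or the tool's author) of that check in Python; the sample archives, the `tool.exe`/`readme.txt` entry names and the `XC1`-free placeholder contents are constructed for the demonstration, and the "encrypted" sample only has its flag bits set rather than real ZipCrypto data, which is all the detector needs since it never decrypts anything.

```python
"""Flag password-protected ZIP archives at a perimeter or host scanner.

Added example, not from the original post. Bit 0 of each entry's
general-purpose flag (PKWARE APPNOTE 4.4.4) marks it as encrypted, and
WinZip AES entries additionally use compression method 99. Reading those
fields is the check a scanner can still make when the payload is unreadable.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
FLAG_ENCRYPTED = 0x0001        # general-purpose flag bit 0: entry is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: sizes follow the data, local csize may be 0
AES_METHOD = 99                # WinZip AE-x encryption marker


def scan_local_headers(data: bytes) -> list:
    """Walk the local file headers of a ZIP byte stream without relying on the
    central directory, so truncated or still-streaming archives still yield a
    result. Returns one dict per entry."""
    entries = []
    pos = 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            break
        # sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        (_ver, flags, method, _time, _date, _crc,
         csize, _usize, nlen, xlen) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append({
            "name": name,
            "encrypted": bool(flags & FLAG_ENCRYPTED) or method == AES_METHOD,
            "method": method,
        })
        pos += 30 + nlen + xlen
        if not flags & FLAG_DATA_DESCRIPTOR:
            pos += csize  # skip the entry data; with bit 3 set csize is unknown here
    return entries


def verdict(data: bytes) -> str:
    """Policy decision a gateway would make on the archive as a whole."""
    entries = scan_local_headers(data)
    if not entries:
        return "not-a-zip"
    if any(e["encrypted"] for e in entries):
        return "encrypted-archive"
    return "clear-archive"


def build_sample(encrypted: bool) -> bytes:
    """Constructed test archive. The 'encrypted' variant only sets the
    encryption flag bits in place (the data is not really ZipCrypto'd); that is
    enough to exercise the detector, which never decrypts anything."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tool.exe", b"constructed placeholder bytes, not a real binary")
        zf.writestr("readme.txt", b"constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        # local header: flags at +6; central directory record: flags at +8
        for sig, offset in ((LOCAL_HEADER_SIG, 6), (CENTRAL_DIR_SIG, 8)):
            pos = data.find(sig)
            while pos >= 0:
                data[pos + offset] |= FLAG_ENCRYPTED
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample(flag)
        print(verdict(sample), scan_local_headers(sample))
```

The scan deliberately walks local headers rather than trusting the central directory: a gateway often sees the stream before the end-of-archive record arrives, and an attacker can corrupt the directory while leaving the entries extractable by tools that repair it. An "encrypted-archive" verdict is a policy signal (quarantine, detonate with the password harvested from the download page, or block), not a malware verdict in itself.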

As for the specifics of this particular crime-ware creator tool - I'll leave that to a full-time threat analyst to do his/her stuff and provide the juicy biopsy of XCrypt - even though there were a bundle of postings on the forum congratulating the author of the tool for their skills and eliteness... as well as repeated AV evasion test results.

So, what was next? How about examining the German heritage of this particular tool?... which led to (yet another) hacking forum site - - with a thread covering the XCrypt tool, but this time the thread was started by someone called Kazuya (the author?).

And what do you know, pay dirt, there's an even newer version of the tool available...

... along with new AV test results (only one AV discovers its crypted crime-ware output), and 140 satisfied downloaders.

Most of these kinds of hacking and malware discussion forums have rating systems for contributors (and sellers), and it looks like the last stop in my search is a site where the author of this particular tool likes to hang out - 440 posts and a 5-star site reputation.

And so concludes a brief demonstration in how easy it is to uncover new crime-ware creator kits and tools, and how to get hold of samples to "play" with. This isn't really rocket science kind of stuff.

You may be asking yourself "isn't this all kind of illegal?" and "why aren't these kinds of sites shut down?". Well, the answer is that different laws apply in different countries. In most countries it is not illegal to create these kinds of tools, nor is it illegal to discuss their use. In some countries it may be illegal to buy/sell them, and in many countries it is illegal to use them against computers you're not authorized to access - but the net result is that this kind of information and these crime-ware toolsets are out on the Internet for anyone to access (subject to Web filtering policies :-)

Thursday, August 13, 2009

Malware of the Day

It seems that most malware served up by cyber-criminals has a shelf-life of only 24 hours. PandaLabs said that 52% of the 37,000 virus samples they get each day will never be seen again on any other day.

I'm not surprised. Serial variant production lines have been pumping out new malware samples in industrial quantities. Back in early 2007 I released a whitepaper for IBM covering the mechanisms many drive-by-download sites were using to create and deploy "unique" malware samples on a per-victim-visit basis. I'm just glad that one of the anti-virus companies has "confessed" to the problem.
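The mechanics behind both points above (the crypter described in the XCrypt post, and the per-visit "unique" samples that give half of all new malware a one-day shelf life) are the same: re-encrypt an unchanged payload with a fresh key on every build, so every file hashes differently while the code that eventually runs is identical. The following is an added example, written for this page and not code from the post, from PandaLabs or from any crypter author. It models a crypter as repeating-key XOR with a per-build random key plus a decrypt "stub", then runs a naive signature scanner over the clear payload, the crypted builds and the unpacked builds; the payload bytes, the `CONSTRUCTED-PAYLOAD` signature and the `XC1` stub marker are constructed for the demonstration.

```python
"""Why a crypted build hashes differently every time, and why a static
signature on the clear payload misses it.

Added example, not the post's or any vendor's code: a toy model of a crypter
(XOR with a per-build random key plus a decrypt 'stub') run against a naive
signature scanner. Payload, signature and stub marker are constructed.
"""
import hashlib
import os

# Constructed stand-in for a tool's output; a real payload would be an executable
PAYLOAD = b"CONSTRUCTED-PAYLOAD: stands in for the output of a malware creator kit\x00" * 4

# Naive static signature: a byte pattern lifted from the clear payload
SIGNATURE = b"CONSTRUCTED-PAYLOAD"

# The one part of every build the crypter cannot randomise: its own stub
STUB_MARKER = b"XC1"


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def crypt_build(payload: bytes, key: bytes = b"") -> bytes:
    """Model of what a crypter emits: stub marker, key length, key, ciphertext.
    A real crypter prepends executable code that decrypts and runs the body in
    memory; here unpack() below plays the role of that stub. With no key given
    a fresh random one is drawn, which is what makes each build a new file."""
    key = key or os.urandom(16)
    return STUB_MARKER + bytes([len(key)]) + key + xor_stream(payload, key)


def unpack(blob: bytes) -> bytes:
    """The 'stub': recover the clear payload from a crypted build."""
    if blob[:len(STUB_MARKER)] != STUB_MARKER:
        raise ValueError("not a build of this crypter")
    klen = blob[len(STUB_MARKER)]
    key_start = len(STUB_MARKER) + 1
    key = blob[key_start:key_start + klen]
    return xor_stream(blob[key_start + klen:], key)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def static_scan(data: bytes, signatures) -> bool:
    """Pattern matching as an on-disk signature scanner would do it."""
    return any(sig in data for sig in signatures)


def demo(builds: int = 3) -> dict:
    """Produce several builds of the same payload and report what a scanner sees."""
    samples = [crypt_build(PAYLOAD) for _ in range(builds)]
    return {
        # every build is a never-before-seen file from the AV vendor's point of view
        "distinct_hashes": len({sha256(s) for s in samples}),
        "clear_payload_hit": static_scan(PAYLOAD, [SIGNATURE]),
        # the payload signature never fires on the crypted file on disk...
        "crypted_payload_hits": [static_scan(s, [SIGNATURE]) for s in samples],
        # ...until the sample is unpacked (emulation/sandbox), or the stub is signatured
        "unpacked_payload_hits": [static_scan(unpack(s), [SIGNATURE]) for s in samples],
        "stub_hits": [static_scan(s, [STUB_MARKER]) for s in samples],
        "roundtrip_ok": all(unpack(s) == PAYLOAD for s in samples),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things fall out of running it. Hash- and pattern-based detection of the crypted file is a losing game when the seller can rebuild on demand, which is why "0/N detections" screenshots on the forums are unremarkable for a new tool. What the crypter cannot randomise is its own decryption stub, which is why detection of a given crypter's output tends to climb over the weeks after release as vendors signature the stub or unpack the sample in emulation rather than the payload on disk.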

Unfortunately the problem is only going to get worse, and these "cloud-based" service proposals are probably going to provide as much protection against the real botnet threat as a real fluffy-white cloud does against a bullet.

I blogged in more detail on the topic over at the Damballa site: Half of New Viruses Only Useful to Cyber-criminals For A Single Day.

Sunday, August 2, 2009

Blackhat & Defcon - Las Vegas '09

It’s always great to catch up with former colleagues and security peers from around the world, but if there’s a t-shirt I need to add to my collection, it’ll be “I survived another Blackhat/Defcon”. With back-to-back “let's grab a beer and chat” meetings, the days (and evenings) quickly blur into a litany of bar hops and, with only 24 hours in the day, “sleep” becomes the sacrificial goat on the altar of security knowledge exchange.

Irrespective of the sleep deprivation, the annual pilgrimage to Las Vegas for the paired conferences is generally a vital part of most security professionals’ year – particularly for those of us who tend to focus on attack vectors and vulnerabilities.

I found this year’s Blackhat to be less claustrophobic than in previous years – largely due to the better layout of the stands and spread of conference rooms, but I’m sure the number of attendees was down quite a bit (the figure thrown around the corridors was “40% down”). The average quality of the talks tended to be fairly high, although the amount of genuinely new security content was down quite a bit from previous years. This has been an ongoing trend with Blackhat, which I’d attribute to the increasing popularity of more regional/international security conferences and fiercer competition. That said, there was no shortage of terribly boring sessions – particularly those with novice speakers who have rediscovered an old vulnerability and obscured the parallels with their own unique naming conventions.

Of all the talks I attended, the ones I tended to like the most had very little to do with the types of security I do now, or have done in the past – with my favorite being the SSN talk delivered by Alessandro Acquisti. Alessandro delivered an excellent presentation backed by rigorous research, and I enjoyed the anecdotes pertaining to the challenges in dealing with government offices.

One thing I noted too was that in just about every presentation at Blackhat there were references to botnets. Which is great to hear since that’s what I’m focused on, although it was pretty clear that most of the presenters don’t really understand the motivations behind them or their criminal operations particularly well. Often their references to botnets were more in the tune of “…and at the extreme end of damage, it could be used by a botnet to destroy the planet.”

Apart from that, Blackhat/Defcon was its usual self. Lots of geeks traveling in migratory packs lurching from one bar to another after a day of presentations – being lured by the prospect of free alcohol to vendor parties – and trying to fit in with the overall party atmosphere of Vegas. Which, needless to say, tends to go wrong pretty quickly. Geeks + Alcohol + Parties + Vegas Nightlife = Dread (for both those participating and those watching). - But hey, I'll probably be doing it all again next year ;-)