Showing posts with label Webapp. Show all posts

Wednesday, December 7, 2016

Sledgehammer DDoS Gamification and Future Bugbounty Integration

Monetization of DDoS attacks has been core to online crime way before the term cybercrime was ever coined. For the first half of the Internet’s life DDoS was primarily a mechanism to extort money from targeted organizations. As with just about every Internet threat over time, it has evolved and broadened in scope and objectives.

The new report by Forcepoint Security Labs covering their investigation of the Sledgehammer gamification of DDoS attacks is a beautiful example of that evolution. Their analysis paper walks through both the malware agents and the scoreboard/leaderboard mechanics of a Turkish DDoS collaboration program (named Sath-ı Müdafaa or “Surface Defense”) behind a group that has targeted organizations with political ties deemed inconsistent with Turkey’s current government.

In this most recent example of DDoS threat evolution, a pool of hackers is encouraged to join a collective of hackers targeting the websites of perceived enemies of Turkey’s political establishment.
Using the DDoS agent “Balyoz” (the Turkish word for “sledgehammer”), members of the collective are tasked with attacking a predefined list of target sites – but can suggest new sites if they so wish. In parallel, a scoreboard tracks participants' use of the Balyoz attack tool, allocating points for every ten minutes of attack they conduct; those points can be redeemed to acquire a stand-alone version of the DDoS tool and other revenue-generating cybercrime tools.

As is traditional in the dog-eat-dog world of cybercrime, there are several omissions that the organizers behind the gamification of the attacks failed to pass on to the participants – such as the backdoor built into the malware they’re using.

Back in 2010 I wrote the detailed paper “Understanding the Modern DDoS Threat” and defined three categories of attacker – Professional, Gamerz, and Opt-in. This new DDoS threat appears to meld the Professional and Opt-in categories into a single political and money-making venture. Not a surprising evolutionary step, but certainly an unwanted one.

If it’s taken six years of DDoS cybercrime evolution to get to this hybrid gamification, what else can we expect?

In that same period of time we’ve seen ad hoc website hacking move from an ignored threat, to forcing a public disclosure discourse, to acknowledgement of discovery and remediation, and on to commercial bug bounty platforms.

The bug bounty platforms (such as Bugcrowd, HackerOne, Vulbox, etc.) have successfully gamified the low-end business of website vulnerability discovery – where bug hunters and security researchers around the world compete for premium rewards. Is it not a logical step that DDoS also make the transition to the commercial world?

Several legitimate organizations provide “DDoS Resilience Testing” services. Typically, through the use of software bots they spin up within public cloud infrastructure, DDoS-like attacks are launched at paying customers. The objectives of such an attack include the measurement and verification of the target's infrastructure's defensive capabilities against DDoS attacks, exercising and testing the company's “blue team” response, and wargaming business continuity plans.


If we were to apply the principles of bug bounty programs to gamifying the commercial delivery of DDoS attacks, rather than a contrived limited-scope public cloud imitation, we’d likely have much more realistic testing capability – benefiting all participants. I wonder who’ll be the first organization to master scoreboard construction and incentivisation? I think the new bug bounty companies are agile enough and likely have the collective community following needed to reap the financial rewards of the next DDoS evolutionary step.

Thursday, June 25, 2009

Hacker Halted USA 2009

Next week, in the run up to this year's Hacker Halted USA 2009 conference, I'll be delivering an EC-Council webinar covering DIY Malware Construction. The presentation covers the dynamics of building custom malware and making it undetectable to anti-virus - regardless of signature, heuristic or behavioral detection engines (but eventually protectable once the good-guy AV folks finally get a sample and develop a dedicated signature).

If you've got the time, please join the webinar. You can see a line up of past and future presentations here.



With regards to the main conference event, well that's not until September 23-25 down in Miami. I'll be presenting on the topic of Factoring Malware into Web Application Design - which will of course be very cool :-)

Tuesday, June 16, 2009

URL Shortening Equals Short-cut to Drive-by-download

URL shortening has always been a convenient vector for obfuscating a malicious URL. Shortened URLs have been used in phishing URLs for nearly a decade now, and in drive-by-downloads for almost as long. Now it seems that another flaw in shortened-URL services has been exploited by the bad guys - compromising the hosting provider and getting ALL shortened URLs to point to a malicious drive-by-download URL.

That's what happened to Cligs Sunday/Monday this week.

Apparently, according to their blog, some 2.2 million shortened URLs were affected - redirecting victims to malicious content over at freedomblogging.com. Not pretty - but hardly unexpected.

From their blog...
"... I’m restoring the URLs back to their original destination states. However, the most recent backup is from early May, and so we may have lost all URLs created since then. My daily backups with my host were turned off for some reason, which is another story.

The restoration will take a long time - it’s millions of URLs that have to be individually restored - and so you may not see your proper links till tomorrow."

I suspect that this won't be the last time a shortened URL service provider will be compromised. There's good money to be made by the bad guys if they exploit these kinds of services - so there's motivation and skills in abundance to do so. Frankly, the providers of shortened URL services aren't known for their security ambitions.

Tuesday, May 19, 2009

Gamespot.com Vulnerable to SQL Injection - 8,000,000 records exposed

It seems that "Unu" over at HackersBlog has exploited a new SQL Injection flaw in Gamespot.com to unveil some 8,000,000 member accounts.

The credentials extracted by Unu included the home address, date of birth, email address, and obfuscated password (hashed/encrypted?), and a few other details - all of which are valuable to enterprising criminals and have a monetary value "on the street".

I'm glad that Gamespot at least did something right by not storing user account passwords in the clear - which is so often the case with many Web application portals. I'm not so pleased that Gamespot hadn't found this particular SQL Injection point within their application during a regular pentest. The flaw appears to have been in http://www.gamespot.com/pages/unions/emblems.php with the "union_id" variable open to tampering. This particular flaw would have been easily discovered by simply running a commercial Web application vulnerability scanning tool.
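The class of flaw described above, a query-string parameter spliced straight into SQL, beside the fix a pentest finding like this would call for. This is an added example, not Gamespot's code; the table, rows, and log lines are constructed, and only the `union_id` parameter name and `emblems.php` path come from the post.

```python
import re
import sqlite3
import urllib.parse

INT_RE = re.compile(r"[0-9]{1,9}")  # what a legitimate union_id looks like


def make_db():
    # Constructed in-memory table standing in for the emblem lookup (assumed schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE unions (union_id INTEGER, name TEXT, owner_email TEXT)")
    db.executemany("INSERT INTO unions VALUES (?, ?, ?)", [
        (1, "Alpha Clan", "a@example.test"),
        (2, "Beta Guild", "b@example.test"),
        (3, "Gamma Crew", "c@example.test"),
    ])
    return db


def emblem_lookup_vulnerable(db, union_id):
    # The defect: untrusted text is concatenated into the SQL statement, so the
    # database parses whatever characters the client supplied as SQL syntax.
    sql = "SELECT name, owner_email FROM unions WHERE union_id = " + union_id
    return db.execute(sql).fetchall()


def emblem_lookup_hardened(db, union_id):
    # Validate the shape first, then bind as a parameter; the value can never
    # be interpreted as SQL text regardless of what it contains.
    if not INT_RE.fullmatch(union_id):
        raise ValueError("union_id must be a small positive integer")
    sql = "SELECT name, owner_email FROM unions WHERE union_id = ?"
    return db.execute(sql, (int(union_id),)).fetchall()


def suspicious_requests(log_lines):
    # Detection check for web-server logs: flag any emblems.php request whose
    # union_id is not a plain integer (after URL-decoding).
    hits = []
    for line in log_lines:
        m = re.search(r"emblems\.php\?union_id=([^ &]*)", line)
        if m and not INT_RE.fullmatch(urllib.parse.unquote(m.group(1))):
            hits.append(line)
    return hits


def demo():
    db = make_db()
    tampered = "2 OR 1=1"  # constructed tampered parameter value
    leaked_rows = len(emblem_lookup_vulnerable(db, tampered))  # whole table comes back
    try:
        emblem_lookup_hardened(db, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return leaked_rows, rejected, emblem_lookup_hardened(db, "2")
```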


While it appears that Gamespot have now fixed the problem, it does raise the question of responsibility for leaking personal information in such a manner. We hear of all sorts of corporate requirements around the world that require large registered corporations to publicly disclose any data leakages, and to update their customers about any break-ins. But how does that apply to Web-only portals - especially to large portals such as Gamespot? I haven't seen any acknowledgment by Gamespot to their "customers" about the flaw - and no confirmation that the personal information of their 8,000,000 "customers" is safe from future attacks - nor a rebuttal of how many credentials were actually leaked.

Granted, Unu appeared to have (at least partially) done the right thing in informing Gamespot of the flaw and withheld his public notification until it was fixed - but Unu isn't the only hacker out there armed with SQL Injection tools/knowledge, and I'm reasonably sure that this was the only flaw within Gamespot's Web portal (given how easy this one would have been to spot using standard off-the-shelf tools). Which raises the question of just how safe anyone's personal data is when entrusted to Web-only providers, and how accountable they are for that information?

I don't have any answers to that question - but plenty of opinions as to what needs to be done. Should the security industry help develop an online code of ethics for entities such as Gamespot and help them become better Internet denizens, or does naming and shaming work best?

Monday, April 27, 2009

Who Cloned the Web Site? Here's how to Tell...

One of the problems regularly encountered when dealing with phishing, fraud and other flavors of counterfeit Web site content is the process of tracking back who the original perpetrator of the crime was.

Given the stateless nature of Web application technologies and the abundance of tools capable of conveniently cloning and creating "off-line" copies of popular transactional Web sites, it's damned near impossible to tell where the copy came from unless you can uniquely "seed" the content in some way.

Over the years I've been asked by dozens of financial institutes around the world as to the best techniques and technologies that can be used to seed Web application content and tag it in such a way that it's possible to figure out who the original "copier" was - without alerting them to the fact.

There are a number of techniques available to Web application designers and architects, but I've found the best solutions (i.e. least detectable and least prone to tampering or removal) revolve around tagging the images used within the application.

It's not an easy solution to implement, but the principle of "Distribution Tracing" can be applied to Web applications in the form of anti-fraud images.

I've finally had a chance to knock up a whitepaper describing the relative merits of the different techniques after all these years, and you can find it on my main Web site under the topic "Anti-fraud Image Solutions".

Now I'm sure some people are going to question the merits of the solution - and rightly so. I'm not an overly strong proponent of this kind of tracking solution. It needs to be used carefully and with an expert eye in order to yield prosecutable results, but for some organizations (particularly financial services organizations) it adds an extra arrow to their quiver in hunting down criminals who try to defraud their customers.

So, here's a question for readers (after they've read the paper of course)... can you name some of the large international banks that have already implemented Distribution Tracing within their secure customer portals?

------------
The whitepaper's abstract:

The Use of Distribution Tracing Within Web Content to Identify Counterfeiting Sources

Many of today’s more successful Internet-based fraud tactics require the counterfeiting of popular transactional Web sites such as financial portals, stock-trading platforms and online retail sites. For the fraud to be successful, the cyber-criminal must typically clone most, if not all, of the targeted site’s content and host the counterfeit site on a Web server under their control. With some minor modifications to the underlying HTML code and changes to the application logic, the cyber-criminal will seek to steal the personal authentication or authorization credentials of unlucky victims who fall to the counterfeit site. Armed with these credentials, the cyber-criminal will subsequently attempt to defraud the accounts of their victim.

The major subclass of this attack is often referred to as “phishing” and typically targets the customers of major financial organizations; with the cyber-criminal's end-goal being the removal of monies from their victim’s bank accounts. However, over time, phishing attacks have increasingly targeted a broader range of online consumers.

One key problem facing organizations targeted by these cyber-criminals is the identification of the perpetrators. While it is sometimes a simple task to shut down or have removed a counterfeit site, it is much more difficult to uncover the identity of those responsible for its creation.

Since the counterfeit sites are predominantly clones of a legitimate site, there are a number of techniques that can be employed by an organization to essentially “embed” a key into the duplicated content which can then later be used to trace back to the original source of the content.

This whitepaper provides an overview of the techniques available to organizations that wish to undertake such identification activities – evaluating the pros and cons of the various mechanisms and providing advice on how to employ this class of investigative technology.
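The image-tagging idea from the post above and the "embed a key into the duplicated content" step in the abstract, as a working sketch. This is an added example and not the whitepaper's method: it assumes a per-session HMAC tag carried in a PNG `tEXt` chunk, a server-side download log keyed by session, and a constructed secret.

```python
import hashlib
import hmac
import struct
import zlib

SECRET = b"constructed-server-side-secret"  # assumption: real key held in a KMS/HSM


def _chunk(ctype, data):
    # PNG chunk layout: 4-byte length, 4-byte type, data, CRC32 over type+data.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def tag_for(session_id):
    # Opaque per-download tag: an HMAC, so the copier cannot forge it or map it
    # back to a session without the server's secret.
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def tagged_png(session_id):
    # Minimal 1x1 greyscale PNG served to one session, with the tag embedded in
    # an ancillary tEXt chunk (assumed carrier; pixel-level embedding is harder to strip).
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, greyscale
    raw = b"\x00\x80"  # filter-type byte followed by one mid-grey pixel
    png = b"\x89PNG\r\n\x1a\n"
    png += _chunk(b"IHDR", ihdr)
    png += _chunk(b"tEXt", b"Comment\x00" + tag_for(session_id).encode())
    png += _chunk(b"IDAT", zlib.compress(raw))
    png += _chunk(b"IEND", b"")
    return png


def extract_tag(png):
    # Walk the chunks of an image recovered from a counterfeit site.
    pos = 8
    while pos + 8 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"tEXt" and data.startswith(b"Comment\x00"):
            return data[8:].decode()
        pos += 12 + length
    return None


def trace_source(png, download_log):
    # download_log maps session_id -> who fetched the original (e.g. source IP).
    # Tags are recomputed rather than stored, so the log itself holds nothing secret.
    tag = extract_tag(png)
    for session_id, who in download_log.items():
        if tag and hmac.compare_digest(tag, tag_for(session_id)):
            return who
    return None
```

A metadata chunk is the easiest carrier to strip, which is exactly why the post favours the least detectable tagging; the tracing logic is the same whichever carrier is used.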

<PDF of Anti-Fraud Image Solutions>

Sunday, April 26, 2009

Google's What's Up CAPTCHA

Earlier this week there was a little chatter about a new CAPTCHA proposed by some of Google's research team. The actual paper - What's Up CAPTCHA? A CAPTCHA Based On Image Orientation - is well worth a read, and it's an interesting slant on the theme of helping deflect automated attacks against Web applications.

One criticism that I've had in the past for many of the CAPTCHAs out there and in use today is the fact that, in order to thwart the bad guys and their improved attack tools, the CAPTCHA has evolved to an almost unusable state for the "average" user - i.e. my grandma wouldn't be able to answer it even if she wore her glasses.

This proposal from the Google researchers I think addresses that concern, as it seems to be much more usable than the heavily obfuscated and random arrangements of letters and numbers we see on most sites. That said, I suspect that it's not going to be particularly successful against the bad guys - but, then again, the current generation of deployed CAPTCHAs don't solve that problem either (and I don't think they ever will).

CAPTCHAs as a defensive technology have proved to be redundant in the face of organized criminal attacks. You can find more analysis of how the bad guys have moved beyond this technology in my previous blogs - Evolving Beyond CAPTCHA - and - CAPTCHAs and Mechanical Turks.

Personally I'd like to see these image-based CAPTCHAs used rather than the current generation of letters/numbers ones - not so much because of their defensive value, but rather for ease of use by average Internet users. Reducing the complexity of these security hurdles is always going to be beneficial.