DDoS Warnings: Emerging Threats Pack a Punch

Attackers Mix Malware, Extortion, Advertising Networks
By all measures, distributed denial-of-service attacks remain not just alive and well, but are growing more severe. The latest example of the staying - and disruptive - power of DDoS attacks comes with researchers at Akamai Technologies warning that a botnet comprised of Linux systems infected with XOR DDoS malware has been launching DDoS attacks that have reached a blistering 150 Gbps. While that speed doesn't set any records, it nevertheless represents a large enough packet storm to disrupt many websites.

Attackers are also finding new ways to create online disruptions, with DDoS defense firm CloudFlare warning that it's tied a recent attack campaign to an advertising network. And security experts caution that these DDoS disruptions can serve as a smokescreen for hack attacks aimed at breaching organizations' systems, although it's not clear how often such attacks are launched in tandem.

Regardless, security experts say that the quantity and severity of DDoS attacks continues to increase, fueled in part by groups such as DD4BC - for DDoS for Bitcoin - using DDoS attacks, or sometimes just the threat of such attacks, to extort organizations. "Cyber-extortion is probably the hottest trend of 2015," financial fraud expert and Gartner analyst Avivah Litan tells Information Security Media Group, adding that such DDoS attacks remain widely underreported (see DDoS Attacks Against Banks Increasing).

Linux DDoS Malware Upsides

To launch DDoS attacks, many criminals first infect systems with either Windows malware, or Linux malware such as XOR DDoS, which can then be instructed to target sites of the attacker's choosing. Currently, XOR DDoS is being used to target about 20 organizations per day, according to a new report from the security intelligence response team at Akamai Technologies. Most of the targets are in the gaming sector, followed by educational institutions, and the vast majority of the targets are based in Asia.

"The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords," Akamai says, and the malicious code is designed to be difficult to eradicate. "XOR DDoS is persistent - it runs processes that will reinstall the malicious files if they are deleted." Security researchers say the malware installs itself in the Linux boot directory under a random 10-character file name, and also creates scripts, plus links to those scripts, that are designed to keep the malware running.
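A host-hunting check built from the persistence traits described above (a randomly named 10-character file in the boot directory, plus init scripts and links that relaunch it). This is an added example, not Akamai's tooling or code from the article; the directory layout and the planted file name are constructed, and on a real host you would point the scan at /boot, /etc/init.d and the rc*.d directories.

```python
import os
import re
import tempfile

# Heuristic from the Akamai description above: random 10-char file in the boot dir plus relaunch scripts/links.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{10}$")  # kernel files carry dots/dashes, so they do not match

def suspicious_boot_files(boot_dir):
    """Regular files in boot_dir whose name is exactly 10 alphanumeric characters."""
    hits = []
    for name in sorted(os.listdir(boot_dir)):
        path = os.path.join(boot_dir, name)
        if os.path.isfile(path) and not os.path.islink(path) and RANDOM_NAME.match(name):
            hits.append(path)
    return hits

def launchers_for(paths, script_dirs):
    """Scripts that reference a flagged path, and symlinks (rc*.d style) pointing at them."""
    scripts, links = [], []
    for d in script_dirs:
        for name in sorted(os.listdir(d)):
            entry = os.path.join(d, name)
            if os.path.islink(entry):
                links.append(entry)
            elif os.path.isfile(entry):
                with open(entry, errors="replace") as fh:
                    if any(p in fh.read() for p in paths):
                        scripts.append(entry)
    targets = {os.path.realpath(s) for s in scripts}
    return scripts, [l for l in links if os.path.realpath(l) in targets]

def scan(boot_dir, script_dirs):
    """Full hunt: flagged files, the scripts that relaunch them, and links to those scripts."""
    files = suspicious_boot_files(boot_dir)
    scripts, links = launchers_for(files, script_dirs)
    return {"files": files, "scripts": scripts, "links": links}

def build_sample_host():
    """Constructed sample tree (not a real host): normal kernel files beside one planted artifact set."""
    root = tempfile.mkdtemp()
    boot, init, rc = (os.path.join(root, d) for d in ("boot", "init.d", "rc3.d"))
    for d in (boot, init, rc): os.mkdir(d)
    for name in ("vmlinuz-4.1.0", "System.map-4.1.0", "gxdrbxowle"):  # last one is the planted file
        open(os.path.join(boot, name), "w").close()
    script = os.path.join(init, "gxdrbxowle")  # init script that relaunches the dropped file
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n%s &\n" % os.path.join(boot, "gxdrbxowle"))
    os.symlink(script, os.path.join(rc, "S90gxdrbxowle"))  # runlevel link keeps it starting at boot
    return boot, [init, rc]
```

Because the malware reinstalls deleted files, a hit on all three artifact types is the cue to kill the running processes first and then remove the files and links together.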

The use of Linux malware by DDoS attackers is not unusual, in part because many Linux systems do not run antivirus, meaning they're relatively easy to infect and those infections can be longer-lasting, says security firm Kaspersky Lab in an August research report. "Linux-based botnets offer cybercriminals the opportunity to manipulate network protocols, while infected servers have high-speed Internet channels - so attacks launched from them are potentially more powerful than those from Windows botnets," Kaspersky Lab says. "However, to create and operate a Linux botnet, a cybercriminal needs to have a good knowledge of Linux as well as find a suitable bot," either on the black market or by cobbling together free tools.

Mobile Advertising Attacks

As an alternative to using malware to launch DDoS attacks, some criminals have taken to using advertising networks instead. In a Sept. 25 blog post, CloudFlare's Marek Majkowski reported that the company traced a late-August attack against one of its customers to an advertising network that was being used to launch what's known as a layer 7 - or HTTP flood - attack (see Why Malvertising Attacks Won't Stop). This particular DDoS attack peaked at 275,000 HTTP requests per second from 650,000 unique IP addresses, he says, and most of the attack traffic came from users in China.

Security researchers have long theorized that advertising networks might be used to serve code to browsers that generates HTTP-flood attacks. But to date, large-scale versions of these types of browser-based attacks have not surfaced. "Since an efficient distribution vector is crucial in issuing large floods, up until now I haven't seen many sizable browser-based floods," Majkowski says.

This, however, may represent the first such large-scale attack seen by CloudFlare, which suspects that this particular attack was unleashed, in large part, by mobile browsers opening an app or being used to visit a website that was tied into a third-party advertising network. The advertisement may then have served malicious JavaScript, which then used Ajax to launch an HTTP flood attack against a designated website. "There is no way to know for sure why so many mobile devices visited the attack page, but the most plausible distribution vector seems to be an ad network," Majkowski says. "It seems probable that users were served advertisements containing the malicious JavaScript. The ads were likely [shown] in iFrames in mobile apps, or mobile browsers to people casually browsing the Internet."
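The attack described above (275,000 requests per second spread over 650,000 source addresses) averages well under one request per second per client, so a per-IP rate limit never fires; the usable signal is the aggregate rate against one URL from a very large number of distinct sources. The access-log check below is an added example, not CloudFlare's detection logic; the log lines are constructed and the thresholds are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format line: client IP, timestamp, request line, status, size.
LOG = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" \d{3} \d+')

def parse(lines):
    """Yield (epoch_second, client_ip, path) for each well-formed access-log line."""
    for line in lines:
        m = LOG.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield int(ts.timestamp()), m.group(1), m.group(3)

def flood_seconds(lines, rps_limit=100, spread=0.8):
    """Seconds whose request count exceeds rps_limit while at least `spread` of the
    requests come from distinct IPs; thresholds are assumptions, not CloudFlare's."""
    per_sec = defaultdict(list)
    for sec, ip, path in parse(lines):
        per_sec[sec].append((ip, path))
    alerts = []
    for sec in sorted(per_sec):
        hits = per_sec[sec]
        ips = Counter(ip for ip, _ in hits)
        if len(hits) > rps_limit and len(ips) / len(hits) >= spread:
            top_path = Counter(p for _, p in hits).most_common(1)[0][0]
            # max_per_ip shows why a per-client rate limit alone would not have fired
            alerts.append({"second": sec, "requests": len(hits), "unique_ips": len(ips),
                           "max_per_ip": max(ips.values()), "top_path": top_path})
    return alerts

def sample_log():
    """Constructed log (not real traffic): light normal use, then a 2-second flood of
    one URL from 300 distinct sources, each sending a single request."""
    fmt = '{ip} - - [25/Aug/2015:10:00:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="10.0.0.%d" % (i % 5), s=i % 10, path="/page%d" % (i % 3))
             for i in range(30)]
    for i in range(300):
        ip = ("192.0.2.%d" if i < 150 else "198.51.100.%d") % (i % 150)
        lines.append(fmt.format(ip=ip, s=20 + i % 2, path="/"))
    return lines
```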

DDoS Smokescreens: How Prevalent?

Security experts have long warned that one risk from any type of DDoS disruption is that it may be serving as a smokescreen to mask more serious attacks. But related warnings have not always proven to be true. For example, many security experts suspected that the wave of DDoS attacks that began pummeling U.S. financial services firms in 2012 was masking more damaging hacks. No coordinated hacks, however, ever came to light.

But related concerns remain. On Sept. 28, Kaspersky Lab released a report that warned: "Denial of service is frequently used as a decoy to distract IT staff from an intrusion taking place at the same time."

That report, based on a survey of IT professionals at more than 5,500 organizations in 26 countries, suggests that smokescreen attacks remain commonplace. "More than two-thirds of victims of a DDoS attack reported another type of security incident coinciding with an attack," Kaspersky Lab says.

But those numbers are fuzzy. How many IT professionals who self-report their perceptions of a DDoS attack can verify if two simultaneous attacks are coordinated, or just coincidence?


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.