Posts Tagged ‘DDoS’

The Mariposa botnet made headlines when three of its alleged operators were arrested in Spain prior to its supposed shutdown. This was followed by a sudden and drastic decrease in Mariposa-related incidents, which was very understandable because the botnet was reported to have already been taken down.

Lately, however, Trend Micro has observed a strange increase in activity related to WORM_PALEVO—the Trend Micro detection name for malware related to the Mariposa botnet. The increase started late in the fourth quarter of 2010.

“It seems that despite the Mariposa botnet takedown in early 2010, some of its command-and-control (C&C) servers are still very much alive. Our findings were further verified, as according to abuse.ch, there are currently 89 active Mariposa C&C servers. This number is also steadily growing, as we’ve found 116 active C&C servers as of this writing. The list even includes the infamous URL that was responsible for the botnet’s name—Mariposa,” explained Jessa De La Torre, Trend Micro’s Threat Response Engineer.

“We checked out the variants that were causing the activity and found that although currently in-the-wild samples slightly differed from previous versions, their functions remained the same,” De La Torre said.

WORM_PALEVO is a modularized bot mainly used to perform distributed denial-of-service (DDoS) attacks and to download other files. As a commercial bot, its modules can be separately bought should herders want to add features such as propagation, browser monitoring and hijacking, cookie stuffing, and flooding and download routines to their creations. The bots communicate with their C&C server using UDP, which firewall devices do not typically block.
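Because the bots use UDP for their C&C traffic, a defender who cannot rely on the firewall to block it can instead look for the regular check-in rhythm a bot produces. The following added example (not from the Trend Micro write-up, and not tied to any real Mariposa indicator) scans constructed flow records for outbound UDP conversations whose inter-arrival times are suspiciously regular; the addresses, ports, the 10.0.0.0/8 internal range and the thresholds are all assumptions.

```python
"""Flag periodic outbound UDP conversations in constructed flow records.

Added example: a beaconing check for bots that talk to their C&C over UDP.
All flow records, addresses and ports below are constructed placeholders,
not real Mariposa/PALEVO C&C indicators.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, proto, dst_port, bytes)
FLOWS = [
    # host 10.0.0.5 contacts 198.51.100.7:3333/UDP about every 60 s: beacon-like
    (0,   "10.0.0.5", "198.51.100.7", "udp", 3333, 48),
    (61,  "10.0.0.5", "198.51.100.7", "udp", 3333, 48),
    (120, "10.0.0.5", "198.51.100.7", "udp", 3333, 52),
    (181, "10.0.0.5", "198.51.100.7", "udp", 3333, 48),
    (240, "10.0.0.5", "198.51.100.7", "udp", 3333, 48),
    (301, "10.0.0.5", "198.51.100.7", "udp", 3333, 48),
    # host 10.0.0.9 uses an external UDP service at irregular, bursty times
    (3,   "10.0.0.9", "203.0.113.9", "udp", 1234, 700),
    (5,   "10.0.0.9", "203.0.113.9", "udp", 1234, 640),
    (40,  "10.0.0.9", "203.0.113.9", "udp", 1234, 710),
    (41,  "10.0.0.9", "203.0.113.9", "udp", 1234, 680),
    (200, "10.0.0.9", "203.0.113.9", "udp", 1234, 660),
    (202, "10.0.0.9", "203.0.113.9", "udp", 1234, 690),
    # internal DNS and a TCP session: both ignored by the outbound-UDP filter
    (7,   "10.0.0.9", "10.0.0.53", "udp", 53, 70),
    (10,  "10.0.0.5", "203.0.113.2", "tcp", 443, 5000),
]

INTERNAL_PREFIX = "10."  # assumption: the monitored network is 10.0.0.0/8


def find_udp_beacons(flows, min_flows=5, max_jitter=0.15):
    """Return (src, dst, port, period_s) for outbound UDP conversations whose
    gaps between flows are regular enough to look like a scripted check-in.

    max_jitter bounds the coefficient of variation (stdev / mean) of the
    inter-arrival gaps: a timer-driven bot scores close to zero, while
    human-driven traffic is bursty and scores high.
    """
    by_conv = defaultdict(list)
    for ts, src, dst, proto, dport, _ in flows:
        if proto != "udp":
            continue
        # only internal -> external traffic is of interest here
        if not src.startswith(INTERNAL_PREFIX) or dst.startswith(INTERNAL_PREFIX):
            continue
        by_conv[(src, dst, dport)].append(ts)

    hits = []
    for (src, dst, dport), stamps in by_conv.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period == 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append((src, dst, dport, round(period, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, dport, period in find_udp_beacons(FLOWS):
        print(f"beacon candidate: {src} -> {dst}:{dport}/udp every ~{period}s")
```

In the constructed data only the 60-second conversation is reported; the bursty one has a coefficient of variation well above the threshold. In practice the thresholds need tuning against known-good periodic UDP traffic (NTP, monitoring agents) so the check does not drown in benign timers.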

“When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. We reserve the right to use all necessary means – diplomatic, informational, military, and economic – as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests. In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible.”

That isn’t a proposal from a technically challenged US Senator, but the text from the new US International Strategy for Cyberspace. This means you DDoS the US and they’ll retaliate with missiles. This is perhaps the most extreme defense strategy against cyberattacks that any country has ever proposed, let alone implemented.

The new US cyberspace policy is meant to encourage ‘responsible behavior’ and oppose those who would seek to disrupt networks and systems, thereby dissuading and deterring malicious actors, while reserving the right to defend these vital national assets as necessary and appropriate. According to the policy, the United States will continue to strengthen its network defenses and its ability to withstand and recover from disruptions and other attacks. For those more sophisticated attacks that do create damage, the US will act on well-developed response plans to isolate and mitigate disruption to its machines, limiting effects on its networks and potential cascade effects beyond them.

The new policy has come in the wake of an increasing number of attacks on critical infrastructure that can potentially disrupt power, water and other utility services in the United States. Moreover, the US has on many occasions indicated that it has ‘concrete evidence’ that the cyber attacks on its military websites and sensitive establishments have been coming from China, which is increasingly hungry for information.

Arbor Networks, a security and network management solutions provider, announced today the Arbor Pravail Availability Protection System (APS), a new product family focused on securing the Internet data center (IDC) edge. An important new capability introduced within the Arbor Pravail APS is Cloud Signaling, a protocol that bridges the gap between the data center edge and the provider cloud, where Arbor’s Peakflow SP platform is pervasively deployed. The addition of Cloud Signaling automates the connecting of service providers, network operators and data center customers with the mission to ensure the availability of IDC infrastructure and speed time-to-mitigation for distributed denial of service (DDoS) attacks.

Cloud Signaling enables optimal protection of the Internet data center from availability threats, identifying and mitigating application-layer attacks at the data center edge and volumetric denial of service attacks in the provider cloud. No other vendor is able to offer this comprehensive, automated protection against availability threats to IDC infrastructure.

For the second consecutive year, botnet-driven volumetric and application-layer DDoS attacks continue to be the most significant problems facing network operators, according to the Arbor Networks 2010 Worldwide Infrastructure Security Report. In 2010, for the first time, volumetric DDoS attacks topped the 100 Gbps barrier and an alarming 77 percent of respondents detected application-layer attacks. These application-layer attacks are targeting both end customers and network operators’ own critical support services, such as HTTP, Web and domain name system (DNS) services. IDC operators reported that application-layer DDoS attacks are leading to significant outages, increased operational expenditures (OPEX), customer churn and revenue loss. Moreover, enterprises point to the DDoS threat to the data center – the availability of services and data – as one of the biggest obstacles for organizations looking to move to cloud-based infrastructure today.

Cloud Signaling addresses the need for a coordinated response to both aspects of today’s increasingly complex DDoS threat – the magnitude of the largest volumetric attacks and the sophistication of the latest in application-layer denial of service attacks. Working with their Internet service provider (ISP) and managed security services provider (MSSP) customers, Arbor Networks has developed a protocol to facilitate both customer on-premise mitigation of application-layer attacks and upstream mitigation of volumetric attacks in an automated and real-time manner. Arbor customers who utilize Cloud Signaling can offer customers a comprehensive, integrated protection from the data center edge to the service provider cloud.

When a data center operator discovers that they are under a service-disrupting DDoS attack, they can choose to mitigate the attack in the cloud by triggering a signal to upstream infrastructure of their provider’s network. A volumetric DDoS attack congesting the upstream links would immediately diminish or disappear altogether from the data center’s access links and service availability would be protected. IDC customers also benefit from real-time monitoring of the attack mitigation, as well as granular post-mortem reports with details of the attack and the steps taken by the operator to mitigate the attack, keeping them in control and maintaining their expertise in command of the event. The addition of Cloud Signaling into the ISP/MSSP portfolio further strengthens the overall managed DDoS service offering by providing customers with complete DDoS protection from a single dashboard. Cloud Signaling enables the IDC operator to reduce time to mitigation and increase the effectiveness of response against DDoS threats, thus saving the company from major operational expense and preserving the company’s reputation.

The notorious hacktivist group Anonymous has struck again. The group previously warned the New Zealand government of a series of attacks after the government proposed The Copyright (Infringing File Sharing) Amendment Bill. Anonymous has launched a major operation to chastise the government of New Zealand for what it calls an act of ‘oppression’.

Operating under the flagship “Operation Payback”, Anonymous has targeted the domain of the New Zealand parliament for internet silence. On Saturday, April 30 at 23:59 UTC, the website was rendered inoperable by a DDoS attack.

In a video address published minutes before the attack, Anonymous asserted: “Guilty until proven innocent – we shall never accept this, and nobody should.”

Promising a continued large-scale effort, Anonymous is planning a sustained campaign which is likely to include activist action on the ground. Security services protecting the parliament website were “confident [the] website will stand up”, with “adequate firewalls in place”.

However, unable to resist the anger of the masses, system administrators proceeded to cut their own website off from international traffic soon after the attack began.

“This effectively accomplished much of our work for us. This cowardly act also demonstrated a willingness on part of the New Zealand government to isolate themselves from the international community in order to maintain control over their citizenry,” Anonymous said in a statement.

“Unwilling to confront their defeat, the security services promptly buried their head in the sand, denying that any attack ever took place. The extent of their humiliation became painfully obvious to everyone but them when an independent news source finally acknowledged an Anonymous victory,” Anonymous added.

In addition to the protests against the NZ parliament, Anonymous also protested the website of NZ FACT (New Zealand Federation against Copyright Theft), an organization which actively encourages the pursuit of “file sharers” and calls for punitive sanctions against them.

North Korea was responsible for paralyzing the National Agricultural Cooperative Federation’s computer network in April in a second online attack in two months linked to the Kim Jong Il regime, South Korean prosecutors said.

According to a Bloomberg report, “Hackers used similar techniques employed in cyber assaults that targeted websites in South Korea and the U.S. earlier this year and in 2009, the Seoul Central District Prosecutors’ Office said in an e-mailed statement today.”

The network of the bank, better known in Korean as Nonghyup, was shut down on April 12, keeping its almost 20 million clients from using automated teller machines and online banking services. In all of the three bouts of online attacks, a method called “distributed denial service” was used, according to the statement.

Under the DDoS tactic, malicious codes infect computers to trigger mass attacks against targeted websites, according to Ahnlab Inc. (053800), South Korea’s largest maker of antivirus software.

Nonghyup will spend 510 billion won ($477.2 million) by 2015 to boost network security, the bank said in an e-mailed statement. The company received 1,385 claims for compensations related to the network disruption as of May 2, and 1,361 of them have been settled, according to the statement.

North Korea’s postal ministry was responsible for the 2009 attacks, Won Sei Hoon, head of South Korea’s National Intelligence Service, told lawmakers in October 2009.

Attacks in March this year targeted 40 South Korean websites, including at the presidential office, the National Intelligence Service, and Ministry of National Defense. They were traced to the same Internet Protocol addresses used in the 2009 episodes, South Korean police said last month.

The hackers prepared for the April 12 attack on Nonghyup for more than seven months, the Seoul Central District Prosecutors’ Office said today.

After a long lazy weekend that was practically wasted because of an attack on Sony PlayStation Network, bringing down PSN to a complete halt, gamers woke up Monday morning with a ray of hope that Sony for sure would’ve fixed PSN by now. To their dismay, PSN is still down, even after 5 days of outage and there is more bad news.

According to a source with close connections to Sony Computer Entertainment Europe, the attack on the PlayStation Network may be a bit deeper than originally reported by Sony. According to the source, who wishes to remain anonymous, the PSN sustained a LOIC attack (which created a denial-of-service condition) that damaged the server. There was also a concentrated attack on the PlayStation servers holding account information. In addition, “Admin Dev accounts were breached.”

This led to the result that “Sony then shut down the PSN and [is] currently in the process of restoring backups to new servers with new admin dev accounts.” The SCEE (Sony Computer Entertainment Europe) source said Japanese servers may be restored tomorrow while the U.S. and E.U. servers will likely be operational the following day.

Sony Computer Entertainment America recently confirmed that it pulled down the PSN because of an “external intrusion.” The PlayStation Network and Qriocity services were pulled offline by Sony on Wednesday, April 20. Initially, the hacktivist group Anonymous was suspected of the attacks, but the group later denied any such rumors.

Be it Anonymous or someone else, Sony should’ve been prepared for Skynet on April 21st (well, considering the outage took place on the 20th of April, Sony perhaps deserves a little less abuse). However, if Sony can’t afford to build a contingency plan with billions of dollars in its pockets and thousands of bright minds behind it, then perhaps it truly deserves this Apocalypse. The only sad part is that tons of gamers now have to suffer because of Sony’s inability to secure its infrastructure and have crisis management in place.

Sony’s PlayStation Network is still suffering an outage more than 48 hours after it began. According to Sony’s blog, the interruption in service may last into the long weekend – for at least another “full day or two”. Sony released a statement through its EU blog saying that the network outage may be a result of “targeted behaviour by an outside party”, raising the possibility of cyberattacks. Adding to the confusion is the fact that the message has since been removed. The hacktivist group Anonymous has been suspected of the attacks since the group openly warned Sony of attacks last week. However, tired of the allegations against it, Anonymous has now officially denied any involvement.

In the official statement, Anonymous today said, “While it could be the case that other Anons have acted by themselves, AnonOps was not related to this incident and takes no responsibility for it. A more likely explanation is that Sony is taking advantage of Anonymous’ previous ill-will towards the company to distract users from the fact the outage is actually an internal problem with the company’s servers.”

The PSN users are highly annoyed with this incident as they cannot play their favorite PS3 games online on this long weekend. There couldn’t have been a worse time for an outage of this proportion.

A computer programmer has been sentenced to 24 months in prison for launching a virus that infected approximately 100,000 computers around the world and directed them to attack media outlets that republished stories that mentioned him.

In September 2010, a jury returned a guilty verdict against Bruce Raisley, 48, of Kansas City, Missouri, following a six-day trial. Raisley was convicted of the count charged in the Indictment on which he was tried: launching a malicious computer program designed to attack computers and Internet websites, causing damages.

Raisley formerly volunteered for Perverted Justice, an organization that worked with the Dateline NBC television show “To Catch a Predator” to identify and apprehend pedophiles. After a falling out with the group and its founder, Xavier Von Erck, Raisley became an outspoken critic of Perverted Justice and Von Erck.

Von Erck retaliated by posing online as an adult woman named “Holly” and initiating an Internet relationship with Raisley. Eventually, Raisley agreed to leave his wife for “Holly” and was photographed by a Perverted Justice volunteer waiting for “Holly” at the airport.

In September 2006, Radar Magazine published an article entitled “Strange Bedfellows,” and in July 2007, Rolling Stone Magazine published an article entitled “To Catch a Predator: The New American Witch Hunt for Dangerous Pedophiles.” Both articles discussed the television show “To Catch a Predator” and, more specifically, the techniques employed by Perverted Justice and the show to ensnare pedophiles. Both articles discussed the episode between Raisley and Von Erck posing as “Holly.”

The two articles proved popular, and were later posted on a number of websites beyond Radar and Rolling Stone, including a website operated by the Rick Ross Institute of New Jersey. As a result, Raisley devised a plan to remove the articles from the websites.

Specifically, Raisley developed a virus that would spread over the Internet and infect computers. When he deployed the virus, it infected approximately 100,000 computers across the world, creating what is known as a “botnet.” Expert witnesses explained that a botnet is a collection of victim computers that are remotely controlled to accomplish tasks such as sending out e-mail spam or, as in this case, attacking websites.

Raisley used the botnet to launch distributed denial of service attacks. Such attacks caused the 100,000 computers to repeatedly attempt to access any websites that posted the two articles in an effort to overwhelm the computers that hosted the websites and shut down the websites. The effect of denial of service attacks is akin to an “all circuits are busy” message—making it impossible for Internet users to access the content of the victim websites, including, of course, the two articles.

Evidence admitted at trial demonstrated that Raisley targeted and attacked a number of websites, including those of Rolling Stone, Radar, Nettica, Corrupted Justice, and the Rick Ross Institute of New Jersey. In total, those websites suffered damages in excess of $100,000 in lost revenues and mitigation.

In addition to the prison term, Judge Kugler sentenced Raisley to three years of supervised release and ordered him to pay $90,386.34 in restitution.

The denial of service (DoS) attack initiated by The Jester (th3j35t3r) against websites operated by the controversial Westboro Baptist Church (WBC) has now exceeded four full weeks in duration.

The sustained DoS attacks which began on February 21st represent a duration record for the hacktivist who is best known for his regular attacks on militant Jihadi websites as well as for an attack on the WikiLeaks website in late November of 2010 that forced the organization to shuffle Internet hosting providers.

The Jester uses a DoS tool he calls XerXeS (video) to perform an application-level attack which can be carried out by a single low-spec machine with relatively few packets, whereas traditional TCP-based DoS attacks require multiple machines.
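The operational consequence for a defender is that a bandwidth or packet-rate alarm sized for volumetric floods stays quiet during an application-level attack, so the detection has to happen at the request level. The following added example (written for this page; it is neither code from the article nor anything to do with XerXeS) runs a per-client request-rate check and a byte-volume check side by side over a constructed web access log. The log lines, addresses, window size and thresholds are all assumptions.

```python
"""Contrast request-rate and byte-volume detection on a constructed access log.

Added example: a handful of HTTP requests per second from one host can exhaust
an application while moving almost no bandwidth, so only a per-client request
counter notices it. Every log line, address and threshold here is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format, minus the referer/user-agent tail
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed log: one host sends 40 search requests in ten seconds while
    two ordinary visitors browse a few pages."""
    base = datetime(2011, 2, 21, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):
        ts = base + timedelta(milliseconds=250 * i)
        lines.append(f'203.0.113.5 - - [{ts.strftime(TS_FMT)}] '
                     f'"GET /search?q={i} HTTP/1.1" 200 512')
    visitors = [
        ("198.51.100.20", 1, "/", 8192),
        ("198.51.100.20", 2, "/style.css", 4096),
        ("198.51.100.20", 3, "/logo.png", 16384),
        ("198.51.100.20", 7, "/news", 9000),
        ("198.51.100.20", 9, "/news/2", 9100),
        ("192.0.2.77", 4, "/", 8192),
        ("192.0.2.77", 8, "/about", 3000),
    ]
    for ip, sec, path, size in visitors:
        ts = base + timedelta(seconds=sec)
        lines.append(f'{ip} - - [{ts.strftime(TS_FMT)}] '
                     f'"GET {path} HTTP/1.1" 200 {size}')
    return lines


def parse_log(lines):
    """Yield one event dict per parseable line, oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        events.append({"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
                       "bytes": size})
    return sorted(events, key=lambda e: e["ts"])


def request_rate_alerts(events, window_s=10, max_requests=20):
    """Sliding-window count of requests per client; returns {ip: count at
    the moment the client first exceeded max_requests within window_s}."""
    recent = defaultdict(deque)
    alerted = {}
    for ev in events:
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_requests and ev["ip"] not in alerted:
            alerted[ev["ip"]] = len(q)
    return alerted


def volume_exceeded(events, max_bytes=10_000_000):
    """Volumetric-style check: total bytes served over the sample."""
    return sum(e["bytes"] for e in events) > max_bytes


def analyze(lines=None):
    events = parse_log(build_sample_log() if lines is None else lines)
    return {"rate_alerts": request_rate_alerts(events),
            "volume_alert": volume_exceeded(events)}


if __name__ == "__main__":
    print(analyze())
```

On the constructed data the rate check flags 203.0.113.5 at its 21st request, while the whole sample moves under 80 KB and never approaches the volume threshold. The same asymmetry is why the article's distinction matters for monitoring: a server-side request counter, ideally one that also weights expensive endpoints such as search, is the control that catches this class of attack.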

The XerXeS tool has been employed to disable multiple WBC websites in a relentless campaign to hamper the church’s continued use of the Internet to broadcast hate speech.

The Westboro Baptist Church has made a name for itself by staging vocal protests at the funerals of U.S. military members killed in action, and often uses shocking tactics and inflammatory language to gain the attention of the media.

The Jester posted the following update on the attacks at Pastebin earlier this week:

GODHATESFAGS.COM – Tango down 1 Month and counting. (THAT’S 4 WEEKS)

Also all of the Westboro Baptist Church secondary domains (listed below) – Also their 3rd party hosted blog hosted at:

http://blogs.sparenot.com/index.php/godsmacks – TANGO DOWN

That’s one whole month WBC???? I thought you guys were just rebooting? Also why did ya remove all ya websites from your official letterhead:

http://twitter.com/#!/th3j35t3r/status/48508992082808833

Americaisdoomed.com     – TANGO DOWN

priestsrapeboys.com     – TANGO DOWN

godhatesireland.com     – TANGO DOWN

godhatesmexico.com      – TANGO DOWN

godhatescanada.com      – TANGO DOWN

Godhatesfags.com        – TANGO DOWN

sparenot.com            – TANGO DOWN

thebeastobama.com       – TANGO DOWN

yourpastorisafrak.com  – TANGO DOWN

godhatestheworld.com    – TANGO DOWN

godhatessweden.com      – TANGO DOWN

Jewskilledjesus.com     – TANGO DOWN

godistheterrorist.com   – TANGO DOWN

godhatesamerica.com     – TANGO DOWN

godhatesthemedia.com    – TANGO DOWN

signmovies.com          – TANGO DOWN

signmovies.net          – TANGO DOWN

fredthemovie.com        – TANGO DOWN

hatemongers.com         – TANGO DOWN

stay frosty

th3j35t3r

There’s an unequal amount of good and bad in most things. Trick is to figure out the ratio and act accordingly.

The Westboro Baptist Church has made some other powerful enemies in the hacktivist community this year as well.

Rumors had circulated in February that the rogue movement Anonymous may target the WBC after the posting of a press release that was purported to be from an Anonymous supporter.

The press release was dismissed as a hoax by the hacktivist group, which insisted the text was a publicity stunt executed by WBC members.

Supporters of the Anonymous movement did however end up defacing a WBC website during the course of a live radio interview (video) after representatives of the church taunted the group repeatedly in the media.

As for The Jester’s continued DoS attacks, it looks as if the hacktivist is committed to keeping the WBC’s online outlets for hate speech down indefinitely.