Posts tagged: DoS

Jun 27 2012

The Zemra Bot – New DDoS Attack Pack

Zemra BotA new Distributed Denial of Service (DDoS) crimeware bot known as “Zemra” and detected by Symantec as Backdoor.Zemra. Lately, this threat has been observed performing denial-of-service attacks against organizations with the purpose of extortion. Zemra first appeared on underground forums in May 2012 at a cost of €100.

This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that is has a command-and-control panel hosted on a remote server. This allows it to issue commands to compromised computers and act as the gateway to record the number of infections and bots at the attacker’s disposal.

Similar to other crimeware kits, the functionality of Zemra is extensive:

  • 256-bit DES encryption/decryption for communication between server and client
  • DDoS attacks
  • Device monitoring
  • Download and execution of binary files
  • Installation and persistence in checking to ensure infection
  • Propagation through USB
  • Self update
  • Self uninstall
  • System information collection

However, the main functionality is the ability to perform a DDoS attack on a remote target computer of the user’s choosing.

Initially, when a computer becomes infected, Backdoor.Zemra dials home through HTTP (port 80) and performs a POST request sending hardware ID, current user agent, privilege indication (administrator or not), and the version of the OS. This POST request gets parsed by gate.php, which splits out the information and stores it in an SQL database. It then keeps track of which compromised computers are online and ready to receive commands.

Inspection of the leaked code allowed us to identify two types of DDoS attacks that have been implemented into this bot:

  • HTTP flood
  • SYN flood

Symantec added detection for this threat under the name Backdoor.Zemra, which became active on June 25, 2012. To reduce the possibility of being infected by this Trojan, Symantec advises users to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed.

Oct 24 2011

THC SSL DOS Tool Released

THC-SSL-DOS is a tool to verify the performance of SSL.

Establishing a secure SSL connection requires 15x more processing power on the server than on the client.

THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.

This problem affects all SSL implementations today. The vendors are aware of this problem since 2003 and the topic has been widely discussed.

This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via single TCP connection.

Windows binary :
Unix Source : thc-ssl-dos-1.4.tar.gz

Use “./configure; make all install” to build.

./thc-ssl-dos 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err

Comparing Flood DDoS vs. SSL-Exhaustion Attack:
A traditional flood DDoS attack cannot be mounted from a single DSL connection.
This is because the bandwidth of a server is far superior to the bandwidth of a DSL connection: A DSL connection is not an equal opponent to challenge the bandwidth of a server.

This is turned upside down for THC-SSL-DOS: The processing capacity for SSL handshakes is far superior at the client side: A laptop on a DSL connection can challenge a server on a 30Gbit link.

Traditional DDoS attacks based on flooding are sub optimal: Servers are prepared to handle large amount of traffic and clients are constantly sending requests to the server even when not under attack.

The SSL-handshake is only done at the beginning of a secure session and only if security is required. Servers are _not_ prepared to handle large amount of SSL Handshakes.

The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).

Tips & Tricks for WhiteHats:
– The average server can do 300 handshakes per second. This would require 10-25% of your laptops CPU.
– Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
– Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are more unlikely to use an SSL Accelerator (like the POP3S, SMTPS, … or the secure database port).

Counter measurements:
No real solutions exists. The following steps can mitigate (but not solve) the problem:
– Disable SSL-Renegotiation
– Invest into SSL Accelerator

Either of these countermeasures can be circumventing by modifying THC-SSL-DOS. A better solution is desireable. Somebody should fix this.

Aug 13 2011

DDoS and Hacking Services for Sale

Hacking ServicesAccording to Daniel Krebs an independent security researcher, hackers have started contending among themselves openly by providing DDoS (distributed denial-of-service) services that can help in causing websites to collapse. Signalnews reported this on August 2, 2011.

Apparently, several secret forums exist on which subscribers canvass their skills for carrying out devastating DDoS assaults in return for a payment.

Krebs writes that all services for distributed denial-of-service assault are priced an identical value, with the mean price charged for deactivating an Internet site astonishingly affordable. The prices for DDoS attack services are $5-$10 every hour; $40-$50 daily; $350 to $400 every week; and $1,200 and above every month. InfoSecurity published this on August 2, 2011.

Moreover, for their assaults, the hackers chiefly utilize botnets, while ignorant operators of computers remain unaware that they’ve gotten contaminated with malware as also being controlled remotely. A certain DDoS attackers’ gang canvasses a DIY (do-it-yourself) DDoS toolkit that explains how users can effortlessly assemble their own bot-infected PCs to create a network, which’s complete with an administration panel that’s Web-based to be utilized for remotely monitoring and regulating the compromised PCs i.e. the bots.

A particular Russian gang estimates that 15-30 bots are required for destabilizing small-sized websites, 250-280 for medium-sized ones and 750 to 800 for big websites. If the websites are still larger then 2,000 to 2,500 bots can cripple DDoS safeguards on them, while 15,000 to 20,000 bots can crash nearly all web-pages despite any number of security precautions on them.

Overall, services of DDoS attacks are available for sale pertaining to websites of the above sizes. These attacks are executed via botnets i.e. networks of malware-infected PCs. When contaminated, an average computer operator mayn’t be aware that his PC has been converted into a zombie under a hacker’s control and being used for a DDoS.

Krebs writes that one DDoS gangsters’ group, which has been around for no less than 3-years, has a DIY DDoS toolkit for sale, teaching how one can make his own network of bots, while the kit contains one bot builder along with an admin panel that’s web-based.

Nov 15 2010

DDOSIM – Layer 7 DDoS Simulator

ddosim is a tool that can be used in a laboratory environment to simulate a distributed denial of service (DDOS) attack against a target server. The test will show the capacity of the server to handle application specific DDOS attacks. ddosim simulates several zombie hosts (having random IP addresses) which create full TCP connections to the target server. After completing the connection, ddosim starts the conversation with the listening application (e.g. HTTP server).

ddosim is written in C++ and runs on Linux. Its current functionalities include:

  • HTTP DDoS with valid requests
  • HTTP DDoS with invalid requests (similar to a DC++ attack)
  • TCP connection flood on random port

In order to simulate such an attack in a lab environment we need to setup a network like this:


Download : ddosim-0.2.tar.gz

More Info :
1) DDOSIM at Sourceforge
2) Application Layer DDoS Simulator

Sep 13 2010

Security firm warns of commercial, on-demand DDoS botnet

IMDDOS, which is mainly based in China, has grown to become one of the largest active botnets.

The security firm Damballa is warning of a large and fast growing botnet created specifically to deliver distributed denial of service (DDoS) attacks on demand for anyone willing to pay for the service.

The IMDDOS botnet is operated out of China and has been growing at the rate of about 10,000 infected machines every day for the past several months, to become one the largest active botnets currently, Damballa says.

Gunter Ollman, vice president of research at Damballa, said that what makes IMDDOS significant is its openly commercial nature. The botnet’s operators have set up a public Web site potential attackers can use to subscribe for the DDoS service, and to launch attacks against targets.

The site offers various subscription plans and attack options, and provides tips on how the service can be used to launch effective DDoS attacks. It even provides customers with contact information for support and customer service.

Anyone with knowledge of Chinese can essentially subscribe to the service and use it to initiate DDoS attacks against targets of their choice, anywhere around the globe and with next to no effort, Ollman said.

Paid subscribers are provided with a unique alias and a secure access application which they download on to their systems. Users wishing to launch an attack use the application to log into a secure area on the Web site where they can list the hosts and servers they want to attack and submit their request.

The command and control-server behind the botent receives the target list and instructs the infected host machines, or botnet agents, to start launching DDoS attacks against the target site. “Depending on your level of subscription you will be provided a commensurate number of DDoS agents to use” in launching at attack, he said.

A vast majority of the infected machines that are part of the IMDDOS botnet are based on China, however, a significant number of infected machines in the U.S are part of it as well, Ollman said. Law enforcement authorities in the U.S. have been notified of the problem, he added.

The IMDDOS botnet provides another example of what many analysts say is the open and easy availability of sophisticated malware tools and services in China these days.

Source: ComputerWorld