Posts tagged: DoS Attack

Jun 27 2012

The Zemra Bot – New DDoS Attack Pack

A new Distributed Denial of Service (DDoS) crimeware bot known as “Zemra” has been detected by Symantec as Backdoor.Zemra. Lately, this threat has been observed performing denial-of-service attacks against organizations for the purpose of extortion. Zemra first appeared on underground forums in May 2012 at a cost of €100.

This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that it has a command-and-control panel hosted on a remote server. This allows the operator to issue commands to compromised computers, and it acts as the gateway that records the number of infections and the bots at the attacker’s disposal.

Similar to other crimeware kits, the functionality of Zemra is extensive:

  • “256-bit DES” encryption/decryption for communication between server and client (the kit’s own description; DES itself uses a 56-bit key, so the figure says nothing about actual strength)
  • DDoS attacks
  • Device monitoring
  • Download and execution of binary files
  • Installation, with a persistence check to ensure the infection survives
  • Propagation through USB
  • Self update
  • Self uninstall
  • System information collection

However, the main functionality is the ability to perform a DDoS attack on a remote target of the operator’s choosing.

Initially, when a computer becomes infected, Backdoor.Zemra dials home over HTTP (port 80) with a POST request carrying a hardware ID, the current user agent, a privilege indicator (administrator or not), and the OS version. The POST request is parsed by gate.php on the C&C server, which splits out the fields and stores them in an SQL database. The panel then keeps track of which compromised computers are online and ready to receive commands.

Inspection of the leaked code allowed us to identify two types of DDoS attacks that have been implemented into this bot:

  • HTTP flood
  • SYN flood
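Neither attack type is exotic on the wire, which is what makes them detectable at the target. The following is an added example, not code from the Zemra kit or from Symantec’s analysis: a small Python detector that flags a SYN flood two ways (per-source SYN rate, which catches a bot that does not spoof its address, and per-destination half-open ratio, which also catches spoofed sources) and an HTTP flood by per-source request rate. The event tuples, thresholds and sample traffic are constructed for illustration and are assumptions, not indicators taken from the bot.

```python
"""Toy detector for the two DDoS modes Zemra implements: SYN flood and HTTP flood.

Added example; not code from the Zemra kit or from Symantec. The event
format, the thresholds and the sample traffic below are assumptions chosen
for illustration, not indicators taken from the bot.
"""
from collections import defaultdict

WINDOW = 10.0                    # seconds per counting bucket (assumed)
SYN_RATE_THRESHOLD = 200         # SYNs per bucket before a source/dest is suspect (assumed)
HALF_OPEN_RATIO_THRESHOLD = 0.8  # fraction of SYNs that never complete (assumed)
HTTP_RATE_THRESHOLD = 100        # requests per bucket from one source (assumed)


def _bucket(ts, window=WINDOW):
    """Start time of the fixed window that contains timestamp ts."""
    return int(ts // window) * window


def detect_syn_flood(packets, window=WINDOW):
    """packets: iterable of (ts, src, dst, kind), kind in {"SYN", "ESTABLISHED"},
    where ESTABLISHED means the three-way handshake completed (as a connection
    tracker would report it).

    Returns (by_source, by_destination):
      by_source      - (bucket, src) pairs sending too many SYNs; catches bots
                       that use their real address.
      by_destination - (bucket, dst) pairs receiving many SYNs of which most
                       never complete; catches spoofed sources as well.
    """
    syn_by_src = defaultdict(int)
    syn_by_dst = defaultdict(int)
    done_by_dst = defaultdict(int)
    for ts, src, dst, kind in packets:
        b = _bucket(ts, window)
        if kind == "SYN":
            syn_by_src[(b, src)] += 1
            syn_by_dst[(b, dst)] += 1
        elif kind == "ESTABLISHED":
            done_by_dst[(b, dst)] += 1

    by_source = sorted(k for k, n in syn_by_src.items() if n >= SYN_RATE_THRESHOLD)
    by_destination = []
    for key, syns in syn_by_dst.items():
        half_open = syns - done_by_dst.get(key, 0)
        if syns >= SYN_RATE_THRESHOLD and half_open / syns >= HALF_OPEN_RATIO_THRESHOLD:
            by_destination.append(key)
    return by_source, sorted(by_destination)


def detect_http_flood(requests, window=WINDOW):
    """requests: iterable of (ts, src, method, path). Returns the (bucket, src)
    pairs whose request count reaches HTTP_RATE_THRESHOLD."""
    counts = defaultdict(int)
    for ts, src, _method, _path in requests:
        counts[(_bucket(ts, window), src)] += 1
    return sorted(k for k, n in counts.items() if n >= HTTP_RATE_THRESHOLD)


def sample_packets():
    """Constructed traffic: 20 legitimate clients, one non-spoofing bot, and
    250 spoofed sources hitting a second server."""
    pkts = []
    for i in range(20):   # legitimate handshakes that complete
        pkts.append((0.5 + i * 0.1, f"198.51.100.{i}", "203.0.113.10", "SYN"))
        pkts.append((0.6 + i * 0.1, f"198.51.100.{i}", "203.0.113.10", "ESTABLISHED"))
    for i in range(300):  # one bot, real address, nothing completes
        pkts.append((1.0 + i * 0.02, "192.0.2.7", "203.0.113.10", "SYN"))
    for i in range(250):  # spoofed sources, one SYN each, nothing completes
        pkts.append((2.0 + i * 0.02, f"10.{i // 256}.{i % 256}.1", "203.0.113.20", "SYN"))
    return pkts


def sample_requests():
    """Constructed web traffic: a few normal requests and one hammering source."""
    reqs = [(0.3 + i * 0.5, "198.51.100.1", "GET", f"/page/{i}") for i in range(5)]
    reqs += [(1.0 + i * 0.05, "192.0.2.7", "GET", "/") for i in range(150)]
    return reqs


if __name__ == "__main__":
    by_src, by_dst = detect_syn_flood(sample_packets())
    print("SYN flood sources:", by_src)
    print("SYN flood targets (half-open ratio):", by_dst)
    print("HTTP flood sources:", detect_http_flood(sample_requests()))
```

The per-source counter is enough for a bot like this one, which runs on an infected desktop and sends from its real address; the half-open ratio per destination is the check to keep for floods that spoof. Thresholds here are placeholders and should be set from a baseline of normal traffic for the server in question.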

Symantec added detection for this threat under the name Backdoor.Zemra, active since June 25, 2012. To reduce the chance of infection by this Trojan, Symantec advises users to ensure they are running the latest Symantec protection technologies with current antivirus definitions installed.

Oct 24 2011

THC SSL DOS Tool Released

THC-SSL-DOS is a tool to verify the performance of SSL.

Establishing a secure SSL connection requires roughly 15x more processing power on the server than on the client (the exact ratio depends on key size and key-exchange algorithm, but the server’s private-key operation dominates the cost).

THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.

This problem affects all SSL implementations today. Vendors have been aware of it since 2003 and the topic has been widely discussed.

The attack further exploits the SSL secure renegotiation feature to trigger thousands of renegotiations over a single TCP connection.

Download:
Windows binary : thc-ssl-dos-1.4-win-bin.zip
Unix Source : thc-ssl-dos-1.4.tar.gz

Use “./configure; make all install” to build.

Usage:
./thc-ssl-dos 127.3.133.7 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err

Comparing Flood DDoS vs. SSL-Exhaustion Attack:
A traditional flood DDoS attack cannot be mounted from a single DSL connection, because the server’s bandwidth far exceeds that of a DSL line: a DSL connection is no match for a server’s bandwidth.

This is turned upside down for THC-SSL-DOS: the processing cost of an SSL handshake falls far more heavily on the server than on the client, so a laptop on a DSL connection can challenge a server on a 30 Gbit link.

Traditional flooding DDoS attacks are suboptimal: servers are built to handle large amounts of traffic, and clients constantly send requests to the server even when it is not under attack.

The SSL handshake is performed only at the beginning of a secure session, and only when security is required. Servers are _not_ prepared to handle large numbers of SSL handshakes.

The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).

Tips & Tricks for WhiteHats:
– The average server can do about 300 handshakes per second. Saturating that takes 10-25% of a laptop’s CPU.
– Use multiple hosts (SSL-DDoS) if an SSL accelerator is in use.
– Be smart in target acquisition: the HTTPS port (443) is not always the best choice. Other SSL-enabled ports (POP3S, SMTPS, the secure database port, …) are less likely to sit behind an SSL accelerator.

Countermeasures:
No real solution exists. The following steps mitigate (but do not solve) the problem:
– Disable SSL renegotiation
– Invest in an SSL accelerator

Either countermeasure can be circumvented by modifying THC-SSL-DOS. A better solution is desirable. Somebody should fix this.
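What the tool’s counters show, a hundred or so connections each completing handshake after handshake, is also the signal a defender can act on. The following is an added example, not THC’s code and not any server’s implementation: the policy logic of a renegotiation budget per TCP connection plus a full-handshake rate limit per source IP, run over a constructed event stream modelled on the usage output above (about 100 connections sustaining roughly 80 handshakes per second in total). The event format, the limits and the sample stream are assumptions; wiring the policy into a real TLS stack is not shown.

```python
"""Renegotiation budget per TCP connection plus handshake rate limit per source.

Added example: not THC's code and not any server's implementation. The event
format, the limits and the sample stream are assumptions for illustration;
hooking this policy into a real TLS stack is out of scope here.
"""
from collections import defaultdict, deque

WINDOW = 60.0                 # seconds of history kept per key (assumed)
MAX_RENEG_PER_CONN = 5        # renegotiations one connection may do per window (assumed)
MAX_HANDSHAKES_PER_SRC = 60   # full handshakes one source IP may do per window (assumed)


def _count_in_window(history, ts, window):
    """Record ts in a deque of timestamps, discard entries older than the
    window, and return the count that remains (including ts)."""
    history.append(ts)
    while history and history[0] < ts - window:
        history.popleft()
    return len(history)


def evaluate(events, window=WINDOW, max_reneg=MAX_RENEG_PER_CONN,
             max_handshakes=MAX_HANDSHAKES_PER_SRC):
    """events: iterable of (ts, src_ip, conn_id, kind), kind in
    {"handshake", "renegotiate"}; processed in timestamp order.

    Returns (dropped_connections, blocked_sources):
      dropped_connections - conn_ids whose renegotiation budget ran out, in
                            order; later events on them are ignored.
      blocked_sources     - source IPs that exceeded the handshake rate; their
                            later handshakes are refused, so connections they
                            never got to establish cannot renegotiate either.
    """
    reneg_hist = defaultdict(deque)
    hs_hist = defaultdict(deque)
    established, dropped_set, blocked_set = set(), set(), set()
    dropped, blocked = [], []
    for ts, src, conn, kind in sorted(events, key=lambda e: e[0]):
        if conn in dropped_set:
            continue
        if kind == "handshake":
            if src not in blocked_set and \
                    _count_in_window(hs_hist[src], ts, window) > max_handshakes:
                blocked.append(src)
                blocked_set.add(src)
            if src in blocked_set:
                continue                      # handshake refused
            established.add(conn)
        elif kind == "renegotiate":
            if conn not in established:
                continue                      # no such connection to renegotiate on
            if _count_in_window(reneg_hist[conn], ts, window) > max_reneg:
                dropped.append(conn)
                dropped_set.add(conn)
                established.discard(conn)
    return dropped, blocked


def sample_events():
    """Constructed stream: one legitimate client renegotiating twice, and one
    attacking host that opens 100 connections within a second and then
    renegotiates on each every 1.25 s, i.e. about 80 handshakes/s in total."""
    ev = [(0.5, "203.0.113.5", "legit-1", "handshake"),
          (20.0, "203.0.113.5", "legit-1", "renegotiate"),
          (40.0, "203.0.113.5", "legit-1", "renegotiate")]
    for i in range(100):
        t0 = i * 0.01
        ev.append((t0, "192.0.2.7", f"atk-{i}", "handshake"))
        ev += [(t0 + k * 1.25, "192.0.2.7", f"atk-{i}", "renegotiate") for k in range(1, 49)]
    return ev


if __name__ == "__main__":
    dropped, blocked = evaluate(sample_events())
    print(f"dropped {len(dropped)} connections, first: {dropped[:3]}")
    print("blocked sources:", blocked)
```

On the sample stream the attacker gets 60 connections established before its 61st handshake trips the per-source limit, and each of those 60 is dropped at its sixth renegotiation, while the legitimate client is untouched. To check a server by hand, `openssl s_client -connect host:443` reports whether the RFC 5746 secure renegotiation extension is in use, and typing `R` on a line by itself in the established session requests a client-initiated renegotiation; a server that has disabled it refuses or closes the connection. As the post says, none of this helps against the distributed variant, where every client stays under both limits.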

Aug 29 2011

Using Google Servers as a DDoS Tool

Google’s servers can be used by cyber attackers to launch DDoS attacks, claims Simone “R00T_ATI” Quatrini, a penetration tester for Italian security consulting firm AIR Sicurezza.

Google Servers

Quatrini discovered that two vulnerable pages – /_/sharebox/linkpreview/ and gadgets/proxy? – can be made to request a file of any type, which Google+ will download and display, even if the attacker isn’t logged into Google+.

By making many such requests simultaneously – which he did with a shell script he wrote – he effectively used Google’s bandwidth to mount a small DDoS attack against a server he owns.

He points out that his home bandwidth cannot exceed 6 Mbps, while routing the requests through Google’s servers produced an output bandwidth of at least 91 Mbps.

“The advantage of using Google and making requests through their servers is to be even more anonymous when you attack some site (TOR + this method); the funny thing is that Apache will log Google IPs,” says Quatrini. “But beware: gadgets/proxy? will send your IP to the Apache log; if you want to attack, you’ll need to use /_/sharebox/linkpreview/.”

He says he discovered the flaws that allow the attack on August 10 and contacted Google’s security center about them. After 19 days without a reply from Google, he published his findings.

Aug 13 2011

DDoS and Hacking Services for Sale

According to Daniel Krebs, an independent security researcher, hackers have begun openly competing with one another by offering DDoS (distributed denial-of-service) services that can take websites down. Signalnews reported this on August 2, 2011.

Apparently, several underground forums exist on which members advertise their skills at carrying out devastating DDoS attacks in return for payment.

Krebs writes that DDoS services are priced fairly uniformly, and that the average price for taking a website offline is surprisingly affordable: $5-$10 per hour; $40-$50 per day; $350-$400 per week; and $1,200 and up per month. InfoSecurity published this on August 2, 2011.

For their attacks the hackers mainly use botnets, networks of malware-infected PCs whose owners are unaware that their machines have been compromised and are being controlled remotely. One DDoS gang, which has been around for at least three years, advertises a DIY (do-it-yourself) DDoS toolkit that explains how a buyer can assemble his own botnet; the kit includes a bot builder and a web-based administration panel for remotely monitoring and controlling the compromised PCs, i.e. the bots.

A particular Russian gang estimates that 15-30 bots are enough to destabilize a small website, 250-280 for a medium-sized one and 750-800 for a large one. For still larger sites, 2,000-2,500 bots can overwhelm DDoS defenses, and 15,000-20,000 bots can take down nearly any site regardless of the protections in place.

Overall, DDoS services are on sale for websites of each of these sizes.

Apr 27 2011

How the PlayStation Network was Hacked?

After seven days of speculation-ridden downtime, Sony has finally announced that the PlayStation Network (PSN) outage was due to a massive hack that exposed the names, birthdays, email addresses, passwords, security questions, and possibly credit card details, of all PSN users.

At first, the most likely explanation for the PSN’s downtime was a continuation of Anonymous’s DDoS reprisal for Sony’s persecution of PlayStation 3 jailbreaker George Hotz (geohot). Then, as the outage extended past a few days and Sony announced that it was “rebuilding” its network due to an “external intrusion,” it became apparent that this was much more than a simple brute-force denial of service attack. Today’s announcement by Sony confirms that the PlayStation Network’s security mechanisms were fully circumvented, and that at least one of its most sensitive databases was breached and accessed sometime between April 17 and 19.

How was the PlayStation Network hacked, though? Ironically, for security reasons, and because Sony is historically very tight-lipped on such matters, we will probably never know the exact attack vector, but we can make some educated guesses. First, given its proximity to Anonymous’s recent attacks, it is plausible that the database breach is related: Anonymous could have learned of a weakness in the PSN’s security mechanisms and passed it on to another group of hackers, and from there, if the hole was big enough, the attackers might have walked straight in with something as routine as an SQL injection attack. That is conjecture; nothing Sony has said confirms the vector.

Moving forward, there’s no indication of when the PlayStation Network will return. Sony has warned its users to look out for mail or telephone scams, and to place a “fraud alert” with credit bureaus such as Experian and Equifax, which requires lenders to verify your identity before opening new credit in your name (it does not block charges on an existing card, so also watch your statements and consider having the card reissued). If you’re a PlayStation Network user, check the PlayStation Blog for more information.

As we move toward a lifestyle dominated by cloud-based services like Gmail, Steam, Xbox Live, and Netflix, these attacks will become more and more commonplace. It is enormously convenient to have all your data in one place, accessible from any net-connected computer, but by the same token these services are the juiciest imaginable targets. A large database of email addresses is worth millions if sold to a spam baron.