This blog has been wasting bandwidth on WordPress.com for three years now, imagine that.
Archive for the Daily Rant Category
Yet another update regarding the ongoing Georgian cyber attacks. For those that don’t realize the significance of this, some botherders and do-it-yourself hacktivists have pretty much succeeded in taking most of Georgia’s government news outlets offline. Most of the gov.ge sites have now regrouped on the Blogspot platform, but some are residing on other providers.
I have been following this very closely and working with others to get a better picture of what is happening. The results of those efforts are being updated over at the Shadowserver news wiki but I’ll repost it below for your convenience.
Here is the latest update:
Georgia and Estonia Have Something New in Common
Since last Friday (August 8, 2008) a large number of Georgian websites, both government and non-government alike, have come under attack. There has been a lot of speculation about whether or not foreign governments were involved in the attacks or if it is just the work of outraged citizens taking the action on their own. While no one could really say for sure who was behind the attacks, one thing was clear–the attacks were having a devastating impact on their targets. Even at this very moment, several Georgian websites are still unreachable.
We have been seeing constant distributed denial of service (DDoS) attacks against Georgian websites from various command and control (C&C) servers since last Friday. In fact, they are still ongoing. However, we have not observed any attacks against several of the different websites that are currently offline. While we of course do not have insight into all DDoS attacks, we were still surprised to see these sites offline and not have observed any traffic destined for them. We were not really sure why this was until today.
Additional Attack Information
Shadowserver has received reliable information that one of the Georgian government websites was being attacked by dozens of Russian computers from several different ISPs throughout the country, covering both dialup and broadband users. The traffic destined for the website is overwhelmingly ICMP traffic. Did we dare say Russian? Yes we did; however, let’s be clear here: we are not pointing fingers and we are absolutely not implicating any government involvement (there is no reason to suspect this).
What does it mean though? Lots of Russian hosts and lots of ICMP traffic. Could this be a botnet that instructed all of its hosts to send an ICMP flood to the destination? Possibly. However, botnets are usually widely dispersed across several geographic locations. Why on earth would we see such an overwhelming number of Russian hosts?
Is it possible the same thing that happened to Estonia is happening to Georgia? To put it quite simply, the answer is yes.
The Grass Roots Effect
Lots of ICMP traffic and Russian hosts sounds a lot more like users firing off the ‘ping’ command and a lot less like some evil government controlled botnet. It did not take us long to find out what is going on. Much like in the attacks against Estonia, several Russian blogs, forums, and websites are spreading a Microsoft Windows batch script that is designed to attack Georgian websites. Basically people are taking matters into their own hands and asking others to join in by continually sending ICMP traffic via the ‘ping’ command to several Georgian websites, of which the vast majority are government.
The following text is a redacted version of the script being posted:
@echo Call this file (MSK) 18:00, 20:00
@echo Thanks for support of South Ossetia! Please, transfer this file to the friends!
We have removed the actual commands and parameters of the script to avoid being a distribution point for it. However, you can see the raw list of targets that are being spread across the websites. This script has been posted on several websites and is even being hosted as “war.rar” which contains “war.bat” within it on one site. It would appear that these cyber attacks have certainly moved into the hands of the average computer using citizen.
It appears evident that the average user is now getting involved and helping to attack Georgian websites. We do not know the size of the attack, but with many most likely sympathetic and the message spreading from blog to blog and forum to forum, it might not slow down anytime soon. Whether it is through the use of a botnet or a personal machine, it is quite clear what kind of effect these attacks can have on an infrastructure that is unable to fend them off. We will continue to monitor the situation and report back any developments we observe.
Cross Posted at The Jawa Report.
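The update above reasons from two observations, a large number of distinct sources and a heavy concentration of those sources in one region, to the conclusion that people are running ‘ping’ by hand rather than a dispersed botnet doing the work. The following is an added example, not code from Shadowserver or from this blog, showing how that reasoning looks as detection logic over flow records. The flow records, the target address (RFC 5737 documentation space), the window and thresholds, and the use of /24 prefix concentration as a stand-in for geography are all constructed assumptions; a real deployment would join sources against ASN or GeoIP data instead.

```python
"""Detect a distributed ICMP echo flood from flow records and measure how
concentrated its sources are. Added example with constructed data."""
from collections import Counter, defaultdict
from ipaddress import ip_network

T0 = 1218399960          # 2008-08-10 20:26:00 UTC, aligned to a 60 s window (constructed)
TARGET = "203.0.113.10"  # stand-in for an attacked site (RFC 5737 documentation range)


def build_sample_flows():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip, proto, icmp_type_or_None)."""
    flows = []
    # 40 hosts in one access network and 20 in another each send 20 echo requests
    # within one minute: the shape you get from many users running 'ping' by hand.
    for i in range(40):
        for k in range(20):
            flows.append((T0 + (k * 3) % 60, f"192.0.2.{i + 1}", TARGET, "icmp", 8))
    for i in range(20):
        for k in range(20):
            flows.append((T0 + (k * 3) % 60, f"198.51.100.{i + 1}", TARGET, "icmp", 8))
    # Background that must not alert: pings to another host, their echo replies,
    # and ordinary TCP flows to the target.
    for k in range(5):
        flows.append((T0 + k, "10.0.0.5", "203.0.113.20", "icmp", 8))
        flows.append((T0 + k, "203.0.113.20", "10.0.0.5", "icmp", 0))
        flows.append((T0 + k, f"10.0.1.{k + 1}", TARGET, "tcp", None))
    # A quiet later window: five hosts pinging the target once each.
    for k in range(5):
        flows.append((T0 + 120 + k, f"192.0.2.{k + 1}", TARGET, "icmp", 8))
    return flows


def detect_icmp_floods(flows, window=60, min_sources=25, min_packets=500, prefix_len=24):
    """One alert per (dst, window) in which ICMP echo requests arrive from at least
    min_sources distinct hosts and total at least min_packets. Thresholds are
    assumptions and need tuning per site."""
    per_window = defaultdict(Counter)  # (dst, window_start) -> Counter(src -> packets)
    for ts, src, dst, proto, icmp_type in flows:
        if proto != "icmp" or icmp_type != 8:  # echo requests only; replies are not the flood
            continue
        per_window[(dst, ts - ts % window)][src] += 1

    alerts = []
    for (dst, wstart), per_src in sorted(per_window.items(), key=lambda kv: kv[0]):
        total = sum(per_src.values())
        if len(per_src) < min_sources or total < min_packets:
            continue
        prefixes = Counter(str(ip_network(f"{s}/{prefix_len}", strict=False)) for s in per_src)
        top_prefix, top_count = prefixes.most_common(1)[0]
        alerts.append({
            "dst": dst,
            "window_start": wstart,
            "packets": total,
            "sources": len(per_src),
            "top_prefix": top_prefix,
            # Share of distinct sources inside the single most common prefix: a cheap
            # proxy for the regional concentration the post describes.
            "concentration": top_count / len(per_src),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_icmp_floods(build_sample_flows()):
        print(alert)
```

A high source count with a high concentration value is the signature the post is describing; a botnet of comparable size would normally spread its sources across many prefixes and regions, driving the concentration figure down even when the packet and source counts look the same.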
I posted about the ongoing attacks against Georgian resources on August 11th. Since that time a lot of the media have been getting on the “let’s blame the Russian Business Network and Russian Government” bandwagon without really putting things into context. I mentioned the RBN in the original post as an unverified point of interest (RBN is worth reading up on whether involved in this or not).
To clarify a few points Shadowserver’s “Mike Johnson” has updated the wiki with a post titled “Georgian Websites Under Attack – Don’t Believe the Hype“. It warrants reading as it lays out a bit more historical information on the botnets involved.
An excerpt from that post is below.
We have been tracking these servers for a while now, some for a year or more (and before you ask, yes we’ve tried to get them shut down, but with little co-operation), so we know their history. We have seen many different DDoS attacks from these particular C&C servers, but there doesn’t seem to be any rhyme or reason to it. What does seem apparent is that the targeted sites don’t strike me as being something a government would go after. Without listing the actual targets, they fall into the following broad categories:
* Adult video websites
* Prostitution websites
* White supremacy websites
* Carder websites (sites that trade in stolen credit card numbers)
* Online gambling websites
* Virtual currency websites (think PayPal, but not nearly that legitimate)
* Russian news websites
* Random Russian websites
* Many other websites
The DDoS attacks appear to be ongoing as of this morning (13 August 2008), and it is of note that the botnets involved continue to simultaneously attack other websites that do not belong to the Republic of Georgia.
Update: For more context see Popular Mechanics interview with RBNexploit’s Jart Armin.
Cross Posted at The Jawa Report
The Georgian Republic’s Parliament website has been defaced as well:
parliament.ge now shows:
Original post continues below:
Some of the Internet resources of the Georgian government have been the targets of fairly steady DDoS attacks since early July of 2008. The website of the President of Georgia has been hit fairly heavily over the last few days and is currently going offline intermittently as it is overwhelmed by the attack (it was up this morning but has been down for several hours now).
The Threat Expert Blog had an article about similar attacks on president.gov.ge back on 20 July 2008. In that article they credited Steven Adair for the information regarding the botnet involved in the attack; likewise Steven gets credit for bringing the ongoing attacks to my attention this morning. Steven’s latest post on this issue can be found at the Shadowserver website later today; I’ll update the link as that info becomes available.
True to form, there appears to have been a cooperative effort between the cyber attacks and the military attacks on the ground in Georgia. Whether the attacks are the work of the Russian government or of those sympathetic to its cause remains to be seen. Estonia recently suffered a similar fate, minus the actual physical invasion.
Here’s a sample of what we’re seeing regarding the attacks on Georgian resources, on and off, since mid July (source IPs removed):
2008-07-20 15:15:14 220.127.116.11 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 15:15:12 18.104.22.168 president.gov.ge flood tcp http://www.president.gov.ge
2008-07-20 15:15:08 22.214.171.124 president.gov.ge flood http http://www.president.gov.ge
2008-07-20 14:14:23 126.96.36.199 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 14:14:20 188.8.131.52 president.gov.ge flood tcp http://www.president.gov.ge
2008-07-20 14:14:17 184.108.40.206 president.gov.ge flood http http://www.president.gov.ge
2008-07-20 13:13:33 220.127.116.11 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 13:13:32 18.104.22.168 president.gov.ge flood tcp http://www.president.gov.ge
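The records above are most useful when read as waves rather than individual lines: the same target is hit with ICMP, TCP and HTTP floods within a few seconds of each other, roughly once an hour. The following is an added example, not code from this blog or from Shadowserver, that parses records in that format and groups them into waves per target. It takes the columns as date, time, commanding host, target host, action, flood type and URL; that column layout, the reading of the third column as the commanding host (the post says source addresses were removed), and the 60-second gap used to split waves are all assumptions made here.

```python
"""Parse DDoS command records in the format quoted above and group them into
attack waves. Added example; column meanings are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlsplit

# The eight records quoted in the post, copied verbatim.
SAMPLE_RECORDS = """\
2008-07-20 15:15:14 220.127.116.11 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 15:15:12 18.104.22.168 president.gov.ge flood tcp http://www.president.gov.ge
2008-07-20 15:15:08 22.214.171.124 president.gov.ge flood http http://www.president.gov.ge
2008-07-20 14:14:23 126.96.36.199 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 14:14:20 188.8.131.52 president.gov.ge flood tcp http://www.president.gov.ge
2008-07-20 14:14:17 184.108.40.206 president.gov.ge flood http http://www.president.gov.ge
2008-07-20 13:13:33 220.127.116.11 president.gov.ge flood icmp http://www.president.gov.ge
2008-07-20 13:13:32 18.104.22.168 president.gov.ge flood tcp http://www.president.gov.ge
"""

# date time controller target action vector url  (assumed layout)
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (\w+) (\w+) (\S+)$"
)


@dataclass
class Command:
    ts: datetime
    controller: str
    target: str
    action: str
    vector: str
    url: str


def parse_records(text):
    """Parse one record per line; fail loudly on a line that does not match."""
    commands = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised record: {line!r}")
        ts, controller, target, action, vector, url = m.groups()
        commands.append(Command(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                controller, target, action.lower(), vector.lower(), url))
    return commands


@dataclass
class Wave:
    target: str
    start: datetime
    end: datetime
    controllers: set = field(default_factory=set)
    vectors: set = field(default_factory=set)
    commands: int = 0


def group_waves(commands, gap_seconds=60):
    """Split each target's commands into waves wherever the gap exceeds gap_seconds."""
    by_target = defaultdict(list)
    for c in commands:
        by_target[c.target].append(c)
    waves = []
    for target, cmds in by_target.items():
        current = None
        for c in sorted(cmds, key=lambda c: c.ts):
            if current is None or (c.ts - current.end).total_seconds() > gap_seconds:
                current = Wave(target, c.ts, c.ts)
                waves.append(current)
            current.end = c.ts
            current.controllers.add(c.controller)
            current.vectors.add(c.vector)
            current.commands += 1
    return sorted(waves, key=lambda w: w.start)


def url_host_mismatches(commands):
    """Commands whose URL host (minus 'www.') differs from the target column."""
    strip = lambda h: h[4:] if h.startswith("www.") else h
    return [c for c in commands
            if strip(urlsplit(c.url).hostname or "") != strip(c.target)]


if __name__ == "__main__":
    for w in group_waves(parse_records(SAMPLE_RECORDS)):
        print(f"{w.target} {w.start:%H:%M:%S}-{w.end:%H:%M:%S} "
              f"{w.commands} cmds, {len(w.controllers)} controllers, "
              f"vectors={sorted(w.vectors)}")
```

Run on the quoted records this yields three waves against president.gov.ge, at 13:13, 14:14 and 15:15, each launched by distinct controllers using two or three flood types at once; the regular spacing and the reuse of the same controllers across waves are what make the activity look scheduled rather than opportunistic.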
The RBNExploit blog claims that Internet routing for the Georgian Internet resources may have been under attack in an effort to stop proper routing to those services. The RBNExploit blog claims the Russian Business Network is involved; I can’t verify that claim, but if you don’t know what the RBN is you need to go find out. RBN is responsible for quite a bit of the nastiness on the Internet as far as cyber crime and fraud goes.
Additionally, the Georgian Office of Foreign Ministry was also defaced with images likening the Georgian President to Hitler, details are available at Interfax.
This article was cross posted at The Jawa Report.
Someone over at YouTube created a video with the Clutch song “Basket of Eggs” and excerpts from Ralph Bakshi’s 1977 animated film “Wizards“. Wizards is a cult classic and a must see for any animation fan. I think the two go together very nicely. If you haven’t seen Wizards, the entire film is available on YouTube in several parts.
Going to change up the look and feel of the blog a bit and get some information posted regarding my current projects.
While you wait on the updates feel free to enjoy some Clutch.
On January 31st this blog will be two years old, far older than I expected it ever would be.
I originally created this blog as a place for my “stuff”, mainly links to other sites that I wanted handy and a place to post a bit on IT Security stuff. Stuff I’ve posted here has helped solve technical problems for people that really needed it, I find that very rewarding as giving the advice really didn’t cost me anything at all but time. This blog has always been a casual effort for me, I have no advertisements or sponsors and no effort to make money or gain “fame”. That “crazy blog money” is harder to get than people think and it was never something I was going for. I really appreciate the people who link this site and throw some traffic my way and I’ve always tried to return the favor if I can.
I’ve met a few other bloggers, made a few friends along the way and have actually contributed in a published article or two. The now closed “Clarity & Resolve” was always an inspiration, I owe a thanks to Rusty, Howie and crew from TJR, Aaron at Internet Haganah, Velvet Hammer, Muslihuun, Bugs-n-Gas Gal, 3 Nails Ministries and many many more that I can’t possibly list here. Sorry if I missed you but I don’t want this to be a post full of hyperlinks, I’m sure everyone will understand. Rusty actually gave me an invite to guest blog at Jawa so you may see me pop up over there pretty soon (hey I need to post somewhere).
Now then, you’ve probably noticed that I tend to focus on cyber-crime, security and cyber-terrorism here. What you didn’t know is that I’ve always done other research behind the scenes on these same topics. Because of my training, personal interests and career path, security research is only natural for me (I’m a security geek, what can I say). Unfortunately most of this is not stuff people talk about “publicly” that often due to the sensitivity of it all (full disclosure notwithstanding). I was privileged enough to have received an invitation, a year or so ago, to do research with The Shadowserver Foundation; this is truly where the “dark arts” are studied and I consider myself very lucky to be able to work with that team of people. Some of my research over there is really starting to take off and I’m very pleased with that and really look forward to watching those efforts develop.
Additionally, I’ve recently made an upward career move and with that comes more responsibility, literally a 24 hour commitment (such is the way of IT staff). My beautiful wife and I are also expecting our second child in a couple of months, which brings a set of challenges all its own (those of you with children know what I’m getting at here).
That being said, all this blogging and research takes time, lots of time, which I don’t currently have any of, so something has to give. That something is going to be the updating of The Black Flag, I’ll still be around and will always be available by email but updated posts here are going to be a lot less frequent. I have to make a sacrifice somewhere and this is going to be it, my “real life” and my research will continue on. Oh, I’ll still hit this site every day and clean up the comment spam but that’s about it for the next few months until things settle down again.
I check email daily, so if you really need to get me that’s the best way.
It is what it is, thanks for stopping by.