Monthly Archives: February 2015

Black hole routing: Not a silver bullet for DDoS protection

As ISPs, hosting providers and online enterprises around the world continue suffering the effects of DDoS attacks, often the discussions that follow are, “What is the best way to defend our networks a…

Read this article:
Black hole routing: Not a silver bullet for DDoS protection

DDoS Exploit Targets Open Source Rejetto HFS

Apparently no vulnerability is too small, no application too obscure, to escape a hacker’s notice. A honeypot run by Trustwave’s SpiderLabs research team recently snared an automated attack targeting users of the open source Rejetto HTTP File Server (Rejetto HFS). Someone was trying to exploit a vulnerability—which has since been patched—and install the well-known distributed denial-of-service tool IptabLes (unrelated to the Linux tool), also known as IptabLex. Rejetto HFS has been downloaded more than 24,000 times in the last seven days and according to the project’s website has an estimated 12,500 users and is used as a file-sharing application as well as a webserver. It also runs on Wine, the Windows emulator for Linux systems. “This is just one snapshot, one request. This is one example to extrapolate and take a higher level view; there’s likely a lot more activity out there,” said Ryan Barnett, SpiderLabs lead researcher. It’s likely the attackers have simply incorporated this exploit into a larger attack platform, Barnett said. “That’s the value of honeypots, spotting automated tools scanning the Internet shot-gunning exploits, and hoping it works,” Barnett said. The exploit, sent from a possible compromised IP address in China, was targeting CVE-2014-6287, a remote code execution bug in Rejetto. Specifically, the vulnerability affects Rejetto versions prior to 2.3c; the vulnerability is in the findMacroMarker function. Barnett said the exploit relies on a null byte character to trigger the attack code, which is written in Microsoft VBScript. Once the exploit executes, it tries to connect to a pair of IP addresses hosted in Paris (123[.]108.109.100 and 178[.]33.196.164) on three ports: 80 (HTTP); 53 (DNS); and 443 (HTTPS). Barnett said only 178[.]33.196.164 remains online and is a malware repository responding to XML HTTP Requests (XHR) from the exploit. The exploit tries to infect Rejetto users with the IptabLes DDoS tool. via @Threatpost Tweet A file called getsetup.exe is sent to the compromised server along with another executable, ko.exe, which drops IptabLes. Barnett said detection rates are high for the hash of getsetup.exe. IptabLes is a troublesome DDoS tool, capable of synflood and DNSflood attacks. It installs itself into boot for persistence, according to the SpiderLabs research, which added that IptabLes has been widely reported targeting Linux and Unix servers. The vulnerability being targeted was submitted last September. “It’s not very sophisticated, and a lot of times these types of attacks don’t have to be,” Barnett said. “These guys are concerned with scale because they’re running botnets. What makes botnets so nice to the criminals running them is that they don’t care to be stealthy. They can send attacks blindly, and if they’re shut down, they just move on.” Source: http://threatpost.com/ddos-exploit-targets-open-source-rejetto-hfs/111286

Originally posted here:
DDoS Exploit Targets Open Source Rejetto HFS

Companies expects others to protect them against DDoS attacks

One in five businesses surveyed believe that their online services should be protected against DDoS attacks by their IT service providers (in particular, network providers). However, this responsibili…

More:
Companies expects others to protect them against DDoS attacks

New York City hit with DDoS attacks, government email service knocked out

Unknown hackers knock out New York City governments email system For whole of last week and uptil Monday, unknown hackers had knocked of New York City government’s emailing system. The attack was pretty ferocious according to a City Hall source who said that the “universal” denial of service attack had now been contained but there was still “ongoing malicious activity” as recently as Monday. Almost all government agencies in New York City were unable to send or receive messages for the past week due to this attack. Some agencies such as the Department of Transportation set up temporary Gmail accounts to send and receive emails. Sources said that inbound and outbound emails were affected while intra-agency emails were not affected by the attack Speaking about the DDoS attack, Jackie Albano, a spokeswoman for the city’s Department of Information Technology and Telecommunications, said that the attack which started last Tuesday, had been resolved last week. He  also added that the efforts taken to mitigate the attack may have slowed the email servers resulting in slowed emails. It is not known whether New York City government websites were under DDoS attack or were hacked because Albano added that no sensitive information or data was compromised during the attack. He however said that this was a “big attack” but downplayed its impact on New York City government services. “It is a big deal but….it’s like a lot of mosquitoes buzzing around you,” said Albano. “The nature of the attack is only designed to interfere with service, not to steal or access any private information. It’s designed to slow down email. On the scale of cyber incidences it’s kind of low.” Albano said that MSISAC, New York Police Department and FBI were all investigating the incident and it is still not clear who initiated the attack of why. Source: http://www.techworm.net/2015/02/new-york-city-hit-with-ddos-attacks-government-email-service-knocked-out.html

More here:
New York City hit with DDoS attacks, government email service knocked out

New DDoS attack and tools use Google Maps plugin as proxy

Attackers are using Joomla servers with a vulnerable Google Maps plugin installed as a platform for launching DDoS attacks. A known vulnerability in a Google Maps plugin for Joomla allows the plugi…

More:
New DDoS attack and tools use Google Maps plugin as proxy

3 million strong RAMNIT botnet taken down

The National Crime Agency’s National Cyber Crime Unit (NCCU) worked with law enforcement colleagues in the Netherlands, Italy and Germany, co-ordinated through Europol’s European Cybercrime Centre (EC…

Taken from:
3 million strong RAMNIT botnet taken down

Read() or alive, you’re coming with me: Feds offer $3m reward for ‘CryptoLocker baron’

Evgeniy Bogachev accused of GameOver ZeuS botnet crimes The US State Department and the FBI, have stumped up $3m in reward money for the arrest of Evgeniy Mikhailovich Bogachev, the 30-year-old Russian man accused of stealing over $100m with his malware.…

View post:
Read() or alive, you’re coming with me: Feds offer $3m reward for ‘CryptoLocker baron’

Red or alive, you’re coming with me: Feds offer $3m reward for ‘CryptoLocker baron’

Evgeniy Bogachev accused of GameOver ZeuS botnet crimes The US State Department and the FBI, have stumped up $3m in reward money for the arrest of Evgeniy Mikhailovich Bogachev, the 30-year-old Russian man accused of stealing over $100m with his malware.…

Link:
Red or alive, you’re coming with me: Feds offer $3m reward for ‘CryptoLocker baron’