The latest war.

Okay, with all the recent, on-going attacks against a lot of the major "anti-spyware" sites, it seems as though it's all-out war now between those who would have your information and track you - and those that would prevent that.


SpywareInfo on and off, Net-Integration totally down - where will it all end and how can it be stopped?

The anti-scumware forces are fighting for their very lives here.

So, what's the attack mechanism?

It would seem to me that it would almost have to be a variant of the CoolWebSearch stuff designed specifically for this task.

IOW, the CWS people have come up with something that doesn't try to track you or change your homepage or search engine - whatever they've come up with has been designed to remain very stealthy on your machine.

And its' only purpose is to enable the CWS people to make a "bot" out of your computer so that they can direct it to attack anti-spyware websites( and multiple, switchable sites at that!).

This is where the fact that everyone on the net is not a security nut is killing everyone - of the millions and millions of users out there, the pickings are fat for anyone gathering machines to be used in attacks - and, sadly, that's not going to change.

So, what are the anti-spyware sites going to do?

Would requiring registration and logging in to post help? Especially if you had to use a "Human Interface Device" (like on ComputerCops) both to log in and to initially register? With no requests permitted that didn't come from such a "registered" source?

Or would that even help?

This latest round of stuff is not looking good for the "good guys", although I'm sure a lot of ISP's that are hosting these kinds of sites are having a real learning experience (which may not be a bad thing).

So, where's all the brains at around here when you need them? What's being done to combat the situation and what can we do to help? Pete

 

Hi Pete

Thaanks for the heads up.

Appears there is a fix on computer cops site now.

parinoidpete started it lol

http://computercops.biz/article-4680-nested-0-0.html

 

The antispyware field is still young (dating back to Gibon's optout?) , so perhaps we can look at the more established antivirus field for answers.

Have such tactics being used against Antivirus sites? How do they stand up to DDOS attacks?

Is it simply a matter of deep pockets? The antispyware area is unusual in the sense that it's still dominated by volunteers and freeware products so perhaps that why they are vulnerable, without the finanical muscle behind it?

PS The current attack doesn't seem to taget Lavasoft at all which arguably is still the most popular antispyware scanner..... Concindence?

 

The info there is getting a bit long in the tooth and it hasn't solved the problem, apparently. There were threads far more recent on net-integration (now apparently down from the DDoS) and currently on the LavaSoft forums about this issue.

 

Well, Wilders might be next on the target list, but I supposed Paul had considered that already. I think he mentioned experiencing this once before?

 

I guess what I'm trying to bear down more on here is - what's the answer?

The sites being DDos'd must have logs of the requesting addresses, right? Is there a method of filtering those logs to compare registered user requests from requests coming from addresses that haven't ever before even visited the sites in question?

If there is a way to do that, couldn't some of the people at those addresses be contacted and urged to scan their computers for whatever's causing the requests to be generated from those computers?

Maybe ask those people to run HijacjkThis and submit their logs?

Get them to d/l and run AutoStart Viewer from DCS and check for unknown start-ups? Pete

 

Since its a DDoS, in the first place, the bandwidth available is definitely an issue (and that means money), AV vendors have it (for the most part); AT/anti-spyware/anti-keylogger vendors have far less.

In the second place, if the current DDoS is being sponsored by CWS (or someone similar), they are far more concerned about the latter than the former.

I can tell you that there is an extended discussion in the Lavasoft forums regarding this very issue at the moment. They know they are not immune. As to whether they have far more bandwidth than the others, I do not know.

 

Interesting since this is what computer cops lists as targeted host file addys. and JVM are you saying the file Hostsfilereader posted from my link doesn't do anygood?

"The current (partial) list of sites blocked by this latest malicious hosts file is:

www.spywareinfoforum.com
www.spywareinfoforum.com
www.merijn.org
merijn.org
spywareinfoforum.com
www.computercops.biz
computercops.biz
dslreports.com
www.dslreports.com
www.lavasoftsupport.com
lavasoftsupport.com
forums.net-integration.net
www.tomcoyote.org
tomcoyote.org
www.wilderssecurity.com
wilderssecurity.com
www.lavasoftusa.com
lavasoftusa.com
security.kolla.de
www.security.kolla.de
www.lavasoft.de
lavasoft.de"

 

Apparently the F.B.I. is having a little problem getting off-the-stick and helping.

Perhaps this little message I just sent them will inspire them:

"It kind of amazes me that you aren't all over the web-site attacks against the Net-Integration and SpywareInfo sites.

Whatever the method of attack is that's being used could just as easily be directed against YOU and YOUR sites as against them (or ANY OTHER government agency_ so it seems to me as though it would behoove you (<g>) to get involved, find out what's happening and HELP THEM STOP IT!

It's not like you couldn't use some GOOD press for a change!

Here's the background on the attack at NI:

http://www.wilderssecurity.com/showthread.php?t=21950;start=60#msg137547

and here's the time-line and developement of the attack on SI:

http://www.lavasoftsupport.com/index.php?showtopic=20306

I notice that it's been said that Mike healan's already contacted you and that you're playing "phone tag" with him - quit screwing around and DO something! Pete

Anyone wishing to add their sentiments to mine can do so by going to this site: http://www.fbi.gov/ and click on the "Submit a tip" link on the left-hand side of the page. Pete

 

Don't be a tease, JayK - what are you referring to? Pete

 

Ah, yes, the question!

It's actually two questions:

The first is how do the small (and often independent) vendors protect themselves against DDoS targeting like this? At times, it is easy to forget that Steve Gibson effectively got DDoSed by one single thirteen-year old kid -- or so the story goes. (And I most assuredly want them to do this, because I don't care to be wholely dependent on the megacorporations for my security software. We already know what that leads to.)

The second question goes a good deal further. Last time I heard, these guys still have no idea of exactly how the DDoS is being launched against them. They haven't identified it, they can't tell people what to look for, they can't put detection for it into their own products, and (last time I heard) nothing currently available (well, as of several days ago) seems yet capable of detecting, cleaning, or inoculating a system against this particular threat. This needs to be solved and sooner rather than later.

In an effective DDoS, this is not necessarily so. When the pipe jams, it jams. (Paul, is that correct?)

Now, Pete, we all should know by now that this doesn't work. From the few details I've seen, it seems to be only a few thousand machines involved. I'm willing to bet that many of them are on dynamically assigned IP addresses, so this is like looking for a few thousand needles in a few acres of haystacks. (And, to make matters worse, the needles get up and move around every few hours!) And, I might point out that the MyDoom attack on SCO was much larger, but, since it was a worm, it could be identified and protected against (eventually) in time. These, on the other hand, seem to be a few thousand carefully placed bots.

Again, based on second-hand information, it appears that HJT does not pick this up (and that is informative, at least to me). This is not surprising since HJT seems to be one of the targets!

That might work, but I suspect there's another mechanism at work here, one we have yet to cotton on to.

 

How about making the anti-spyware sites secure ( https ) sites? Pete

 

Where is that pesky wabbit when you need him? ZX! Has your method of allowing people access to ComputerCops enhanced your ability to defend against DDos attacks? Pete

 

First, that was a first guess, as I understand it. Tom Coyote published that on 15 Feb. I don't know a single soul who's found this in their hosts file. (But if I'm right that this is originating primarily from clueless users who are only online occasionally and use dynamically assigned IP addresses, and probably have absolutely no security measure in places, what would you expect?)

Actually, that little utility sounds sort of cute, but most of the people who're going to read about it don't need it in the first place.

I think this is turning into another comedy of errors, sort of like watching Inspector Clouseau in "A Shot in the Dark", only in actuality it's only funny to the perps, not us.

Another lesson in unintended consequences. Remember when CR II started generated all those ARPs that effectively DDoSed a lot of cable subscribers? (There's no indication the author realized that was going to happen.) Remember when Tom Liston (Handler on duty at Internet Storm Center at the time) had to send out a rather nasty message to those ISPs that were automatically generating "E-Mail Rejected" messages to what were actually spoofed IP addresses in the first place in the recent MyDoom.A episode? (Again, there's no indication that the author realized that this was going to happen, but it simply made a bad situation worse.) Something similar has happened here.

Two things happened here:

First, apparently, some of the affected sites started redirecting these probes to 127.0.0.1 . This was done in response to MSBlast last year and -- just like the solution then -- this has now led to unanticipated consequences. Long before I ever heard about this current episode, I noticed that my router logs were again being heavily populated with "Spoofed IP" messages, all identifying the bogus source as 127.0.0.1:80 (Care to wonder what those might have been?) These are INBOUND to my Internet WAN IP, for those who may wonder from OUTSIDE the router.

Well, second, it got worse. Somehow (and I don't understand the mechanism involved to date) some of these redirections actually ended up assigning 127.0.0.1 to www.merijn.org (for one). And, somehow, a lot of recent releases of NIS/NPF (2003/2004, in particular) ended up identifying 127.0.0.1 as www.merijn.org rather than as localhost. That created a second panic. (And there are one helluva lot of new NIS/NPF firewalls out there.) Suddenly what were basic loopback connections started being identified as connections from merijn.org to merijn.org (that's the tip-off, incidentally). (I believe that very few other software firewalls actually have a connections log in addition to the firewall log and that even fewer probably automatically resolve IP addresses to URLs in the log displayed to the end-user.) And I think this is where the 'false lead' to hosts files being tampered with came from.

Life goes on. Time to get back to work on this one.

 

Quite true. I know at least one knowledgable individual who went out of their way to telephonically contact the FBI groups involved with this issue when they noted a number of contacts going out to www.merijn.org in their logs. In a nutshell, the response they received was "Gee, sorry to hear that; have a nice day. Call us if you find something."

Thanks, I'd not seen either of those links before. I think I'd best go read them.

 

If it is indeed a bot that somehow gets installed and evades detection - what about something simple to find it?

Like: IRCBot Detector 1.0 from Jason Levine?

http://www.jasons-toolbox.com/programs.asp?Program=IRCBot%20Detector

We don't need anyone who's harboring the bot to have to learn to do anything complicated to uncover it - probably just being able to discover it and get a clue as to where/how it's hiding would be sufficient to uncover it, wouldn't it? Pete

 

@ SPY 1

I agree with your attempt to urge the FBI to action, though sometimes justice works slowly, the balance is that is a very large, powerful mass, once
But, I would caution that phrasing is very important, especially in the post 9/11 world. Having worked in the legal arena for almost 20 years now, I guarantee that soft encouragement will generate more results than sharp admonitions.
Also, from what you posted, (and I know this was not intended)your words could be taken to be threatening a DOS, as opposed to drawing their attention to their own weakness. Please don't take this as criticism, but friendly advice!
**************
Has anyone else noticed the almost complete absence of news coverage on this (outside of anti-spyware sites?) Seems odd considering the way they jump on virus coverage etc.

just my two cents+ for now.

 

Vorpal - The F.B.I. is very well-acquainted with me and they deeply appreciate my puckish sense-of-humor.

They are supposed to be working for us (tax-paying United States citizens) - but thank you anyway. Pete

 

I agree they are supposed to be working for us, and as citizens, we should expect it.

Just in my dealings with court personnel and sheriffs (yep, I'm one of those lawyer guys, but hold the jokes!), I have success with letting them think they came up with the idea and that its a big favor to share it with you.
Judges, well, they tend to be a different story.

But, very cool the FBI is used to you, I hope they listen as well.

Would any of the Net statistic orgs be of use (NameIntelligence and the like)? I almost suggested ICANN, but if speed is of the essence....

 

I'll let you know when they get back to me. Pete

 

Thanks Pete for pointing me here. I've come to realize that there are a number of combinations to help prevent DOS attacks while maintaining http://computercops.biz and http://nukecops.com. They don't just include prevention against automated script bots for posting and registering (about to be enhanced), they also include filters on port 80, not just the rest of the ports.

I've been under medium size DOS attacks before that would last about 2 days, and the pages were still accessible -- albeit, with slow page generation times.

So yes, the methods I've used have most of the time been successful against attackers.

I've only recently implemented a new filter system for both my sites that monitors against port 80 attacks specific to the CMS itself. It hasn't yet been activated, as I'm working out the code. I want to ensure that all the good bots, like googlebot, are excluded from tracking (however, other measures are in place).

And lets not forget, hardware is a big one too. Do you own a high performance server or does one share out the resources with others?

Pete, off topic, I increased the sig space at CCSP a month or two ago per your request from last year.

Obviously I don't want to get into too much here since I think this is a public forum?

 

Well said, Paul.

With a bit of luck, that may be on the way.

 

What I can tell you about this attack on NI is the IPs are spoofed in every case as far as I can tell at the moment. Filtering has been nearly impossible because of the constant changing of targeting IPs. The get HTTP header is not like anything I've seen before and provides no clues I can find. The attacks on the others are similar. IMO any further discussions on this need to be out of the public IMO.

I've contacted the FBI and CERT with my info. The FBI is unlikely to get involved unless a very strong concerted voice is spoken on behalf of all anti-spyware/adware vendors/supports/providers. Individually these attacks don't even constitute a crime in the US. Again, because we aren't big business.

I agree with Paul that its time to go professional. A few tiny steps have been made in that direction but a long road is left to hoe.

I've begun to take some steps to set up proxies again. Only this time they are going to be much stronger machines. The process has begun but may take awhile to determine success as we are going to have to wait for the NI DNS to propagate again.

In the meantime I'm making my net stat logs available to any experts who wish to review them. There has got to be a way to determine the source of this garbage.