The latest war.

Discussion in 'other security issues & news' started by spy1, Feb 29, 2004.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Okay, with all the recent, on-going attacks against a lot of the major "anti-spyware" sites, it seems as though it's all-out war now between those who would have your information and track you - and those that would prevent that.


    SpywareInfo on and off, Net-Integration totally down - where will it all end and how can it be stopped?

    The anti-scumware forces are fighting for their very lives here.

    So, what's the attack mechanism?

    It would seem to me that it would almost have to be a variant of the CoolWebSearch stuff designed specifically for this task.

    IOW, the CWS people have come up with something that doesn't try to track you or change your homepage or search engine - whatever they've come up with has been designed to remain very stealthy on your machine.

    And its only purpose is to enable the CWS people to make a "bot" out of your computer so that they can direct it to attack anti-spyware websites (and multiple, switchable sites at that!).

    This is where the fact that everyone on the net is not a security nut is killing everyone - of the millions and millions of users out there, the pickings are fat for anyone gathering machines to be used in attacks - and, sadly, that's not going to change.

    So, what are the anti-spyware sites going to do?

    Would requiring registration and logging in to post help? Especially if you had to use a "Human Interface Device" (like on ComputerCops) both to log in and to initially register? With no requests permitted that didn't come from such a "registered" source?

    Or would that even help?

    This latest round of stuff is not looking good for the "good guys", although I'm sure a lot of ISP's that are hosting these kinds of sites are having a real learning experience (which may not be a bad thing).

    So, where's all the brains at around here when you need them? What's being done to combat the situation and what can we do to help? Pete
     
  2. controler

    controler Guest

    Hi Pete

    Thanks for the heads up.

    Appears there is a fix on computer cops site now.

    parinoidpete started it lol

    http://computercops.biz/article-4680-nested-0-0.html
     
  3. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    The antispyware field is still young (dating back to Gibson's OptOut?), so perhaps we can look at the more established antivirus field for answers.

    Have such tactics been used against antivirus sites? How do they stand up to DDOS attacks?

    Is it simply a matter of deep pockets? The antispyware area is unusual in the sense that it's still dominated by volunteers and freeware products, so perhaps that's why they are vulnerable, without the financial muscle behind it?

    PS The current attack doesn't seem to target Lavasoft at all, which arguably is still the most popular antispyware scanner..... Coincidence?
     
  4. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    The info there is getting a bit long in the tooth and it hasn't solved the problem, apparently. There were threads far more recent on net-integration (now apparently down from the DDoS) and currently on the LavaSoft forums about this issue.
     
  5. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Well, Wilders might be next on the target list, but I suppose Paul had considered that already. I think he mentioned experiencing this once before?
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I guess what I'm trying to bear down more on here is - what's the answer?

    The sites being DDos'd must have logs of the requesting addresses, right? Is there a method of filtering those logs to compare registered user requests from requests coming from addresses that haven't ever before even visited the sites in question?

    If there is a way to do that, couldn't some of the people at those addresses be contacted and urged to scan their computers for whatever's causing the requests to be generated from those computers?

    Maybe ask those people to run HijackThis and submit their logs?

    Get them to d/l and run AutoStart Viewer from DCS and check for unknown start-ups? Pete
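
One way to try the log-filtering idea Pete raises above, as an added example that is not part of the original post: a small Python sweep over web-server access logs (Apache/NCSA combined format, which is an assumption about how the attacked sites log) that counts requests per source address, keeps only addresses that are not in a set of known member addresses, and flags those whose burst rate exceeds a threshold. The log lines, the member address set and every IP below are constructed for the example. The caveat Eagle1 raises later in the thread applies: if the source addresses are spoofed, this heuristic points at innocent addresses, so it is a triage aid, not a blocklist generator.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/NCSA "combined" access-log layout (assumption: the forum host logs in this
# format; the pattern and every address below are constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("request")


def max_burst(times, window_seconds):
    """Largest number of requests that fall inside any span of window_seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(lines, known_ips, window_seconds=60, threshold=20):
    """Flag addresses that are both unknown (not a registered/previously seen visitor)
    and bursting at or above `threshold` requests per `window_seconds`.

    Returns (flagged, quiet_newcomers): flagged is a list of (ip, burst) sorted by
    burst, descending; quiet_newcomers are unknown addresses under the threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # an unparseable line is skipped rather than aborting the sweep
        ip, ts, _request = parsed
        per_ip[ip].append(ts)

    flagged, quiet = [], []
    for ip, times in per_ip.items():
        if ip in known_ips:
            continue  # known visitor: outside the scope of this heuristic
        burst = max_burst(times, window_seconds)
        (flagged if burst >= threshold else quiet).append((ip, burst))
    flagged.sort(key=lambda item: item[1], reverse=True)
    return flagged, sorted(quiet)


def build_sample_log():
    """Constructed sample: one member browsing normally, one newcomer reading a
    thread, one never-seen address hammering the front page, one corrupt line."""
    def entry(ip, when, path):
        return f'{ip} - - [{when.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 4096'

    t0 = datetime.strptime("29/Feb/2004:10:00:00 +0000", TS_FMT)
    lines = [
        entry("203.0.113.5", t0, "/forum/index.php"),
        entry("203.0.113.5", t0 + timedelta(seconds=8), "/forum/showthread.php?t=21950"),
        entry("198.51.100.200", t0 + timedelta(seconds=3), "/forum/index.php"),
        entry("198.51.100.200", t0 + timedelta(seconds=40), "/forum/showthread.php?t=21950"),
    ]
    # 30 identical requests inside 30 seconds from an address the site has never seen
    lines += [entry("198.51.100.77", t0 + timedelta(seconds=10 + i), "/") for i in range(30)]
    lines.append("this line is corrupt and must not break the sweep")
    return lines


KNOWN_MEMBER_IPS = {"203.0.113.5"}  # constructed: addresses seen from logged-in members


def run_sample():
    return triage(build_sample_log(), KNOWN_MEMBER_IPS)


if __name__ == "__main__":
    flagged, quiet = run_sample()
    for ip, burst in flagged:
        print(f"FLAG  {ip}: {burst} requests within 60 s from an unknown address")
    for ip, burst in quiet:
        print(f"new   {ip}: {burst} requests, below threshold")
```

The window/threshold pair is deliberately a parameter: a forum with many anonymous readers needs a higher threshold than a small vendor site, and the quiet-newcomer list exists so that a first-time visitor is never confused with a bot just for being new.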
     
  7. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Since it's a DDoS, in the first place, the bandwidth available is definitely an issue (and that means money). AV vendors have it (for the most part); AT/anti-spyware/anti-keylogger vendors have far less.

    In the second place, if the current DDoS is being sponsored by CWS (or someone similar), they are far more concerned about the latter than the former.
    I can tell you that there is an extended discussion in the Lavasoft forums regarding this very issue at the moment. They know they are not immune. As to whether they have far more bandwidth than the others, I do not know.
     
  8. controler

    controler Guest

    Interesting, since this is what computer cops lists as targeted hosts file addys. And JVM, are you saying the file Hostsfilereader posted from my link doesn't do any good?

    "The current (partial) list of sites blocked by this latest malicious hosts file is:

    www.spywareinfoforum.com
    www.spywareinfoforum.com
    www.merijn.org
    merijn.org
    spywareinfoforum.com
    www.computercops.biz
    computercops.biz
    dslreports.com
    www.dslreports.com
    www.lavasoftsupport.com
    lavasoftsupport.com
    forums.net-integration.net
    www.tomcoyote.org
    tomcoyote.org
    www.wilderssecurity.com
    wilderssecurity.com
    www.lavasoftusa.com
    lavasoftusa.com
    security.kolla.de
    www.security.kolla.de
    www.lavasoft.de
    lavasoft.de"
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Apparently the F.B.I. is having a little problem getting off-the-stick and helping.

    Perhaps this little message I just sent them will inspire them:

    "It kind of amazes me that you aren't all over the web-site attacks against the Net-Integration and SpywareInfo sites.

    Whatever the method of attack is that's being used could just as easily be directed against YOU and YOUR sites as against them (or ANY OTHER government agency) so it seems to me as though it would behoove you (<g>) to get involved, find out what's happening and HELP THEM STOP IT!

    It's not like you couldn't use some GOOD press for a change!

    Here's the background on the attack at NI:

    http://www.wilderssecurity.com/showthread.php?t=21950;start=60#msg137547

    and here's the time-line and development of the attack on SI:

    http://www.lavasoftsupport.com/index.php?showtopic=20306

    I notice that it's been said that Mike Healan's already contacted you and that you're playing "phone tag" with him - quit screwing around and DO something! Pete

    Anyone wishing to add their sentiments to mine can do so by going to this site: http://www.fbi.gov/ and click on the "Submit a tip" link on the left-hand side of the page. Pete
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Don't be a tease, JayK - what are you referring to? Pete
     
  11. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Ah, yes, the question! ;)

    It's actually two questions:

    The first is how do the small (and often independent) vendors protect themselves against DDoS targeting like this? At times, it is easy to forget that Steve Gibson effectively got DDoSed by one single thirteen-year old kid -- or so the story goes. (And I most assuredly want them to do this, because I don't care to be wholly dependent on the megacorporations for my security software. We already know what that leads to.)

    The second question goes a good deal further. Last time I heard, these guys still have no idea of exactly how the DDoS is being launched against them. They haven't identified it, they can't tell people what to look for, they can't put detection for it into their own products, and (last time I heard) nothing currently available (well, as of several days ago) seems yet capable of detecting, cleaning, or inoculating a system against this particular threat. This needs to be solved and sooner rather than later.
    In an effective DDoS, this is not necessarily so. When the pipe jams, it jams. (Paul, is that correct?)
    Now, Pete, we all should know by now that this doesn't work. :doubt: From the few details I've seen, it seems to be only a few thousand machines involved. I'm willing to bet that many of them are on dynamically assigned IP addresses, so this is like looking for a few thousand needles in a few acres of haystacks. (And, to make matters worse, the needles get up and move around every few hours!) And, I might point out that the MyDoom attack on SCO was much larger, but, since it was a worm, it could be identified and protected against (eventually) in time. These, on the other hand, seem to be a few thousand carefully placed bots.
    Again, based on second-hand information, it appears that HJT does not pick this up (and that is informative, at least to me). This is not surprising since HJT seems to be one of the targets!
    That might work, but I suspect there's another mechanism at work here, one we have yet to cotton on to.
     
  12. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    How about making the anti-spyware sites secure ( https ) sites? Pete
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Where is that pesky wabbit when you need him? ZX! Has your method of allowing people access to ComputerCops enhanced your ability to defend against DDos attacks? Pete
     
  14. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    First, that was a first guess, as I understand it. Tom Coyote published that on 15 Feb. I don't know a single soul who's found this in their hosts file. (But if I'm right that this is originating primarily from clueless users who are only online occasionally and use dynamically assigned IP addresses, and probably have absolutely no security measures in place, what would you expect?)

    Actually, that little utility sounds sort of cute, but most of the people who're going to read about it don't need it in the first place.

    I think this is turning into another comedy of errors, sort of like watching Inspector Clouseau in "A Shot in the Dark", only in actuality it's only funny to the perps, not us.

    Another lesson in unintended consequences. Remember when CR II started generating all those ARPs that effectively DDoSed a lot of cable subscribers? (There's no indication the author realized that was going to happen.) Remember when Tom Liston (Handler on duty at Internet Storm Center at the time) had to send out a rather nasty message to those ISPs that were automatically generating "E-Mail Rejected" messages to what were actually spoofed IP addresses in the first place in the recent MyDoom.A episode? (Again, there's no indication that the author realized that this was going to happen, but it simply made a bad situation worse.) Something similar has happened here.

    Two things happened here:

    First, apparently, some of the affected sites started redirecting these probes to 127.0.0.1 . This was done in response to MSBlast last year and -- just like the solution then -- this has now led to unanticipated consequences. Long before I ever heard about this current episode, I noticed that my router logs were again being heavily populated with "Spoofed IP" messages, all identifying the bogus source as 127.0.0.1:80 (Care to wonder what those might have been?) These are INBOUND to my Internet WAN IP, for those who may wonder from OUTSIDE the router.

    Well, second, it got worse. Somehow (and I don't understand the mechanism involved to date) some of these redirections actually ended up assigning 127.0.0.1 to www.merijn.org (for one). And, somehow, a lot of recent releases of NIS/NPF (2003/2004, in particular) ended up identifying 127.0.0.1 as www.merijn.org rather than as localhost. That created a second panic. (And there are one helluva lot of new NIS/NPF firewalls out there.) Suddenly what were basic loopback connections started being identified as connections from merijn.org to merijn.org (that's the tip-off, incidentally). (I believe that very few other software firewalls actually have a connections log in addition to the firewall log and that even fewer probably automatically resolve IP addresses to URLs in the log displayed to the end-user.) And I think this is where the 'false lead' to hosts files being tampered with came from.

    Life goes on. Time to get back to work on this one.
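
Two things in this thread lend themselves to one small check: the hosts-file list controler quotes from ComputerCops (post 8), and the loopback side effect jvmorris describes just above, where 127.0.0.1 starts showing up as www.merijn.org in a firewall's connection log. The following Python audit is an added example, not code from ComputerCops, Hostsfilereader or anyone in the thread. It parses a hosts file, reports any entry that rebinds a domain from the quoted list (or a subdomain of one) and classifies it as a blackhole (loopback or 0.0.0.0, the site becomes unreachable) or a redirect (any other address, traffic goes elsewhere), and separately lists every name bound to 127.0.0.1, which is exactly what a resolver that consults the hosts file would hand back for a loopback connection. The sample file contents and the 192.0.2.10 address are constructed; the domain list comes from the page.

```python
import ipaddress
import platform
from pathlib import Path

# Domains from the list quoted in the thread; rebinding any of them, or any
# subdomain of them, counts as a finding.
WATCHLIST = {
    "spywareinfoforum.com", "merijn.org", "computercops.biz", "dslreports.com",
    "lavasoftsupport.com", "net-integration.net", "tomcoyote.org",
    "wilderssecurity.com", "lavasoftusa.com", "kolla.de", "lavasoft.de",
}


def hosts_path():
    """Conventional hosts file location on Windows vs. Unix-like systems."""
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every binding; comments, blanks and
    lines whose first field is not an IP address are skipped."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: not a binding
        for name in fields[1:]:
            yield lineno, fields[0], name.lower()


def is_watched(name):
    """True if `name` is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def audit_hosts(text):
    """Findings for watched domains pinned to any address in the hosts file."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blackhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append({"line": lineno, "ip": ip, "name": name, "kind": kind})
    return findings


def names_for_ip(text, ip):
    """Every hostname the file binds to `ip`: what a hosts-consulting resolver may
    display for a connection to that address (e.g. a loopback connection)."""
    return sorted({name for _, bound, name in parse_hosts(text) if bound == ip})


# Constructed sample file: normal loopback entries, one ad-blocking entry, two
# blackhole entries of the kind the quoted list describes, one redirect, one bad line.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # legitimate ad-blocking entry
127.0.0.1       www.merijn.org
127.0.0.1       merijn.org
192.0.2.10      security.kolla.de        # TEST-NET address standing in for a third party
not-an-address  something.example
"""


def audit_sample():
    return audit_hosts(SAMPLE_HOSTS), names_for_ip(SAMPLE_HOSTS, "127.0.0.1")


if __name__ == "__main__":
    findings, loopback_names = audit_sample()
    for f in findings:
        print(f"line {f['line']}: {f['name']} -> {f['ip']} ({f['kind']})")
    print("names bound to 127.0.0.1:", ", ".join(loopback_names))
    # To audit the live machine instead: audit_hosts(hosts_path().read_text())
```

The second output line is the point jvmorris makes: once merijn.org is bound to 127.0.0.1, a tool that resolves addresses to names will label ordinary loopback traffic as merijn.org traffic, which looks alarming but is not, by itself, evidence of a bot.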
     
  15. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Quite true. I know at least one knowledgeable individual who went out of their way to telephonically contact the FBI groups involved with this issue when they noted a number of contacts going out to www.merijn.org in their logs. In a nutshell, the response they received was "Gee, sorry to hear that; have a nice day. Call us if you find something."

    Thanks, I'd not seen either of those links before. I think I'd best go read them.
     
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    If it is indeed a bot that somehow gets installed and evades detection - what about something simple to find it?

    Like: IRCBot Detector 1.0 from Jason Levine?

    http://www.jasons-toolbox.com/programs.asp?Program=IRCBot%20Detector

    We don't need anyone who's harboring the bot to have to learn to do anything complicated to uncover it - probably just being able to discover it and get a clue as to where/how it's hiding would be sufficient to uncover it, wouldn't it? Pete
     
  17. Vorpal

    Vorpal Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    11
    Location:
    Los Angeles, CA
    @ SPY 1

    I agree with your attempt to urge the FBI to action, though sometimes justice works slowly, the balance is that is a very large, powerful mass, once
    But, I would caution that phrasing is very important, especially in the post 9/11 world. Having worked in the legal arena for almost 20 years now, I guarantee that soft encouragement will generate more results than sharp admonitions.
    Also, from what you posted (and I know this was not intended), your words could be taken to be threatening a DOS, as opposed to drawing their attention to their own weakness. Please don't take this as criticism, but friendly advice! :)
    **************
    Has anyone else noticed the almost complete absence of news coverage on this (outside of anti-spyware sites?) Seems odd considering the way they jump on virus coverage etc.

    just my two cents+ for now.
     
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Vorpal - The F.B.I. is very well-acquainted with me and they deeply appreciate my puckish sense-of-humor. :D

    They are supposed to be working for us (tax-paying United States citizens) - but thank you anyway. Pete
     
  19. Vorpal

    Vorpal Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    11
    Location:
    Los Angeles, CA
    I agree they are supposed to be working for us, and as citizens, we should expect it.

    Just in my dealings with court personnel and sheriffs (yep, I'm one of those lawyer guys, but hold the jokes!), I have success with letting them think they came up with the idea and that it's a big favor to share it with you. :)
    Judges, well, they tend to be a different story. :rolleyes:

    But, very cool the FBI is used to you, I hope they listen as well.

    Would any of the Net statistic orgs be of use (NameIntelligence and the like)? I almost suggested ICANN, but if speed is of the essence....
     
  20. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I'll let you know when they get back to me. Pete
     
  21. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    Thanks Pete for pointing me here. I've come to realize that there are a number of combinations to help prevent DOS attacks while maintaining http://computercops.biz and http://nukecops.com. They don't just include prevention against automated script bots for posting and registering (about to be enhanced), they also include filters on port 80, not just the rest of the ports.

    I've been under medium size DOS attacks before that would last about 2 days, and the pages were still accessible -- albeit, with slow page generation times.

    So yes, the methods I've used have most of the time been successful against attackers.

    I've only recently implemented a new filter system for both my sites that monitors against port 80 attacks specific to the CMS itself. It hasn't yet been activated, as I'm working out the code. I want to ensure that all the good bots, like googlebot, are excluded from tracking (however, other measures are in place).

    And let's not forget, hardware is a big one too. Do you own a high performance server or does one share out the resources with others?

    Pete, off topic, I increased the sig space at CCSP a month or two ago per your request from last year.

    Obviously I don't want to get into too much here since I think this is a public forum?
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    A very interesting thread this is - and a serious one as well.

    Some remarks:

    - yes, we are aware of the fact our server could be next in line as far as attacks are concerned. Although we do have quite a lot of bandwidth available, we and our host are aware of this - no further comment ;)

    - as far as we know (see the comments from Joseph Morris), at this very moment, there's no way to grab and determine a (possible) bot involved.

    - JayK and Joseph do have a strong case in regard to the essence of all this: funding/money is the real issue here. No doubt, the money is on the attacker(s) side.

    - in this context, it's plain for all to see non profit domains/servers are a target first and foremost - and this does make sense: individual non-profit sites are in fact sitting ducks in the end. They do lack the money and therefore are no game in the end. For that reason joining forces is the only way to go - divided we are weak, assembled we are strong.

    I for one am a strong believer in joining forces. That said, I'm fully aware this is a very different point of view for fairly all site/server owners picking up the fight; they are used to running their own business, no matter what. I can understand their point of view. Nevertheless, in the end there's just one approach here: joining forces and funds. In case "we" want to combat, we will have to organize and drop the "individual approach" to a certain extent.

    Bottom line: IMO it's time to go professional - the ones targeting us are pros as well for sure. The question is: are we willing to join forces and funds. We are.

    regards.

    paul
     
  23. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Well said, Paul.

    With a bit of luck, that may be on the way.
     
  24. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Well, - no offense intended! - I for one do believe it's rather a big step to join forces. It will take more than luck to accomplish this - looking at the overall picture in the long(er) term, and take it from there. Most site owners at this very moment are still more focussed on running their own - small and/or vulnerable - business rather than looking upon this from a professional point of view. That said: We are open for discussion on this topic. My addy is in my profile ;)

    regards.

    paul
     
  25. Eagle1

    Eagle1 Security Expert

    Joined:
    Feb 10, 2002
    Posts:
    206
    Location:
    Rio Rancho NM - Nevis, West Indies
    What I can tell you about this attack on NI is the IPs are spoofed in every case as far as I can tell at the moment. Filtering has been nearly impossible because of the constant changing of targeting IPs. The HTTP GET header is not like anything I've seen before and provides no clues I can find. The attacks on the others are similar. IMO any further discussions on this need to be out of the public IMO.

    I've contacted the FBI and CERT with my info. The FBI is unlikely to get involved unless a very strong concerted voice is spoken on behalf of all anti-spyware/adware vendors/supports/providers. Individually these attacks don't even constitute a crime in the US. Again, because we aren't big business.

    I agree with Paul that it's time to go professional. A few tiny steps have been made in that direction but a long road is left to hoe.

    I've begun to take some steps to set up proxies again. Only this time they are going to be much stronger machines. The process has begun but may take awhile to determine success as we are going to have to wait for the NI DNS to propagate again.

    In the meantime I'm making my net stat logs available to any experts who wish to review them. There has got to be a way to determine the source of this garbage.
     