
Defense in Depth

April 23, 2008 10:36 AM PDT

Inside two toolkits helping Chinese hackers

by Robert Vamosi

Two toolkits designed to help ordinary people participate in denial-of-service attacks against Western media have surfaced on the Internet, according to one researcher.

In a blog post Tuesday, Jose Nazario of Arbor Networks says one of the toolkits is easier to use than the other, though both are designed for "the masses." This isn't new: toolkits such as these have been created for other political protests in the past.

AntiCNN.exe was the first of the two tools found on the Internet. Nazario reports that it opens a flood of HTTP connections and attempts to hurt the servers with volume.

Sdos.exe is the second tool. According to Nazario, "This one lets you specify a target server and a port, uses a simple connect() loop for the TCP flood."

Nazario says there is a third toolkit out, but it includes a backdoor back to its authors and could be used for other purposes.

April 18, 2008 10:29 AM PDT

Cyberprotests planned in support of China

by Robert Vamosi

Several groups of Internet organizers plan to show on Saturday that they can mobilize patriotic Chinese Internet users and wield their influence worldwide against what they say is anti-Chinese media in the Western world.

The Dark Visitor, a site that tracks the activities of Chinese computer hackers, is reporting that a distributed denial-of-service (DDoS) attack on CNN.com is planned for 8 p.m. Beijing time, or 5 a.m. PT in the United States.

But the organizers themselves (Google translated page) appear to be waffling, and Jose Nazario of Arbor Networks reports that there has been little pre-attack activity within the last 24 hours.

Calling their action the "Revenge of the Flame," a group of computer protesters in China appears to have learned from both last year's cyberattacks on Estonia and the more recent anonymous attacks on the Church of Scientology. But Revenge of the Flame organizers stress that their attacks will not be a crime.

"We want to be patriotic," one organizer wrote, arguing that they intend to link Chinese Internet users together against one target: CNN.com. Should the attack be successful, the Revenge of the Flame planners will then consider immediately dissolving the flame of revenge ("after all, cybercrime is cybercrime," says the organizer), continue to attract more users, and "enhance the people's awareness of network security."

In the real world, a separate, perhaps unrelated, group is planning (Google translated page) for simultaneous protests on Saturday in Berlin, Amsterdam, London, and Paris.

Meanwhile, yet another Internet site, Anti-CNN.com, claims that protests in favor of China have not been published fairly by Western media in Germany, France, Canada, and the United States.

A banner on Anti-CNN.com says (translated from the Chinese), "We are not against the Western media, but against the lies and fabricated stories in the media." The site includes example headlines from Der Spiegel, The Washington Post, and Fox News, in which it claims that photos of the police attacking the monks are Nepalese, not Tibetan.

March 31, 2008 1:56 PM PDT

No April Fools'--Storm worm is back

by Robert Vamosi
(Credit: Jose Nazario, Arbor Networks)

Don't click on that silly April Fools' Day e-mail, says one security expert.

In a blog post, Arbor Networks' Jose Nazario reports that within the last 24 hours he has seen new releases of the Storm worm designed to take advantage of the first day of April. This new spam campaign is a lure to infect new computers that will become part of the larger Storm worm botnet.

The e-mail body is spartan: the words "Doh! April Fools" followed by a numeric URL. If a user clicks on that URL, the default Internet browser will open to a page with a cartoon character. A download is supposed to start within five seconds and, according to the message, "If your download does not start, click here and then press 'Run.'"

The compromised computer will then install the downloaded file as C:\WINDOWS\aromis.exe. Nazario reports that the botnet file opens the firewall using the netsh firewall set command, makes a lot of outbound connections, then listens on a random UDP port.

February 14, 2008 1:03 PM PST

From Storm, with love

by Robert Vamosi

The FBI is warning that Valentine's Day e-mails you see this year might be coming not from loved ones, but from the Storm worm botnet. In a press release Tuesday, the FBI warns users to be on the lookout for e-mail that "directs the recipient to click on a link to retrieve the electronic greeting card (e-card). Once the user clicks on the link, malware is downloaded to the Internet-connected device and causes it to become infected and part of the Storm worm botnet."

Dr. Jose Nazario of Arbor Networks said the authors of Storm have launched a carefully orchestrated series of lure campaigns to bring new members into the network. One of them is Valentine's Day-themed. Nazario said the creators of Storm have in recent weeks "grown the network by as much as 50 percent."

Nazario blamed fresh spam and incomplete antivirus protection on users' desktops for the new botnet infections.

"Generally speaking, when you only have something like 25 percent or less who are updated with the current patches and Best Practices in AV software, it doesn't really matter. You can be caught up with the latest AV fix, but if other people aren't really applying it, it doesn't really matter."

If you don't have antivirus protection, get some. See CNET's latest antivirus performance test results here. If you already have an antivirus product installed, make sure your subscription and the data files are both up to date.

January 25, 2008 2:47 PM PST

Whose Internet is it anyway?

by Robert Vamosi

This week we've seen two Internet events that are more alike than dissimilar. On Wednesday, an Estonian court convicted a 20-year-old Russian for his part in last spring's distributed denial-of-service (DDoS) attacks on that nation. On Thursday, word of mounting DDoS attacks on the Church of Scientology spread. Ultimately, both events could have larger repercussions.

The attack on the Estonian Web sites was prompted by an Estonian government plan to move a statue and grave sites honoring Russian-Estonians who died fighting the Nazis. Gadi Evron of Beyond Security said at last year's Black Hat USA that he found only one case of unique code used in the attacks, which lasted from April 27 through mid-May. Evron said the attack had the appearance of an Internet flash mob, and now, with the conviction, it appears to have been loosely organized by a group of college kids. Evron cited evidence of at least one e-mail inciting Internet action on a particular date at a particular time during the Estonian attacks.

A similar event is happening now. DDoS attacks against the Church of Scientology appear to be coming from a loosely organized group of individuals calling themselves Anonymous or Anon. The attacks, according to Jose Nazario of Arbor Networks, appear to use common code, and the early attacks originated from one IP address.

As with the events in Estonia, as news spread, more individuals may now be targeting the Church of Scientology in a sort of "me too" frenzy. A Web site called Project Chanology continues to detail present and future actions by Anonymous and others.

The idea that a handful of skilled individuals could decide to "take out" a particular group or company or government for any reason is a very disturbing one indeed.

January 25, 2008 1:49 PM PST

Technical aspects of the DDoS attacks upon the Church of Scientology

by Robert Vamosi

Dr. Jose Nazario of Arbor Networks has been looking at the technical side of the distributed denial-of-service (DDoS) attacks upon a domain registered to the Church of Scientology International. In general, he finds that while there have been a lot of DDoS attacks, the early ones were mild. They were, however, stronger than the DDoS attacks upon various Estonian sites last spring. As a protective measure, the Church of Scientology has since moved its domain to a more protected space.

Prior to the move, Nazario found that on January 19, there were 488 DDoS events, all of which appear to come from one IP address, "indicating," said Nazario, "that this is not a huge, broadly sourced attack (i.e. it may not have registered on other ISPs' systems)." He also notes that the types of attacks he saw on Saturday were "common, garden-variety DDoS attacks."

Nazario's other findings include:

  • Maximum PPS rates seen: nearly 20,000 pps (packets per second), with an average attack size of 15,000 pps.
  • Maximum bandwidth seen per attack: 220 Mbps, with an average attack size of 168 Mbps. This is on the high side of an attack, but significantly smaller than the largest ones we commonly see nowadays.
  • Maximum duration of a single attack: 1.8 hours, which is on the long end of common, but the average attack lasted just under half an hour.
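The peak and average pps, Mbps and duration figures above are the kind of per-event aggregates a flow-based DDoS monitor produces from its collectors. The following is an added example, not Arbor Networks' code or anything from the original post: it takes constructed per-second flow summaries (source, destination, packet and byte counts), ignores traffic below a packets-per-second threshold, splits each source/destination pair into separate attack events wherever the samples are more than a chosen gap apart, and reports the same metrics Nazario cites. The threshold, gap and sample values are all assumptions chosen for illustration.

```python
"""Turn per-second flow summaries into DDoS attack events with pps/Mbps/duration metrics.

Added example; the flow data below is constructed, not from any real capture.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FlowSample:
    ts: int        # Unix time of the one-second bucket (constructed)
    src: str       # source address as seen by the collector
    dst: str       # targeted address
    packets: int   # packets toward dst during this second
    bytes: int     # bytes toward dst during this second


@dataclass
class AttackEvent:
    src: str
    dst: str
    start: int
    end: int
    peak_pps: int
    avg_pps: float
    peak_mbps: float
    avg_mbps: float

    @property
    def duration_s(self) -> int:
        # Buckets are one second wide, so an event covering ts 1000..1004 lasts 5 s.
        return self.end - self.start + 1


# Assumed tuning knobs: anything under PPS_THRESHOLD is treated as background
# traffic, and samples more than GAP_S apart are split into separate events.
PPS_THRESHOLD = 5000
GAP_S = 60


def _summarise(src: str, dst: str, run: List[FlowSample]) -> AttackEvent:
    pps = [r.packets for r in run]
    mbps = [r.bytes * 8 / 1e6 for r in run]   # bytes/s -> megabits/s
    return AttackEvent(src, dst, run[0].ts, run[-1].ts,
                       max(pps), sum(pps) / len(pps),
                       max(mbps), sum(mbps) / len(mbps))


def detect_attacks(samples: List[FlowSample],
                   pps_threshold: int = PPS_THRESHOLD,
                   gap_s: int = GAP_S) -> List[AttackEvent]:
    """Group above-threshold samples per (src, dst) into time-contiguous events."""
    by_pair: Dict[Tuple[str, str], List[FlowSample]] = {}
    for s in sorted(samples, key=lambda s: s.ts):
        if s.packets < pps_threshold:
            continue                       # background traffic, not part of an attack
        by_pair.setdefault((s.src, s.dst), []).append(s)

    events: List[AttackEvent] = []
    for (src, dst), rows in by_pair.items():
        run = [rows[0]]
        for r in rows[1:]:
            if r.ts - run[-1].ts > gap_s:  # silence longer than the gap: new event
                events.append(_summarise(src, dst, run))
                run = [r]
            else:
                run.append(r)
        events.append(_summarise(src, dst, run))
    return events


# Constructed sample: one source floods one target for five seconds at roughly
# 1,375 bytes per packet, pauses, then sends a weaker second burst. A third host
# sends ordinary low-rate traffic that must not be reported.
ATTACKER, TARGET, BYSTANDER = "203.0.113.7", "198.51.100.10", "192.0.2.5"
SAMPLES = [
    FlowSample(1000 + i, ATTACKER, TARGET, p, p * 1375)
    for i, p in enumerate([15000, 18000, 20000, 17000, 15000])
] + [
    FlowSample(2000, ATTACKER, TARGET, 6000, 6000 * 1375),
    FlowSample(2001, ATTACKER, TARGET, 7000, 7000 * 1375),
    FlowSample(1002, BYSTANDER, TARGET, 200, 200 * 600),
]

if __name__ == "__main__":
    for e in detect_attacks(SAMPLES):
        print(f"{e.src} -> {e.dst}: {e.duration_s}s, peak {e.peak_pps} pps "
              f"(avg {e.avg_pps:.0f}), peak {e.peak_mbps:.1f} Mbps (avg {e.avg_mbps:.1f})")
```

Run as-is, the first event reports a 5-second flood peaking at 20,000 pps and 220 Mbps with an average of 17,000 pps, and the second a separate 2-second burst; the bystander's 200 pps never appears. In a real deployment the samples would come from NetFlow/sFlow collectors and the threshold would be set per link capacity rather than as a single constant.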

On January 21, the Church of Scientology moved its domain to Prolexic Technologies, a company that protects Web sites from DDoS attacks. Attacks against the site have increased, with a major assault on Thursday night at 6 p.m. EST.

Nazario says, "I went looking and was unable to detect attacks against the Scientology Web site in particular. The new IP address of the CoS Web site is located within the Prolexic DDoS service network. It's difficult for (Arbor Networks) to detect these attacks in particular from the milieu of DDoS attacks" inside the Prolexic service.

December 4, 2007 2:48 PM PST

Where the botnets are

by Robert Vamosi

Last week, the FBI announced the end of the second phase of Operation Bot Roast, an ongoing investigation into botnets and the criminal activity associated with them. I recently asked Dr. Jose Nazario of Arbor Networks where in the world the bot herders, the people who control the botnets, might be. Here are some excerpts:

We see a few major groups. We see Americans and Western Europeans often interested in using the botnet to make money either directly or indirectly by selling services, or stealing information from those botnets to sell and use credit card information, bank information, etc.

There are some botnets out of South America, but mostly South America seems dominated by the Brazilian, what folks used to call the banker Trojan, the browser helper object that steals information right out of the browser from banks from online banking or e-commerce transactions. Some of the more high-profile botnets we've dubbed TeamUSA and Peruvian Power. These have been long running and relatively successful. But they're not exactly household names.

The botnet community is also taking off in the Russian language part of the Internet. Lately I've been watching a lot of DDoS attacks come out of Russia, commanded by Russians. Possibly for pay, as retribution, or as punishment to those who try and stop some of the other illegal activities, such as fraud and theft.

I have been tracking lately Russian DDoS bot code run by different groups. The code itself is bought and shared between them. One of the big ones is a code base called Black Energy. The author is a Russian language speaker who offers his help files and other things in the Russian language and sells it on the Russian language forums anywhere from $40 on up. Black Energy is strictly a DDoS botnet.

We have watched some botnets from China, but I don't see a whole lot of botnet activity coming out of there.

You can read more of Nazario's comments in this Security Watch column. And you can hear more of my interview with Dr. Nazario in this Security Bites podcast.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
