It’s now Lance James’ turn to shed light on the activity of booter services from a technical perspective to get a better understanding of who the adversary is.
Lance James: How is everybody so far? I’m Lance James, some of you know me. I work at Deloitte. Don’t ask, it’s cool. I get to do some fun stuff.

We’re going to kind of go through this story here where I got involved. Krebs and I have been friends for years and have done some crazy cool stuff together. He’s taught me a lot of cool stuff, and I’ve taught him a lot of cool stuff, and we just kind of do cool stuff. So, basically, I’m going to go from the investigative perspective in a technical sense. I did this over pretty much, I think, my lunch break in some way, although it was a lot of work. But it was fun stuff to me, so I was excited, in a bad way.
So I started looking at things from a psychological profile perspective first and then got into the computer stuff. We, obviously, know he was the target of attack; he provided probable links when I talked to him, related to SSNDOB.ru we saw in that fake FBI letter. Then we started to get it linked together. He had some information that the TWBooter service was being used in this attack.
I started looking at who does this type of stuff – we had swatting, we had DDoS. I’m used to profiling groups, and I have organized crime groups, I have Middle Eastern groups, I’ve got Anonymous and LulzSec chaotic organizations. So I was trying to figure out which group I might be thinking about here, what kind of adversary we’re dealing with. So I broke this down from a simple behavioral profile. The intent is obvious: disrupt Brian all day, make him have a shitty day. Basically, swatting and DDoS are usually fear tactics, really hostile. You know, the guys are sending a clear message how they feel about Brian, basically. They’re clever, tactical, capable. But we saw in the behavior that it’s short-sighted because they forget that Brian is friends with a good amount of information security professionals, and we like him. So one of the things I did was get coordination with some people, and people were ready to go – he’s a big voice for us.
We saw that this kid is short-sighted, like: “What were you thinking? You’re going to get exposed.” I also looked at the history of the arrest records for swatting and DDoS, and you’d see there from 12 to 20 years old. So I know what kind of adversary I’m dealing with: a typical kid hacker with an anti-social behavior type mentality.

Let me go into actually looking at the terms of service (see right-hand image), because I look at things from a legal perspective as well. So, the terms of service are, literally: don’t use this to attack unless it’s your own site, things like that. They have all their plausible deniability, and in my opinion, having worked in cryptography for years, plausible deniability doesn’t really exist. And these terms of service are on almost every site.
When you look at breaking down the infrastructure, you have three big tiers. Now, even if CloudFlare is in front of it, or just the ISP that they’re really hosted at, you don’t see that DDoS traffic going out of there. So the ISPs that are hosting the web service part are not aware of it, because it’s not having any traffic going out, it’s just the web. And then they have these backend ISPs that are handling the actual weaponry; they have the proxies and all the stuff that’s actually hitting the servers. So, in a way, there’s no proof; it’s hard to take these things down, and it gets a little difficult because you have to bring together an entire case.

Obviously, HackForums.net is a very interesting site. There are a lot of things that are going on over there. I kind of looked up these booter services because, honestly, my focus wasn’t in this and I had to catch up. So I started trailing back and I found the TWBooter code leaked in the forums. We seem to see that all these kiddies – just like I’ve seen back in the early days of swatting – they swatted each other first. They weren’t hitting celebrities first, they were hitting each other. It was very much like a gang war.
So I joined the forum, not under my real name obviously, and grabbed a copy of the code. I did some code research; I’ve gotten pretty good at WebAppSec over the years. I perused through the code and gained some basic understanding of the web application and file structure. I even set up my own TWBooter locally, because it lets me understand how the system works, what’s available. This comes into some legal exploitation, because that’s important to me; it’s basically what I call ‘inferred access’ – I know there’s a file sitting on there, it may not be advertised that it’s there, but it’s readable to me. So I study this code, and unknown files may be known. Incorrect directory/file permissions – that’s one thing a kiddie doesn’t know anything about; and publicly accessible files, including maybe database export scripts. That’s been kind of a fun thing.

As Brian said, the SQL files keep getting hacked. It was a publicly accessible file when I found it, so I grabbed it. It was sitting in the backup directory of the booter site. I quickly did something so that we could confirm we’re on the right track. We searched for KrebsOnSecurity inside the booter file (see right-hand image); of course we’ve got a hit here, so it’s good for us. The dates are in Unix format, so this is something where we need to go technical (see left-hand image). I wrote quick conversion code and we started looking at the first date of the DDoS attack based on the story that occurred. And we see it’s Thursday, March 14, 13:13 EDT 2013. I worked with Brian to also work with Prolexic, and we all started looking at the correlation that was matching the time for the attacks that were occurring. Then I started looking at the SQL database itself and looked at the user IDs and stuff – there’s a table here (see right-hand image) where you can kind of get to learn this stuff. User ID 126 is where we started tracking from. Then we see this article on Ars Technica the next day; it made big news.
And Brian is like: “Oh, shoot! They’re DDoS’ing the site.” Basically, we suspected the same motive – attack all things “Brian Krebs”. This also very much goes back into the psychological profile of “It’s likely a kid” because, again, that’s a very impulsive behavior. So, one problem is, my booter.sql file does not have historical logs, so we had to make an effort to change that.
So, we got to fear the foo but pity the foobar. I had these logs and did targeted analysis, basically I looked at Arstechnica.com, their IP address. And we have to do a couple of things. Date conversion – guess what? Friday, March 15, 11:54 EDT 2013. Epic fail for the bad guy, or win for us, obviously.
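The triage Lance describes (pulling the attack table out of the leaked dump, searching it for the victim's hostname, converting the Unix-epoch timestamps to EDT and matching them against the mitigation provider's attack window) is shown below as an added example. It is not Lance James' conversion code or anything from TWBooter; the `attacks` table layout (`id`, `user_id`, `target`, `timestamp`) and every row in `SAMPLE_DUMP` are constructed for illustration, with only the two dates and user ID 126 taken from the talk.

```python
"""Forensic triage of a leaked booter attack log (added example).

Assumed table layout (hypothetical, not TWBooter's real schema):
    attacks(id, user_id, target, timestamp)   -- timestamp = Unix epoch seconds
The dump text below is constructed sample data, not the real booter.sql.
"""
import re
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    EASTERN = ZoneInfo("America/New_York")
except Exception:  # no tz database: both dates in the talk fall after
    EASTERN = timezone(timedelta(hours=-4), "EDT")  # DST start, so EDT = UTC-4

# Constructed rows in the shape of a MySQL dump INSERT statement.
SAMPLE_DUMP = """
INSERT INTO `attacks` (`id`, `user_id`, `target`, `timestamp`) VALUES
(8801, 126, 'krebsonsecurity.com', 1363281180),
(8802, 77, 'example-gamer.test', 1363290000),
(8803, 126, 'arstechnica.com', 1363362840),
(8804, 126, 'www.krebsonsecurity.com', 1363295000);
"""

# One VALUES tuple: (int, int, 'string', int)
ROW_RE = re.compile(r"\((\d+),\s*(\d+),\s*'([^']*)',\s*(\d+)\)")


def parse_attack_rows(dump_text):
    """Extract attack rows from the INSERT statements in a SQL dump."""
    rows = []
    for m in ROW_RE.finditer(dump_text):
        rows.append({
            "id": int(m.group(1)),
            "user_id": int(m.group(2)),
            "target": m.group(3),
            "epoch": int(m.group(4)),
        })
    return rows


def epoch_to_eastern(epoch_seconds):
    """Convert a Unix timestamp (UTC) to an aware US/Eastern datetime."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).astimezone(EASTERN)


def format_like_talk(epoch_seconds):
    """Render a timestamp the way the talk quotes it, e.g. 'Thu Mar 14 13:13 EDT 2013'."""
    return epoch_to_eastern(epoch_seconds).strftime("%a %b %d %H:%M %Z %Y")


def find_target_hits(rows, needle):
    """Case-insensitive substring search of the target column (the 'grep for KrebsOnSecurity' step)."""
    needle = needle.lower()
    return [r for r in rows if needle in r["target"].lower()]


def correlate_with_window(rows, window_start, window_end):
    """Return rows whose launch time falls inside an externally observed attack window
    (e.g. the start/end the mitigation provider reported)."""
    return [r for r in rows if window_start <= epoch_to_eastern(r["epoch"]) <= window_end]


def attacking_user_ids(rows):
    """Distinct booter accounts behind a set of rows: the pivot to the user table."""
    return sorted({r["user_id"] for r in rows})


if __name__ == "__main__":
    rows = parse_attack_rows(SAMPLE_DUMP)
    hits = find_target_hits(rows, "krebsonsecurity")
    for r in hits:
        print(r["id"], r["user_id"], r["target"], format_like_talk(r["epoch"]))
    window = (datetime(2013, 3, 14, 13, 0, tzinfo=EASTERN),
              datetime(2013, 3, 14, 14, 0, tzinfo=EASTERN))
    print("in window:", [r["id"] for r in correlate_with_window(hits, *window)])
    print("accounts:", attacking_user_ids(hits))
```

The search is done on the parsed target column rather than on the raw dump so that a hostname buried in an unrelated column (a username, a note) does not produce a false hit, and the window comparison is done on aware datetimes so that an attack window supplied in UTC by the mitigation provider compares correctly against the converted Eastern times.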
Read previous: Spy-jacking the Booters 4: The CloudFlare and PayPal Dilemma