Investigative reporter Brian Krebs and cybersecurity expert Lance James take the floor at Black Hat to dissect the infrastructure of the DDoS-for-hire industry.
Brian Krebs: Hey everyone! My name is Brian Krebs, I’m an independent investigative reporter at Krebsonsecurity.com. I think this is my fifth or sixth Black Hat – I can’t remember at this point – as a journalist. I’m kind of used to being where you guys are, in the audience and heckling the speakers, so it’s kind of a thrill to be up here. Hopefully you’ll be kind to me, and I guess, karmically, it’s okay if you’re not. I’ve got a lot of stuff to cover in a very short period of time, and my buddy Lance James here, who I’m sure is no stranger to a lot of you in the room, is going to be bringing up the second part of the talk, talking about some of the more technical aspects. So, if I blaze through this stuff real quickly I think we’re going to have hopefully a little time at the end for Q&A. But if you guys think I talk fast, wait till Lance gets up here – holy crap, he makes me look like I’m slow in the brain.
This talk is about a pretty active area of the underground, or semi-underground, or whatever you want to call it – it’s about a proliferation of DDoS-for-hire sites that are basically springing up left and right. For the most part, they are run by teenagers or young men here in the United States who, frankly, aren’t doing a whole lot to hide their identities, or even trying that much, it seems. I want to state upfront what this talk is not about: it’s not about mysterious organized Russian cybercriminal hacker gangs or anything near that level of scariness; although the script kiddies that are running these sites do certain things to try to make themselves seem a little more leet, like, you know, their DDoS-for-hire sites could be .su or .ru domain names – that makes them a little more leet than they are. What we’re dealing with here in this talk is, for the most part, admittedly a bunch of script kiddies, or what my friend and collaborator Allison Nixon likes to call the ‘noob persistent threat (NPT)’. Actually, most of these guys are so noobish that calling them script kiddies is probably an insult to the script kiddies of old. I mean, at least those guys could open up a command line and do their script from the command line.
That being said, I think that there’s a general tendency to dismiss the activities of script kiddies, because maybe they are not leet enough or scary enough to help companies sell security products. But I think it’s a mistake to discount these guys because some of the stuff they’re coming up with is pretty ingenious stuff. One of the hack forums I’m going to talk about today – a lot of these guys are selling their services on there, but they are selling things like remote access Trojans, they are selling things like botnet code, and this stuff is showing up in some really scary places, like the DarkComet RAT showing up in the Syrian government to target activists.
You can go to these sites and create an account, and once you’ve funded it you just put in the IP address or the hostname of the site you want to attack – and you’re off to the races. And the best part is there’s no need to deal with WebMoney and all these other virtual currencies, Bitcoin and crap like that. You can pay for it with PayPal. That means you can just launch DDoS attacks with your credit card.