Spy-jacking the Booters

Investigative reporter Brian Krebs and cybersecurity expert Lance James take the floor at Black Hat to dissect the infrastructure of the DDoS-for-hire industry.

Brian Krebs: Hey everyone! My name is Brian Krebs, I’m an independent investigative reporter at Krebsonsecurity.com. I think this is my fifth or sixth Black Hat – I can’t remember at this point – as a journalist. I’m kind of used to being where you guys are, in the audience and heckling the speakers, so it’s kind of a thrill to be up here. Hopefully you’ll be kind to me, and I guess, karmically, it’s okay if you’re not. I’ve got a lot of stuff to cover in a very short period of time, and my buddy Lance James here, who I’m sure is no stranger to a lot of you in the room, is going to be bringing up the second part of the talk, talking about some of the more technical aspects. So, if I blaze through this stuff real quickly I think we’re going to have hopefully a little time at the end for Q&A. But if you guys think I talk fast, wait till Lance gets up here – holy crap, he makes me look like I’m slow in the brain.

This talk is about a pretty active area of the underground, or semi-underground, or whatever you want to call it – it’s about a proliferation of DDoS-for-hire sites that are basically springing up left and right. For the most part, they are run by teenagers or young men here in the United States who, frankly, aren’t doing a whole lot to hide their identities, or even trying that much, it seems. I want to state upfront what this talk is not about: it’s not about mysterious organized Russian cybercriminal hacker gangs or anything near that level of scariness; although the script kiddies that are running these sites do certain things to try to make themselves seem a little more leet, like, you know, their DDoS-for-hire sites could be .su or .ru domain names – that makes them a little more leet than they are.

New 'interpretation' of the NPT concept

What we’re dealing with here in this talk is, for the most part, admittedly a bunch of script kiddies, or what my friend and collaborator Allison Nixon likes to call the ‘noob persistent threat (NPT)’. Actually, most of these guys are so noobish that calling them script kiddies is probably an insult to the script kiddies of old. I mean, at least those guys could open up a command line and do their script from the command line.

That being said, I think that there’s a general tendency to dismiss the activities of script kiddies, because maybe they are not leet enough or scary enough to help companies sell security products. But I think it’s a mistake to discount these guys because some of the stuff they’re coming up with is pretty ingenious stuff. One of the hack forums I’m going to talk about today – a lot of these guys are selling their services on there, but they are selling things like remote access Trojans, they are selling things like botnet code, and this stuff is showing up in some really scary places, like the DarkComet RAT showing up in the Syrian government to target activists.

DDoS attacks are on the rise

So, just a little bit of background on the DDoS-for-hire industry: this is not a new industry, I’m sure most of you understand that. Just about everyone you ask who monitors DDoS attacks these days is noticing they are not only becoming more prevalent and more damaging, but a lot more powerful. More importantly, while the targets of these DDoS attacks have traditionally been sort of the e-commerce sites, the banks, etc. – these days, if it has an IP address, somebody is going to packet it, they are going to get attacked at some point.

The Darkness DDoS kit

Some of the increase that we’re seeing in DDoS attacks is, no doubt, due to automated build-your-own DDoS kits like BlackEnergy, Dirt Jumper and Darkness, which make it stupid easy to build your own DDoS army. But even if you can’t be bothered to do this, to build your own DDoS, there have always been services that you can hire in the underground and go to in order to take somebody offline.

Ad for a DDoS-for-hire service

These commercial DDoS services typically have a few qualities that really limit their client base. #1 – a lot of them don’t have websites. Some guy who has put up an ad like this (see left-hand image) – you have to know where on the forum to find the guy, you have to chat him up in ICQ or Jabber, and if you don’t speak Russian it might not be the easiest thing to do. And at the end of the day, if you want to pay for one of these attacks, you’re not going to use your credit card, you’re going to use something like WebMoney. For the average Western guy who wants to take a website offline, he’s not going to have a WebMoney account or want to deal with that whole thing.

A heck of a name for a stresser

What’s interesting about these booter services I’m going to talk about today is they don’t have any of those shortcomings. They call them ‘stressers’, they call them ‘stress testing sites’, because nobody uses it to take any other site offline except their own… And they are designed for use by U.S. citizens. I didn’t make this up (see right-hand image). These booter services cost pennies per attack, so some of the other DDoS-for-hire sites can cost 5-50 bucks a day. That may sound like not a lot of money, but for the guys who really want to pay for this stuff it tends to be.

You can go to these sites and create an account, and once you’ve funded it you just put in the IP address or the hostname of the site you want to attack – and you’re off to the races. And the best part is there’s no need to deal with WebMoney and all these other virtual currencies, Bitcoin and crap like that. You can pay for it with PayPal. That means you can just launch DDoS attacks with your credit card.

Read next: Spy-jacking the Booters 2: Swatting as a Retaliation
