ILL_Natured_gr’s team Weblog

ILL_Natured_gr’s team Weblog at WordPress

Archive for the ‘PC Security’ Category

Another inconvenient truth: Al Gore’s Web site hacked

Posted by ILL Natured_gr on November 28, 2007

Noone’s safe these days…

Another inconvenient truth: Al Gore’s Web site hacked
The Web site for Al Gore’s film, ‘An Inconvenient Truth,’ has been hacked.

Robert McMillan (IDG News Service) 27/11/2007 12:24:32

A blog set up to promote former US Vice President Al Gore’s film, “An Inconvenient Truth,” has been hacked and is hosting links to Web sites hawking online pharmaceuticals.

The links appear to have been created as part of a scheme to boost the Web traffic for sites that promote the drugs, security experts said Monday. They contain titles such as “Xanax On Line,” “Viagra,” and “Buy Valium Online.”

Cyber scammers have been using this technique for months now, packing hacked Web sites with links to their products in hopes of bumping up their rankings on search engines such as Google and Another similar tactic, known as “comment spam,” involves flooding the comment sections of Web sites with these types of links.

Because search engines give priority to pages that are linked to by very popular pages, adding links from the Inconvenient Truth blog would be a bonanza for scammers, according to Adam Thomas, a malware researcher at Sunbelt Software. The film’s blog has “such a high page ranking that they use that as sort of conduit to … gain a really high Google page rank, and hope that they can find some suckers to buy some medications online,” he said.

The domain, which hosts the blog, is registered to Al Gore, the star of the 2006 Academy Award-winning documentary on global warming. Not all pages on the site appear to have been compromised, security experts say; just those associated with the blog.

Though the drug-promoting links can be seen by the crawler software used by search engines, most visitors wouldn’t even know that they exist. On Monday, they couldn’t be seen on the Web page itself, but were visible in the blog’s source code — which only the people who maintain the Web site should be able to alter. The links point to Web pages on a site run by Westmont College, a small Christian college based in Santa Barbara, California. The Westmont College Web site also appears to have been hacked, Thomas said.

The hacked Westmont pages are in an early stage of development, but some of them were hosting blog pages that could ultimately be used to host ads for the drugs or even to link to other sites that actually sold the pharmaceuticals, Thomas said.

Thomas said attackers were most likely able to gain access to the blog by exploiting flaws in the WordPress Web publishing software used by both the Inconvenient Truth blog and Westmont College. Representatives for Al Gore and Westmont College could not be reached immediately for comment.

Once they gained access to the site, criminals could have easily added malicious exploit code to the blog, and that code could have been used to infect visitors’ PCs with computer viruses, said Roger Thompson, chief technology officer of Exploit Prevention Labs. “It just shows how tricky it is to secure a Web site,” he said. “I think we’re a bit lucky it’s not shooting exploits.”

Linus Larsson of Computer Sweden contributed to this story.

Source :

Posted in Internet, News, PC Security | Tagged: , , , | Leave a Comment »

MySpace hacked, exploits target Alicia Keys’ page and others

Posted by ILL Natured_gr on November 10, 2007

MySpace hacked, exploits target Alicia Keys’ page and others

By Thomas Claburn
9 November 2007 12:47PM

Avoid Alicia Keys’ Web page on MySpace. It’s been hacked..

Roger Thompson, CTO at Exploit Prevention Labs, has found multiple hacked MySpace pages, including the page for Alicia Keys, the social networking site’s fourth most popular music artist.

In keeping with what appears to be a new trend among security researchers, Thompson has released a video depicting the hack on YouTube. He has also posted details on his blog.

Visiting the page exposes the visitor to an exploit that installs malware unless the user is fully patched against the most recent security vulnerabilities. “They’re using an exploit to install software in the background,” Thompson explains in the video.

Even those with patched systems are vulnerable. The hackers have found a way to associate their malicious URL with what would normally be a non-clickable background area on the Web page. The result is that clicks outside specific clickable controls get captured and interpreted as a click on the malicious URL.

“If you click anywhere outside a given control, [the malicious URL] will be the default control that it goes to,” Thompson explains. “It’s a really interesting technique and it’s going to catch a lot of people.”

“What’s not clear at this point is how they’re doing it, and how widespread it is,” Thompson says on his blog. “Neither Google nor MySpace seems to be indexing the critical bit of HTML. If you search for the exploit site (, the only results seem to be victims, or people talking about victims.”

In a conversation via instant message, Thompson said that social networking sites are increasingly become vectors of attack. “The whole point of browser stuff is that it bypasses the firewall,” he explained.

A spokesperson for MySpace was not immediately available to comment on the attack.

Source :

Posted in Internet, News, PC Security | Tagged: , , , , | 1 Comment »

Cyber criminals building more but smaller botnets

Posted by ILL Natured_gr on October 2, 2007

Cyber criminals building more but smaller botnets
By Gemma Simpson, Special to ZDNet Asia
Monday, October 01 2007 07:48 AM

Cyber criminals are downsizing their botnets to try and trick software security companies.

Computers infected with a virus unknowingly become ‘zombies’ in a botnet–which is a network used to send out spam and to mount further attacks on other machines. The zombie army can be controlled remotely with the botnet creators usually trying to build the largest possible botnet of compromised computers to rent out to gangs for as little as US$100 for a couple of hours.

But researchers at antivirus company F-Secure have reported seeing these large networks being broken down into smaller groups of compromised computers because the creation of large botnets is not creating as much revenue for such cyber criminals.

Mika Stahlberg, program manager of the security response team at F-Secure, said the company is still seeing very big botnets around the world but coders are no longer trying to build as big a botnet as they can because that does not make any more money than a collection of smaller botnets.

The botnet bandits are also erring on the side of caution by steering away from larger botnets because if the central server controlling such a network goes down then the whole of the botnet is lost, according to F-Secure.

Stahlberg added: “These people don’t want to put all their eggs in one basket and are therefore running smaller botnets.”

The malware writers are also getting lazy, according to F-Secure, and are no longer attempting to catch out companies by using increasingly complex viruses.

Sean Sullivan, technical expert at F-Secure, said virus writers can no longer beat security companies with complex codes and are therefore trying to do it through creating “malware factories” which swamp the security companies.

Sullivan added: “It used to be a big event when a virus came along but now we get 10,000 [malware samples] a day, most of which are variations on the same code.”

Gemma Simpson of reported from London.

Source :

Posted in Internet, News, PC Security | Tagged: , , , , | Leave a Comment »

Gmail’s Zero-Day Flaw Allows Attackers to Steal Messages

Posted by ILL Natured_gr on September 28, 2007

Gmail’s Zero-Day Flaw Allows Attackers to Steal Messages
Gmail can be easily hacked, allowing any past–and future e-mail messages–to be forwarded to the attacker’s own in-box, a vulnerability researcher said Tuesday.

Gregg Keizer, Computerworld
Wednesday, September 26, 2007 4:00 PM PDT

Accounts on Google Inc.’s Gmail can be easily hacked, allowing any past — and future e-mail messages — to be forwarded to the attacker’s own in-box, a vulnerability researcher said Tuesday.

Dubbed a “cross-site request forgery” (CSRF), the Gmail bug was disclosed Tuesday by Petko Petkov, a U.K.-based Web vulnerability penetration tester who has made a name for himself of late. In the past two weeks, Petkov has publicly posted information about critical, zero-day bugs in Apple Inc.’s QuickTime, Microsoft Corp.’s Windows Media Player and Adobe Systems Inc.’s Portable Document Format (PDF).

According to Petkov, who declined to release details about the vulnerability, attackers can use Gmail’s filtering feature to exploit the bug. An attack, he said, would start with a victim visiting a malicious Web site while also still logged into his Gmail account. The malicious site would then perform what Petkov called a “multipart/form-date POST” — an HTML command that can be used to upload files — to one of the Gmail application programming interfaces, then inject a rogue filter into the user’s filter list.

Petkov posted a series of screenshots on the site that illustrated one possible attack. “In the example, the attacker writes a filter, which simply looks for e-mails with attachments and forwards them to an e-mail of their choice,” Petkov said. “This filter will automatically transfer all e-mails matching the rule.

“Keep in mind that future e-mails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google,” he added.

Google did not immediately reply to questions about whether it had confirmed the vulnerability, and if so, when it would patch the problem.

At least one user commenting on Petkov’s posting, however, claimed that a Firefox extension could block exploits of the Gmail bug. Giorgio Maone, the creator of the popular NoScript add-on, said that his extension blocks CSRF attacks from untrusted sites, which a malicious page likely would be. (NoScript blocks JavaScript, Java, other scripting and executable content from running from untrusted sites; Firefox users can download it from the Mozilla add-on site.)

As he did last week when he disclosed a major bug in Adobe’s pervasive PDF file format, Petkov again defended his decision to post information about the Gmail flaw without first reporting the vulnerability to Google. The reasoning, however, was oblique: “Let’s say that it is just one of my social experiments.”

Jeremy Grossman, the chief technology officer at San Jose-based WhiteHat Security Inc., said that the Gmail flaw is “especially scary.” In an entry to his blog, Grossman explained further: “Web mail accounts are in many ways more valuable than a banking account because they maintain access to many other online accounts (blog, banking, shopping, etc.). [Attacks exploiting this vulnerability would be] simple, silent and extremely clever.”

Petkov added his own two cents on the bug’s implications. “In an age where all the data is in the cloud, it makes no sense for the attackers to go after your box,” he said. “It is a lot simpler to install one of these persistent backdoor/spyware filters. Game over! They don’t own your box, but they have you, which is a lot better.”

Source :

Posted in Internet, PC Security | Tagged: , , , | Leave a Comment »

Five of the Dirtiest Malware Tricks

Posted by ILL Natured_gr on September 28, 2007

Five of the Dirtiest Malware Tricks
From disguising applets to look like part of Windows to co-opting security tools, Web crooks use a variety of methods to bypass your system’s safeguards.

Erik Larkin
PC World
Thursday, September 27, 2007; 12:19 AM

If the crooks behind viruses, Trojan horses, and other malicious software were as stupid as they are scummy, we’d have a lot less to worry about. But as protective measures get better at stopping the obvious attacks, online creeps respond with underhanded moves to invade your PC. Here are five of their dirtiest tricks, all based on Trojan horses.

Don’t mind me–I’m only here to break your PC: It’s like sending in a different scout each time to open the gate for the rest of the invaders. The “Glieder Trojan” and many others use a multistage infection process whose first step is a tiny program that the crooks can change constantly so your antivirus watchdog is less likely to recognize it. Once it gets in, the downloader tries to disable your security before pulling down the real payload, which could be a data stealer or anything else the attacker wants.

Locked and encrypted Web sites? No problem: Web sites can and should use secure socket layer (SSL) to encrypt and protect sensitive data such as bank account log-ins. (When a lock icon appears in the address bar, that indicates the site is using SSL.) But the “Gozi Trojan” and its ilk evade SSL protections by making Windows think they’re part of the process, so your data leaves IE and goes through Gozi before it’s encrypted and sent out on the network. Instead of spying on your keyboard, which many security programs watch for, these apps roll into the OS as fake layered-service providers (LSPs).

The SpamThru, SpyAgent, and Jowspry Threats

Malware that scans your PC for malware: An extra antivirus scan can only be a good thing, right? Not when it just gets rid of rivals to the “SpamThru Trojan.” This nasty introduced a pirated, pared-down version of Kaspersky AntiVirus (which Kaspersky has since shut down) to delete other malware so it could have the victim PC to itself to use as a spam sender. If the PC had a real antivirus app, SpamThru would attempt to block its updates, preventing it from identifying new threats.

Equal-opportunity encryption: Encrypting sensitive data and protecting it with a password helps shield it from prying eyes. But the “SpyAgent Trojan” enters the encryption game, too. When installed on a Windows PC with the Encrypting File System (which is included in Windows 2000, XP Pro, 2003 Server, and 2005 Media Center), SpyAgent establishes its own administrator-level user account and uses this account to encrypt its files. You–or your antivirus software–would have to guess the account’s random password to decrypt and scan the malicious files to confirm they weren’t supposed to be there.

Hi, firewall. I’m Windows Update. Honest: Firewalls protect computers and networks from bad guys’ efforts to go in or out. So the “Jowspry Trojan” masquerades as something known and approved–Windows Update. The crafty malware makes its connections look like the Background Intelligent Transfer Service used by Windows Update, and unsuspecting firewalls let it download more attack programs to your PC.

To pull off these sneaky ploys, malware first has to get on your PC. If you keep Windows and other programs up-to-date, avoid opening attachments or clicking links in unsolicited e-mail, and use a good antivirus program, you won’t give the crooks a chance to put their Trojan horses to work.

Descriptions based on research and analysis from Peter Gutmann at the University of Auckland, Craig Schmugar and Aditya Kapoor at McAfee’s Avert Labs, and Joe Stewart at SecureWorks.

For an inside look at the way Internet attackers buy and sell their insidious tools, read “An Inside Look at Internet Attackers’ Black Markets.” To ensure that you’ve closed critical software holes, read “Close the Holes Targeted by the MPack Attack Kit.”

Source :

Posted in Internet, PC Security | Tagged: , , , | Leave a Comment »

C-level employees targeted in trojan attack

Posted by ILL Natured_gr on September 26, 2007

C-level employees targeted in trojan attack
Liam Tung, ZDNet Australia

25 September 2007 01:43 PM

C-level employees of publicly listed companies are being targeted by cybercriminals using malware-infected RTF (Rich Text File) documents disguised as recruitment letters.

Security vendor MesssageLabs reported that 1,100 e-mails containing malware-infected RTF attachments have been recorded over a 16-hour period this month. Four separate waves appeared between 13 and 14 September, the company said.

“All [the emails] were going after C-level management. The e-mails included the company name in subject field, purporting to be a recruitment company. What it had in the attachment is an executable RTF file,” a MessageLabs spokesperson said.

Similar e-mails were noticed in June this year, he said.

The e-mail, which contained no body text, included an .SCR screen saver dummy file within an executable RTF file, the spokesperson said. When recipients attempt to open the file, a message is displayed stating: “Microsoft has encountered an error and had to close.” The recipient is then advised: “To view this, double click on the message.”

Once activated, the RTF file starts a chain of downloads which establish a secure connection between the attacker’s server and the infected computer.

The C-level nature of the targets clearly indicates that the attackers are after information, MessageLabs spokesperson said, but the greater concern is the social engineering technique used to spread the trojan-harbouring e-mail.

“The way that this works has the potential to be so effective. You are getting that top down approach — if they forward that e-mail on internally, that e-mail is coming from a trusted source,” he said.

The spokesperson added that all the e-mails were addressed to a single person, which helps diminish their conspicuousness.

F-Secure security expert Patrik Runald recently postulated that the perfect attack would be a zero-day attack using a rootkit-cloaked trojan sent to an HR manager who, due to company policy, would be compelled to open the document.

He told ZDNet Australia: “These are scary cases because it’s really hard to protect yourself against. We have to run Office and we have to allow Word, RTF, PowerPoint and Excel files through. It shows that signature based antivirus is not enough; you need more technology than that.”

Runald said there is little organisations can do to protect against these threat types besides educating users of the risks because banning the receipt of common file types is impractical.

Heuristic or behavioural-based monitoring is proving to be more effective at blocking these attacks since the behaviour of the file remains the same despite different signatures being used, he said.

Source :

Posted in Internet, News, PC Security | Tagged: , , , | 2 Comments »

Hackers welcome

Posted by ILL Natured_gr on September 20, 2007

Hackers welcome
Andy Greenberg,
Posted: 18 September 2007 1549 hrs

In the summer of 2005, Michael Lynn discovered a dangerously exploitable flaw in an older version of Cisco routers, one that could shut down or hijack wide swaths of the Internet if it fell into the wrong hands. Lynn, a researcher with Internet Security Systems, immediately told Cisco’s security team about the bug.

But when Cisco showed no signs of informing customers who used the outdated hardware, Lynn put his discovery in front of a more responsive audience: the thousands of hackers attending the Black Hat security conference in Las Vegas.

Slideshow: Hackers Welcome at Software Companies

In Pictures: Hacking Outside the Box

In Pictures: America’s Hackable Backbone

In Pictures: Seven Habits Of Highly Insecure Employees

In Pictures: Software Bug Blowups

Cisco’s next reaction was swift: It sued Lynn, even though his presentation hid details of his exploit. The episode became a public relations blow up for Cisco and a legal morass for Lynn.

That kind of stonewalling, enmity and miscommunication has long characterised relations between hackers and software developers, says Jennifer Granick, a cyber-law attorney who represented Lynn in his legal battles.

“There’s been a lot of bad blood,” she says. “Companies have a hard time acting grateful when some punk kid is lording over them that they found something wrong with their software.”

But that attitude is now changing. Software developers are learning that cooperating with hackers is better than ignoring or attacking reports of exploitable holes in software.

At the same time, a growing number of security companies are willing to pay for information about software vulnerabilities. That has nudged more software makers to treat independent security less like bandits and more like helpful volunteers.

“Essentially, we’re doing free quality assurance work for software vendors,” says a hacker who goes by the handle “Dead Addict,” and who spoke on unexpected bug disclosures at the DefCon hacker conference last month.

“Companies’ first reaction is often: ‘What can we do to stop this from going on?’ But they’re learning that that’s counterproductive.”

To the surprise of many, Microsoft has become one of the most hacker-friendly software developers, says Dead Addict, who also works for a major mobile hardware company. He recalled how several of his hacker friends were hired as contractors to test the security of Microsoft’s Vista operating system in the months before it was released.

Microsoft is proving equally enthusiastic when it hears about hackable flaws in its software from people not on the software giant’s payroll. “We’ve learned a lot about how to work with independent researchers, and we’re always trying to make it easier,” says Mark Miller, director of Microsoft’s Security Response Team.

Miller says that 70 per cent of the security flaws discovered in Microsoft’s products last year were reported directly to the company by “volunteers.”

Cisco has also “moved on” since its highly publicised spat with Michael Lynn, says Mike Caudill, the company’s product security incident manager. “We’ve worked with independent researchers for years, and we welcome them contacting us,” he says.

Cisco has a 24/7 hotline and a secure system that hackers can use to send encrypted messages to the company about sensitive vulnerabilities.

But convincing hackers to give away information about bugs – some of which could easily help unscrupulous hackers spy, steal bank codes or hijack computers to issue spam or “malware” – is also getting trickier.

Companies, including 3Com’s TippingPoint division and iDefense, offer to buy vulnerabilities from hackers for several thousand dollars apiece, promising to inform the vendor of exploitable flaws.

Other bug buyers, including Netragard and Immunity, pay hundreds of thousands of dollars for details of vulnerabilities that security researchers use to test how easily hackers can penetrate a system – and they don’t always share the information immediately with the software’s manufacturer.

In July, a Switzerland-based web site called Wabisabilabi began auctioning bugs in an eBay-style marketplace. Among the items up for bid were detailed descriptions of bugs in 3Com file transfer protocol servers, WordPress software and SAP’s graphical user interface. An unidentified bidder is currently offering 5,000 euros (about $6,900) for information about one SAP bug.

Software vendors have hesitated to offer money for vulnerabilities in their own software, for fear that such bounties would only attract attention to their products’ flaws and invite extortion.

One rare exception was Netscape’s bug bounty program in the late 1990s, which paid hackers $1,000 for significant discoveries.

Neither Microsoft nor Cisco offer bounties, but they do give credit in their security bulletins to hackers who offer up bugs.

Given that Netragard can pay hackers as much as $200,000 for information about vulnerabilities, Adriel Desaultels, the company’s chief technology officer, says that the least software vendors can do is to avoid a hostile response to hackers.

“Vendors really can’t compete with us in terms of paying for vulnerabilities,” he says. “And when they try to quash research, it only takes a quick post to ruin their reputation as a company that makes secure software.”

Some companies have yet to learn that lesson. Diebold Election Systems, recently renamed as Premier Election Solutions, unsuccessfully issued legal threats to dozens of individuals in 2003 for publicising security problems found in their voting machines.

Last year, Princeton University Professor Ed Felten and two of his graduate students found a method to infect Diebold voting machines with a virus that communicated from machine to machine via removable memory cards, potentially enabling the wholesale theft of votes.

Felten says Diebold ignored the academicians’ entreaties to patch the flaw. A Premier spokesman denies that Felten’s research pinpointed real vulnerabilities and says that the company is cooperating with all ongoing investigations and working to create a secure product.

In early August, however, the California secretary of state’s office decertified electronic voting machines built by three companies – including Diebold – because of concerns about security vulnerabilities.

“Had (Diebold) engaged with us, they’d have a reasonably secure system,” says Felten. “Instead, they stonewalled, and look where it got them.”

But that hardliner attitude is increasingly becoming the exception rather than the typical corporate reaction, Felten says.

“Companies are already making sure that vulnerabilities get fixed and that hackers get credit,” he says. “And now that there’s competition from third parties who buy vulnerabilities, they’ll have to move even faster.”

Source :

Posted in News, PC Security | Leave a Comment »

Malware becoming more sophisticated, warns IBM

Posted by ILL Natured_gr on September 19, 2007

Malware becoming more sophisticated, warns IBM
“Exploits as a service” industry continues to thrive
Computerworld UK staff (Computerworld UK) 18/09/2007 08:24:39

IBM has reported an increase in malware volume and sophistication as part of its security statistics report for the first half of the year.

So far this year, its X-Force research and development team has identified and analyzed more than 210,000 new malware samples, which is more than the total number of malware samples observed over the entirety of last year.

According to IBM, the “exploits as a service” industry continues to thrive, with the new practice of “exploit leasing” added to the repertoire of criminals. By leasing an exploit, attackers can now test exploitation techniques with a smaller initial investment, making this underground market an even more attractive option for malicious perpetrators.

According to the report, Trojans (seemingly legitimate files that are actually malware) are the most common form of malware this year, accounting for 28 percent of all malware. Last year, by contrast, Downloaders was the most common category — a low-profile piece of malware that installs itself so that it can later download and install a more sophisticated malware agent.

“The X-Force security statistics report for 2006 predicted a continued rise in the sophistication of targeted, profit-motivated cyber attacks,” said Kris Lamb, director of X-Force. “This directly correlates to the rise in popularity of Trojans that we are witnessing this year, as Trojans are often used by attackers to launch sustained, targeted attacks.”

But running counter to historical trends, X-Force reports a slight decrease in the overall number of vulnerabilities uncovered in the first half of 2007 versus the first half of 2006. A total of 3,273 vulnerabilities were identified in the first half of this year, down 3.3 percent year-on-year. However, the percentage of high impact vulnerabilities has gone up since 2006 from 16 percent to 21 percent for the first half of 2007.

A similarly unexpected trend in the report is the decrease in spam message size. IBM said the fall corresponded with a decrease in image-based spam.

“The decrease in spam message size and image-based spam is a result of spammers adopting and experimenting with newer techniques, such as PDF- and Excel-based spam, as a means to more successfully evade detection by anti-spam technologies,” said Lamb.

Source :

Posted in Internet, News, PC Security | Leave a Comment »

Ad-based Trojan hits MySpace, Bebo and others

Posted by ILL Natured_gr on September 14, 2007

Ad-based Trojan hits MySpace, Bebo and others
Malware hidden in adverts

Matt Chapman, 11 Sep 2007

Users of high profile sites including MySpace, The Sun, Bebo and PhotoBucket have been exposed to a Trojan hidden within adverts.

The sites all ran advertising in recent weeks from the Right Media online ad exchange which were unknowingly infected with the Downloader.VBS.Agent.n Trojan.

“This is another example of how legitimate ‘trusted’ websites can unknowingly host malware,” said Dan Nadir, vice president of product strategy at ScanSafe.

“Online ads have become a primary target for malware authors because they offer a stealthy way to distribute malware to a wide audience.”

Nadir explained that the malware was particularly dangerous because it required no user interaction for infection to take place.

ScanSafe estimates that up to 12 million ads may have been delivered, exposing a large number of users to the Trojan.

The security vendor saw a surge in blocks of the Trojan beginning on 8 August and continuing until early September.

Nadir added that it will be very difficult to track down the source of the malware because the hacker used the distributed nature of online advertising to spread the code to hundreds of sites.

One of the infected adverts used a Flash file to generate an invisible iFrame. This was linked to an IP address containing obfuscated visual basic script that used the well-known MDAC exploit to download a Trojan executable.

ScanSafe believes that the malicious script inside the Flash ad avoided detection by Right Media because of the clever use of a referrer check. This meant that the advert only became active when delivered by a particular ad server.

The Downloader.VBS.Agent.n malware downloads other programs which are launched on the victim’s machine without knowledge or consent.

ScanSafe said that several well known sites, including TomsHardware, have unwittingly hosted malware that was inserted via infected online ads.

Source :

Posted in Internet, PC Security | Leave a Comment »

Online Thugs Assault Sites That Specialize in Security Help

Posted by ILL Natured_gr on September 13, 2007

Online Thugs Assault Sites That Specialize in Security Help and similar good-guy sites are hard hit by distributed denial-of-service attacks.

Erik Larkin, PC World

Tuesday, September 11, 2007 5:00 PM PDT

The good guys are taking a hit in the ongoing online war between the thugs who profit from phishing and malware, and those who work to stop them.

For two weeks, Web sites like, which offers help to those hit by malware and also actively works to shut down malicious Web sites, have been under attack. In what’s known as a distributed denial of service, black hats are flooding CastleCops with a barrage of garbage data in an attempt to overwhelm the site and knock it offline.

“It’s the folks who are out there in the trenches getting hit,” says Paul Laudanski, who founded CastleCops five and a half years ago

Attack Spreads

When the attack on began on August 29, Laudanski says, the site went down for a few hours as he scrambled to apply countermeasures. His site came back up, but the attack soon spread to other helpful sites such as,,,, and Most of these sites are currently unresponsive.

When the hosting provider for another site,, dropped the site because the attack became too much for the provider, CastleCops gave a home. CastleCops went down again under the combined attack, but is back up again.

The sites are all being hit by botnets, corralled networks of malware-infected computers that can be issued commands by a central controller, or botherder. Botnets are most often used to send money-making spam, but they can also launch denial-of-service attacks where each infected PC sends a steady stream of traffic at a victim site. CastleCops is shouldering the brunt of 20,000 bots as of today, and more than 1,000 additional bots join the fray each day.

Mystery Motive

Laundanski says he and others who work at these sites, many of which are not-for-profit, are still unsure about the attack’s rationale. And he’s likewise uncertain about whether it’s one group or many behind it all. He’s been able to gather some details, but doesn’t want to share them while the threat continues and let his attackers know what he’s been able to find out.

But Paul Sop, CTO of Prolexic, a company that defends clients against DDoS attacks, says “the prevailing street theory is that these guys are having an effect.” Their advice is helping malware or phishing victims, and their investigations are helping to shut down criminal operations

“So the botnet guys are targeting them,” he says.

Security sites, including CastleCops, have been targeted in the past, but attacks are on the rise, Sop says. In the past five months, he says, there has been an increased focus on attacking organizations on the front lines who try to fight back against the crooks.

Strengthened Resolve

But according to Laudanski, who has started a new online forum documenting the ongoing battles, the attacks may backfire.

“The criminals are in it for the money,” he says. “It’s a huge business for them. [But] we’re in it for the feeling that we get being on the side of right.”

So this assault shows that “these sites are definitely doing something right,” he says, “because we’ve got the attention of these scammers. It gives us greater resolve.”

Source :

Posted in PC Security | Leave a Comment »