<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-56W9VX" height="0" width="0" style="display:none;visibility:hidden">

Nexusguard Blog

Cybersecurity best practices and DDoS defence strategies

Latest Stories

Featured Stories

Blog Home
Ka Lau
November 03, 2015

CCTV Camera DDoS Botnet & the Rise of Smoke-Screening

Welcome to Nexusguard’s DDoS Digest: This Week’s Distributed Denial. We know that many people in the IT security, tech, and business communities are busy, so we filter the news for the most interesting and critical stories.


In this week’s installment, we look at four top DDoS headlines:

  • Botnet made up of almost 1000 security cameras
  • Ransom demand met with $23,000 bounty
  • XOR DDoS hitting nearly 2 dozen targets daily
  • Smoke-Screening: DDoS as a bait-and-switch


Botnet made up of almost 1000 security cameras

More than 900 CCTV security cameras are now slaves of a worldwide botnet that is being used as a weapon by cybercriminals.


One thing that was not difficult for those creating the botnet was finding some cameras. There are nearly a quarter of a billion around the world, according to Charlie Osborne of Zero Day http://www.zdnet.com.



Image source from Charbel Akhras on Flickr


Hackers wanting to disrupt online services have increasingly realized that these cameras are easy to exploit, using the zombies to inundate servers and lead to denial-of-service for a website’s true users.


When security analysts looked at a recent HTTP Get Flood attack that maxed out at 20,000 requests per second, they noticed a significant portion of the IP addresses that made up the botnet corresponded to CCTV surveillance cameras.


The hackers took advantage of a specific security weakness of many cameras: they still had the default, out-of-the-box credentials that were never updated by the owners.


“Once an attacker gained access to a camera through the default credentials,” wrote Osborne on October 26, “they installed a variation of the ELF Bashlite malware, a type of malicious code which scans for network devices running BusyBox,” a Unix software bundle.


After locating the devices, the malware variant began directing them toward DDoS targets.


Ransom demand met with $23,000 bounty

As with many displays of brute force, with DDoS, money is part of the problem. However, sometimes, it is also the solution.


Aria Technology founder Aria Taheri said that his site was blasted with a DDoS on Monday, October 19. The attackers demanded about $4400 in bitcoin – 16.66 of them (perhaps so they could have the proverbial “666” in the ransom?). Rather than paying the chump change, Taheri offered more than five times that amount as a bounty to catch the perpetrators.


“The message to the hackers is that I will spend a significant amount of money to bring them to justice,” Taheri told CoinDesk http://www.coindesk.com/e-tailer-offers-23000-to-catch-ddos-attackers-demanding-bitcoin/ on October 21. “Our track record shows that we have done that before, and based on that track record I am fairly confident we can do that [again].”


Interestingly enough, the threatening party was all bark and no bite. They said that if the ransom wasn’t paid, they were going to drive Aria Technology off-line for the entirety of October 21. But they didn’t do that.


XOR DDoS hitting nearly 2 dozen targets daily

There is now a network of Linux computers that is being used to hit gaming and academic sites with DDoS attacks as powerful as 150 gigabits per second.


The botnet, which is known both as Xor.DDoS (with the period) and XOR DDoS, goes after as many as 20 online services daily, according to a recent industry report.


9 out of 10 targets are in Asia. Sometimes the attackers spoof their IP addresses so that the DDoS machines seem to be a legitimate part of the gaming or education network.


In a summary report on the topic, security analyst Bart Blaze noted that XOR is identifiable by the software injected on the machines, a Linux trojan that is a type of ELF (Executable and Linkable Format) malware.


“In short: Xor.DDoS is a multi-platform, polymorphic malware for Linux OS, and its ultimate goal is to DDoS other machines,” Blaze was quoted in Ars Technica http://arstechnica.com on October 21. “The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs (command and control servers).”


Smoke-Screening: DDoS as a Bait-and-Switch

DDoS may seem to be hacking for dummies, since it’s such a simple premise: massive amounts of server requests. However, the attack is now increasingly a decoy, a distraction, a bait-and-switch.


Businesses that get targeted by DDoS are now standardly experiencing simultaneous security events, according to a survey released October 13. Called “smoke-screening,” three out of four corporate-sector organizations (74%) say that this combination attack was used against them.


“[G]lobally, DDOS attacks often coincide with malware incidents (in 45% of all cases), and corporate network intrusions (in 32% of all cases),” Admire Moyo reported in ITWeb http://www.itweb.co.za on October 14.


More on smoke-screening and vulnerability

For further information on smoke-screening, our exclusive whitepaper “The Hidden Dangers Behind DDoS Attacks” discusses http://hello.nexusguard.com/whitepaper-hidden-danger-behind-ddos how these assaults are used to mask more sinister activities.

Collectively equipped with over 1.44Tbps of capacity, Nexusguard's global DDoS mitigation cloud infrastructure is highly redundant and scalable, with scrubbing centers strategically deployed around the world to eliminate attacks closest to their sources. It employs global BGP Anycast to disperse and mitigate.

Comments Form: