The attacks are very sophisticated, security researchers say

Evidence collected from a website that was recently used to flood U.S. banks with junk traffic suggests that the people behind the ongoing DDoS attack campaign against U.S. financial institutions — thought by some to be the work of Iran — are using botnets for hire.

The compromised website contained a PHP-based backdoor script that was regularly instructed to send numerous HTTP and UDP (User Datagram Protocol) requests to the websites of several U.S. banks, including PNC Bank, HSBC and Fifth Third Bank, Ronen Atias, a security analyst at Web security services provider Incapsula, said Tuesday in a blog post.

Atias described the compromised site as a “small and seemingly harmless general interest UK website” that recently signed up for Incapsula’s services.

An analysis of the site and the server logs revealed that attackers were instructing the rogue script to send junk traffic to U.S. banking sites for limited periods of time, varying between seven minutes and one hour. The commands were being renewed as soon as the banking sites showed signs of recovery, Atias said. During breaks from attacking financial websites, the backdoor script was being instructed to attack unrelated commercial and e-commerce sites. “This all led us to believe that we were monitoring the activities of a Botnet for hire,” Atias said.

“The use of a Web Site as a Botnet zombie for hire did not surprise us,” the security analyst wrote. “After all, this is just a part of a growing trend we’re seeing in our DDoS prevention work.”

“In an attempt to increase the volume of the attacks, hackers prefer web servers over personal computers,” Atias said. “It makes perfect sense. These are generally stronger machines, with access to the high quality hoster’s networks and many of them can be easily accessed through a security loophole in one of the sites.”

Another interesting aspect of the PHP-based backdoor analyzed by Incapsula is that it had the ability to multiply on the server in order to take full advantage of its resources, Atias said. “Since this is a server on the hoster’s backbone, it was potentially capable of producing much more traffic volume than a regular ‘old school’ botnet zombie.”

In addition, the backdoor script provided an API (application programming interface) through which attackers could inject dynamic attack code in order to quickly adapt to changes in the website’s security, Atias said.

The attack script on the compromised U.K. website was being controlled through another website in Turkey that belongs to a Web design company. Incapsula’s researchers believe that the Turkish site had been compromised as well and was serving as a bridge between the real attackers and their website-based botnet.

A group calling itself the “Izz ad-Din al-Qassam Cyber Fighters” has taken responsibility for the recent wave of attacks against the U.S. financial websites that started in December. The same group claimed responsibility for similar attacks launched against the same financial institutions in September.

The group claims that its DDoS campaign is in response to a film trailer mocking the prophet Muhammad not being removed from YouTube. However, some U.S. government officials and security experts are convinced that the attacks are actually the work of the Iranian government, The New York Times reported Tuesday.

The possibility of Iran being behind the attacks has been advanced before. In September, former U.S. Senator Joe Lieberman, an Independent from Connecticut who was chairman of the Senate Committee on Homeland Security and Governmental Affairs at the time, blamed the Iranian government for the attacks against U.S. banks and said that they were probably launched in retaliation for the economic sanctions imposed on Iran.

The Iranian government officially denied its involvement, and the U.S. government has not yet released any evidence that supports this claim.

That said, the sophistication of the tools used in the attacks, as well as their unprecedented scope and effectiveness, have been advanced as arguments that this DDoS attack campaign might be state sponsored.

The attacks against the U.S. financial industry from the past few months are unique in scale, organization, innovation and scope, Carl Herberger, vice president of security solutions at Israel-based network security vendor Radware, said Wednesday via email. The company cannot comment on the origin of the attacks, because it focuses its resources only on attack detection and mitigation, Herberger said. However, in Radware’s view, the DDoS attack campaign against U.S. banks has represented the longest persistent cyberattack on a single industrial sector in history, he said.

If someone in the U.S. government is indicating that the Iranians are doing it, as Lieberman did a few months ago, they’re probably spot on, Scott Hammack, the CEO of DDoS mitigation vendor Prolexic, said Wednesday.

These attackers are not using the traditional “pull” command-and-control technology, where the botnet clients periodically connect to a server to check whether new instructions are available. Instead, they are using a “push” technology to send instructions in a matter of seconds to hundreds of compromised servers, Hammack said.

This allows for more dynamic attacks, but also leaves the attackers open to being identified much more easily, Hammack said. The U.S. government is monitoring some of the compromised servers used in the attacks and can see exactly where those instructions are coming from, he said.

Herberger described the DDoS attacks as well-organized and innovative in the sense that they use newly uncovered vulnerabilities and attack origins. One example is that they leverage the infrastructure of cloud providers instead of the resources of consumer-oriented computers.

The attacks are definitely very sophisticated, Hammack said. The attackers know exactly what weak spots to hit and target them in rotation. They’ve obviously done a lot of research into the infrastructure of the banks and how it’s configured, he said.

“These attacks have, almost simultaneously, been launched on nearly every major commercial bank in the U.S.,” Herberger said. However, not all of the targeted banks have suffered outages, which suggests that some effective defenses do exist, he said.
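As an added, defender-side example that is not from the article or from Incapsula's analysis: the server-log review described above (a hosted PHP script repeatedly triggered by one remote controller, each command naming a target and a time-limited duration) can be turned into a simple access-log check that a site owner or hoster could run to find a script on their own server that is being used as a DDoS node. The script path, the `target` and `t` query parameters, the IP addresses and the log lines are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format access log (not real data). A PHP file hidden
# under /images/ is being hit by one remote address with a target and a duration
# in seconds; ordinary visitors' requests are mixed in as noise.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2013:14:00:01 +0000] "GET /images/cache.php?target=bank-a.example&t=420 HTTP/1.1" 200 12 "-" "-"
198.51.100.4 - - [10/Jan/2013:14:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:14:07:30 +0000] "GET /images/cache.php?target=bank-a.example&t=600 HTTP/1.1" 200 12 "-" "-"
203.0.113.7 - - [10/Jan/2013:14:18:02 +0000] "GET /images/cache.php?target=shop.example&t=900 HTTP/1.1" 200 12 "-" "-"
198.51.100.9 - - [10/Jan/2013:14:20:11 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:15:40:00 +0000] "GET /images/cache.php?target=bank-a.example&t=3600 HTTP/1.1" 200 12 "-" "-"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Parse one combined-format line into ip, timestamp, path and query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, url, _status = m.groups()
    path, _, qs = url.partition("?")
    params = dict(p.split("=", 1) for p in qs.split("&") if "=" in p)
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "path": path, "params": params}

def find_command_sessions(log_text, min_hits=3):
    """Report scripts that one remote address repeatedly drives with a 'target' parameter.

    For each (script, controller) pair seen at least min_hits times, return the
    targets named, the range of requested attack durations and the longest pause
    between commands (the "renewed as soon as the target recovers" pattern)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and "target" in rec["params"]:           # command-like request
            hits[(rec["path"], rec["ip"])].append(rec)
    report = {}
    for (path, ip), recs in hits.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["time"])
        durations = [int(r["params"].get("t", 0)) for r in recs]
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[path] = {"controller": ip, "commands": len(recs),
                        "targets": sorted({r["params"]["target"] for r in recs}),
                        "duration_range_s": (min(durations), max(durations)),
                        "max_gap_s": max(gaps)}
    return report

if __name__ == "__main__":
    for path, info in find_command_sessions(SAMPLE_LOG).items():
        print(path, info)
```

In practice the parameter names would not be known in advance; the same grouping by (script, source address) with a low-cardinality set of repeated query values, or a script under a static-content directory issuing outbound connections, is the signal to look for.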