Washington Post, White House, FAA, DoD, Others, Targeted in Online Attack

Washingtonpost.com and Security Fix readers may have noticed that our site was a bit slow and occasionally unreachable today. Turns out, the site has been under attack by about 60,000 compromised PCs around the globe for several hours now.

We weren't the only site reportedly picked on, though. According to several security researchers who asked to remain anonymous because they are still helping to investigate the assault, the same attackers targeted Web sites for the White House, the Department of Homeland Security, the Department of Defense and the Federal Aviation Administration, with varying success.

The culprit is a piece of malicious software that orders infected PCs to visit the Web sites on its hit list over and over again, all in an apparent bid to render the targets unreachable to legitimate visitors.

Joe Stewart, director of malware research at Atlanta-based SecureWorks, said he examined the attack software and found that it contained few clues about its origins, although a line of text buried within the malware carried the cryptic message "get/china/dns." He also said the attack is hitting various sites in the U.S. and South Korea simultaneously, including washingtonpost.com.

The information security researcher who runs this blog appears to have posted a full list of targeted domains.

The hit list is hard coded into the malicious software, but it appears the list can be updated. The Federal Trade Commission, which was targeted by this malware yesterday and was offline for at least part of the day, is not on the current list of targets.

Other targets on the current list include the Web sites for the New York Stock Exchange, NASDAQ, the U.S. Treasury and State Department.

One security researcher I spoke with who was familiar with this attack said there are at least 60,000 Microsoft Windows systems infected with the malware and besieging targets. The source said a large percentage of those compromised systems were located in South Korea. Indeed, among the sites on the malware's hit list are several South Korean commercial Web sites.

The attack statistics page hosted by Shadowserver.org, a volunteer group that tracks online attacks, indicates that a rather large-scale Internet attack has been underway for the past couple of days (see the graphic below, from their site).

[Graphic: attack statistics page from Shadowserver.org showing the past several days of DDoS activity]

The Associated Press is also reporting the story here.

By Brian Krebs  |  July 7, 2009; 11:20 PM ET
Categories: Fraud, U.S. Government | Tags: ddos attack

Comments

So, what can be done to deal with this in the short term and the long term?

Posted by: edlharris | July 7, 2009 11:42 PM | Report abuse

Brian, your good reporting has made washingtonpost.com a target it looks like. Are kudos in order? Keep up the good work! Stop the SPAMMERS!!

Posted by: bbirdy202 | July 8, 2009 12:09 AM | Report abuse

Not only do I work at one of the government agencies that was hit by the denial of service attack, but I have noticed that over the last several days Internet Explorer has been difficult to access at work and at home. I have noticed that IE takes a very long time to open, and when I hit Ctrl, Alt, Del to pull up the task manager to end the session, this command does not respond. Before IE got to the point where it would not open at all, it would never take me directly to the requested page. I would get a message giving me the choice of trying the URL using Yahoo's search engine or trying Google's search engine again. It has gotten so bad that I've just started using Safari as my browser because IE has become exceptionally annoying. Has there been any mention of Internet Explorer being under attack?

Posted by: Kaynice | July 8, 2009 12:18 AM | Report abuse

@Kaynice

Browsers are not attacked by denial of service operations, and nobody in the malware community has no interest in slowing down your web browsing. If this behavior correlates to the DDOS attacks being reported here, it is more likely that you are an unwitting participant because your PC has been compromised, rather than your being a victim.

Posted by: conspirator5 | July 8, 2009 1:04 AM | Report abuse

Ew. Double negatives. My bad.

Posted by: conspirator5 | July 8, 2009 1:04 AM | Report abuse

Great reporting, BK!

Posted by: Russ_Walker | July 8, 2009 1:22 AM | Report abuse

Please Bomb North Korea back to the Stone Age so I can use the Internet to buy stuff and watch porn without network latency. Thank You.

Posted by: dennisl591 | July 8, 2009 10:36 AM | Report abuse

I can't help but wonder if AOL was affected as well? I was able to check mail this morning but have been able to reconnect ever since. I can't access AOL.com on my browser either. Maybe just a coincidence but...

Posted by: ecpindc | July 8, 2009 11:01 AM | Report abuse

Several years ago while taking an online course that required me to post to a website, I experienced the same sort of slow response that Kaynice described. I subsequently learned that the server in question had been the victim of a denial of service attack and - more subsequently - learned that the host company had been bought out. The timing suggests that the attack was part of the bargaining. I have also experienced a slow and frustrating response from IE, lately.

This gives me two questions for conspirator5 (or anyone else): how do users discover if their PC was part of the problem, and what role do you think commercial espionage plays in the current attack?

Posted by: turpins | July 8, 2009 12:50 PM | Report abuse

The problem seems to go well beyond DDOS on the WPost and gov't agencies. Godaddy.com has been _down_ for hours with no ping response and no e-mail at all. (Maybe Godaddy hosts some gov't sites?) theplanet.com is a substantial webhost and also does not respond to pings. Just 2 examples.

Posted by: news81 | July 8, 2009 12:52 PM | Report abuse

UPDATE: I posted earlier that godaddy.com was not accessible. Based on some updated info, and reading twitter, _seems_ that a broad Verizon problem was blocking access to godaddy.com and other sites (e.g., speakeasy.net, secureworks.com, theplanet.com). That has now resolved. Whether that was/is related to the DDOS issue - i.e., maybe Verizon tried to play defense and there was collateral damage - I don't know. But the coincidence is intriguing.

Posted by: news81 | July 8, 2009 1:28 PM | Report abuse

Did they target the Post because they thought it was part of the Obama administration?

Posted by: Roamer1 | July 8, 2009 2:40 PM | Report abuse

AND THE ATTACK LIST IS:

- banking.nonghyup.com (Nonghyup Internet Banking)
- blog.naver.com (Naver Blog)
- ebank.keb.co.kr (Korea Exchange Bank Internet Banking)
- ezbank.shinhan.com (Shinhan Bank Internet Banking)
- mail.naver.com (Naver Mail)
- www.assembly.go.kr (National Assembly of the Republic of Korea)
- www.auction.co.kr (Auction)
- www.chosun.com (Chosun Ilbo)
- www.hannara.or.kr (Grand National Party)
- www.mnd.go.kr (Ministry of National Defense)
- www.mofat.go.kr (Ministry of Foreign Affairs and Trade)
- www.president.go.kr (Blue House)
- www.usfk.mil (U.S. Forces Korea)

There are U.S. sites as well. (The attacked Web sites may differ depending on the variant.)

- finance.yahoo.com
- travel.state.gov
- www.amazon.com
- www.dhs.gov
- www.dot.gov
- www.faa.gov
- www.ftc.gov
- www.nasdaq.com
- www.nsa.gov
- www.nyse.com
- www.state.gov
- www.usbank.com
- www.usps.gov
- www.ustreas.gov
- www.voa.gov
- www.voanews.com
- www.whitehouse.gov
- www.yahoo.com
- www.washingtonpost.com
- www.usauctionslive.com
- www.defenselink.mil
- www.marketwatch.com
- www.site-by-site.com


Posted by: brucerealtor@gmail.com | July 8, 2009 11:39 PM | Report abuse

The timing of these attacks is consistent with the ethnic unrest in Mainland China.

blog.naver.com (Naver Blog) has been reporting the attacks in those portions of the front page that were readily translatable here.

This suggests to me that there is at least a reasonable possibility that these attacks are somehow related to the ethnic unrest in China. Are we [is NSA, et al.] also seeing any radio traffic that would confirm or refute such a possibility?

Posted by: brucerealtor@gmail.com | July 8, 2009 11:59 PM | Report abuse

Of course, I don't expect NSA to answer the above, but the attack list, while far from random, is likely overly broad intentionally.

I would suspect that some good technical and possibly collateral traffic analysis [on the RF side] of 'appropriate targets' should, even without HUMINT input, substantially narrow the suspect activity, source and 'real target[s]'.

Posted by: brucerealtor@gmail.com | July 9, 2009 12:08 AM | Report abuse

Kaynice

I suspect that SeaMonkey will not present the same problems. While all my other browsers were having 'issues' with the WaPo over the last several days, SeaMonkey didn't.

I did notice that I had been knocked offline this morning, but the connect feature in Control Panel -- Network Connections immediately restored connectivity.

Posted by: brucerealtor@gmail.com | July 9, 2009 12:15 AM | Report abuse

More details: what kind of DDoS attack? SYN flood or something like it? Sockstress?

Posted by: dward__ | July 9, 2009 12:25 AM | Report abuse

Brian -- with your indulgence ---

I know China has just had the problem of the G8 meeting being disrupted, so China, together with Japan, must probably also know the source of these attacks. Does anyone care to comment anonymously? You have my e-mail.

Posted by: brucerealtor@gmail.com | July 9, 2009 2:08 AM | Report abuse

@turpins

To answer the first question: one of the definitive ways to know if your computer is involved in a DDoS attack is to watch the traffic coming from it from another computer on your network. You can use a tool like Wireshark to analyse the traffic.

Now for the average home user, the answer is they may well not know. If they have their software and OS up to date with patches, anti-virus software up to date and a firewall that they can configure (and turned on), they will greatly minimize the risk.

As for the second question of commercial espionage, in the samples we've seen there's no proof of where the programs originated. That's not to say we haven't seen cases of espionage, but they have been few and far between. On a side note, we are detecting the files as:
Mal/Behav-104
Mal/Generic-A
Mal/Mdrop-Fam
Troj/Agent-KLG
Troj/Dropr-BH

(See www.sophos.com for more information)

Beth Jones, SophosLabs

Posted by: bethjones | July 9, 2009 1:35 PM | Report abuse
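Brian's description above of how the malware works (infected PCs request the sites on the hit list over and over) and Beth Jones's advice to watch a suspect PC's traffic from another machine on the network suggest a concrete check. What follows is an added example, not code from the original post, from SophosLabs or from the Post. It reads records in the layout `tshark -T fields -e frame.time_epoch -e ip.src -e http.host` produces from a span-port or hub capture (the sample lines here are constructed, not captured traffic) and flags any source that makes an unnatural number of requests to hit-list hosts within a short window while cycling through several of them. The hit list is a subset of the one quoted in the comments above; the window length, request threshold and distinct-target minimum are assumed tuning values, not figures from the page.

```python
"""Flag LAN hosts whose HTTP traffic looks like participation in the hit-list DDoS.

Added example; the traffic records below are constructed for illustration.
"""
import re
from collections import defaultdict, deque

# Subset of the hit list quoted in the comments on this page.
HIT_LIST = frozenset({
    "www.whitehouse.gov", "www.dhs.gov", "www.faa.gov", "www.defenselink.mil",
    "www.washingtonpost.com", "www.nyse.com", "www.nasdaq.com",
    "www.ustreas.gov", "www.state.gov", "www.president.go.kr",
})

WINDOW_SECONDS = 10.0  # sliding window length (assumed tuning value)
MAX_HITS = 20          # hit-list requests per window beyond what a browser makes (assumed)
MIN_DISTINCT = 3       # a reader visits one target; a bot cycles through several (assumed)

# One record per line: "<epoch> <src_ip> <http_host>", as tshark -T fields emits them.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)\s*$"
)


def parse_lines(lines):
    """Parse capture export lines into (timestamp, src_ip, host); malformed lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append((float(m["ts"]), m["src"], m["host"].lower().rstrip(".")))
    return sorted(records)  # the sliding window below needs time order


def find_participants(records):
    """Return {src_ip: (peak_hits_in_window, distinct_targets)} for sources that look like bots.

    A source is reported only if, at some point, it made at least MAX_HITS requests to
    hit-list hosts inside WINDOW_SECONDS and touched at least MIN_DISTINCT different targets.
    """
    recent = defaultdict(deque)   # src -> timestamps of hit-list requests still inside the window
    peak = defaultdict(int)       # src -> largest window count seen
    targets = defaultdict(set)    # src -> distinct hit-list hosts requested
    for ts, src, host in records:
        if host not in HIT_LIST:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        peak[src] = max(peak[src], len(q))
        targets[src].add(host)
    return {
        src: (peak[src], len(targets[src]))
        for src in peak
        if peak[src] >= MAX_HITS and len(targets[src]) >= MIN_DISTINCT
    }


def build_sample():
    """Constructed traffic (not a capture): one bot, one ordinary reader, one unrelated host."""
    lines = []
    bot_targets = ["www.whitehouse.gov", "www.faa.gov", "www.dhs.gov",
                   "www.washingtonpost.com", "www.nyse.com"]
    for i in range(60):   # 60 requests in six seconds, rotating through five targets
        lines.append(f"{1247000000 + i * 0.1:.3f} 10.0.0.23 {bot_targets[i % 5]}")
    for i in range(8):    # a reader loading a page and a few assets over a minute
        lines.append(f"{1247000000 + i * 8:.3f} 10.0.0.50 www.washingtonpost.com")
    for i in range(40):   # chatty, but nothing on the hit list
        lines.append(f"{1247000000 + i * 0.05:.3f} 10.0.0.77 updates.example.invalid")
    return lines


if __name__ == "__main__":
    for src, (hits, distinct) in find_participants(parse_lines(build_sample())).items():
        print(f"{src}: {hits} hit-list requests within {WINDOW_SECONDS:.0f}s "
              f"across {distinct} targets")
```

Both conditions are required on purpose: a reader who keeps reloading washingtonpost.com during the outage raises the rate on one host but never the target count, while the bot described in the post hammers several sites in turn. The same function gives the server-side view of the attack if the parser is pointed at a web server's access log with the client IP and requested host in the same three fields.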

Thanks, Brian; a good read. In my opinion, two short-term fixes: (1) Report all custom malware to security software manufacturers and the CERT® Coordination Center at Carnegie Mellon. (2) Standardize on a multi-layered approach to security that puts Computer Emergency Response Teams (CERT) in a proactive versus a reactive mode.

Two long-term approaches: (1) Be vigilant about least-privilege policies, and (2) Commit to a well-educated workforce. If we all get on board with these simple best practices, my hope is we can develop a collective resolve for confronting this escalating issue.

Best Regards,
Dr. Stanton Sloane,
SRA International CEO & President

Posted by: SSloane09 | July 9, 2009 2:59 PM | Report abuse

Brian

On a slightly different attack subject ---

There is an 800 phone number that repeatedly calls people and then hangs up. If they try to call the number back, it does not identify itself but just says they are busy and please call back.

There are over 19 complaints about the number just from Googling the number, which is

++++++++ 8008879187 +++++++++

HOW CAN ONE GET THIS HARASSING CALL NUMBER DISCONNECTED ?????

Posted by: brucerealtor@gmail.com | July 9, 2009 7:35 PM | Report abuse

While everyone is wringing their hands about this DDoS attack, I hope those in federal law enforcement will take a minute to think, "What were the 60,000 computers in that botnet doing *last* week, before they started carrying out this attack?"

They -- and thousands like them -- were already under the control of criminals. And they were probably being rented out to spammers to send emails, to host spamvertised websites and phishing sites, or to distribute trojans to infect other computers. The money they scammed out of internet users around the world made it financially attractive to build this botnet in the first place.

The vast majority of spam comes from criminals using other people's compromised computers. Almost every spam in your inbox provides evidence of their crimes: For every spam, there is one hijacked computer that was the source of the spam and at least one other hijacked computer that is hosting the site being promoted. Once a computer is observed sending spam, of course, its IP address is added to spam filter definitions. So the spammers need to spread themselves over a huge network of similarly compromised machines in order to avoid being blocked. There are hundreds of thousands of computers in botnets, and all the evidence of it is pouring into your inbox every day.

Why is there still the mentality that spam is just a silly annoyance, and anyone who doesn't like it should just get better spam filters? Why is it acceptable for an ISP to ignore reports that a customer's computer is under control of criminals -- or to refuse to even accept such reports?

That mind set needs to change. We need to expect prompt responses at every level to isolate and disinfect trojan-infested computers, and we need to expect legitimate internet firms to stop passively assisting criminals by their inaction. The inboxrevenge forum members elaborated further on this at ksforum.inboxrevenge.com/viewtopic.php?p=35072

Oh, and @brucerealtor: I doubt SeaMonkey has some ability to avoid being slowed down during the current attack. But if you use SeaMonkey instead of Internet Explorer, you're less likely to have picked up any drive-by downloads, and your computer is less likely to be one of the ones participating in the attack. I've found a lot of malicious websites will even block visits from SeaMonkey users, presumably because SM users are more knowledgeable about security and more likely to be visiting with the purpose of getting the site shut down.

Posted by: AlphaCentauri | July 10, 2009 12:36 AM | Report abuse

© 2010 The Washington Post Company