Feeds

US gov blames Iran for cyberattacks on American banks

Itsoknoproblembro and the bRobots

Next gen security for virtualised datacentres

Denial-of-service attacks against US banks' web systems were the work of Iran rather than Islamic activists, says a former American government official.

A group called the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for two waves of cyber-attacks against US banks including US Bancorp, Bank of America, Citigroup, Wells Fargo that took place in September and December. The stated reason for the "protest" attacks was religious outrage over the continuing presence on YouTube of the inflammatory Innocence of Muslims video on YouTube.

James A Lewis of the Center for Strategic and International Studies in Washington told the New York Times that the attacks were actually the work of Iran, rather than outraged hacktivists. He reckons the aim was actually retaliation over the deployment of Stuxnet and other cyberweapons against Iran as well as economic sanctions.

Security researchers at Arbor Networks concluded last month that in both cases attack traffic was launched from insecure websites rather than malware-infected PCs. Compromised PHP web applications and insecure Wordpress installation were pressed into service as part of a PHP Web server botnet, controlled by tools such as bRobot.

The skill involved in putting together the attacks as well as the use of server based resources has apparently convinced US government official that a state-sponsored entity, namely Iran, rather than hacktivists are behind the attacks. "“There is no doubt within the US government that Iran is behind these attacks,” Lewis, a former official in the state and commerce departments, told the NYT. Lewis points to the volume of traffic involved in the US bank attacks (“multiple times” the amount that Russia directed at Estonia in 2007) in attempting to substantiate his arguments but as the NYT points out "American officials have not offered any technical evidence to back up their claims".

Security vendors are able to say that the attacks against US banks are fairly sophisticated but cannot pinpoint who developed them. “The scale, the scope and the effectiveness of these attacks have been unprecedented,” said Carl Herberger, vice president of security solutions at Israeli-based security firm Radware told the NYT. “There have never been this many financial institutions under this much duress.”

Researchers at Radware discovered that cloud services and public web hosting servers* had been infected with a strain of malware, called Itsoknoproblembro. "The malware has existed for years, but the banking attacks were the first time it used data centers to attack external victims," the NYT reports, adding that Itsoknoproblembro was designed to be difficult if not impossible to trace back to command and control systems. Attackers used infected servers to disgorge attack traffic at each banking site until it slowed or collapsed, according to Radware. Peak attack traffic against US banks hit 70 Gbps.

An entry on Radware's website that Itsoknoproblembro is a PHP-based hacker tool that has recently been customised to serve in DDoS attacks.

The 'itsoknoproblembro' tool was designed and implemented as a general purpose PHP script injected into a victim’s machine allowing the attacker to upload and execute arbitrary Perl scripts on the target’s machine.

The 'itsoknoproblembro' script injects an encrypted payload, in order to bypass IPS and Malware gateways into the website main file index.php, allowing the attacker to upload new Perl scripts at any time.

Initial server infection is usually done by using the well known Remote File Inclusion (RFI) technique. By uploading Perl scripts that run different DOS flood vectors, the server might act as a bot in a DDOS botnet army.

Although originally designed for general purpose, some variants of this tool found in the wild were customized to act as a proprietary DDOS tool, implementing the flood vector logics inside without the need to upload additional scripts.

DDoS protection service firm Prolexic launched a suite of SNORT rules and a log analysis tool to defend against itsoknoproblembro last week.

It also links the threat to attacks against the US banking industry. But the tool has also been used against the energy and hosting provider industries. "The attack vectors include POST, GET, TCP and UDP floods, with and without proxies, including a so-called Kamikaze GET flood script that can repeatedly relaunch automated attacks," according to a statement by Prolexic.

Using a cloud-based system to launch denial of service attacks rather than botnet networks of compromised PCs shows that whoever is behind the attacks is keeping up with the latest trends in technology. It's hardly evidence of state involvement, at least by itself. There's nothing in what either Prolexic, Radware or Arbor are saying to suggest the latest attacks are state-sponsored much less pointing the finger of blame towards Iran.

Nonetheless, unnamed US intelligence officials appear adamant that the Izz ad-Din al-Qassam Cyber Fighters is actually a cover for Iran. ®

Bootnote

Infected web servers are called bRobots by both Radware and Prolexic. This naming convention differentiates paned servers from the compromised PCs (zombies, bots or drones) in conventional botnet networks.

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.