Original URL: http://www.theregister.co.uk/2013/01/09/us_banks_ddos_blamed_on_iran/

US gov blames Iran for cyberattacks on American banks

Itsoknoproblembro and the bRobots

By John Leyden

Posted in Security, 9th January 2013 19:02 GMT

Denial-of-service attacks against US banks' web systems were the work of Iran rather than Islamic activists, says a former American government official.

A group called the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for two waves of cyber-attacks against US banks, including US Bancorp, Bank of America, Citigroup and Wells Fargo, that took place in September and December. The stated reason for the "protest" attacks was religious outrage over the continuing presence on YouTube of the inflammatory Innocence of Muslims video.

James A Lewis of the Center for Strategic and International Studies in Washington told the New York Times that the attacks were actually the work of Iran, rather than outraged hacktivists. He reckons the aim was actually retaliation over the deployment of Stuxnet and other cyberweapons against Iran as well as economic sanctions.

Security researchers at Arbor Networks concluded last month that in both cases attack traffic was launched from insecure websites rather than malware-infected PCs. Compromised PHP web applications and insecure WordPress installations were pressed into service as part of a PHP web server botnet, controlled by tools such as bRobot.

The skill involved in putting together the attacks, as well as the use of server-based resources, has apparently convinced US government officials that a state-sponsored entity, namely Iran, rather than hacktivists is behind the attacks. “There is no doubt within the US government that Iran is behind these attacks,” Lewis, a former official in the state and commerce departments, told the NYT. Lewis points to the volume of traffic involved in the US bank attacks (“multiple times” the amount that Russia directed at Estonia in 2007) in attempting to substantiate his arguments but, as the NYT points out, "American officials have not offered any technical evidence to back up their claims".

Security vendors are able to say that the attacks against US banks are fairly sophisticated but cannot pinpoint who developed them. “The scale, the scope and the effectiveness of these attacks have been unprecedented,” Carl Herberger, vice president of security solutions at Israeli-based security firm Radware, told the NYT. “There have never been this many financial institutions under this much duress.”

Researchers at Radware discovered that cloud services and public web hosting servers* had been infected with a strain of malware, called Itsoknoproblembro. "The malware has existed for years, but the banking attacks were the first time it used data centers to attack external victims," the NYT reports, adding that Itsoknoproblembro was designed to be difficult if not impossible to trace back to command and control systems. Attackers used infected servers to disgorge attack traffic at each banking site until it slowed or collapsed, according to Radware. Peak attack traffic against US banks hit 70 Gbps.

An entry on Radware's website says that Itsoknoproblembro is a PHP-based hacker tool that has recently been customised to serve in DDoS attacks.

The 'itsoknoproblembro' tool was designed and implemented as a general purpose PHP script injected into a victim’s machine allowing the attacker to upload and execute arbitrary Perl scripts on the target’s machine.

The 'itsoknoproblembro' script injects an encrypted payload, in order to bypass IPS and Malware gateways into the website main file index.php, allowing the attacker to upload new Perl scripts at any time.

Initial server infection is usually done by using the well known Remote File Inclusion (RFI) technique. By uploading Perl scripts that run different DOS flood vectors, the server might act as a bot in a DDOS botnet army.

Although originally designed for general purpose, some variants of this tool found in the wild were customized to act as a proprietary DDOS tool, implementing the flood vector logics inside without the need to upload additional scripts.
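A defender-side check for the behaviour Radware describes, an encoded payload planted in index.php, as an added example that is not from Radware, Prolexic or the original article: it flags long, high-entropy string literals in PHP source. The length and entropy thresholds, the function names and the sample files are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter

MIN_LEN = 200        # assumed: shorter literals are ignored
MIN_ENTROPY = 5.0    # assumed cut-off in bits/char; prose and markup sit lower

# Single- or double-quoted PHP string literals, honouring backslash escapes.
LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"", re.S)


def shannon_entropy(text):
    """Empirical Shannon entropy of text, in bits per character."""
    counts = Counter(text)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def scan_php(source):
    """Return one finding per long, high-entropy string literal in source."""
    findings = []
    for m in LITERAL.finditer(source):
        body = m.group(1) or m.group(2) or ""
        if len(body) < MIN_LEN:
            continue
        bits = shannon_entropy(body)
        if bits >= MIN_ENTROPY:
            line = source.count("\n", 0, m.start()) + 1
            findings.append({"line": line, "length": len(body),
                             "entropy": round(bits, 2)})
    return findings


# Constructed samples: a clean index.php and the same file with an opaque
# blob prepended. The blob is deterministic filler, not a real payload.
BLOB = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))).decode()
CLEAN = "<?php\n$banner = '" + "Welcome to our site. " * 12 + "';\necho $banner;\n"
INJECTED = CLEAN.replace("<?php\n", "<?php\n$p = '" + BLOB + "';\n", 1)

if __name__ == "__main__":
    for name, src in (("clean", CLEAN), ("injected", INJECTED)):
        print(name, scan_php(src))
```

A hit is a prompt to compare the file against a known-good copy, since minified or legitimately encoded assets can also trip the heuristic.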

DDoS protection service firm Prolexic launched a suite of SNORT rules and a log analysis tool to defend against itsoknoproblembro last week.

It also links the threat to attacks against the US banking industry. But the tool has also been used against the energy and hosting provider industries. "The attack vectors include POST, GET, TCP and UDP floods, with and without proxies, including a so-called Kamikaze GET flood script that can repeatedly relaunch automated attacks," according to a statement by Prolexic.

Using a cloud-based system to launch denial of service attacks rather than botnet networks of compromised PCs shows that whoever is behind the attacks is keeping up with the latest trends in technology. It's hardly evidence of state involvement, at least by itself. There's nothing in what Prolexic, Radware or Arbor are saying to suggest the latest attacks are state-sponsored, much less to point the finger of blame towards Iran.

Nonetheless, unnamed US intelligence officials appear adamant that the Izz ad-Din al-Qassam Cyber Fighters is actually a cover for Iran. ®

Bootnote

Infected web servers are called bRobots by both Radware and Prolexic. This naming convention differentiates pwned servers from the compromised PCs (zombies, bots or drones) in conventional botnet networks.