Shadowserver Foundation Blog: DDoS for Hire – More cooperation, or new competition?

Shadowserver Foundation – Calendar – 2010-01-09

Saturday, 9 January 2010

I’ve always been interested in DDoS attacks, not only for their technical aspects but also for their social, economic, and political aspects. This past summer, several of us closely watched a DDoS group that was fairly aggressive and diverse in its attack targets. This group, known as the “hack-off” group, used the domains “hack-off.ru” and “hack-off.info” for command and control. What was particularly interesting about “hack-off” was its attack campaigns against targeted industries and groups. Those industries included:

hack-off DDoS targeted industries

* Online pharmacies
* Porn sites
* Automotive parts suppliers
* Replica Watches
* Online Gambling
* Logo Design companies
* Sporting goods and sportswear
* Healthcare products
* Electronics vendors

Many of the attack victims were fairly high profile, and law enforcement agencies from at least five different countries became involved. Eventually, with the assistance of cert-ru and Afilias (the .info registry), the domains were suspended, and by October 2009 the “hack-off” crew was offline.

Recently, while looking through some of our data sets, I again noticed aggressive DDoS attacks against targeted industry groups. In this case, four domains are being used for command and control:

New DDoS controllers
853c9e57.biz
atatatata.org
atatata.org
goog-le.ru

Over 250 different sites have been targeted for DDoS from these controllers since November 2009. The victim sites were fairly diverse but were seen predominantly in the following industries:

Industries targeted by atatata and friends

* Car buying sites
* Footwear
* Sporting goods
* Jewelry
* Gambling and Lottery
* Watches
* Appliances
* Travel and Tourism

The domains used by these controllers have been hosted at various providers, as listed below. atatata.org has also been seen dropping FakeAV as well as other malware. Another active botnet domain on the same IP as atatata.org is dia2.cn; however, I haven’t yet seen DDoS-related activity from it.

For each domain, the first IP address listed is the one currently active. The listing below also shows the nameserver history for each domain.
Domain information

853c9e57.biz

* 193.104.94.117 – AS50033 – GROUP3-AS GROUP 3 LLC.
* 91.196.138.97 – AS15756 – CARAVAN
* 91.212.220.242 – ??

Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Nameserver: Dns-diy.net

atatatata.org

* 115.100.250.107 – AS4837 – CHINA169-Backbone
* 210.51.166.229 – AS9929 – China Netcom Corp.
* 61.235.117.76 – AS9394 – CHINA RAILWAY Internet

Registrar: Directi Internet Solutions
Nameserver: Everydns.net

atatata.org

* 115.100.250.107 – AS4837 – CHINA169-Backbone
* 210.51.166.229 – AS9929 – China Netcom Corp.
* 61.235.117.76 – AS9394 – CHINA RAILWAY Internet
* 174.37.235.32 – AS36351 – SoftLayer
* 174.36.195.197 – AS36351 – SoftLayer
* 91.212.198.137 – AS49314 – NEVAL PE Nevedomskiy Alexey Alexeevich

Registrar: Privacy Protected
Nameservers:

* 8/22/09 Everydns.net
* 8/29/09 Slavhost.com
* 9/5/09 Agava.net.ru
* 9/6/09 Slavhost.com
* 9/7/09 Intdelivery.com
* 9/11/09 Everydns.net

goog-le.ru

* 91.212.198.171 – AS49314 – NEVAL PE Nevedomskiy Alexey Alexeevich

Registrar: NAUNET-REG-RIPN
Nameserver: freedns.ws
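The listing above is usable as-is for detection. As an added example (not code from the original post or from Shadowserver's tooling), the following Python matches the controller domains and IPs listed above against DNS query logs and counts nameserver changes in the atatata.org history. The log format (timestamp, client, query name, answer) and the log lines themselves are constructed for the example. Query names are normalized (case, trailing dot, leading "www.") so both the atatata.org and atatatata.org spellings are caught as well as their subdomains, and a query for some other name that resolves to a listed C2 IP (the dia2.cn situation) is reported separately, since shared hosting is weaker evidence than a direct C2 lookup.

```python
"""IOC matching and nameserver-churn check for the DDoS controllers listed above.

Added example, not Shadowserver's code. Indicators come from the post's listing;
the DNS log format and log lines are constructed for illustration.
"""
from datetime import date, timedelta

# Command-and-control domains named in the post.
C2_DOMAINS = {"853c9e57.biz", "atatatata.org", "atatata.org", "goog-le.ru"}

# IP addresses listed for those domains in the post.
C2_IPS = {
    "193.104.94.117", "91.196.138.97", "91.212.220.242",
    "115.100.250.107", "210.51.166.229", "61.235.117.76",
    "174.37.235.32", "174.36.195.197", "91.212.198.137", "91.212.198.171",
}

# Constructed DNS query log (hypothetical format: ts client qname answer).
SAMPLE_DNS_LOG = """\
2010-01-08T10:02:11Z 10.0.0.5 www.atatata.org 174.37.235.32
2010-01-08T10:02:12Z 10.0.0.5 cdn.example.com 93.184.216.34
2010-01-08T10:05:40Z 10.0.0.9 ATATATATA.ORG. 115.100.250.107
2010-01-08T10:07:03Z 10.0.0.7 goog-le.ru 91.212.198.171
2010-01-08T10:08:55Z 10.0.0.7 google.com 74.125.0.1
2010-01-08T10:09:20Z 10.0.0.3 update.dia2.cn 115.100.250.107
"""

# Nameserver history for atatata.org as listed in the post (dates are 2009).
NS_HISTORY = [
    (date(2009, 8, 22), "everydns.net"),
    (date(2009, 8, 29), "slavhost.com"),
    (date(2009, 9, 5), "agava.net.ru"),
    (date(2009, 9, 6), "slavhost.com"),
    (date(2009, 9, 7), "intdelivery.com"),
    (date(2009, 9, 11), "everydns.net"),
]


def normalize(name):
    """Lowercase, drop a trailing dot and a leading 'www.' so lookalike
    spellings compare on the registered domain the post lists."""
    name = name.lower().rstrip(".")
    if name.startswith("www."):
        name = name[4:]
    return name


def domain_matches(qname, iocs):
    """True if qname equals an IOC domain or is a subdomain of one."""
    n = normalize(qname)
    return any(n == d or n.endswith("." + d) for d in iocs)


def scan_dns_log(text, domains=C2_DOMAINS, ips=C2_IPS):
    """Return (client, normalized qname, reason) for every hit, in log order."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname, answer = parts
        if domain_matches(qname, domains):
            hits.append((client, normalize(qname), "c2-domain"))
        elif answer in ips:
            # A different name on a listed C2 IP (e.g. dia2.cn): weaker signal.
            hits.append((client, normalize(qname), "c2-ip"))
    return hits


def ns_changes(history, window_days=30):
    """Count nameserver changes in the window ending at the latest record.
    Rapid churn across several providers in a few weeks is the pattern
    the atatata.org history above shows."""
    if not history:
        return 0
    history = sorted(history)
    start = history[-1][0] - timedelta(days=window_days)
    prev, changes = None, 0
    for when, ns in history:
        if prev is not None and ns != prev and when >= start:
            changes += 1
        prev = ns
    return changes


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("%s queried %s (%s)" % hit)
    print("atatata.org nameserver changes in 30 days:", ns_changes(NS_HISTORY))
```

Matching on the answer IP as well as the query name is what catches the dia2.cn case: a host that never queries a listed domain but resolves something else to a listed C2 address still shows up, tagged so an analyst can weigh it differently.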

While DDoS for hire is nothing new, these particular attacks and the activity behind them remain interesting. Are new criminal groups rising up to compete in the lucrative world of DDoS, or are we just seeing more cooperation and consolidation of effort among the usual, familiar players?

We’ll continue to keep an eye on any new attacks from these controllers, as well as on the providers hosting them.

Posted January 09, 2010, at 10:25 AM by Andre’ – Semper_Securus

(Via DDoS for Hire – More cooperation, or new competition?)
