Cyber criminals turn to P2P for DoS attacks
By John Pospisil
Cyber criminals are finding new ways of launching denial of service (DoS) attacks, according to security company Prolexic, which says it recently “mitigated” a huge peer-to-peer (P2P) DoS attack using 200,000 computers.
Botnets (explained below) are usually the preferred means of launching DoS attacks, but Prolexic says hackers have now found new ways of seizing control of computers without first infecting them with traditional botnet malware.
“Attackers now are increasingly focusing on taking control of popular internet servers and fooling the clients that connect or visit into attacking other hosts in the background, without the knowledge of the user, in ways anti-virus or anti-malware systems don’t stop,” notes Prolexic in its latest Zombie Report.
The individual computers in the peer-to-peer attack detected by Prolexic were each only sending small amounts of data, but at any given time, up to 80,000 connections were being opened.
“Analysis of the attack showed that the attacking computers were not a normal botnet,” Prolexic said.
“Instead, the attacking computers were simply running a popular peer-to-peer file-sharing client that had been told by the P2P hub server to also connect to a victim.”
A vulnerability in the hub server software protocol allowed hackers to instruct clients connected to the hub to also connect to the victim’s server. According to Prolexic, it’s unlikely that the users of the P2P client would notice a slowdown or any other indication that their computer was involved in a DoS attack.
A typical hub usually manages between 20,000 and 25,000 clients, so by using a number of hubs an attacker can very quickly unleash a massive attack on his or her victim.
“Suddenly a victim may find hundreds of thousands of IP addresses ‘attacking’ at maddening speed,” noted Prolexic.
Prolexic also reported a significant increase in browser-based malware, where hackers compromise web servers and then use them to embed “light-weight” malware written in JavaScript or Flash.
“Unlike traditional ‘full-stack’ malware, which often infects users using sophisticated heap and buffer overflows, Browser Malware can be delivered as simple JavaScript just by visiting a web site,” said Prolexic.
The company believes that Vista’s improved resilience against traditional infection methods, such as buffer/heap overflows, has led to the growth of browser-based malware.
“Since the vast majority of users have JavaScript active, if an attacker inserts their malware into a popular web site (say 100k visitors/day), each visitor could receive the malware and a DoS with millions of connections could be launched very easily,” said Prolexic.
The bad news for computer users is that with both peer-to-peer and web-based malware DoS attacks, anti-virus and anti-malware protection does not work.
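Both attack types described above share one observable signature at the victim: a very large number of distinct source addresses, each opening only a handful of connections and sending very little data. The following detection sketch is an added example written for this page, not code from Prolexic or from the article. It assumes a hypothetical flow-log format of `timestamp src dst dport bytes`, uses constructed sample traffic, and uses illustrative thresholds scaled down from the report's figures (hundreds of thousands of IPs, up to 80,000 simultaneous connections) so the sample stays small.

```python
"""Flag a distributed connection flood from per-destination flow statistics.

Added example, not from the article or the Prolexic report. The log format,
addresses and thresholds below are constructed for illustration.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int    # bytes sent by the source on this connection


@dataclass(frozen=True)
class FloodStats:
    distinct_sources: int
    total_connections: int
    median_conns_per_source: float
    median_bytes_per_conn: float


def parse_flow(line: str) -> Flow:
    """Parse one line of the hypothetical 'ts src dst dport bytes' format."""
    ts, src, dst, dport, nbytes = line.split()
    return Flow(int(ts), src, dst, int(dport), int(nbytes))


def build_sample_log(victim: str = "203.0.113.10", normal: str = "203.0.113.20") -> str:
    """Constructed traffic, not a real capture.

    - 600 distinct sources each open one tiny connection to `victim`
      within a 10-second window (the hub-directed P2P / browser pattern).
    - 5 sources each open 20 ordinary-sized connections to `normal`.
    """
    lines = []
    for i in range(600):
        src = f"10.0.{i // 256}.{i % 256}"          # 600 distinct constructed addresses
        lines.append(f"{1_000_000 + (i % 10)} {src} {victim} 80 {60 + (i % 40)}")
    for j in range(5):
        src = f"192.0.2.{j + 1}"
        for k in range(20):
            lines.append(f"{1_000_000 + k} {src} {normal} 443 {4000 + 100 * k}")
    return "\n".join(lines)


def summarise(flows, window: int = 60) -> dict:
    """Group flows by destination over one window starting at the first flow seen."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    stats = {}
    for dst, fl in by_dst.items():
        t0 = min(f.ts for f in fl)
        fl = [f for f in fl if f.ts - t0 < window]
        per_src = defaultdict(lambda: [0, 0])       # src -> [connections, bytes]
        for f in fl:
            per_src[f.src][0] += 1
            per_src[f.src][1] += f.nbytes
        conns = [c for c, _ in per_src.values()]
        bytes_per_conn = [b / c for c, b in per_src.values()]
        stats[dst] = FloodStats(
            distinct_sources=len(per_src),
            total_connections=len(fl),
            median_conns_per_source=statistics.median(conns),
            median_bytes_per_conn=statistics.median(bytes_per_conn),
        )
    return stats


def is_distributed_flood(s: FloodStats, min_sources: int = 500,
                         max_conns_per_source: float = 3,
                         max_bytes_per_conn: float = 512) -> bool:
    """Many sources, few connections each, little data each: the signature above.

    Thresholds are illustrative; tune them against the site's own baseline.
    """
    return (s.distinct_sources >= min_sources
            and s.median_conns_per_source <= max_conns_per_source
            and s.median_bytes_per_conn <= max_bytes_per_conn)


def detect(log_text: str, **thresholds) -> dict:
    """Return {destination: flagged?} for every destination in the log."""
    flows = [parse_flow(l) for l in log_text.splitlines() if l.strip()]
    return {dst: is_distributed_flood(s, **thresholds)
            for dst, s in summarise(flows).items()}


if __name__ == "__main__":
    for dst, flagged in detect(build_sample_log()).items():
        print(f"{dst}: {'FLOOD' if flagged else 'ok'}")
```

The check deliberately keys on the distribution of sources rather than on total volume: the report's point is that each participating client sends little and looks benign on its own, so per-client rate limits and endpoint anti-virus do not see anything. Per-destination fan-in over a short window does.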
What’s a botnet?
Botnets are networks made up of computers (the zombies) that are infected with bots. Bots often reach computers in emails that use social engineering or exploit system vulnerabilities. The aim is for them to be installed silently and to operate for long periods of time without users or security companies realizing.
The botnets are used to facilitate crimes such as identity theft, denial of service attacks, phishing, click fraud, and the mass distribution of spam, adware and spyware.