Botnets for hire likely used in attacks against US banks, security firm says

The attacks are very sophisticated, security researchers say

Evidence collected from a website that was recently used to flood U.S. banks with junk traffic suggests that the people behind the ongoing DDoS attack campaign against U.S. financial institutions -- thought by some to be the work of Iran -- are using botnets for hire.

The compromised website contained a PHP-based backdoor script that was regularly instructed to send numerous HTTP and UDP (User Datagram Protocol) requests to the websites of several U.S. banks, including PNC Bank, HSBC and Fifth Third Bank, Ronen Atias, a security analyst at Web security services provider Incapsula, said Tuesday in a blog post.

Atias described the compromised site as a "small and seemingly harmless general interest UK website" that recently signed up for Incapsula's services.

An analysis of the site and the server logs revealed that attackers were instructing the rogue script to send junk traffic to U.S. banking sites for limited periods of time varying between seven minutes and one hour. The commands were being renewed as soon as the banking sites showed signs of recovery, Atias said.

During breaks from attacking financial websites, the backdoor script was being instructed to attack unrelated commercial and e-commerce sites. "This all led us to believe that we were monitoring the activities of a Botnet for hire," Atias said.
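The pattern Incapsula describes, a rarely visited PHP file on an otherwise ordinary site receiving repeated POST requests from one remote controller, is something a site operator can look for in their own access logs. The following Python script is an added example written for this article, not Incapsula's tooling or anything from the compromised site; the log lines, IP addresses and the file path `/images/cache/thumb.php` are constructed placeholders. It parses combined-format access log lines and flags PHP paths whose POST traffic comes almost entirely from a single client, reporting how often and over what span that client checked in.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Apache-style access log lines (all IPs and paths are
# placeholders, not from the article). Normal visitors browse the site; one
# remote host repeatedly POSTs to a PHP file that nobody else ever requests.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jan/2013:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.20 - - [08/Jan/2013:10:01:40 +0000] "GET /about.html HTTP/1.1" 200 2048
192.0.2.77 - - [08/Jan/2013:10:02:00 +0000] "POST /images/cache/thumb.php HTTP/1.1" 200 15
203.0.113.5 - - [08/Jan/2013:10:03:10 +0000] "GET /contact.php HTTP/1.1" 200 3100
192.0.2.77 - - [08/Jan/2013:10:09:05 +0000] "POST /images/cache/thumb.php HTTP/1.1" 200 15
198.51.100.20 - - [08/Jan/2013:10:12:33 +0000] "POST /contact.php HTTP/1.1" 302 0
192.0.2.77 - - [08/Jan/2013:10:16:11 +0000] "POST /images/cache/thumb.php HTTP/1.1" 200 15
192.0.2.77 - - [08/Jan/2013:10:23:08 +0000] "POST /images/cache/thumb.php HTTP/1.1" 200 15
"""

# Common/combined log format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_command_channels(lines, min_hits=3, min_share=0.9):
    """
    Flag PHP paths that look like a backdoor's command channel: they receive
    POST requests, and (nearly) all of those POSTs come from one client IP.
    min_hits is the minimum number of POSTs from that client; min_share is the
    fraction of the path's POSTs it must account for. Returns a list of
    findings sorted by hit count, highest first.
    """
    posts_by_path = defaultdict(lambda: defaultdict(list))  # path -> ip -> [timestamps]
    other_visits = defaultdict(int)                          # path -> non-POST request count

    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(".php"):
            continue
        if rec["method"] == "POST":
            posts_by_path[rec["path"]][rec["ip"]].append(rec["ts"])
        else:
            other_visits[rec["path"]] += 1

    findings = []
    for path, by_ip in posts_by_path.items():
        total = sum(len(stamps) for stamps in by_ip.values())
        top_ip, stamps = max(by_ip.items(), key=lambda kv: len(kv[1]))
        if len(stamps) < min_hits or len(stamps) / total < min_share:
            continue
        stamps.sort()
        # Gaps between check-ins: a steady cadence points at automation rather than a person
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        findings.append({
            "path": path,
            "controller_ip": top_ip,
            "hits": len(stamps),
            "other_visits": other_visits[path],
            "first_seen": stamps[0].isoformat(),
            "last_seen": stamps[-1].isoformat(),
            "mean_gap_seconds": sum(gaps) / len(gaps) if gaps else 0.0,
        })
    findings.sort(key=lambda f: f["hits"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in find_command_channels(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed sample the legitimate `contact.php` form is not flagged (one POST, from an ordinary visitor) while the cache-directory PHP file is, with a single controller IP and roughly seven-minute check-ins. A finding is a lead, not a verdict: the next step is to inspect the flagged file on disk and, if it is a backdoor, to look for how it was planted, since the article notes these scripts are typically dropped through a security hole in one of the hosted sites.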

"The use of a Web Site as a Botnet zombie for hire did not surprise us," the security analyst wrote. "After all, this is just a part of a growing trend we're seeing in our DDoS prevention work."

"In an attempt to increase the volume of the attacks, hackers prefer web servers over personal computers," Atias said. "It makes perfect sense. These are generally stronger machines, with access to the high quality hoster's networks and many of them can be easily accessed through a security loophole in one of the sites."

Another interesting aspect of the PHP-based backdoor analyzed by Incapsula is that it had the ability to multiply on the server in order to take full advantage of its resources, Atias said. "Since this is a server on the hoster's backbone, it was potentially capable of producing much more traffic volume than a regular 'old school' botnet zombie."

In addition, the backdoor script provided an API (application programming interface) through which attackers could inject dynamic attack code in order to quickly adapt to changes in the website's security, Atias said.

The attack script on the compromised U.K. website was being controlled through another website in Turkey that belongs to a Web design company. Incapsula's researchers believe that the Turkish site had been compromised as well and was serving as a bridge between the real attackers and their website-based botnet.

A group calling itself the "Izz ad-Din al-Qassam Cyber Fighters" has taken responsibility for the recent wave of attacks against the U.S. financial websites that started in December. The same group claimed responsibility for similar attacks launched against the same financial institutions in September.

The group claims that its DDoS campaign is in response to a film trailer mocking the prophet Muhammad not being removed from YouTube. However, some U.S. government officials and security experts are convinced that the attacks are actually the work of the Iranian government, The New York Times reported Tuesday.

The possibility of Iran being behind the attacks has been advanced before. In September, former U.S. Senator Joe Lieberman, an Independent from Connecticut, who was chairman of the Senate Committee on Homeland Security and Governmental Affairs at the time, blamed the Iranian government for the attacks against U.S. banks and said that they were probably launched in retaliation for the economic sanctions imposed on Iran.

The Iranian government officially denied its involvement and the U.S. government has not yet released any evidence that supports this claim.

That said, the sophistication of the tools used in the attacks, as well as their unprecedented scope and effectiveness, has been advanced as an argument that this DDoS attack campaign might be state sponsored.

The attacks against the U.S. financial industry from the past few months are unique in scale, organization, innovation and scope, Carl Herberger, vice president of security solutions at Israel-based network security vendor Radware, said Wednesday via email.

The company cannot comment on the origin of the attacks, because it only focuses its resources on attack detection and mitigation, Herberger said. However, in Radware's view, the DDoS attack campaign against U.S. banks has represented the longest persistent cyberattack on a single industrial sector in history, he said.

If someone in the U.S. government is indicating that the Iranians are doing it, like Lieberman did a few months ago, they're probably spot on, Scott Hammack, the CEO of DDoS mitigation vendor Prolexic, said Wednesday.

These attackers are not using the traditional "pull" command and control technology where the botnet clients periodically connect to a server to check if new instructions are available. Instead, they are using a "push" technology to send instructions in a matter of seconds to hundreds of compromised servers, Hammack said.

This allows for more dynamic attacks, but also leaves the attackers open to being identified a lot easier, Hammack said. The U.S. government is monitoring some of the compromised servers used in the attacks and can see exactly where those instructions are coming from, he said.

Herberger described the DDoS attacks as well-organized and innovative in the sense that they use newly uncovered vulnerabilities and attack origins. One example is that they leverage the infrastructure of cloud providers instead of the resources of consumer-oriented computers.

The attacks are definitely very sophisticated, Hammack said. The attackers know exactly what weak spots to hit and target them in rotation. They've obviously done a lot of research into the infrastructure of the banks and how it's configured, he said.

"These attacks have, almost simultaneously, been launched on nearly every major commercial bank in the U.S.," Herberger said. However, not all of the targeted banks have suffered outages, which suggests that some effective defenses do exist, he said.

Stories by Lucian Constantin