Actually, I would bet that these are copycats or the same guys that were taking down the offshore gambling and bookmaker sites.
The concept behind it is: Pay us $40000 or we will crash your server. Obviously, $40k isn't much money to the bookmaker/gambling site/processor, but the loss in revenue is much greater. They keep the payout small enough so that the transaction can be handled quickly. So, someone pays, they are financed again to run their attack on someone else. The person that pays is supposedly 'whitelisted' and won't get attacked again. I firmly believe that they just wait 3 months and attack again under the guise of some other group. Once a payer, always a payer.
I think Barclays bank was hit a few months back as well as another financial institution.
Their zombies do use IRC to do most of the communications and it is quite a subculture.
As for getting the FBI involved, the FBI shows up in their suits, takes the info, you give them everything including address, cell phone numbers, locations, logs, city/state/zip/country on a few CDs and 26 months later they say, are the attacks still going on? Uhh, no, he was captured 11 months after I gave the attacker's info to another FBI task group.
It would be so easy for the FBI to fix things if they wanted to, but they really have very little clue as to how to mitigate and identify the attacker. There is no quick way to deal with the FBI since they don't/can't use email. FBI charter states that all email must be printed by a dedicated workstation, sealed and delivered via departmental mail. You can send them CDs worth of data, MySQL dumps of IPs, raw logs, etc., but it goes to a group that has a handful of people that are able to do the analysis. If you're not directly impacted with substantial financial burden, and aren't someone that they can champion in the papers by helping, you are really put at the bottom of the stack.
And by being a civilian, we're quite limited in our ability to track things. These attacks come from hijacked machines that run a little bot that checks in with an IRC network. The last attack I dealt with had machines from Cisco, government offices, foreign governments and thousands of other machines from around the world. Cisco did help immensely by logging the packets from the machine inside their network and handing me some of the logs. The government offices shut down the identified machine for a few days and bam, when they turned it back on, hey, it's baaaack.
The FBI has a lot to learn, which regrettably makes it very easy for extortion on the net to work. Witness the little $200 extortions for documents that have been encrypted by virus/trojan horses.
