Javascript DDoS Tool Analysis

Published: 2012-01-22
Last Updated: 2012-01-23 18:16:34 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

 

  Last week's denial of service attack against the Department of Justice (justice.gov), the FBI (fbi.gov) and other sites didn't rely only on Anonymous's favorite tool, the Low Orbit Ion Cannon (LOIC). A new method was also used to recruit denial of service clients.

  The new method uses some pretty simple JavaScript to launch the attack. Followers are asked to visit a particular web page. The page includes a simple form to adjust the attack parameters, but it launches the attack with default parameters as soon as the page is opened in the browser.

  IMPORTANT: The script starts running as soon as the user visits the page. You do not have to press the "fire" button.

  JavaScript code retrieving the parameters:

var fireInterval;                        // timer handle for the request loop
var isFiring = false;
var currentTime = new Date();
var lastSuccess = currentTime.getTime();  // millisecond timestamp; the "id" value in the log below has the same form
var requestedCtrNode = document.getElementById("requestedCtr"),   // counters displayed on the page
    succeededCtrNode = document.getElementById("succeededCtr"),
    failedCtrNode = document.getElementById("failedCtr"),
    targetURLNode = document.getElementById("targetURL");          // form field holding the target URL
...

   An unused part of the code hints at plans to implement a hash table, possibly with an eye on the recently discussed hash table (hash collision) denial of service vulnerability. If so, it has not been implemented yet: a JavaScript object on the client side does not by itself trigger that flaw, which requires sending crafted colliding parameter names to the server.

var requestsHT = {}; // requests hash table, may come in handy later

  Originally, I figured the attack would use XMLHttpRequest. Instead, the code takes a simpler route: it repeatedly changes the src of an image element to a URL on the attacked site. I suspect this is more reliable because a browser will fetch an image from any origin without a cross-domain mechanism, so the client does not need to support XMLHttpRequest Level 2 (CORS) or XDomainRequest; it should work with pretty much any browser.

The request does not necessarily retrieve an actual image. The browser simply fetches whatever URL was targeted, with an "id" parameter and a "msg" parameter appended (the message is also set by the user). In the sample below, the id is a 13-digit number that corresponds to a millisecond timestamp (compare the getTime() call above), so every request carries a unique URL and defeats any cache in front of the server. This fixed format should make the attack pretty easy to filter at a web application firewall, and other content-aware firewalls should be able to deal with it as well.

Sample weblog:

GET /?id=1327271393334&msg=No%20A%20la%20CENSURA%20EN%20INTERNET%A1%A1%A1 HTTP/1.1" 200 8395

The msg parameter decodes (as Latin-1) to "No A la CENSURA EN INTERNET¡¡¡", Spanish for "No to censorship on the Internet".

  To avoid crashing the browser, the script limits the number of outstanding requests. It attempts to send 5,000 requests per second; when I tested it against a lab web server across a pretty slow VPN connection, it managed about 5 requests per second. The Referer header of each request is the URL of the attack page, which ties the traffic back to the recruiting site. The User-Agent is the browser's own; a script running in the page cannot change it.
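  An added example, not part of the original diary and not code from the tool itself: detection logic for the request pattern described above, run over a few constructed Apache "combined" log lines. The request line and response size of the first line are taken from the sample weblog; the client IPs, timestamps, Referer values, User-Agent string, the recruiting page http://attack-page.example/ and the attacked hostname www.target.example are assumptions. The check keys on exactly the two parameters the script appends, an id that parses as a millisecond timestamp close to the log entry's own time, and a Referer on a host other than the attacked one; it then tallies matches per client so a rate threshold can be applied.

```javascript
// Added example (not from the diary or the tool): flag requests that match the
// id/msg pattern described above and tally them per client IP.
// Assumptions: Apache "combined" log format; the attacked host is
// www.target.example; the recruiting page is http://attack-page.example/.

const COMBINED_RE =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;
const MONTHS = { Jan: '01', Feb: '02', Mar: '03', Apr: '04', May: '05', Jun: '06',
                 Jul: '07', Aug: '08', Sep: '09', Oct: '10', Nov: '11', Dec: '12' };

// Convert an Apache timestamp such as "22/Jan/2012:22:29:53 +0000" to epoch milliseconds.
function apacheTimeToMs(ts) {
  const m = /^(\d{2})\/([A-Za-z]{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-]\d{2})(\d{2})$/.exec(ts);
  if (!m || !MONTHS[m[2]]) return NaN;
  const [, d, mon, y, hh, mm, ss, tzh, tzm] = m;
  return Date.parse(`${y}-${MONTHS[mon]}-${d}T${hh}:${mm}:${ss}${tzh}:${tzm}`);
}

// Split a query string into parameter names and raw (still percent-encoded)
// values. Values stay raw because the sample "msg" carries Latin-1 bytes (%A1)
// that decodeURIComponent would reject as invalid UTF-8.
function parseQuery(query) {
  const params = {};
  for (const part of query.split('&')) {
    if (!part) continue;
    const eq = part.indexOf('=');
    params[eq === -1 ? part : part.slice(0, eq)] = eq === -1 ? '' : part.slice(eq + 1);
  }
  return params;
}

// Decode percent-escapes byte-for-byte as Latin-1, which turns %A1 into "¡".
function decodeLatin1(raw) {
  return raw.replace(/\+/g, ' ')
            .replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Parse one combined-format line into its fields, or return null if it does not match.
function parseLogLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, proto, status, size, referer, ua] = m;
  const q = target.indexOf('?');
  return {
    ip, method, proto, referer, ua,
    timeMs: apacheTimeToMs(ts),
    path: q === -1 ? target : target.slice(0, q),
    params: parseQuery(q === -1 ? '' : target.slice(q + 1)),
    status: Number(status),
    size: size === '-' ? 0 : Number(size),
  };
}

// The tool appends exactly two parameters to the target URL: "id" (a 13-digit
// millisecond timestamp) and "msg". A request matches when both are present,
// nothing else is, and the id lies within a day of the log entry's own time.
function isLoicLikeRequest(entry) {
  const keys = Object.keys(entry.params);
  if (keys.length !== 2 || !('id' in entry.params) || !('msg' in entry.params)) return false;
  if (!/^\d{13}$/.test(entry.params.id)) return false;
  const drift = Math.abs(Number(entry.params.id) - entry.timeMs);
  return !Number.isNaN(drift) && drift <= 24 * 60 * 60 * 1000;
}

// The browser sends the recruiting page as Referer, so a Referer on a host other
// than the attacked one corroborates a match. A missing Referer is not counted
// either way, since some clients strip it.
function hasForeignReferer(entry, targetHost) {
  if (!entry.referer || entry.referer === '-') return false;
  try { return new URL(entry.referer).hostname !== targetHost; } catch (e) { return false; }
}

// Tally matching requests per client IP. Combined with the observed rate (the
// diary measured about 5 requests/s from one slow client) this drives a block rule.
function summarizeByClient(lines, targetHost) {
  const perClient = {};
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry || !isLoicLikeRequest(entry)) continue;
    const rec = perClient[entry.ip] ||
      (perClient[entry.ip] = { requests: 0, foreignReferer: 0, msg: decodeLatin1(entry.params.msg) });
    rec.requests += 1;
    if (hasForeignReferer(entry, targetHost)) rec.foreignReferer += 1;
  }
  return perClient;
}

// Constructed sample log. Line 1 reuses the request line and size from the diary's
// sample weblog; the IPs, times, Referer and User-Agent on every line are made up.
const UA = '"Mozilla/5.0 (Windows NT 6.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"';
const MSG = 'No%20A%20la%20CENSURA%20EN%20INTERNET%A1%A1%A1';
const SAMPLE_LOG = [
  `203.0.113.7 - - [22/Jan/2012:22:29:53 +0000] "GET /?id=1327271393334&msg=${MSG} HTTP/1.1" 200 8395 "http://attack-page.example/" ${UA}`,
  `203.0.113.7 - - [22/Jan/2012:22:29:53 +0000] "GET /?id=1327271393541&msg=${MSG} HTTP/1.1" 200 8395 "http://attack-page.example/" ${UA}`,
  `198.51.100.23 - - [22/Jan/2012:22:29:54 +0000] "GET /?id=1327271394102&msg=${MSG} HTTP/1.1" 200 8395 "http://attack-page.example/" ${UA}`,
  // legitimate traffic: a short numeric id, and an id/msg pair plus a third parameter
  `192.0.2.44 - - [22/Jan/2012:22:29:54 +0000] "GET /press/release.html?id=42 HTTP/1.1" 200 12840 "http://www.target.example/press/" ${UA}`,
  `192.0.2.45 - - [22/Jan/2012:22:29:55 +0000] "GET /contact?id=1327271395000&msg=hello&page=2 HTTP/1.1" 200 3012 "http://www.target.example/" ${UA}`,
];
const TARGET_HOST = 'www.target.example';

console.log(JSON.stringify(summarizeByClient(SAMPLE_LOG, TARGET_HOST), null, 2));
```

  The timestamp check is what keeps the rule from firing on ordinary pages that happen to use an "id" parameter: a real visitor's id is rarely a 13-digit value within a day of the request time, while every request from the tool carries one. Feed the functions a real access log one line at a time and block or rate-limit clients whose tally climbs over the few requests per second a browser page could plausibly generate on its own.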

 Update: SpiderLabs published a nice analysis of this tool, including other "LOIC" variants, about a year ago: blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Mailbag - "Attacks"

Published: 2012-01-22
Last Updated: 2012-01-23 05:25:39 UTC
by Lorna Hutcheson (Version: 1)
11 comment(s)

We got an email to the list today that got me thinking.  Alyce was concerned because of "Attacks" toward her computer that were being logged by the firewall that is part of the locally installed antivirus suite.  Alyce wisely checks the history and logs section on a fairly regular basis but admits to being a novice.  Recently Alyce observed that about every ten minutes the same IP was trying different attacks to gain access to the computer.  As was stated in the email, "I know that no one is going to jump through my computer screen, but it is scaring me..."

It is scary to know that traffic coming toward your system is not friendly.  The internet is not a safe, nice place where you can leave your computer open and no one will bother it.  However, if you keep your system patched, run antivirus software and have your firewall turned on, you are pretty safe from the externally initiated attacks that are aimed at your system.  Most tools are automated and are looking for home systems with vulnerabilities.  There are far too many open and unprotected systems out there to go after than to spend effort compromising one that is protected.

The bigger worry actually comes from what the user at the keyboard is doing.  As I write this, I have to decide whether I should rebuild my box.  I keep it patched and locked down to what I need.  I don't run as administrator, and I run a firewall and antivirus software.  All of this, it seems, could not save my computer from one of my kids who got on it to surf around the internet.  It appears they picked up something on their travels, as my computer is not running right.  Even after all the lectures about not clicking on every link out there just because Google returned it, the message still did not get through.  The attackers don't have to break in if you open the door for them.

Trying to teach the user community to be careful about where they go and what they click on seems to be a never-ending saga.  How many years have we spent trying to educate end users?  I have a couple of family members who unintentionally keep creating their own malware zoo on their computers.  No matter how much I try to caution and explain, it obviously isn't getting through.  I'm sure many of you have the same problem and similar users.  The problem is bridging the gap between those who work in the computer world and those who just use it.  So, I would like to compile a simple best practice list for safe internet travels for the "non computer savvy" home/work user.  If you have any recommendations for best practices or advice for this list, please send them in and I will compile the results.  I'll post the results in a diary next week.

 

Keywords: mailbag

