Events|NSAccess Control Lists

Roel
Kaspersky Lab Expert
Posted August 13, 20:31  GMT
Tags: Conferences, DDoS, Cyber weapon, Cyber espionage

Last week, I attended the International Conference on Cyber Security at Fordham University in NYC. This event brought together participants from government, the private sector and academia. The closing session was a panel featuring the directors of the CIA, FBI and NSA which drew a lot of attention.

FBI Director Robert Mueller speaking at the closing panel

Throughout the conference, there was a strong push for more cooperation internationally and between different sectors. While cooperation has come a long way, we still have a long way to go.

The topic of cyber-espionage didn't come up as much as I've been used to in recent times. Instead, there was more talk on cyber-sabotage with several presentations talking about this problem.

Incidents|The Biggest DDoS Ever that "Almost Broke the Internet"?

Roel
Kaspersky Lab Expert
Posted March 30, 04:25  GMT
Tags: DDoS
Kurt Baumgartner
Kaspersky Lab Expert
Posted March 30, 04:25  GMT
Tags: DDoS

"If the Internet felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why." Well, "a bit more sluggish" for limited sets of communications in parts of Europe for a few days is not a broken internet, and is certainly not close to a critical infrastructure disaster.

There's been a lot of attention on the recent reports regarding a DDoS attack against Spamhaus which reached a peak of 300 Gbps. Yes, such an enormous amount of throughput definitely makes this one of the biggest DDoS attacks ever seen. DDoS attacks have seen an increase in popularity in recent times and there's no sign they'll go away anytime soon. Cyber-criminals, competitors, hacktivists and nation-state sponsored actors all have their motives to use DDoS attacks. In this case, a suspected entity behind these attacks is a Dutch hosting company called CyberBunker, whose owner denies being responsible, but claims to be a spokesman for the attackers. The conflict between Spamhaus and CyberBunker goes back to 2011 and has now escalated after Spamhaus blacklisted CyberBunker earlier this month. The timing of the conflict is uncanny. And Spamhaus is certainly under attack from some determined group capable of generating massive amounts of traffic, forcing them to move to hosting and service provider CloudFlare, known for effectively dissipating large DDoS attacks.

Incidents|Elections 2012 and DDoS attacks in Russia

VitalyK
Kaspersky Lab Expert
Posted March 07, 08:14  GMT
Tags: DDoS

As Eugene Kaspersky had written earlier, we were expecting new DDoS attacks on resources covering the Russian presidential election. So, as the country went to the polls on 4 March, we were on the lookout for new DDoS attacks.

We were surprised to hear a news report from one mass media source that claimed a series of attacks from foreign countries had targeted the servers responsible for broadcasting from polling stations. The announcement came at about 21:00, but there was no trace of any attack on our monitoring system. The media report did not clarify exactly what sort of attacks had been staged. Instead of a DDoS attack, the journalists might have been referring to a different method of gaining unauthorized access, such as SQL injection.

Webcasts|Lab Matters - The threat from P2P botnets

Ryan Naraine
Kaspersky Lab Expert
Posted January 19, 13:35  GMT
Tags: Botnets, DDoS, Malware Technologies

Kaspersky Lab malware researcher Tillmann Werner joins Ryan Naraine to talk about the threat from peer-to-peer botnets. The discussion ranges from botnet-takedown activities to the ongoing cat-and-mouse games played to cope with the botnet menace.


It's the end of 2011 as we know it, and Microsoft feels fine finishing out the year with a handful of out-of-band holiday patches. This round is important not because the vulnerabilities directly impact massive numbers of customers and their online behavior on Windows laptops, tablets, and workstations, but because ASP.NET maintains vulnerable code enabling easy DoS of hosting websites, authentication bypass techniques, and stealth redirections to other websites (most dangerously those sites hosting phish and hosting client side exploits and spyware). All of this could curdle your eggnog in the coldest of weather.


Dark Market was one of the most famous underground forums ever, for several reasons. The most important one was that one of the administrators was an FBI agent who had infiltrated the forum in a covert operation that ultimately led to the arrest of 60 people worldwide. The forum was shut down in 2008, when Dark Market was probably the most important carding forum in the world.


At Virus Bulletin 2011, we presented on the exploding level of delivered Java exploits this year with "Firing the roast - Java is heating up again". We examined CVE-2010-0840 exploitation in detail, along with variants of its most common implementation on the web and some tools and tips for analysis. Microsoft’s security team presented findings for 2011 that mirrored ours in relation to Java exploit prevalence on the web – it is #1! At the same time, aside from the recent, well-known BEAST Java implementation, it is striking that it has been very uncommon to see Java backdoors, Trojans and spyware. But that lack of Java malware variety is beginning to change. My colleague, malware analyst Roman Unucheck, identified a new Java bot with some interesting characteristics that we named "Backdoor.Java.Racac".

Events|Virus Bulletin 2011 - Chinese DDoS Bots

Kurt Baumgartner
Kaspersky Lab Expert
Posted October 05, 12:34  GMT
Tags: Botnets, DDoS

Hello from Virus Bulletin 2011! Several talks this morning were very good, and an unusual topic about DDoS in the east was presented early in the afternoon.

Over 40 families of Chinese DDoS bots were identified by Arbor Networks and have been tracked over the past year. Online occurrence of the malware itself is increasing. A ton of these families are cropping up all the time; at least one new one appears every week with an unusual new capability. When these botnets are used to DDoS an online presence, it is often difficult to understand or even speculate what the motivation behind the attack may be. Most of the code base is shared, cobbled together, and generally was thrown together by inexperienced writers.

Arbor writes and maintains "fake bot" monitors to log data and activity of these botnets and build up a better picture of attacks and a profile of the groups. One of these families represents the "typical" Chinese DDoS bot: darkshell is a great example of the rudimentary and simple level of network traffic obfuscation, but it's as sophisticated as it gets for these families.


The title of this post suggests that I’ve been thinking of one of the cyber-criminals that uses SpyEye, maybe in admiration! But actually his cyber-criminal actions overshadow anything else.

The truth is that, following my post highlighting the tactic of using one of the Cloud Computing services offered by Amazon as C&C, I found a sample of SpyEye that is somewhat interesting: among its goals is a DDoS attack directed against the Kaspersky Lab website.

The SpyEye configuration file, which is basically a compressed, password-protected file (the password is usually an MD5 hash), stores the resources involved in the planned attack. The surprise came when I looked at the configuration file of the plugin (ddos.dll.cfg). The following image shows the parameters set in this file:


Webmasters, mainly corporate sysadmin and dev teams, need to pay attention to today's Oracle CPU, impacting Oracle Fusion Middleware, Oracle Application Server, and Oracle Enterprise Manager. This stuff is commonly deployed in the enterprise. Sysadmins should be aware that CVE-2011-3192 is only known to enable DoS attacks: "The byterange filter in the Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19 allows remote attackers to cause a denial of service (memory and CPU consumption) via a Range header that expresses multiple overlapping ranges, as exploited in the wild in August 2011, a different vulnerability than CVE-2007-0086."

The issue is an urgent one: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible". Normally this wouldn't be all that interesting, but the bug has existed for a long time and was being exploited at least as far back as late summer. It is surprising to see that an Apache bug publicly exploited and reported on in mid-August, and patched by the Apache group in mid-August, receives a delayed patch delivery from Oracle in mid-September. Also interesting is that this problem is partly rooted in a protocol design issue going back to 2007. Now-Google security engineer Michal Zalewski posted to Bugtraq with a "cheesy Apache/IIS DoS vuln question" about the problem back then.

Customers are provided with a link to "My Oracle Support Note 1357871.1" where "Patches and relevant information for protection against this vulnerability can be found..." Coincidentally, the Weblogic host serving resources at that URL returns an Apache error at this time: "Failure of server APACHE bridge: No backend server available..." Nonetheless, knowing that hacktivists are heavily in the news for site takedowns and simple Perl scripts targeting this vulnerability are publicly available, admins are urged to spend another day patching ASAP.
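The CVE text quoted above describes the trigger precisely: a single request whose Range header lists many overlapping byte ranges, each of which the Apache byterange filter processed separately. Since the post urges admins to patch but also mentions that attack scripts are circulating, it is useful to see what such a header looks like and how a front-end check can reject it before it reaches an unpatched backend. The following Python is an added example written for this page; it is not Apache code and not taken from the post. It parses a `Range: bytes=` value, resolves suffix and open-ended ranges against a content length (assumed to be 10,000 bytes here), flags overlapping ranges, and applies a cut-off of five ranges per request, the same limit the Apache project's mod_rewrite workaround for this CVE enforced (whether five suits your own clients is an assumption you must check). The sample header values are constructed for the example, not captured traffic.

```python
"""Detect Range headers shaped like the CVE-2011-3192 trigger (illustrative, not Apache code)."""
import re

# Cut-off matching the Apache advisory workaround (RewriteCond on up to 5 ranges).
# Assumption for this example: legitimate clients here never need more than five.
MAX_RANGES = 5
ASSUMED_CONTENT_LENGTH = 10_000   # size of the resource being requested; an example value


def parse_byte_ranges(header):
    """Return a list of (first, last) tuples from a 'bytes=' Range header value.

    A suffix range '-500' becomes (None, 500); an open range '500-' becomes
    (500, None). Raises ValueError on anything that is not a bytes= range set.
    """
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+)", header)
    if not m:
        raise ValueError("not a bytes= range set: %r" % header)
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        rm = re.fullmatch(r"(\d*)-(\d*)", spec)
        if not rm or (rm.group(1) == "" and rm.group(2) == ""):
            raise ValueError("malformed range spec: %r" % spec)
        first = int(rm.group(1)) if rm.group(1) else None
        last = int(rm.group(2)) if rm.group(2) else None
        ranges.append((first, last))
    return ranges


def has_overlap(ranges, content_length):
    """True if any two satisfiable ranges cover a common byte.

    Suffix and open ranges are resolved against content_length first; ranges with
    first > last are unsatisfiable and are ignored, as the server would ignore them.
    """
    resolved = []
    for first, last in ranges:
        if first is None:                       # "-N": the last N bytes
            first, last = max(content_length - last, 0), content_length - 1
        elif last is None or last >= content_length:   # "N-" or a last beyond the end
            last = content_length - 1
        if first <= last:
            resolved.append((first, last))
    resolved.sort()
    max_last = -1
    for first, last in resolved:                # after sorting by first, an overlap
        if first <= max_last:                   # means first <= some earlier last
            return True
        max_last = max(max_last, last)
    return False


def classify_range_header(header, content_length=ASSUMED_CONTENT_LENGTH):
    """Return 'invalid' for unparsable values, 'reject' for a request that looks
    like the byterange DoS (too many ranges or overlapping ranges), else 'ok'.
    The same check should be applied to the legacy Request-Range header.
    """
    try:
        ranges = parse_byte_ranges(header)
    except ValueError:
        return "invalid"
    if len(ranges) > MAX_RANGES or has_overlap(ranges, content_length):
        return "reject"
    return "ok"


# Constructed sample header values (not captured traffic).
SAMPLES = {
    "video_seek": "bytes=0-1023,1024-2047",        # ordinary adjacent ranges
    "suffix": "bytes=-500",                         # tail of the file
    "overlap": "bytes=0-,100-200",                  # both ranges cover bytes 100-200
    # The shape of the 2011 exploit traffic: one open range plus hundreds of
    # overlapping/unsatisfiable ones, every one of which the vulnerable filter processed.
    "flood": "bytes=0-," + ",".join("5-%d" % i for i in range(1300)),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print("%-11s %-8s (%d ranges)" % (name, classify_range_header(value),
                                          len(parse_byte_ranges(value))))
```

Deploying this as a reverse-proxy or WAF rule buys time, but it is a mitigation, not a fix: the filter stays vulnerable until the Apache (or, as the post notes, Oracle-bundled) build is patched.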
