Prolexic Believes Multiple Groups and Tactics
Behind Recent High Profile DDoS Attacks
The bot toolkit discovered to be responsible for the majority of these attacks is a PHP-based suite known as itsoknoproblembro; the infected hosts are known as brobots. However, post-attack forensic analysis of a number of infected hosts, conducted by the Prolexic Security Engineering & Response Team (PLXsert), points to multiple malicious actors participating in the crippling DDoS attacks using individualized toolkits and tactics. The PLXsert team found:
- Techniques of exploitation and defacement varied. In some instances hosts were taken over and defaced. In others, files were dropped and scans were set up to identify additional targets. This leads PLXsert to believe that the initial infections were performed by multiple groups (or multiple individuals).
- Forensics showed that different toolkits were used to maintain or gain access to infected hosts.
- A blend of attack scripts and different techniques during each observed campaign points to the possibility of multiple, well-organized groups.
- PLXsert was able to gain visibility into some machines and was able to prove persistence of infection going back to May 2012. The difficulty of cleanup is directly related to the number of different toolkits used and the high number of back doors installed. This supports PLXsert’s hypothesis that multiple groups/individuals used different tactics.
“A blend of attack scripts and different techniques used in each campaign is another pointer to the likelihood that multiple, well-organized groups or individuals were behind these attacks,” said Stuart Scholly, president at Prolexic. “As we approach the critical online holiday shopping period, there is no doubt that attackers have armed themselves with advanced toolkits capable of generating amplified and sophisticated DDoS floods.”
Prolexic will issue its Q3 2012 Global DDoS Attack Report in mid-October. The report will include a detailed case study on the itsoknoproblembro toolkit as well as data from the recent high profile DDoS attacks. A complimentary copy of the report will be available for download at www.prolexic.com/attackreports.
Prolexic is the world's largest, most trusted Distributed Denial of Service (DDoS) mitigation provider. Able to absorb the largest and most complex attacks ever launched, Prolexic restores mission-critical Internet-facing infrastructures for global enterprises and government agencies within minutes. Ten of the world's largest banks and the leading companies in e-Commerce, SaaS, payment processing, travel/hospitality, gaming and other at-risk industries rely on Prolexic to protect their businesses. Founded in 2003 as the world's first in-the-cloud DDoS mitigation platform, Prolexic is headquartered in Hollywood, Florida and has scrubbing centers located in the Americas, Europe and Asia. To learn more about how Prolexic can stop DDoS attacks and protect your business, please visit www.prolexic.com, follow us on LinkedIn, Facebook and Google+ or follow @Prolexic on Twitter.