Saturday, July 11, 2009

I think I know what the ddos is about

If you've watched any news broadcasts since the 4th of July, you'll be aware that that certain US and South Korean government and commercial websites have been under Distributed Denial Of Service (ddos) attack. Early on, someone pondered for a minute or two about who might be a common enemy to both the US and SK, and the obvious answer was .... gasp... North Korea!!! And if NK is the perp, then clearly this is ... cyberwar!!! Holy Moley Batman!!!! Quick ... run to the bunkers!

It's obviously a great headline, but most actual security folk took the view that it's just a ddos, for goodness sake. If we can't get to for a few days, the world is not going to end. The tourists will still take their photos from the street, and the rest of us will just get another cup of coffee while we wait for it to end. Ddos's are really easy to do, and impossible to prevent up front. It's just that they're not profitable, so no one bothers in this day of "Show me the money for my malcode". And it was silly to blame North Korea, because the whole point of a ddos from a remote controlled botnet is that no one really knows who's driving it.

Now, having had a look at the disparate list of victim websites, my initial thought was that it was a disgruntled businessman targeting the Federal Trade Commission, and shooting at everyone else to conceal their real target, but then we realized that the malcode was programmed to self-destruct, starting July 10th, by erasing the first megabyte of the victim's hard drive!

At least this would effectively clean up these computers.

After we got over laughing about botmasters destroying their own botnet, and making jokes like "Don't these guys understand how retaliation works?", etc, the light slowly dawned on us that maybe they did understand exactly what they were doing.

It's not cyber-war ... it's someone who's worried about the growing plethora of botnets on the Internet, and who's trying to make people care enough to do something about it! A vigilante!

Think about it.

Why bother nuking 60k computers after doing all the work of assembling them? Nuking them only helps the Good Guys, because the victims are forced to re-build, and therefore clean, their computers.

Why bother with a ddos of a bunch of disparate government and commercial websites? Nobody was really impacted ... border routers were reprogrammed to deflect the ddos off any important sites... the only thing it really did was cause a bunch of lawmakers to point the finger at North Korea.

And the only other thing it really did was make lawmakers think "If North Korea could do this with a mere 60k machines, what could Al Qaeda do with a big botnet of 300k machines?"

Big botnets are really common, by the way.

The only reasonable explanation for the whole thing is that it was someone who is worried about the botnet problem, and who wanted to make lawmakers think about it, and do sometihng about it.

A high--tech vigilante.

By the way, the vigilante has a point. Botnets are a real probem, and we need to mitigate them a bit. Most ISPs could do something, except that their give-a-darn bone is broken.

Incidentally, the erase-one-mb thing reminds several of us of the CIH virus. The underground scuttlebut about the CIH author was that he was hired by Taiwanese military intelligence. It's an easy mind-wander to wonder if there's a connection there. Surely not. :-)

Keep safe folks.