Dissection of 'itsoknoproblembro', the DDoS tool that shook the banking world

04 January 2013

Last autumn the US banking world was shaken by sustained, heavy and effective DDoS attacks that peaked at 70 Gbps – a traffic load capable of overwhelming the majority of network infrastructures. More of the same is expected in 2013.

Prolexic, a DDoS mitigation company, has now released a detailed advisory on the itsoknoproblembro DDoS toolkit used in these attacks. The hope is that by better understanding the malware’s methodology, infected servers can be cleansed before they become part of the next attack.

While many DDoS attacks in the past have relied upon hired criminal botnets or voluntary activist networks, itsoknoproblembro is different. It uses a sophisticated two-tier combination of compromised commercial servers, and as a result can generate a higher bandwidth attack from a smaller number of hosts. “Malicious hackers,” explained Prolexic yesterday, “are using the toolkit to target known vulnerabilities in web content management systems, including Joomla and WordPress, to infect web servers with malicious PHP scripts. The toolkit then leverages a unique, two-tier command mode that can launch multiple high-bandwidth attack types simultaneously.”

It is in the interest of the infected websites to recognize and cleanse any infections. Apart from being an unwitting part of an attack on the banking system (or whatever is the current target), “users were complaining of CPU and bandwidth usage on their accounts exceeding their allowed amounts,” explains Prolexic, “sometimes resulting in stern letters from their hosting provider or an account suspension.” To help such users recognize that they have been compromised with itsoknoproblembro, Prolexic has published its advisory together with an associated log analyzer, brolog.

The advisory includes details of 11 different attack signatures, and provides SNORT rules for DDoS mitigation. The free log analysis tool can be used to pinpoint which scripts were accessed, by what IP address and for what DDoS targets. “Armed with this information,” says Prolexic, “the infected servers can be sanitized, preventing them from being used in subsequent itsoknoproblembro campaigns.”
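The kind of log analysis described above (which scripts were called, from which IP addresses, and with which targets) can be illustrated with a small web-server access-log summarizer. This is an added example, not Prolexic's brolog tool and not code from the advisory; the log lines are constructed, and the script path `cache.php` and the query parameter name `target` are placeholders assumed for the illustration rather than the toolkit's real names. A defender running this over a compromised host's access log would look for server-side scripts that are repeatedly invoked with a target parameter, which is not normal traffic for a CMS upload directory.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" access-log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed name of the query parameter carrying the attack target (placeholder, not the real one).
TARGET_PARAM = "target"

# Constructed sample log: three command hits from one caller, one from another,
# plus ordinary page and image requests that should not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2013:10:15:01 +0000] "POST /wp-content/uploads/cache.php?target=198.51.100.20&dur=60 HTTP/1.1" 200 12
203.0.113.7 - - [03/Jan/2013:10:15:02 +0000] "POST /wp-content/uploads/cache.php?target=198.51.100.20&dur=60 HTTP/1.1" 200 12
203.0.113.7 - - [03/Jan/2013:10:15:03 +0000] "POST /wp-content/uploads/cache.php?target=198.51.100.21&dur=60 HTTP/1.1" 200 12
192.0.2.44 - - [03/Jan/2013:10:15:04 +0000] "GET /index.php HTTP/1.1" 200 5120
192.0.2.45 - - [03/Jan/2013:10:15:05 +0000] "GET /images/logo.png HTTP/1.1" 200 8210
198.51.100.9 - - [03/Jan/2013:10:16:10 +0000] "POST /wp-content/uploads/cache.php?target=198.51.100.20&dur=60 HTTP/1.1" 200 12
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["url"])
    rec["script"] = parts.path            # the server-side script that was invoked
    rec["params"] = parse_qs(parts.query)  # its query parameters, if any
    return rec


def summarize(log_text):
    """Per-script summary: hit count, calling IPs, and any target values seen."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "targets": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[rec["script"]]
        entry["hits"] += 1
        entry["ips"].add(rec["ip"])
        for value in rec["params"].get(TARGET_PARAM, []):
            entry["targets"].add(value)
    return dict(stats)


def suspicious_scripts(stats, min_hits=3):
    """Scripts that received a target parameter at least min_hits times.

    Ordinary pages and static files never carry the target parameter, so they
    drop out even when they are requested far more often.
    """
    return sorted(path for path, s in stats.items()
                  if s["targets"] and s["hits"] >= min_hits)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for path in suspicious_scripts(stats):
        s = stats[path]
        print(f"{path}: {s['hits']} hits from {sorted(s['ips'])}, targets {sorted(s['targets'])}")
```

On a real host the output of `suspicious_scripts` is the list of files to inspect and remove, and the caller IPs and target values are the evidence worth keeping for the hosting provider or the affected target. The threshold `min_hits` is a tuning knob; lowering it trades fewer missed scripts for more manual review of benign ones.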

Given the chatter in the hacker underground, explained Prolexic CEO Scott Hammack, “we expect these itsoknoproblembro DDoS campaigns will continue to grow in frequency. We want to support the security community by sharing our knowledge, so we can help eradicate this threat and remove these malicious scripts from infected machines before they do even more damage.”

But the eradication of the itsoknoproblembro toolkit and its attack methods will take time, warns the advisory. “The continued use of outdated content management system (CMS) products with vulnerabilities is a rampant problem today. DDoS attackers compromise outdated web applications because it is effective. It is desirable for CMS developers to make it simpler for users to update CMS products after user customization, so that users are not impeded from running the most up-to-date software by having to reconfigure an update.”
