Dissection of 'itsoknoproblembro', the DDoS tool that shook the banking world

Prolexic, a DDoS mitigation company, has now released a detailed advisory on the itsoknoproblembro DDoS toolkit used in these attacks. The hope is that by better understanding the malware’s methodology, infected servers can be cleansed before they become part of the next attack.

While many DDoS attacks in the past have relied upon hired criminal botnets or voluntary activist networks, itsoknoproblembro is different. It uses a sophisticated two-tier combination of compromised commercial servers, and as a result can generate a higher bandwidth attack from a smaller number of hosts. “Malicious hackers,” explained Prolexic yesterday, “are using the toolkit to target known vulnerabilities in web content management systems, including Joomla and WordPress, to infect web servers with malicious PHP scripts. The toolkit then leverages a unique, two-tier command mode that can launch multiple high-bandwidth attack types simultaneously.”

It is in the interest of the infected websites to recognize and cleanse any infections. Apart from being an unwitting part of an attack on the banking system (or whatever is the current target), “users were complaining of CPU and bandwidth usage on their accounts exceeding their allowed amounts,” explains Prolexic, “sometimes resulting in stern letters from their hosting provider or an account suspension.” It is in order to help such users recognize that they have been compromised with itsoknoproblembro that Prolexic has published its advisory together with an associated log analyzer, brolog

The advisory includes details of 11 different attack signatures, and provides SNORT rules for DDoS mitigation. The free log analysis tool can be used to pinpoint which scripts were accessed, by what IP address and for what DDoS targets. “Armed with this information,” says Prolexic, “the infected servers can be sanitized, preventing them from being used in subsequent itsoknoproblembro campaigns.” 

Given the chatter in the hacker underground, explained Prolexic CEO Scott Hammack, “we expect these itsoknoproblembro DDoS campaigns will continue to grow in frequency. We want to support the security community by sharing our knowledge, so we can help eradicate this threat and remove these malicious scripts from infected machines before they do even more damage.” 

But the eradication of the itsoknoproblembro toolkit and its attack methods will take time, warns the advisory. “The continued use of outdated content management system (CMS) products with vulnerabilities is a rampant problem today. DDoS attackers compromise outdated web applications because it is effective. It is desirable for CMS developers to make it simpler for users to update CMS products after user customization, so that users are not impeded from running the most up-to-date software by having to reconfigure an update.”

What’s hot on Infosecurity Magazine?