Kaspersky reports DDoS attacks no longer motivated by financially-driven fraud

Cybercriminals, says the Russian-headquartered IT security vendor, are increasingly targeting government resources or the sites of big companies to show off their skills, demonstrate their power or, in some cases, as a form of protest.

These are, Kaspersky observes in its analysis, exactly the sort of attacks that get maximum publicity in the media.

The most active hacker groups in the second quarter of 2011, says the report, were LulzSec and Anonymous, organising DDoS attacks on government sites in the US, the UK, Spain, Turkey, Iran and several other countries.

Attacking government sites, notes the report, is a risky business for hackers because it immediately attracts the attention of law enforcement authorities. In Q2 of 2011, as an example, more than 30 members of Anonymous were arrested on suspicion of launching DDoS attacks on government sites.

More arrests, says the security vendor, are likely to follow as authorities continue their investigations. However, not all those involved are likely to be convicted because participation in the organisation of a DDoS attack is still not considered illegal in many countries.

Delving into the report reveals that the most powerful attack repelled by Kaspersky's DDoS Prevention servers in the second quarter was one using 500 Mbps of bandwidth, although the average power of the attacks was a more modest 70 Mbps.

The longest DDoS attack seen in Q2 was 60 days, 1 hour, 21 minutes and 9 seconds, whilst the highest number of DDoS attacks against a single site during the quarter was 218.

One botnet that Kaspersky traced during the quarter was Optima, which was used in the DDoS attacks on LiveJournal – between 23 March and 1 April, the firm says it saw Optima receiving commands to attack the anti-corruption site http://rospil.info, http://www.rutoplivo.ru and http://navalny.livejournal.com, as well as the furniture factory site http://www.kredo-m.ru.

On certain days only http://navalny.livejournal.com was attacked. And at the beginning of April the botnet received a command to attack a long list of LiveJournal addresses mostly belonging to popular bloggers who cover a wide range of subjects.

“The Optima botnet has been known on the market since late 2010. From the type of code used, it is safe to say that Optima bots are developed by Russian-speaking malware writers and they are mostly sold on Russian-language forums”, says the report.

“It is difficult to determine the size of the botnet because it is highly segmented. However, our monitoring system has recorded instances of the Optima bots that attacked LiveJournal receiving commands to download other malicious programs. This suggests the Optima botnet includes tens of thousands of infected machines because such downloads are considered unprofitable for small botnets”, it adds.

Kaspersky says it expects to see a further growth in these types of attack in the future.
