Recent Bank Cyber Attacks Originated From Hacked Data Centers, Not Large Botnet
By Fahmida Y. Rashid October 05, 2012


New details have emerged about the attack toolkit that was used to launch the distributed denial of service (DDoS) attacks against a number of US-based financial institutions late last month.

The majority of the banking attack traffic does not appear to have been generated by client bots, but rather from compromised servers in data centers, Carl Herberger, vice-president of security solutions at Radware, told SecurityWeek on Thursday.

The “itsoknoproblembro” toolkit did not compromise those servers in the first place, as Radware believes the servers were already under the attacker's control before being infected with the DDoS attack kit, Herberger said.

Some of the U.S.-based financial institutions that fell under attack in late September include Bank of America, JPMorgan Chase, PNC Bank, and others. While not all the institutions confirmed being hit by denial of service attacks, they all experienced extremely high traffic volumes that affected the availability of their sites within days of each other.

The fact that the denial of service attacks originated from servers within data centers, as opposed to a large botnet or a series of client machines, means the attack traffic could bypass security mechanisms in place, Herberger said. The servers generally have a trust relationship with the endpoints, which means malicious traffic coming from the servers looks like internal traffic and abuses that relationship, Herberger said.

Earlier this week, researchers from Prolexic Technologies told SecurityWeek that it appeared that the attacking botnet contained many legitimate IP addresses, which made it harder to use anti-spoofing mechanisms to block the junk traffic. These legitimate IP addresses could support Radware’s claims that the attacking servers did, in fact, have a trust relationship on the network.
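To make the point of the previous two paragraphs concrete, here is an added example (not code from Radware, Prolexic, or SecurityWeek). It runs two checks over a constructed web-server access log: an ingress filter that drops traffic from unroutable or private source addresses, of the kind used to shed spoofed packets, and a per-source rate check. The compromised "servers" use routable addresses, so the spoof filter passes every one of their requests; only the rate and request-uniformity check separates them from ordinary visitors. The log lines, IP addresses (documentation ranges standing in for public addresses), timestamps and thresholds are all assumptions made for the illustration.

```python
"""Why anti-spoofing filters miss DDoS traffic from compromised, legitimately
addressed servers. Constructed example; none of the traffic below is real."""
import ipaddress
from collections import defaultdict

# Unroutable / private source ranges an ingress filter would discard.
# The TEST-NET ranges used for the sample sources are deliberately NOT
# listed, because here they stand in for ordinary public addresses.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def passes_spoof_filter(ip):
    """True if the source address is routable, i.e. the packet is not an
    obviously spoofed one. A compromised data-center server passes."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in BOGON_NETS)


def build_sample():
    """Construct a synthetic access log (epoch, source IP, method, path).
    Three 'compromised servers' each issue 120 GETs for /login inside one
    10-second window; three ordinary visitors browse four pages each."""
    base = 1349395200  # arbitrary epoch anchor (5 Oct 2012 00:00 UTC)
    lines = []
    for ip in ("198.51.100.7", "198.51.100.8", "203.0.113.21"):
        for i in range(120):
            lines.append(f"{base + i % 10} {ip} GET /login")
    for n, ip in enumerate(("203.0.113.40", "203.0.113.41", "203.0.113.42")):
        for i, path in enumerate(("/", "/about", "/rates", "/login")):
            lines.append(f"{base + n + i} {ip} GET {path}")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed log format into (epoch, ip, method, path)."""
    records = []
    for line in text.strip().splitlines():
        ts, ip, method, path = line.split()
        records.append((int(ts), ip, method, path))
    return records


def rate_detector(records, window=10, threshold=50, min_distinct_paths=3):
    """Flag sources that send at least `threshold` requests in any
    `window`-second bucket AND touch fewer than `min_distinct_paths`
    distinct URLs: a crude signature of a flood script, not a browser.
    Thresholds are assumed values for the example."""
    buckets = defaultdict(lambda: defaultdict(int))
    paths = defaultdict(set)
    for ts, ip, _method, path in records:
        buckets[ip][ts // window] += 1
        paths[ip].add(path)
    flagged = {}
    for ip, counts in buckets.items():
        peak = max(counts.values())
        if peak >= threshold and len(paths[ip]) < min_distinct_paths:
            flagged[ip] = peak
    return flagged


def analyse(text):
    """Return (sources dropped by the spoof filter, sources flagged by rate)."""
    records = parse_log(text)
    sources = {ip for _, ip, _, _ in records}
    dropped = {ip for ip in sources if not passes_spoof_filter(ip)}
    return dropped, rate_detector(records)


if __name__ == "__main__":
    dropped, flagged = analyse(build_sample())
    print("dropped by spoof filter:", sorted(dropped))  # nothing dropped
    print("flagged by rate detector:", flagged)
```

The spoof filter drops nothing because every attacking source is a real, routable host; that is exactly the situation Prolexic describes. The rate check is only a starting point: it assumes the flood is concentrated per source, and a small pool of high-capacity servers is also the case where per-source thresholds are most likely to work.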

Further validating Radware’s claims, Prolexic told SecurityWeek just days ago that its team had not observed any itsoknoproblembro botnets available for rent, and that the campaigns launched by itsoknoproblembro appear to have been the work of a small group of attackers.

"What we have is pretty interesting," Herberger said.

Herberger admitted that Radware does not yet have a "comprehensive enough" profile of the attacking server, making it difficult for the team to describe which servers had already been compromised, how it spread, or the initial infection methods.

While Radware does believe that the toolkit communicates with a remote command-and-control server, the team is still looking for more information about the remote server.

"We are not positive that it [DDoS attack kit] is a bot," Herberger said.

The infection point is also a big mystery, Herberger said. The types of attacks launched against the servers would be very different from a typical malware scenario. For example, server attacks are not very likely to use an Adobe vulnerability in PDF files but rather use common "server-related" tactics such as going after PHP to infect the machine in the first place, Herberger said.

The fact that servers were compromised with itsoknoproblembro means that attackers hooked into "lots of horsepower," Herberger said. Considering the attacks had a dramatic uptick in bandwidth, having the servers in a data center may have helped attackers hit the 60 to 70 Gbps level in their attacks.

Radware's Emergency Response Team also found a "private version" of the toolkit used in the attacks in Saudi Arabia, Herberger said. The term refers to the fact that this version was significantly different from the version originally seen in the wild and behind the banking DDoS attacks, Herberger said. This particular variant doesn't "have the bells and whistles of the other version," he said.

"It's tough to tell what it is," he added, as Radware hadn't finished its investigation. It doesn't have all the features the malware traditionally has. It may be an earlier version of the itsoknoproblembro toolkit, or a testing prototype, or just a variant intent on doing its own damage, Herberger said.

The fact that it was found in Saudi Arabia could have some implications but it's not known what that would be at this time, Herberger said.

"It could just be that this version is one instance of all the compromised machines that are located in the Middle East, or the only machine that is based in the Middle East," Herberger said.

Commenting on the discovery of the private version of "itsoknoproblembro" in Saudi Arabia, Radware says this does not mean that the attack was launched there, but it does show that there may be more servers infected by this malware around the world, and that these attacks may not yet be over.