Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Anti fraud site hit by a DDoS attack

By Dancho Danchev | November 17, 2008, 4:01pm PST


The popular British anti-fraud site Bobbear.co.uk is currently under a DDoS (distributed denial of service) attack, originally launched last Wednesday, which continues to hit the site with 3/4 million hits daily from hundreds of thousands of malware-infected hosts, mostly based in Asia and Eastern Europe, according to the site’s owner. Targeted DDoS attacks against anti-fraud and volunteer cybercrime-fighting communities clearly indicate the impact these communities have on the revenue stream of scammers, and with Bobbear attracting such high-profile underground attention, the site is indeed doing a very good job.

Anyway, who’s behind this attack? Let’s track down a well known DDoS-for-hire provider currently operating 10 Black Energy DDoS botnets, and take an exclusive peek at his switchboard, which shows that 4 of his botnets are currently set to attack Bobbear.co.uk only, indicating that the attack may well have been outsourced. With cybercriminals so overconfident in their ability to remain unnoticed that they’re using a well known botnet command and control server historically used to manage Zeus banker malware campaigns, it’s fairly easy to connect the dots:

“Bob Harrison, the administrator of the Bobbear website, got in touch with me this weekend to tell me that his site was under fire from a distributed denial-of-service (DDoS) attack using compromised botnet computers around the world. The botnet is bombarding Bob’s website with traffic, effectively blasting it off the internet and making it impossible for legitimate visitors to reach the site.

Moreover, as you can see in the exclusive screenshot attached, 4 of his botnets are currently set to attack Bobbear.co.uk using the following preferences:

“icmp_freq = 10
icmp_size = 2000
syn_freq = 10
spoof_ip= 0
attack_mode = 0
max_sessions = 30
http_freq = 50
http_threads = 4
tcpudp_freq = 20
udp_size = 1000
tcp_size = 2000
cmd = flood http bobbear.co.uk
ufreq = 5
botid = (not set)”
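The switchboard above sets the botnets to `flood http` the same site, so on the receiving end the attack looks like ordinary GET requests arriving from a very large number of distinct sources. As an added example (not from the original post or from any tool it names), the following Python sketch parses combined-format web-server log lines and flags one-second buckets whose request count and source diversity both exceed thresholds, which is what separates a distributed flood from one misbehaving client; every log line, hostname and address in it is constructed.

```python
import re
from collections import defaultdict

# Combined-log-format line: source, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return the fields a flood detector needs, or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    return {"src": src, "second": ts, "method": method, "path": path, "status": int(status)}

def detect_http_flood(lines, max_rps=100, min_sources=50):
    """Flag (second, path) buckets where BOTH request count and distinct-source count
    exceed thresholds: a single hot client trips only the first, a botnet trips both."""
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = buckets[(rec["second"], rec["path"])]
        bucket[0] += 1
        bucket[1].add(rec["src"])
    alerts = []
    for (second, path), (count, sources) in sorted(buckets.items()):
        if count > max_rps and len(sources) >= min_sources:
            alerts.append({"second": second, "path": path,
                           "requests": count, "sources": len(sources)})
    return alerts

def _line(src, ts, path):
    return f'{src} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/4.0"'

def build_sample_log():
    """Constructed data (documentation-range addresses): 300 hits on '/' in one second
    from 150 hosts (flood), then 120 hits from one host on '/search' (hot client),
    then a handful of ordinary requests."""
    lines = [_line(f"203.0.113.{i % 150 + 1}", "17/Nov/2008:13:00:00 +0000", "/")
             for i in range(300)]
    lines += [_line("192.0.2.10", "17/Nov/2008:13:00:01 +0000", "/search") for _ in range(120)]
    lines += [_line(f"198.51.100.{i}", "17/Nov/2008:13:00:02 +0000", "/about") for i in range(1, 4)]
    return lines

if __name__ == "__main__":
    for alert in detect_http_flood(build_sample_log()):
        print(alert)  # only the '/' bucket: 300 requests from 150 sources
```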

The Bobbear.co.uk DDoS attack is only the tip of the iceberg. While tracking down the source of the attack I’ve also managed to establish a direct connection between his DDoS-for-hire services and the DDoS attacks against the Georgian government, once again proving that DDoS, and cybercrime in general, is getting easier to outsource these days.


Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

10 Comments
RE: Anti fraud site hit by a DDoS attack
birumut Updated - 5th May 2011
Great!!! thanks for sharing this information to us!
seslisohbet seslichat
Gee.
kozmcrae 17th Nov 2008
I'm not part of the problem and I didn't lift a finger or pay a dime for the privilege. Hey Windows boys, care to chime in? happy (That's a taunt in case you didn't catch my drift.)
No response?
NoPumpGas 18th Nov 2008
Not surprising, all of the Windows/MS defenders cower in shame when one of these articles appears.

The article sums it all up anyway, the Windows OS is so poorly designed that legions of zombies now clog the Internet.

The Windows OS is full of so many cracks/issues/problems that most Anti-Virus/Spy software can no longer adequately clean the Operating System. It's now standard procedure to re-image a PC/Laptop when certain infections are found.

Amazing racket, have users pay for the OS, then pay for the Anti-Virus/Spyware, only to reinstall the OS from scratch.

Suckers!
I'm just waiting
AzuMao 19th Nov 2008
For all the windows-zombies to come spamming with their typical "nononono tis not windoz' fualt!!11 f u all!!!'.

There's usually at least 3 within the first month an eye-opening article like this is made.
Must resist...
ejhonda 18th Nov 2008
... urge to respond to... dopey trolls.
Message has been deleted.
ScamFraudAlert Updated - 19th Nov 2008
SPAM ALERT!
AzuMao 19th Nov 2008
NT
Do all these botnet-infected computers use the Windows operating system?
possible...
Ceridan 19th Nov 2008
It's possible, because of Windows' market share, but it's also plausible that there are either compromised Mac OSes and even *gasp* Linux OS in the mix. The presence of those two OSes in that (those) botnets is improbable yet not impossible.

I don't really think the ping command (or whatever equivalent in Macs) is limited to root users, so a process that was installed by a willing yet ignorant user can still be used to send a ping ad nauseam when ordered to do so by an external party.
Duh
AzuMao 19th Nov 2008
It takes way too long to compromise *nix based systems, to the point it would be a waste of time to try.

Although they would be a much more desirable reward, since most big servers are hosted on them. That would be a LOT more power than some desktops owned by joe-sixpacks. WAY too much effort though.