Attack of the Opt-In Botnets

Summary: What's more devastating than a DDoS attack launched by a botnet? In some cases, that's the DDoS attack launched by the "opt-in botnet" aggregated through a crowdsourcing campaign.

TOPICS: Security, Browser

Damballa's recently released report "The Opt-in Botnet Generation: Social Networks, Cyber Attacks, Hacktivism and Centrally-Controlled Protesting" describes the increasing sophistication of cyber-protesting tools, for launching political protests around the globe.

Let's review seven well known and extensively profiled examples of "opt-in botnets" and crowdsourcing campaigns, to find out why some failed and others succeeded.

What exactly is an opt-in botnet? What are some of the most notable cases where it has been used successfully? And how can you disrupt an opt-in botnet when the command and control server is effectively in the hands of every user knowingly participating in it?

Damballa's report describes "opt-in botnets" as:

  • "In practically all criminal botnet cases in the past, the owners or users of the bot-infected computers have been unwitting participants in an attack. This aspect of botnet participation fundamentally changes in the context of cyber-protesting, since users intentionally install botnet software agents, subscribe to a particular CnC, and choose to participate in coordinated attacks against a target category. Whether it's because of a vagueness in the understanding of laws governing cyber attacks and electronic denial of service, or a perception of only being a small cog in a much wider effort that will never result in them being singled out, there seems to be few inhibitors to taking protesting into the cyber world and taking an active role in the call to action."

Just like real botnets, opt-in botnets need a command and control server from where to issue new commands, and accept status reports on the success/failure of the DDoS attack.

What's particularly interesting about opt-in botnets is their reliance on popular social networks such as Facebook, or micro-blogging services like Twitter, both acting as the command and control center for scheduling the attack,  and distributing the attack tools.

  • "Three Twitter accounts, five Yahoo! Mail accounts, twelve Google Groups, eight Blogspot blogs, nine Baidu blogs, one Google Sites and sixteen blogs that were being used as part of the attacker's infrastructure" - Researchers expose complex cyber espionage network

And whereas the use of legitimate networks as "virtual human shields" against potential takedown efforts (Twitter, Google Groups, Amazon's EC2 and Facebook as command and control servers) is nothing new, given the millions of active users and the increased ease of reaching the citizens of one particular country only, a well organized campaign could achieve its objectives by doing nothing more than setting up a Facebook group or promoting a Twitter hashtag.

Just how successful is the concept of "opt-in botnets", also known as "people's information warfare" or the "malicious culture of participation"? Let's review some of the well known campaigns that relied on "opt-in botnets" and crowdsourcing tactics to achieve the DDoS effect.
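Before the case studies, here is an added defender-side example (not code from the original post) of what an opt-in botnet looks like from the target's access log: many distinct sources, each at a human-scale request rate, all emitting the identical request fingerprint of the shared attack tool, as opposed to the few high-rate zombies of a classic botnet. The log lines, the documentation-range IP addresses and the "ProtestTool/1.0" User-Agent are constructed for the example.

```python
import re
from collections import Counter

# Combined Log Format: src ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def parse_log(lines):
    """Return (src, path, user_agent) tuples for the lines that match the format."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            out.append((m.group(1), m.group(4), m.group(6)))
    return out

def classify_flood(lines, window_s, min_sources=20, fp_share=0.8, max_per_src_rate=2.0):
    """Classify one window of access-log lines.

    'opt-in flood' : >= min_sources distinct sources, each at a modest rate,
                     sending one identical fingerprint (path + User-Agent),
                     the shape a crowdsourced DDoS tool produces.
    'concentrated' : a few sources at very high rate (classic zombie or a
                     misbehaving client), the case per-IP rate limits handle.
    'normal'       : neither.
    """
    recs = parse_log(lines)
    if not recs:
        return {"verdict": "normal", "requests": 0, "sources": 0}
    fingerprints = Counter((path, ua) for _, path, ua in recs)
    (top_path, top_ua), top_count = fingerprints.most_common(1)[0]
    top_sources = Counter(src for src, path, ua in recs if (path, ua) == (top_path, top_ua))
    max_rate = max(Counter(src for src, _, _ in recs).values()) / window_s
    share = top_count / len(recs)
    if (len(top_sources) >= min_sources and share >= fp_share
            and max(top_sources.values()) / window_s <= max_per_src_rate):
        verdict = "opt-in flood"      # blocking by IP alone will not work here
    elif max_rate > max_per_src_rate * 10:
        verdict = "concentrated"
    else:
        verdict = "normal"
    return {"verdict": verdict, "requests": len(recs), "sources": len(top_sources),
            "fingerprint": f"{top_path} {top_ua}", "share": round(share, 2)}

def make_lines(sources, per_source, path, ua):
    """Constructed log lines using documentation-range IPs; NOT real traffic."""
    return [f'{s} - - [23/Apr/2010:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
            for s in sources for _ in range(per_source)]

# Constructed scenario: 40 volunteer machines, 60 requests each in a 60 s window (1 req/s),
# all running the same hypothetical tool, mixed with 10 ordinary visitors on varied pages.
OPT_IN = make_lines([f"203.0.113.{i}" for i in range(1, 41)], 60, "/", "ProtestTool/1.0")
NORMAL = [l for i in range(1, 11)
          for l in make_lines([f"198.51.100.{i}"], 3, f"/page{i}", f"Mozilla/5.0 (visitor {i})")]
```

Because every participant stays under a sane per-IP rate, the actionable signal is the shared fingerprint and source count, which is why the mitigations seen in the cases below (geographic throttling, upstream scrubbing) act on aggregate traffic shape rather than on individual addresses.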

Examples of Opt-in Botnets/Crowdsourcing

- Make Love Not Spam opt-in botnet campaign - 2004

The campaign claims to have attracted over 110,000 participants who installed a screensaver launching DDoS attacks at over 100,000 spam sites:

"Lycos Europe's approach has been cheered by some Internet users fed up with spammers' abuse of their mailbox and connectivity. The UK-based firm appears to be relying on the likelihood that the renegade sites being targeted are unlikely to use legitimate channels (such as ISP abuse departments) to report attackers. No Internet service providers have yet indicated that they will take action against subscribers participating in the attacks."

The opt-in botnet was introduced, surprisingly, by Lycos Europe who shut down the campaign on December 21, 2004 due to criticism.

- The failed Electronic Jihad (e-jihad.exe) crowdsourcing attempt - 2007

In November 2007, a cyber jihadist site known as Al-Jinan started publicly coordinating a DDoS attack against Western sites. And whereas the target list later on included everything but Western sites, the campaign was a complete failure for its organizers.

How come? Not only was their central coordination point, the official site in question, shut down, but they had also embedded a single phone-back location for the application to connect back to and obtain the list of targets. That location was, again, the central coordination site: a single point of failure for the whole campaign.

- The successful DDoS attack against CNN courtesy of Chinese hacktivists - 2008

Next to the DDoS attack against CNN, this crowdsourcing attempt was perhaps among the first to utilize multiple attack tactics, such as web site defacements resulting in the compromise of CNN Sports to spread pro-Chinese messages against Tibet.

Was the campaign successful? According to NetCraft:

"The CNN News website has twice been affected since an earlier distributed denial of service attack last Thursday. CNN fixed Thursday's attack by limiting the number of users who could access the site from specific geographical areas. Subsequently, an attack was purportedly organised to start on Saturday 19th April, but canceled.

However, our performance monitoring graph shows CNN's website suffered downtime within a 3 hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated. Netcraft is continuing to monitor the CNN News website. Live uptime graphs can be viewed here."

- The Russia vs Georgia cyber attack, a combination of crowdsourcing and standard botnet - 2008

Next to the 2009 cyber attack against pro-Ahmadinejad sites, this campaign is a personal case study on the sophisticated understanding of the basics of cyber operations shown by the Russian attackers.

What's so impressive about their tactics? It's the convergence of PSYOPS (psychological operations) in the form of standardized web site defacements spreading identical messages, a clear planning phase based on publicly distributed lists of Georgian sites susceptible to SQL injection attacks, a self-mobilization of Russian cybercriminals, and the crowdsourcing element in the form of thousands of Russians attacking Georgian sites.

Moreover, the Russian campaigners also took one of Georgia's most vibrant hacking forums offline in an attempt to prevent Georgian hacktivists from organizing themselves.

More examples of Opt-in Botnets/Crowdsourcing

- The crowdsourcing cyber attack against Pro-Ahmadinejad sites - 2009

What this campaign demonstrated was literally everything Damballa is discussing in their report.

Extensive coordination took place through Twitter and across countless separate coordination sites, followed by a systematic supply of fresh proxy IPs, given the censorship efforts aimed at social networking sites at the time of the attacks.

What's particularly interesting to point out about the campaign was the paradox of the "self-eating" Internet infrastructure of Iran:

"Moreover, the majority of people's information warfare driven cyber attacks we've seen during the past two years have all been orbiting around the scenario where a foreign adversary is attacking your infrastructure from all over the world. But in the current situation, it's Iran's internal network that's eating itself, where the trade-off for denying all the traffic would be the traffic which could be potentially influenced through PSYOPs (psychological operations)."

The scale of the campaign was in fact so massive, that calls to stop attacking government sites and news agencies were made in order to allow Iranian people to use the Internet as a distribution channel for user-generated content streaming from the country.

This disagreement over whether DDoS-ing is better than contributing user-generated content eventually resulted in the overall decline of the DDoS efforts.

- The Pro-Israeli crowdsourcing DDoS attempt - 2009

A failed attempt organized by the "Help-Israel-Win movement" to entice users into joining an "opt-in botnet" targeting pro-Hamas web sites.

"We created a project that unites the computer capabilities of many people around the world. Our goal is to use this power in order to disrupt our enemy's efforts to destroy the state of Israel. The more support we get, the more efficient we are! You download and install the file from our site. The file is harmless to your computer and could be immediately removed. There is no need for identification of any kind - anonymity guaranteed!"

This campaign is an example of a badly executed one, with zero utilization of social media, which contributed to the quick demise of its central redirection point and the small number of people who downloaded the software and became part of it.

- 'Anonymous' group's DDoS attempt against the Australian government - 2009

Another failed crowdsourcing attempt (in comparison, the group's most recent attack in February 2010 was successful), due to the campaign's lack of social media promotion and interaction with the potential users who could have opted in.

Although the group is clearly familiar with IRC (Internet Relay Chat), Generation Y isn't, and doesn't want to be.

"Operation Didgeridie consists of the distribution of DIY denial of service attack tools (404ServerNotFound.exe), launching "Fax bombs" using a GetUp! Campaign script, and enticing into direct server compromise attempts by distributing a recently performed web application vulnerability assessment of Australian government web sites using a commercial tool."

Damballa's "The Opt-in Botnet Generation: Social Networks, Cyber Attacks, Hacktivism and Centrally-Controlled Protesting" concludes that the threats will only grow in scale and seriousness due to the ease of establishing these botnets and the ever-increasing penetration of social networks in our daily lives.

A good question emerges from the report's conclusion: how thin is the line between being the victim and being the enabler?

In the event of crowdsourcing driven cyber attack, would you "surrender" your bandwidth?


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.



  • So what if they manage to DDoS my hosted site

    Most hosting companies have routers in place that deal specifically with detected attacks.

    The routers quite literally siphon off the attacking traffic and send it into space.

    So essentially you end up slowing down the website for a short time and then eventually your attack is thwarted.

    With distributed webhosting, this is even further diluted.

    DDoSing is not as big and bad as it once was... maybe that's a good thing.. maybe it's a bad thing.
  • RE: Attack of the Opt-In Botnets

    A good antidote against this attack: sensitization. Informing users, just as you are doing in this article, about the potential of each of their individual actions summed up together could be largely enough to mitigate such an attack.
    What do you think?
  • RE: Attack of the Opt-In Botnets

    Very few of the examples in this article are genuinely grass-roots campaigns. The exception is the Iranian protest, and given everything that was being done to protesters (torture, rape, and murder, for example) the tactics used, while not what I would favor, are understandable. I think the danger is being over-hyped.
  • Reminds me of the heady days of Blue Frog
  • RE: Attack of the Opt-In Botnets

    I have never seen any need at all for Twitter or Facebook, and this posting serves as an excellent reason for continuation of that policy.
  • RE: Attack of the Opt-In Botnets

    I guess, unless this is for tech savvy individuals, the article didn't mean much. I consider myself to be an average internet user, but have no idea what the article was talking about. If the author is going to inform more than just a few tech savvy individuals he needs to talk on some level more understandable to average (or less) internet user.
    • Why are you on a tech site then

      If you are not a tech savvy individual why are you
      on a tech site that is geared to and targeted to
      tech savvy people.
    • In layman's; some offer people something to run that spams the spammers.
  • Potential is very serious

    The real problem is that people can be persuaded to install a piece of software that can be used to do much more than just launch DDoS attacks - like serving as a conduit for installing other, more critical software, such as keyloggers or anything else the hackers desire.
    • Unless they said up-front that it would be used to keylog them..

      ..that's not what this article is about.

      It's about people making an [i]educated decision[/i] to run something, not being tricked into it.
      • Educated decision? Unless you write the code how do you know what it does?

        It could be harvesting their credit card, login, and pw information for all anyone knows.

        These are obviously cyber attack malwares of some sort. At the very least, their nefarious nature makes them suspect from the get go.

        Who hasn't heard of legitimate entities serving malware on factory cd's or websites? Whats to stop these grey hats from collecting data for identity theft later? If they bide their time, they can lure in more people with their political/social ruse. Thus making a big one time killin before everyone gets wise and tries to shut em down.
        • If it does something that wasn't advertised, it's not an opt-in anything.

          It's a trojan horse.
  • RE: Attack of the Opt-In Botnets

    Forensic analysis of opt-in botnets is a tough project. Figuring out why they fail sometimes and succeed others borders on a subtle self-delusion. It is, perhaps, just as easy to say that the opt-in attack succeeds in one case because the coerced CnC was, itself, not in use that day by another opt-in campaign. Or there could have been a cable service problem in Houston, Texas. Or there could have been an accident near Berlin, preventing a bunch of hackers from getting to a Cafe. Or an earthquake.

    Better, in my opinion, to focus on the users who are joining the campaigns from the opposite point of view. Looking for a vector AFTER the attack is simple. Looking for the potential vector is tough. Predicting who will join is, to put it bluntly, marketing science.
  • Possibly. It depends.

    Dancho Danchev (2010, April 23) asked, "In the event of crowdsourcing driven cyber attack, would you 'surrender' your bandwidth?"

    It would depend upon who was being attacked and the reason(s) for attacking them. If it was the thieving government of China, pro-China government supporters, or China's nationalist citizens who have stolen America's technology, economy, and economic leadership, or North Korea's government that recently torpedoed and sunk a peacekeeping South Korean ship, losing most hands on board, then sure, I would gladly contribute my bandwidth to the cause!

    Basically, any government or group that cyber-attacks the United States and/or any part of our lives, here, has declared a cyber war and I will gladly lend my bandwidth to the defense of our country and our lives.
  • Not very effective.


    But not very effective, IMO.

    -Ultimately, all web sites come back up again.
    Depending on the design of the website it may take
    longer or shorter, but I don't think anybody was
    knocked off permanently.

    -Nobody changes policy based on a web attack. A
    politician is not gonna change their position on some
    controversial issue just because their website went
    down for a while.

    Pretty much what happens is that the website and
    attackers get their 15 minutes of fame, but pretty
    quickly are forgotten. These attacks are largely
    • Ya unless their livelihood depends on it and its taken down for months.
  • RE: Attack of the Opt-In Botnets

    So, what is the legal liability a participant may face?
  • RE: Attack of the Opt-In Botnets

    Not hard to see where this is going. It's not pretty. How soon will it be before the "overlords" decide they need to step in and save us from ourselves... Again. The destruction of the internet as we know it is at hand. Regulation and censorship is right around the corner. Side note, IPv4 is at critical mass. IPv6 needs to be implemented completely, now.
  • RE: Attack of the Opt-In Botnets

    Another form of social engineering. Social engineering is not the problem, but using it for "evil" intent is the real issue, as with any other form of technology. The device or technology itself isn't the problem, but if someone with evil intent can use it in a "bad" way, people blame the device or technology. If we can "see" the bad or evil people and ignore the device or technology they use, we can safely go around them or bring them to justice.
    • social engineering do you really want it? No different from brain washing..