Published on December 10, 2007
Slide 1: DDoS, Worms and the Underground Ecosystem
  Nicolas FISCHBACH, Senior Manager, IP Engineering/Security - COLT Telecom
  [email protected] - http://www.securite.org/nico/
  version 1.0
  CanSecWest/core 04

Slide 2: DDoS, Worms and the Underground
  MEECES, an acronym for: Money, Ego, Entertainment, Cause, Entrance into social groups, Status (Max Kilger, Honeynet Project)
  Applies to the underground/"hacker"/blackhat community
  Compare the intelligence agencies' MICE (Money, Ideology, Compromise, Ego)

Slide 3: What have we seen up to now
  Cause/Hacktivism: Web site defacement; DDoS (SCO, WU/MSFT, etc.)
  Ego/Status: "I have more (network) power than you"; "I'm not going to lose that item in <online game>"
  Entertainment: "Hey look, I just DoSed <favorite IRC user/website>"
  Entrance into a social group: "Wanna trade this botnet?"

Slide 4: What have we seen up to now
  Money: BGP speaking routers; SPAM, botnets, open proxies, etc.; C/C numbers incl. personal information, eBay accounts, etc.
  Where are we today?

Slide 5: Where are we today
  Real money: "Pay or get DDoSed"; worms for SPAM
  Organized crime using "real world" proven ways of making money on the Internet
  Targets: online business, mainly gaming/gambling/betting sites nowadays

Slide 6: Where are we today
  "Losing" a botnet isn't a tragedy; mass-acquisition tools are mandatory
  Protect your property (host and communication channel): control channel over IRC/P2P/not so common protocols/IPv6 (anonymous); secure the host to avoid multiple zombies/agents
  Not for fun on free time anymore (people with network and DoS filtering technology/techniques skills)
  The skills, knowledge, organization and hierarchy are not different/worse in the "blackhat" world... anything but the chaotic world we all expect

Slide 7: Where are we today
  A few hundred/thousand dollars/euros is a yearly salary in poor countries
  AP and SA are the main sources, not (just) .ro anymore
  Usually good education, living in a country with a high number of unemployed people
  Most of the communications are in-band (Internet); out-of-band is limited to "hacker" meetings or local phone calls
  Do you have the resources to analyze TBs a day of IRC logs coming from compromised hosts/honeypots (in x different languages)?
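The last slide asks whether a defender can process terabytes of honeypot IRC logs a day. The script below is an added example, not part of the talk and not a tool of the author's: it shows one cheap first-pass triage that can run before any human reads a line. The heuristic is an assumption of this example, not something the slides state: an IRC control channel tends to show many distinct hosts joining and a "one nick speaks, many nicks answer identically" pattern, whereas a human chat channel does not. The log format and all sample lines are constructed for the example.

```python
"""
First-pass triage of honeypot IRC logs for candidate botnet control channels.

Heuristic (an assumption of this example, not taken from the slides):
a control channel shows (a) a large fan-in of distinct hosts joining and
(b) an "echo" pattern where one nick posts a line and several other nicks
reply with identical text before that nick speaks again.
"""
from collections import defaultdict
import re

# Constructed sample log lines (not real honeypot data). Assumed format:
#   <timestamp> <host> <nick> <EVENT> <channel> [text]
SAMPLE_LOG = """\
10:00:01 10.0.0.11 x1 JOIN #c2chan
10:00:02 10.0.0.12 x2 JOIN #c2chan
10:00:03 10.0.0.13 x3 JOIN #c2chan
10:00:04 10.0.0.14 x4 JOIN #c2chan
10:00:05 10.0.0.9 boss PRIVMSG #c2chan .status
10:00:06 10.0.0.11 x1 PRIVMSG #c2chan [ok] idle
10:00:06 10.0.0.12 x2 PRIVMSG #c2chan [ok] idle
10:00:07 10.0.0.13 x3 PRIVMSG #c2chan [ok] idle
10:00:07 10.0.0.14 x4 PRIVMSG #c2chan [ok] idle
10:01:00 10.0.0.20 alice JOIN #linux
10:01:05 10.0.0.21 bob JOIN #linux
10:01:10 10.0.0.20 alice PRIVMSG #linux anyone tried the new kernel?
10:01:20 10.0.0.21 bob PRIVMSG #linux not yet
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (JOIN|PRIVMSG) (#\S+)(?: (.*))?$")


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, host, nick, event, chan, msg = m.groups()
        events.append({"ts": ts, "host": host, "nick": nick,
                       "event": event, "chan": chan, "msg": msg or ""})
    return events


def channel_stats(events):
    """Return (chan -> set of joining hosts, chan -> ordered [(nick, msg)])."""
    joins = defaultdict(set)
    msgs = defaultdict(list)
    for e in events:
        if e["event"] == "JOIN":
            joins[e["chan"]].add(e["host"])
        elif e["event"] == "PRIVMSG":
            msgs[e["chan"]].append((e["nick"], e["msg"]))
    return joins, msgs


def echo_score(msg_list):
    """Largest number of distinct nicks that posted the same text after some
    speaker's line and before that speaker posted again."""
    best = 0
    for i, (speaker, _) in enumerate(msg_list):
        seen = defaultdict(set)          # reply text -> nicks that posted it
        for nick, text in msg_list[i + 1:]:
            if nick == speaker:
                break                    # speaker talked again: window ends
            seen[text].add(nick)
        if seen:
            best = max(best, max(len(n) for n in seen.values()))
    return best


def suspicious_channels(text, min_hosts=3, min_echo=3):
    """Channels meeting both thresholds, with the numbers that triggered them."""
    joins, msgs = channel_stats(parse_log(text))
    flagged = {}
    for chan in set(joins) | set(msgs):
        hosts = len(joins.get(chan, ()))
        echo = echo_score(msgs.get(chan, []))
        if hosts >= min_hosts and echo >= min_echo:
            flagged[chan] = {"hosts": hosts, "echo": echo}
    return flagged


if __name__ == "__main__":
    for chan, info in suspicious_channels(SAMPLE_LOG).items():
        print(f"{chan}: {info['hosts']} distinct hosts joined, "
              f"{info['echo']} nicks replied identically")
```

On the sample input only `#c2chan` is flagged; `#linux` has two hosts and no identical replies. The point of the thresholds is to shrink the volume a human analyst must read, not to decide anything on their own: the flagged channels are the ones worth handing to someone who can read the language in use, which is the resource problem the slide raises.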