Criminals 'go cloud' with attacks-as-a-service

Malicious hackers may find themselves out of work, as one bot operator offers cloud-based denial-of-service attacks on demand

Just like legitimate businesses, criminals are turning to the cloud as a way to generate new services and simplify their infrastructure. While some sites offer botnets for lease or sale, and other sites offer aid with cheating on games, the latest crop of criminal enterprises is serving up attacks as a service.

In the latest example of this, a Chinese group has opened up a site, called IM DDOS, that allows customers to sign in and order denial-of-service attacks, according to a report released by security firm Damballa on Monday. The attacks are powered by a fairly large botnet, the firm says.


"It is a self-service website," says Stephen Newman, vice president of product management with the firm. "And it has all the hallmarks of a commercial website, essentially."

The IM DDOS site -- written in Mandarin -- allows customers to create accounts, choose targets, and level attacks against those targets. The website claims that only nonlegitimate Web servers -- such as gambling sites -- can be chosen as the target of an attack, according to a report written by Damballa researchers.

Using distributed denial-of-service attacks against illegal sites is uncommon, but not unheard of. Late last week, for example, an Indian firm reportedly claimed that Bollywood movie studios had paid it to attack pirated movie sites and make them inaccessible to other users.

Attacks-as-a-service sites have been less popular than those that help would-be criminals create their own botnet, but as better defenses and more successful botnet takedowns make attacks more complicated, it's likely that criminals will outsource their needs.

Currently, IM DDOS offers free and paid services. The service has all the hallmarks of a business site, including service-level agreements, subscriptions for paid services, and technical support for "lifetime customers," says Damballa. Paying customers have to contact the bot operators directly through the Chinese instant messaging service QQ.

The group behind the IM DDOS botnet registered the domains used by the network on March 20, according to Damballa's report. In April, they started testing the infrastructure in China. By June, the number of lookups from infected machines to the DNS grew to 10,000, reaching 25,000 recursive DNS lookups by August. A similar amount of DNS traffic is seen from other major botnets, such as Mariposa and Virut, but is not necessarily an indication of size.

"This is the largest of this nature, so far in terms of how fast the attack has grown," says Damballa's Newman.

The malware that spreads the bot software is nothing special, says Newman. In fact, it sends out DNS requests often enough that it should be fairly easy to detect, he says.
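An added example, not from the article or from Damballa: a small Python detector run over constructed resolver log lines that flags a client resolving the same name over and over within a short window, the kind of noisy DNS behaviour Newman says should make this bot easy to spot. The log format, the domain names and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log lines (not from the article): "timestamp client qname".
# 10.0.0.5 resolves one name every two seconds; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2010-08-01T10:00:00 10.0.0.5 c2-example.invalid
2010-08-01T10:00:02 10.0.0.5 c2-example.invalid
2010-08-01T10:00:04 10.0.0.5 c2-example.invalid
2010-08-01T10:00:06 10.0.0.5 c2-example.invalid
2010-08-01T10:00:08 10.0.0.5 c2-example.invalid
2010-08-01T10:00:10 10.0.0.5 c2-example.invalid
2010-08-01T10:00:01 10.0.0.7 www.example.com
2010-08-01T10:00:30 10.0.0.7 mail.example.com
2010-08-01T10:01:00 10.0.0.7 www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Yield (timestamp, client, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")

def find_repeat_lookups(text, window=timedelta(minutes=1), threshold=5):
    """Return {(client, qname): count} for every client/name pair that queries
    the same name at least `threshold` times inside any sliding `window`.
    Steady repeated lookups of one name is the beacon-like pattern the
    article says makes this bot's DNS traffic stand out."""
    by_pair = defaultdict(list)
    for ts, client, qname in parse_log(text):
        by_pair[(client, qname)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[pair] = max(hits.get(pair, 0), end - start + 1)
    return hits

if __name__ == "__main__":
    for (client, qname), n in find_repeat_lookups(SAMPLE_LOG).items():
        print(f"{client} resolved {qname} {n} times inside one window")
```

On real resolver logs the threshold and window need tuning per site, since legitimate software with short TTLs also re-resolves names frequently.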

This article, "Criminals 'go cloud' with attacks-as-a-service," was originally published at InfoWorld.


Copyright © 2010 IDG Communications, Inc.
