July 22nd, 2008

Georgia President's web site under DDoS attack from Russian hackers

Posted by Dancho Danchev @ 8:43 pm

Categories: Black Hat, Botnets, Denial of Service (DoS), Governments, Hackers, Malware, Russia

Tags: Georgia, Mikheil Saakashvili, DDoS, Hacktivism, MachBot, Pinch, Dancho Danchev

From Russia with (political) love? It appears so, according to a deeper analysis of the command and control servers used by the attackers. Over the weekend the Georgian President's web site came under a distributed denial of service attack that took it offline; Shadowserver reports the site was unavailable for over 24 hours. The event took place at a moment of real-life tension between Russia and Georgia, with Russia clearly demonstrating its position against Georgia's pro-Western government. Shadowserver, which picked up the attack first, commented:

“For over 24 hours the website of President Mikhail Saakashvili of Georgia (www.president.gov.ge) has been rendered unavailable due to a multi-pronged distributed denial of service (DDoS) attack. The site began coming under attack very early Saturday morning (Georgian time). Shadowserver has observed at least one web-based command and control (C&C) server taking aim at the website hitting it with a variety of simultaneous attacks. The C&C server has instructed its bots to attack the website with TCP, ICMP, and HTTP floods. Commands seen so far are:

flood http www.president.gov.ge/
flood tcp www.president.gov.ge
flood icmp www.president.gov.ge

The server [62.168.168.9] which houses the website has been largely offline since the attack started. Passive DNS records show the system houses several other websites which are mostly unrelated to the Georgian government. However, the server does also host the Social Assistance and Employment State Agency website (www.saesa.gov.ge). This website along with the others on the host have been rendered inaccessible.

We do not have any solid proof that the people behind this C&C server are Russian. However, the HTTP-based botnet C&C server is a MachBot controller, which is a tool that is frequently used by Russian bot herders. On top of that the domain involved with this C&C server has seemingly bogus registration information but does tie back to Russia.”
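The "flood http" command quoted above lands on the victim as many sources each requesting the same URL at a high rate. The following script is an added example (not code from this post or from Shadowserver) of how a web server operator would spot those sources in an access log: it parses Common/Combined Log Format lines, keeps per-IP timestamps, and reports any source whose request count inside a sliding time window exceeds a threshold. The log lines, addresses (RFC 5737 documentation ranges), timestamps and thresholds are all constructed for the example.

```python
"""Added example: flag HTTP-flood sources in web server access logs.

Counts requests per source IP inside a sliding window so bursts are
caught regardless of where fixed bucket boundaries fall.  All sample
data below is constructed; nothing here is from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common/Combined Log Format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two bursty sources, one normal client, one slow
# "low and slow" source, and one malformed line that must be skipped.
SAMPLE_LOG = """\
198.51.100.10 - - [19/Jul/2008:04:01:00 +0400] "GET / HTTP/1.1" 200 5123
198.51.100.10 - - [19/Jul/2008:04:01:00 +0400] "GET / HTTP/1.1" 200 5123
198.51.100.10 - - [19/Jul/2008:04:01:01 +0400] "GET / HTTP/1.1" 200 5123
198.51.100.10 - - [19/Jul/2008:04:01:01 +0400] "GET / HTTP/1.1" 200 5123
198.51.100.10 - - [19/Jul/2008:04:01:02 +0400] "GET / HTTP/1.1" 503 312
198.51.100.10 - - [19/Jul/2008:04:01:02 +0400] "GET / HTTP/1.1" 503 312
192.0.2.7 - - [19/Jul/2008:04:01:03 +0400] "GET /news HTTP/1.1" 200 8810
198.51.100.11 - - [19/Jul/2008:04:01:03 +0400] "GET / HTTP/1.1" 503 312
198.51.100.11 - - [19/Jul/2008:04:01:03 +0400] "GET / HTTP/1.1" 503 312
198.51.100.11 - - [19/Jul/2008:04:01:04 +0400] "GET / HTTP/1.1" 503 312
198.51.100.11 - - [19/Jul/2008:04:01:04 +0400] "GET / HTTP/1.1" 503 312
198.51.100.11 - - [19/Jul/2008:04:01:05 +0400] "GET / HTTP/1.1" 503 312
192.0.2.7 - - [19/Jul/2008:04:01:40 +0400] "GET /news/1 HTTP/1.1" 200 9920
198.51.100.12 - - [19/Jul/2008:04:02:00 +0400] "GET / HTTP/1.1" 200 5123
198.51.100.12 - - [19/Jul/2008:04:02:10 +0400] "GET / HTTP/1.1" 200 5123
198.51.100.12 - - [19/Jul/2008:04:02:20 +0400] "GET / HTTP/1.1" 200 5123
198.51.100.12 - - [19/Jul/2008:04:02:30 +0400] "GET / HTTP/1.1" 200 5123
198.51.100.12 - - [19/Jul/2008:04:02:40 +0400] "GET / HTTP/1.1" 200 5123
this line is not a valid access log entry
"""


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def flood_sources(lines, window_seconds=10, min_requests=5):
    """Return {ip: peak request count in any window_seconds window}
    for every source whose peak reaches min_requests."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):
            # advance the window start until it is within window_seconds of stamps[end]
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_requests:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in sorted(flood_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {peak} requests within 10s")
```

With the defaults, the two bursty sources are flagged and the slow source is not; widening the window to 60 seconds also catches the slow source, which is the usual trade-off between catching low-rate floods and false positives on busy legitimate clients. Rate thresholds alone will not separate a botnet from a traffic spike; correlate with the requested path (here every bot hits "/") and the 503 responses the server starts returning.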

Russia's most recent cyber attacks, against Estonia, Lithuania and now Georgia, share a common motivation even though they were executed by different parties. Estonia remains the only coordinated attempt to attack a country's Internet infrastructure; the Lithuanian and Georgian incidents were lone-gunman attacks.

The DDoS against the Georgian President's web site appears to use a well known Russian malware variant from the Pinch family (whose authors were arrested in 2007 after operating online for several years), together with a command and control bot (a MachBot controller) primarily known to be popular in Eastern Europe; the messages embedded in the flood packets, such as "win+love+in+Rusia", speak for themselves. It is also interesting that although the attackers dedicated a new command and control server specifically to this DDoS attack, one that has not been seen in any third-party attacks, they made a small mistake that further confirms the attacks were launched by well known Russian botnet masters. Their mistake? Having the malware phone back to a well-known command and control server that has been seen in a great number of previous attacks and that shares DNS servers with a provider of DDoS attacks on demand, a provider which, despite announcing on its site that it is no longer in business, continues to offer botnets for rent.
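The attribution step above rests on an infrastructure pivot: the new C&C was tied to known actors because the malware also phoned home to an already-known C&C, and that server shared DNS servers with a known DDoS-for-hire provider. The following script is an added example (not code from this post) of how an analyst does that pivot over passive DNS data. Given observations of the form (name, record type, value), it indexes the NS and A records per domain and reports which candidate domains overlap with a known-bad set, distinguishing a full name-server-set match from a single shared name server. Every domain, name server and address below is constructed for the example.

```python
"""Added example: pivot on shared name servers and addresses in passive
DNS to link a candidate domain to known-bad infrastructure.

All domain names, name servers and addresses are constructed; they are
not the infrastructure discussed in the post.
"""
from collections import defaultdict

# Constructed passive-DNS observations: (queried name, rrtype, rdata).
OBSERVATIONS = [
    ("cnc-new.example", "NS", "ns1.hoster.example"),
    ("cnc-new.example", "NS", "ns2.hoster.example"),
    ("cnc-new.example", "A", "203.0.113.10"),
    ("ddos-rent.example", "NS", "ns1.hoster.example"),
    ("ddos-rent.example", "NS", "ns2.hoster.example"),
    ("ddos-rent.example", "A", "203.0.113.20"),
    ("cnc-old.example", "NS", "ns1.other.example"),
    ("cnc-old.example", "A", "203.0.113.30"),
    ("shop.example", "NS", "ns1.bigdns.example"),
    ("shop.example", "A", "198.51.100.50"),
    ("blog.example", "NS", "ns1.bigdns.example"),
    ("blog.example", "NS", "ns2.hoster.example"),  # one shared NS only
    ("blog.example", "A", "198.51.100.51"),
]

# Constructed known-bad set: a DDoS-for-hire provider and an old C&C.
KNOWN_BAD = {"ddos-rent.example", "cnc-old.example"}


def build_index(observations):
    """Return {domain: {rrtype: set(rdata)}}, normalising case and trailing dots."""
    idx = defaultdict(lambda: defaultdict(set))
    for name, rrtype, rdata in observations:
        idx[name.lower().rstrip(".")][rrtype.upper()].add(rdata.lower().rstrip("."))
    return idx


def shared_infrastructure(observations, known_bad, rrtypes=("NS", "A")):
    """For each domain not in known_bad, report the known-bad domains it
    shares NS or A values with and which values are shared.

    Returns {candidate: {bad_domain: {rrtype: set(shared values)}}},
    containing only candidates with at least one overlap."""
    idx = build_index(observations)
    out = {}
    for cand, recs in idx.items():
        if cand in known_bad:
            continue
        hits = {}
        for bad in known_bad:
            overlap = {}
            for rrtype in rrtypes:
                shared = recs.get(rrtype, set()) & idx.get(bad, {}).get(rrtype, set())
                if shared:
                    overlap[rrtype] = shared
            if overlap:
                hits[bad] = overlap
        if hits:
            out[cand] = hits
    return out


def full_ns_match(observations, known_bad):
    """Candidates whose complete NS set equals that of a known-bad domain.

    A full match on a small hoster's name servers is stronger evidence
    than one shared NS at a large DNS provider, but still not proof."""
    idx = build_index(observations)
    out = {}
    for cand, recs in idx.items():
        if cand in known_bad or not recs.get("NS"):
            continue
        matches = {bad for bad in known_bad
                   if idx.get(bad, {}).get("NS") == recs["NS"]}
        if matches:
            out[cand] = matches
    return out


if __name__ == "__main__":
    for cand, hits in sorted(shared_infrastructure(OBSERVATIONS, KNOWN_BAD).items()):
        for bad, overlap in hits.items():
            print(f"{cand} shares {dict(overlap)} with {bad}")
    print("full NS-set matches:", full_ns_match(OBSERVATIONS, KNOWN_BAD))
```

In the constructed data, cnc-new.example uses exactly the same two name servers as the DDoS-for-hire domain, while blog.example shares only one of them and is otherwise hosted at a large DNS provider; the first is the kind of overlap worth reporting, the second is the kind that produces false positives. As Shadowserver's note says, even a strong overlap is circumstantial: it tells you who hosts the domain, not who issued the flood commands.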

Russia's politically motivated, or perhaps politically tolerated, attacks are all the result of the self-mobilization of Russia's IT underground, which feels obliged to send out a signal that it is actively participating in political life and monitoring everything. Moreover, nationalistic articles in Russian newspapers often further fuel the tensions and literally seek involvement from Russian hackers, so even when they speculate about non-existent hacker discussions of coordinated attacks against a particular country, such discussions actually start taking place, and the result has been evident ever since.

Machbot command and control locations image courtesy of Team Cymru.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


Talkback (14 comments):
Oh, its about the *another* Georgia.  magallanes | 07/23/08
UGLY American In Action  PMC-CON | 07/23/08
RE: Georgia President's web site under DDoS attack from Russian hackers  Billsey | 07/23/08
Why bother?  turtle-sf | 07/24/08
Russia - the aggressor and warmonger!  Firefox2008 | 08/10/08
You Sir, are an idiot.  Marty R. Milette | 08/12/08
You Sir, are an idiot  freddymac | 09/14/08
open your eyes  boris.zhenelman | 08/16/08
open your eyes  freddymac | 09/14/08
RE: Georgia President's web site under DDoS attack from Russian hackers  tolik1 | 08/19/08
Re: Saakshvili signed  freddymac | 09/14/08
Re: Saakashvili signed  freddymac | 09/14/08
Georgia President's web site under DDoS attack from Russian hackers  Xrumer | 05/07/09
RE: Georgia President's web site under DDoS attack from Russian hackers  Russian Girls | 11/15/09
