In 2007, Google engineer Michal Zalewski published a note describing a potential denial-of-service weakness in both the Apache and IIS web servers after investigating their handling of the HTTP/1.1 “Range” header. He wrote:

it is my impression that a lone, short request can be used to trick the server into firing gigabytes of bogus data into the void, regardless of the server file size, connection count, or keep-alive request number limits implemented by the administrator. Whoops?
A proof-of-concept tool (a Perl script, dubbed “Apache Killer”) was posted to the Full Disclosure security mailing list on August 19. On August 24, the Apache Security Team published an advisory explaining:

It most commonly manifests itself when static content is made available with compression on the fly through mod_deflate – but other modules which buffer and/or generate content in-memory are likely to be affected as well. This is a very common (the default right!?) configuration.

The attack can be done remotely and with a modest number of requests leads to very significant memory and CPU usage.

Active use of this tool has been observed in the wild.

There is currently no patch/new version of apache which fixes this vulnerability. This advisory will be updated when a long term fix is available. A fix is expected in the next 96 hours.

On Friday, Apache published a second advisory explaining how Apache httpd and its so-called internal ‘bucket brigades’ behave when the server processes a request for multiple (overlapping) ranges, in the order requested. A single request can ask for a very large range (e.g. from byte 0 to the end) hundreds of times. Currently such requests internally explode into hundreds of large fetches, all of which are kept in memory in an inefficient way.

This is being addressed in two ways. By making things more efficient. And by weeding out or simplifying requests deemed too unwieldy. There are several immediate options to mitigate this issue until a full fix is available.
Apache’s suggested mitigations ranged from disallowing the Range header entirely, to limiting the number of ranges in a request and the size of requests, to deploying a custom module that counts ranges. Lori MacVittie detailed how these mitigations could be implemented on BIG-IP.

Botnets have been taking down web sites for years by overwhelming them with traffic. Now the same swarms of compromised computers are being turned, for the first time, on an old reconnaissance technique: Google dorks.

A Google dork is a search query built from advanced search operators (such as inurl:, intitle: and filetype:) that picks out pages sharing a known weakness: an exposed administration page, a directory listing, a leftover backup or configuration file, a verbose error message. Such queries have circulated among attackers for years as a way to find a way into a company’s web site. A report being released today by Imperva warns that combining highly automated botnets with Google dorks gives hackers a new vector for breaking into companies on a massive scale.

Hackers sometimes run such searches by hand, but that is like looking for a needle in a haystack. They have now automated the scanning using botnets, farms of compromised computers hijacked without their owners’ knowledge. The bots issue the dork queries to a search engine and collect the matching sites; the hackers then launch conventional attacks against the weaknesses the queries surfaced. The result can be contaminated web sites, data theft, data modification, or compromised company servers.

The hackers can efficiently use popular search engines as an attack platform to retrieve sensitive data. Botnets automate the process and can evade anti-automation detection techniques commonly deployed by the search engine providers. By using bots that are distributed throughout the world, the hackers fool the search engines into thinking that the searching is being done by real human individuals, not a herd of bots controlled by a hacker.

“This is what the hackers do to conduct cyber reconnaissance,” said Rob Rachwald, a senior security strategist at security firm Imperva, in an interview. “This used to be a manual process, but now it’s automated.”

With the automation, attackers can get a filtered list of potentially vulnerable web sites in a very short time. Mining search results can expose neglected sensitive files and folders, and unearth network logs and unprotected network-attached devices.

With botnets, the hackers can run 80,000 queries in a day, eluding detection and efficiently fishing for attack targets. Imperva’s Application Defense Center observed a particular botnet in action during the May-June time frame and witnessed its use against a well-known search engine provider. By tracking this botnet, Imperva found how attackers lay the groundwork to simplify and automate the next stages in an attack campaign against web apps.

“We found out because we were observing,” Rachwald said.

Today, search engines detect automated searching by watching the searcher’s internet protocol (IP) address: if the same address issues slightly different searches over and over, the engine blocks it. But a botnet consists of computers scattered around the world, each with its own IP address, so hackers can hide behind one. Such botnets are available for rent on the underground.

The botnets can be used with a distributed search tool to find distinguishable resource names and specific error messages that say more than they should. Dorks are often exchanged between hackers in forums. Some of the lists of Dorks are posted on various web sites. Dorks and exploits go hand in hand.

In the attack that Imperva observed, the attackers used dorks that match vulnerable web applications and search operators tailored to a specific search engine. For each unique search query, the botnet examined hundreds of returned results. All told, the number of queries topped 550,000, including one day with 81,000 queries, all from a single botnet.

The attackers targeted e-commerce sites and content management systems. The more success they had, the more the attackers refined their search terms. Imperva saw 4,719 different variations of dorks used in the attacks.

Fortunately, there are measures Google, Bing and Yahoo can take against these attacks. Search engines are in a unique position to identify botnets that abuse their services and can thus learn more about the attackers. They can flag unusual queries, such as those containing terms from publicly available dork databases or those that look for sensitive files, and use them to build up more blacklisted IP addresses. Google can also force some searchers to solve a CAPTCHA (typing back the distorted characters shown in an image) to prove they are human.

Rachwald said that web site operators should attack themselves with common dork search terms to find out whether they are exposed. They should also mask their links so that they are harder to guess. Web application firewalls should be able to detect and block attempts to find application vulnerabilities, and sites can use reputation controls to block attacks coming from known malicious sources.
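The report’s two detection ideas, per-IP rate checks that a botnet sidesteps and flagging queries that match published dork lists, are easy to see side by side in code. The following is an added example, not Imperva’s tooling or anything from the report: Python that scores a query against operator and phrase patterns typical of public dork collections, then runs two checks over a constructed search log. The first is the per-address count the article describes; the second pivots on the dork itself and counts distinct source IPs per query, since a botnet that keeps every bot under the per-IP limit still has to reuse its dork list. The log format, the phrase and extension lists, the scoring weights, the thresholds and the sample entries are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed for this example from operators and phrases that recur in public
# dork collections; illustrative, not a complete list.
OPERATOR = re.compile(
    r"\b(allinurl|allintitle|inurl|intitle|intext|filetype|ext|site):(\S+)", re.I)
SENSITIVE_PHRASES = ("index of", "parent directory", "phpinfo()", "sql syntax",
                     "mysql_fetch", "wp-config", "web.config", "id_rsa",
                     "server-status", "passwd")
SENSITIVE_EXTENSIONS = {"sql", "bak", "log", "env", "ini", "cfg", "pem", "key",
                        "mdb", "dump", "old"}
OPEN_PARAMETER = re.compile(r"\?\w+=")   # "product.php?id=": a parameter left open to inject into


def dork_score(query):
    """Heuristic: the higher the score, the more a query resembles a published dork
    rather than something a person would type.  Weights are assumed for the example."""
    q = query.lower()
    ops = OPERATOR.findall(q)
    score = 2 * len({name for name, _ in ops})            # each distinct advanced operator
    for name, value in ops:
        if name in ("filetype", "ext") and value.strip('"') in SENSITIVE_EXTENSIONS:
            score += 3                                     # asking for backups, dumps, keys
    score += 3 * sum(1 for phrase in SENSITIVE_PHRASES if phrase in q)
    if OPEN_PARAMETER.search(q):
        score += 2
    return score


def is_dork(query, threshold=3):
    return dork_score(query) >= threshold


# Constructed log format: <timestamp> <source ip> "<query>"
LOG_LINE = re.compile(r'^(\S+) (\S+) "(.*)"$')


def analyse_search_log(lines, per_ip_limit=20, campaign_ips=3):
    """Two detections over a search log.

    noisy_ips: sources that issued more than per_ip_limit dork-like queries,
               the per-address check the article says search engines rely on.
    campaigns: dork-like queries issued from at least campaign_ips distinct
               sources; a distributed botnet leaves this pattern even when
               every bot stays under the per-IP limit.
    """
    per_ip = defaultdict(int)
    sources_per_query = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                                     # skip malformed lines rather than crash
        _timestamp, ip, query = m.groups()
        if is_dork(query):
            per_ip[ip] += 1
            sources_per_query[query.lower()].add(ip)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    campaigns = {q: sorted(ips) for q, ips in sources_per_query.items()
                 if len(ips) >= campaign_ips}
    return noisy_ips, campaigns


# Constructed sample: three bots on documentation (TEST-NET) addresses share one
# dork, a fourth probes for dumps and backups, one person searches for pizza.
SAMPLE_LOG = [
    '2011-06-01T10:00:01Z 203.0.113.7 "inurl:product.php?id= intext:"mysql_fetch_array""',
    '2011-06-01T10:00:03Z 203.0.113.9 "best pizza in austin"',
    '2011-06-01T10:00:04Z 198.51.100.4 "inurl:product.php?id= intext:"mysql_fetch_array""',
    '2011-06-01T10:00:06Z 198.51.100.21 "filetype:sql "insert into" users password"',
    '2011-06-01T10:00:07Z 192.0.2.44 "inurl:product.php?id= intext:"mysql_fetch_array""',
    '2011-06-01T10:00:09Z 203.0.113.9 "weather tomorrow"',
    '2011-06-01T10:00:10Z 192.0.2.44 "intitle:"index of" wp-config.php.bak"',
]

if __name__ == "__main__":
    noisy, campaigns = analyse_search_log(SAMPLE_LOG)
    print("noisy IPs:", noisy)                 # empty: no single bot exceeds the limit
    for query, ips in campaigns.items():
        print(f"campaign dork {query!r} from {len(ips)} sources: {ips}")
```

A single `site:` operator scores below the threshold, so ordinary power-user searches are not flagged; what tips a query over is the combination of an operator with an open parameter, an error-message fragment or a request for a sensitive file type. The same `dork_score` list is a reasonable starting point for the self-assessment Rachwald recommends, run against one’s own domain.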

Hackers launched cyber attacks on a number of government websites starting at 6 p.m. Thursday, but failed initially to bring some of the websites to their knees because of enhanced security protection.

Anonymous, an online international group of self-described anarchist hackers, targeted websites related to the Telecommunications Directorate (TİB). The hackers, who tried to block access to the websites belonging to TİB, failed to achieve their goals until 9 p.m.

With an election three days away, access to Turkey’s telecoms authority website, identified as a main target in the protest against the planned new Internet filtering system, was blocked.

While authorities worked to limit the disruption, other sites were also blocked including those related to social security, meteorology and several telecoms-related sites.

One of these was the official site where people can report inappropriate Internet content.

Anonymous threatened to attack Turkish government websites around two weeks before Aug. 22, the date when a new filtering system the Turkish government unveiled in May is to enter into force.

The codename of the cyber attacks was “operationturkey” and the first website to become a target was “www.tib.gov.tr,” TİB’s official website. The hackers also attacked the websites of other units operating under TİB, including the Internet Information Report Center (www.ihbar.org.tr), www.guvenliweb.org.tr and www.guvenlicocuk.org.tr. The attacks were characterized as distributed denial of service (DDoS) attacks.

They then targeted websites of a number of public institutions and political parties.

Anonymous’ cyber attacks were continuing as of Friday.

Crooks using online games to farm virtual currencies that they can sell for real money have turned internet spaceship game Eve Online into a battlefield for botnets.

Eve Online is home to various rival groups who generate in-game currency for gamers who want to join in without spending their time acquiring experience and resources by working their way up from the bottom. Rival groups from eastern Europe are using botnets to DDoS opponents before taking over their territories. Regular gamers are often caught in the crossfire of multi-pronged attacks that can occur in the game, via DDoS attacks on forums, over VoIP communication systems and through late-night prank phone calls. Game servers have taken a hit in the process.

Gold farmers are known for using Trojans to gain control of compromised accounts. The Eve Online baddies have taken a different tack through attacks that swamp forums with junk traffic.

Chris Boyd, a senior threat researcher at GFI Software and a gaming security expert, said that Eve Online’s difficulties are part of wider problems in virtual worlds.

“Gold farmers can cause the price of in-world items to rise, chat channels can be flooded by sale scams, endless bots and automated processes can cause significant server load,” Boyd told El Reg. “That’s before you get to the problems created by phishing, hacking and scamming established and profitable accounts.”

Boyd (AKA paperghost) agreed that the miscreants on Eve Online are taking it up to 11.

“The idea that there are effectively dead systems filled with nothing but spambots and hostile empires that are happy to do battle outside of their gaming realm by DDoS’ing websites and making prank phonecalls is a fascinating insight into the troubles plaguing virtual worlds, and real world currency having a marked impact on virtual trading makes this a few steps above dedicated DDoS botnets designed for nothing other than kicking console gamers out of Halo 3 sessions.”

Various groups rumoured to be working out of Eastern Europe and Russia are said to be offering in-game currency for real money. “Investigations by the owners of the game have caused several leaders of these alliances to be banned in the past,” explained Reg reader Patrick, who was the first to tell us of the hive of villainy within Eve Online.

Anti-zombie PC systems are hitting the market one after another in the wake of the DDoS (distributed denial of service) attack in March this year and the recent NACF (National Agricultural Cooperative Federation) network breakdown caused by a laptop infected with bot malware.

Wins Technet, Piolink and NP Core are about to enter the market with CC (Common Criteria) certifications, the qualification required to supply anti-bot solutions to the local public-sector market.
Wins Technet has recently released the Sniper BPS, which not only detects and blocks a PC infected with a malicious bot from accessing networks but also analyzes malicious codes to treat affected computers. It has already won the CC mark and is getting ready to win over public-sector customers after June.
Piolink has also launched a similar product, dubbed TiFRONT-AntiBot, and has supplied it to the National Computing & Information Agency, the Korea Internet & Security Agency and major companies in the industry. The solution detects bot-infected hosts as they attempt to reach the network, analyzes them, and directs an L2 security switch to cut them off. Saint Security, a local bot detection firm, took part in developing the product and contributed to its detection accuracy.
In the meantime, foreign companies like Trend Micro, Symantec and FireEye are preparing to enter the local malware detection market, too, so domestic and foreign solution developers are likely to compete neck and neck down the road.