The Attack from Hell!
Posted: August 10th, 2010, 5:34 am
What could I possibly be talking about? An attack from Hell? What? Well let me explain what happened and how I plan on preventing it in the future, as well as what the Hell is going on! It will all make much, -much-, more sense when I explain.
It all started about four or so months back when I began to notice an exponentially large increase in network activity on my local area network. At the time I quickly realized I was getting DDoS'd! Obviously I couldn't really do much, and when looking through my logs I realized whoever was doing it wasn't playing around either! There were well over 10,000 unique IP addresses pounding away at my one 25MB/10MB connection. I couldn't do anything against such odds! So I simply unplugged my cable modem for an hour and played some Soul Caliber whilst I waited. After reconnecting the modem and receiving a new IP I was back up with no problem.
However, the comfort of high speed internet was short lived. Only an hour after reconnecting my modem I was under attack again! I repeated what I had done before with the modem and began pondering how they managed to find me so quickly. I reconnected the modem as I had done before, and BAM! Within minutes this time I was back under attack. I will not lie; I was a bit frustrated at this point for obvious reasons. I decided that it would be in my best interest to contact my ISP and inform them of the problem. After roughly an hour on the phone I managed to get a tier 3 Network Security Engineer, which was rather pleasing, and after another hour or so on the phone we managed to block all those IPs from attacking my network. (I should also note that this is the point at which I was given the log of the attacks.)
After a few days I began to ponder again: how were they able to find my machine? Normally when a DDoS is performed on a website you attack the DNS (Domain Name System) server. Essentially a DNS translates a binary identifier (the IP) into something more meaningful to the user. I.e.: google.com is actually 74.125.224.16. You can read more about DNS in the reference page at the end of the document. Anyhow, I digress.
So how did they get my information, and so quickly, without me going out and making connections? I began the hunt on my local machine looking for anything suspicious. I couldn't find squat! I was absolutely puzzled! I pondered this for a good week before I literally slapped myself because the answer was right at my feet! And I mean, really, it was at my feet: my laptop! It had been on, running Folding@home! I began looking around on my machine and quickly found a few Trojans alongside a slew of other malware.
And so began the hunt! After isolating the laptop from the network and containing the malware threats I began to dissect them one after another looking for the code that sent my IP address back to the attackers. After almost a week of reviewing code I was still without the answer. So I began digging deeper into the laptop looking for an answer. And after almost a full month I finally found the answer! There was a bit of custom code added onto a .dll file which would execute another, and another, and another, till finally it got to a little function that would occasionally ping a system.
I decided to find out who that IP belonged to, and tracked it back down to Hell, Michigan, USA. I found this incredibly amusing and almost instantly checked to see if that computer was indeed the master machine of this devilish plot or in fact another infected machine. Doing a port scan I found a plethora of open ports that are typical of an infected machine. However, one particular port of interest seemed to be open: port 666. This particular port was being used for IRC. Cool! A botnet that still runs on IRC!
After a few more hours of hounding away I managed to call and get hold of the owner of that machine! "Sweet," I said to myself, maybe I can get hold of the actual bot on the machine and start doing some damage of my own, i.e. seize control of the attacker's bots. Needless to say the owner of the machine was a bit skeptical of sending me anything, and after about 15 minutes of talking with them I finally gave up and simply instructed them that they should look into an antivirus or something. A few days later that machine stopped replying on port 666, so at least something good came out of the conversation.
However, I was still without an answer: who the bloody hell attacked me, and why? I began asking around to some of my friends in the security business and no one seemed to have any information. I posted here and there giving some friends a heads up of the situation, etc. Nothing more happened; I simply waited, which resulted in nothing, and so I more or less thought the threat had been eliminated. They had their fun and were now over it. That was the case until three weeks ago.
Three weeks ago I was chugging along fine when something interesting happened to my desktop. It died, but not your normal death. It was running, then crashed and refused to boot. After further inspection I noticed that two drives were missing from my RAID array. Drives 1 and 2 were missing. Further inspection led me to believe that their BIOS had been flashed. Two drives, two new drives, just stop working? Interesting, I said; however, there are very few people that I know who have the technical knowledge and ability to pull something like that off. I ignored it as coincidence until just recently.
About a week ago I woke up and promptly had the glorious college student breakfast: leftover pizza and a soda! I booted up my laptop (my desktop is still down). When it started up I quickly noticed my CPU was being maxed out well longer than it should be for a boot. I looked at what was running and was shocked to see well over 50 Trojans and assorted malware! Quickly I pulled my network cable out and began the long process of cleansing the system. I was able to remove most pretty easily; however, some were a little less than willing to be removed. I decided to just roll my system back a week or so and see what happens from there.
After the rollback completed I booted the laptop back up to find myself back where I had started. Buggers, I thought, my saved rollbacks had been compromised! Which wasn't that surprising at all, seeing as how I have seen plenty of Trojans that have abused known security issues with the Windows rollback system. I began the long process of removing them by hand! After a few days I had removed them all, or so I had thought. It wasn't till later on Wednesday of last week that I noticed something wasn't right with my system. My Google/Bing searches were being hijacked. Neato, I said! I looked into my hosts file and found a whole slew of stuff I really didn't want there. With ease I just found the defaults for the hosts file and restored it. Problem solved!
However, who was doing this? Was it the same people from the Hell incident a few months ago? I can only assume so, seeing as how I have been lying pretty damned low. However, again, how did they find my machine? There is nothing to give me away, or so I had thought. I began looking into the connections being made by my machine and was horrified by the amount of network activity directed towards my machine. What the deuce was happening here, I thought to myself. What was different?
I ran a little program of mine that checks hashes from a saved point against my current ones to see if any system-critical components had been modified. Nothing! So I began searching by hand looking for anything to give their device away. With no luck, I was beginning to get rather frustrated when a friend of mine mentioned looking into the TCP/IP stack on my machine. I did, and was surprised to find I had a metric buttload of crap in there that was far from normal. My only conclusion is that it had been something I had missed from the first attack, alongside a few rootkits. Upon removal my network activity returned to normal and all was good!
What was the network activity, you ask? Everything! My machine was working as a proxy doing stuff from DDoS to torrents. I am actually surprised I missed something this BIG on my machine. However, I am happy that it's all over now. After doing some research I found some known security issues with the firewall revisions, both the hardware one on my router and the software one on my laptop, and have fixed both. Since then I have been clean of all infection.
I am still stumped as to whom I pissed off so horrifically badly that they are going through such lengths to attack my machines, and have requested the assistance of a whole slew of security specialists that I am on good terms with. Hopefully I can get to the bottom of this before any more damage to my machines, or annoyances.
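Two of the checks the post describes (the hash-baseline comparison of system files, and the hosts file audit after the Google/Bing search hijack) are simple enough to show as working code. The block below is an added example written for this page; it is not the poster's own "little program" and does not reconstruct whatever the malware actually planted. The directory layout, the `203.0.113.7` address and the `.test` domain in the sample hosts text are all constructed for the demonstration, and the `WATCHED` list of search domains is an assumed choice.

```python
import hashlib
import ipaddress
import tempfile
from pathlib import Path

# ---- 1. Hash baseline: snapshot a tree, compare later (assumed design) ----

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshots(baseline, current):
    """Files added, removed, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }

def demo_integrity():
    """Constructed demo: baseline a directory, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "drivers").mkdir()
        (root / "drivers" / "tcpip.sys").write_bytes(b"original driver bytes")
        (root / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = snapshot(root)
        # Simulate what the post describes: a planted hosts entry and a dropped DLL.
        (root / "hosts").write_bytes(b"127.0.0.1 localhost\n203.0.113.7 www.google.com\n")
        (root / "evil.dll").write_bytes(b"not really a dll")  # constructed, not real malware
        return diff_snapshots(baseline, snapshot(root))

# ---- 2. Hosts file audit: flag entries that touch search domains ----

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
WATCHED = ["google.com", "bing.com", "example-av.test"]  # assumed watch list

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every valid mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                           # malformed line; ignore
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries

def audit_hosts(text, watched):
    """A clean hosts file never names public search/AV domains at all, so any
    entry for a watched domain is suspect: loopback means 'blocked', anything
    else means 'redirected' (the search hijack the post describes)."""
    flagged = []
    for lineno, ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in watched):
            kind = "blocked" if ip in LOOPBACK else "redirected"
            flagged.append({"line": lineno, "ip": ip, "name": name, "kind": kind})
    return flagged

# Constructed sample: a default Windows-style header plus planted entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed entries below, simulating the search hijack
203.0.113.7     www.google.com google.com
203.0.113.7     www.bing.com
0.0.0.0         update.example-av.test
"""

if __name__ == "__main__":
    print(demo_integrity())
    for hit in audit_hosts(SAMPLE_HOSTS, WATCHED):
        print(hit)
```

One caveat the post itself illustrates: a hash check only sees what the filesystem shows it. The poster's baseline tool reported nothing while rootkits were still resident, which is exactly the case where a user-mode integrity check is blind; the baseline has to be taken from a known-clean boot (or the disk inspected offline) for the comparison to mean anything.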