Collateral Damage
Friday August 7, 2009 at 4:23 am CST
Posted by Dmitri Alperovitch
Twitter, LiveJournal, Facebook, YouTube, Fotki: what do they have in common? They all hosted an account of a pro-Georgian blogger who went under the nickname cyxymu (taken from Sukhumi, the capital of Abkhazia, one of Georgia’s pro-Russian breakaway republics and the city he professed to have fled in 1993 during the republic’s war with Georgia). And they all suffered a distributed denial-of-service (DDoS) attack during the course of the day yesterday, an attack that took Twitter down for several hours and significantly slowed connectivity to Facebook. Reportedly, the attack traffic sent to the targeted social-media sites consisted of requests to fetch the pages hosted for this user, that is, an application-layer flood of ordinary-looking page requests rather than a raw packet flood. The blogger had just a few days earlier written about the upcoming one-year anniversary of the war between Georgia and Russia.
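A flood made of ordinary page requests for one profile URL does not show up as malformed traffic; what gives it away is one path being fetched by a large number of distinct source addresses in a short window. The following is an added example in Python, not code from the original post or from McAfee, that runs that check over constructed access-log lines in the Apache/nginx "combined" format. The source addresses, the window of 60 seconds and the thresholds of 50 requests from 20 distinct IPs are assumptions chosen for the sample, not figures from the post.

```python
"""Detect an application-layer (HTTP GET) flood against one URL path.

Added example, not code from the original post or from McAfee. Log lines are
constructed below in the Apache/nginx "combined" format; the window and
threshold values are assumptions, not figures from the post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_floods(lines, window=timedelta(seconds=60), min_hits=50, min_ips=20):
    """Return {path: (max_hits, max_distinct_ips)} for every path that, inside
    some sliding time window, received at least min_hits GETs from at least
    min_ips distinct source addresses.

    Requiring many *distinct* sources is what separates a botnet flood from a
    single noisy client, which ordinary per-IP rate limiting already handles.
    """
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET":
            by_path[rec["path"]].append((rec["ts"], rec["ip"]))

    floods = {}
    for path, events in by_path.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until every event in it is within `window` of the newest one.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            ips = {ip for _, ip in in_window}
            if len(in_window) >= min_hits and len(ips) >= min_ips:
                prev_hits, prev_ips = floods.get(path, (0, 0))
                floods[path] = (max(prev_hits, len(in_window)), max(prev_ips, len(ips)))
    return floods


def build_sample():
    """Constructed traffic (not real log data): 60 bots each fetch the profile
    page once within 30 s, alongside a few ordinary requests for another page."""
    base = datetime(2009, 8, 6, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=i // 2)).strftime(TS_FMT)
        lines.append(f'10.0.{i}.{(i * 7) % 251 + 1} - - [{ts}] '
                     f'"GET /cyxymu HTTP/1.1" 200 5120 "-" "Mozilla/4.0"')
    for i in range(5):
        ts = (base + timedelta(seconds=i * 5)).strftime(TS_FMT)
        lines.append(f'192.0.2.{i + 1} - - [{ts}] '
                     f'"GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for path, (hits, ips) in find_floods(build_sample()).items():
        print(f"flood on {path}: {hits} GETs from {ips} distinct IPs")
```

The per-path, many-sources rule is deliberately the inverse of the usual per-IP rate limit: each bot in a flood like this may send only a handful of requests, so per-client counters never fire, while the target path stands out immediately. In production the same logic would be fed from a log tail or a streaming pipeline rather than a list, and the thresholds tuned to the site's normal per-path fan-out.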
In addition to the web-based DDoS attacks, McAfee’s TrustedSource reputation system also detected a spam campaign that referenced the targeted blogs. We believe this campaign had a dual purpose. On one hand, the attackers spoofed the blogger’s email address, which is hosted on Gmail, as the sender of the spam. As a result, the blogger’s inbox was flooded with out-of-office notifications and vacation bounces generated automatically by the mail systems of people who had received the spam (the backscatter of a classic “joe job”, in which the forged sender rather than the recipients is the real victim). This was likely part of an intimidation campaign designed to send cyxymu a message about who the real target of the DDoS was. On the other hand, the spam contained links to the blogger’s sites, with the likely goal of bringing even more traffic to bear on those blogs’ servers than the DDoS alone would generate.
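Backscatter of this kind can be separated from automatic replies to mail the owner really sent by one check: does the auto-reply or bounce reference a Message-ID that the mailbox actually emitted? The following is an added example in Python, not code from the original post or from McAfee. The mailbox address, the four messages and the log of sent Message-IDs are all constructed for the example; in practice the sent log would come from the mail client or the outbound MTA.

```python
"""Separate backscatter (automatic replies to mail we never sent) from
automatic replies to mail we did send.

Added example, not code from the original post or from McAfee. The address,
the messages and the log of sent Message-IDs are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the address the spammers forged as the sender.
OUR_ADDRESS = "blogger@example.com"

# Assumption: Message-IDs of mail this mailbox really sent (a mail client or
# MTA log would supply these in practice).
SENT_IDS = {"<real-1@example.com>"}


def is_automatic(msg):
    """True for auto-generated mail: RFC 3834 Auto-Submitted, a DSN
    (multipart/report), a MAILER-DAEMON/postmaster sender, or an
    out-of-office style subject line."""
    auto = str(msg.get("Auto-Submitted", "no")).strip().lower()
    if auto and auto != "no":
        return True
    if msg.get_content_type() == "multipart/report":
        return True
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender.startswith(("mailer-daemon@", "postmaster@")):
        return True
    subject = str(msg.get("Subject", "")).lower()
    return any(k in subject for k in ("out of office", "auto-reply", "autoreply", "delivery status"))


def referenced_ids(msg):
    """Message-IDs the reply claims to answer: In-Reply-To, References, and the
    Message-ID of an embedded original (DSNs carry it as message/rfc822)."""
    ids = set()
    for hdr in ("In-Reply-To", "References"):
        ids.update(str(msg.get(hdr, "")).split())
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "message/rfc822":
                for inner in part.get_payload():
                    mid = inner.get("Message-ID")
                    if mid:
                        ids.add(str(mid).strip())
    return ids


def classify(raw, sent_ids=SENT_IDS):
    """'normal' for human mail, 'legit-auto' for an automatic reply to something
    we sent, 'backscatter' for an automatic reply to mail we never sent
    (the forged-sender case described in the post)."""
    msg = message_from_string(raw)
    if not is_automatic(msg):
        return "normal"
    return "legit-auto" if referenced_ids(msg) & sent_ids else "backscatter"


# Constructed samples, not real messages.
SAMPLES = {
    "dsn_for_forged_spam": (
        "From: MAILER-DAEMON@mail.example.net\n"
        f"To: {OUR_ADDRESS}\n"
        "Subject: Delivery Status Notification (Failure)\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nThe following message could not be delivered.\n"
        "--b1\nContent-Type: message/rfc822\n\n"
        f"From: {OUR_ADDRESS}\nTo: victim@example.net\n"
        "Message-ID: <spam-run-2@bot.invalid>\nSubject: see my blog\n\n"
        "http://cyxymu.livejournal.com\n--b1--\n"
    ),
    "ooo_for_real_mail": (
        "From: colleague@example.org\n"
        f"To: {OUR_ADDRESS}\n"
        "Subject: Out of Office: Re: hello\n"
        "Auto-Submitted: auto-replied\n"
        "In-Reply-To: <real-1@example.com>\n\n"
        "I am away until next week.\n"
    ),
    "ooo_for_forged_spam": (
        "From: someone@example.org\n"
        f"To: {OUR_ADDRESS}\n"
        "Subject: Out of office AutoReply: see my blog\n"
        "In-Reply-To: <spam-run-2@bot.invalid>\n\n"
        "I am on vacation.\n"
    ),
    "human_reply": (
        "From: friend@example.org\n"
        f"To: {OUR_ADDRESS}\n"
        "Subject: Re: lunch?\n\n"
        "Sure, noon works.\n"
    ),
}


def triage(samples=SAMPLES, sent_ids=SENT_IDS):
    """Classify every sample; returns {name: verdict}."""
    return {name: classify(raw, sent_ids) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```

Auto-responders that drop In-Reply-To and do not attach the original cannot be linked back and will be flagged as backscatter even when they answer real mail, so this is a sorting aid for the flooded inbox rather than a reason to discard silently. Stopping the flood at its source is a different control: a strict SPF/DMARC policy on the sender’s domain lets receiving servers reject the forged mail before any autoresponder fires.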

Screenshot of the spam bounces in cyxymu’s mailbox, which he posted on abkhaziya.net, one of his backup blog sites, after the attack
In our analysis, the spam appears to have been distributed, at least in part, by the same botnet that was used for the DDoS. Of the infected machines sending the spam, 29 percent were located in Brazil, 9 percent in Turkey, and 8 percent in India.

We detected two distinct spam runs that began around 8 a.m. EDT on Thursday, August 6, and started winding down around 11 a.m. the same day, with the last messages detected at 4 p.m. Only the second spam run, the larger of the two, spoofed cyxymu’s email address; the first randomized the sender addresses.

URLs that were attacked include:
http://twitter.com/cyxymu
http://www.youtube.com/Cyxymu
http://www.facebook.com/cyxymu
http://cyxymu.livejournal.com
http://cyxymu1.livejournal.com
http://fotki.com/cyxymu
The IP addresses included in the attacks were detected proactively by McAfee’s TrustedSource as having a malicious reputation.

August 7th, 2009 at 06:36
[...] While Dmitri Alperovitch wrote his blog entry about the recent DDoS attack against Twitter and some other platforms hosting accounts of a pro-Georgian blogger nicknamed ‘cyxymu’, I [...]
August 7th, 2009 at 09:17
[...] “What do they have in common? They all hosted an account of a pro-Georgian blogger who went under the nickname ‘Cyxymu’,” Dmitri Alperovitch, vice president of threat intelligence at McAfee Avert Labs, wrote in a blog published early Friday morning. [...]
August 7th, 2009 at 17:55
[...] more about it on McAfee Blog and F-Secure [...]
August 7th, 2009 at 23:53
This is the first massive attack I have seen since I started my journey on the net.
August 13th, 2009 at 06:29
Dmitri,
Over the last couple of weeks I’ve been investigating what seems to be a large botnet. There are a couple of characteristics that make me think it might be the same one you’re looking at: (1) the activity peaked on Thursday and Friday last week, then dropped off suddenly on Friday night; (2) there were disproportionately many bots in four Brazilian IP ranges: 187.x.x.x, 189.x.x.x, 200.x.x.x and 201.x.x.x. If this sounds familiar, please drop me a line and let’s share information.
Cheers,
Michael
November 3rd, 2009 at 16:05
[...] We have already discussed the Facebook phishing campaign. Now the scammers are using the phishing campaign not just for spamming but also for a [...]