Alleged vDOS creators nabbed in Israel

The underground enterprise was said to be responsible for most of the DDoS attacks over the past four years.
The underground enterprise was said to be responsible for most of the DDoS attacks over the past four years.

Two teenagers in Israel were arrested for their alleged part in the running of vDOS, a so-called booter service selling kits for distributed denial-of-service (DDoS) attacks.

The underground enterprise – which enabled clients to launch DDoS attacks that could potentially cripple any target website – was said to be responsible for most of the DDoS attacks over the past four years, according to The Inquirer.

The service ran under the radar for four years until security researcher Brian Krebs reported last week on an unidentified partner exploiting a hole in a different DDoS-for-hire service, dubbed PoodleStresser. The configuration data for PoodleStresser's attack servers, Krebs said, enabled access to vDos's database.

The trail led to the two teenagers in Israel, Itay Huri and Yarden Bidani – also known as P1st aka P1st0, and AppleJ4ck – who were promoting their service on hackforums[dot]net. vDos offered would-be hackers subscriptions for prices ranging from $20 to $200 per month, depending on how long they wanted the assaults to operate. Payment was preferred in the digital currency Bitcoin, although Krebs said it did for brief periods accept credit cards. As well, for several years "the attack service worked assiduously to launder payments for the service through a round-robin chain of PayPal accounts," he added.

DDoS attacks up 211%

Imperva last month released its 2015-2016 DDoS Threat Landscape Report. Some key trends: 

DDoS attacks increased by 211 percent year over year. This uptrend is fueled by DDoS-for-hire services.  

South Korea dethrones China as the main hub for DDoS botnet activity.

Half of all targeted businesses were attacked more than once.

The vDOS database obtained by Krebs contained details on tens of thousands of paying customers. He said the operation conservatively netted more than $600,000 over the past two years as it facilitated the launching of over 150,000 DDoS attacks intended to shutter websites. Its earnings are believed to be much higher as this sum factors in only two years of its four years of operation.

Clients were unable to attack sites in Israel as the creators of the service presumably wished to not draw attention to themselves, Krebs speculated.

The two 18-year-olds were arrested on September 8 by Israeli authorities at the request of the FBI, according to Israeli news site The Marker. They were questioned and released on bond on Friday after their passports were seized. They were placed under house arrest and are forbidden to use internet-connected devices for 30 days.

They were identified after publishing, in August 2016, a technical paper on DDoS attack methods on the Israeli security e-zine Digital Whisper. Bidani gave out his Gmail address, which linked to an admin account at vDos and Huri signed with his actual name. Bidani also posted about DDoS attacks on his Facebook page and Huri's phone number was linked to vDOS's site registration records as well as its support line.

The lawyer for one of the accused said that instead of receiving punishment, his client should be put to work in the army.

Meanwhile, after Krebs published his investigation, his site was targeted by a massive DDoS attack that spiked at nearly 140 Gbps (the attack, he said, is ongoing though his site is currently online).

“The scale of vDOS is certainly stunning, but not its novelty or sophistication," Ofer Gayer, product manager for DDoS at Imperva Incapsula, informed SCMagazine.com in an email on Monday. "DDoS attacks can be accomplished with rudimentary tools by unsophisticated attackers. The fact that vDOS was able to run unchecked for so long is unfortunate."

There will always be a black market to facilitate the trade of illegal goods, Michael Covington, VP product, Wandera, told SCMagazine.com in an email on Monday. Whether the “merchants” are moving drugs, humans, weapons or software, if there are buyers, the sellers will find a way to reach them, he said.

"Crimeware as a service may be a relatively new term, but it's just the latest iteration in a long string of online, software-based exploits-for-hire," Covington explained. Other examples he provided include the spam-generating systems built during the early 2000s and the botnet toolsets that followed.

"Spam infrastructure, botnets, malware and crimeware have all been sold on the black market," Covington wrote, "but this is not because they are profitable commodities to trade in on their own. Instead, these are tools that are being used to make money. Lots of money."

There are a lot of reasons why someone might purchase an exploit and use it against a company or an entire industry, Covington said. The recent surge in ransomware demonstrates that both companies and individual consumers value their data and are willing to pay to unlock it, he said. Denial-of-service attacks take access rights one step further. "In addition to preventing an authorized entity from accessing their own data, DoS attacks can prevent that same entity from being in business in the first place. If you cannot reach a website or process a payment, business cannot be done and money cannot be made."

The problem is not going away, he added. In fact, enterprises shouldn't expect to stop the attacks altogether. "But they can take steps to lessen the impact if and when they are attacked," Covington said. That involves enterprises knowing where they are exposed and what assets they have in order to best position their defensive tools.

"The industry as a whole must work together with governments and law enforcement to pursue legal and regulatory restrictions that place more burden on those wishing to distribute," he said. "Further, the penalties should be even stiffer for those utilizing those tools to disrupt business, government operations or financial markets. Technical solutions on their own will not work to solve this problem as there's too much money to be made through the sale and use of these tools."

DDoS attacks have been a problem for some time, agrees Cris Thomas, strategist, Tenable Network Security. "They are hard to prevent, hard to trace and they are rather profitable," he told SCMagazine.com on Monday.

"Mitigating a flood of unwanted traffic can be an extremely technical challenge in systems architecture," Thomas wrote. "The best solution is to wait it out and hope the attackers move on, or work with a service that is designed to handle the excess traffic."

The fact is, DDoS attacks have been around roughly for 16 years or so, and DDoS as a service is almost as old, Thomas said. "It is good to see vDoS get taken down, but there is money to be made here so someone will step in to fill the void."

"This incident of two Israeli teenagers selling kits for DDoS attacks is yet another example of the proliferation of the “sharing economy,” Yogesh Amle, managing director and head of software at Union Square Advisors, told SCMagazine.com on Monday. Though, he added, in this case it could be appropriately termed as the “dark” economy that goes unchecked on the dark web and where amateurs are trading their talents and skills for money and to support rogue and sophisticated cybercriminals.

"The building blocks of the sharing economy model are people, incentivization and distribution," Amle said. "To effectively tackle crimeware-as-a-service (CaaS), we need to deal with these three elements: people (and their talents) need to be channeled elsewhere which could be done through the right amount of policing (and frankly education and training); disincentivization, which can be done by criminalizing this kind of activity and; curbing distribution which means busting these networks.

When asked what enterprises can do to prevent, or lessen, attacks, Amle said he is seeing enterprises coping with such activity by deploying the services of their own service providers, many of whom are specialists of the dark web but are the good guys. "Enterprises also continue to buy point technologies from various vendors – like DDoS and firewall vendors – and depend on other threat intelligence feeds to be able to cope with these attacks. Remediation and mitigation in real time is the mantra today."

Tom Kellermann, CEO of Strategic Cyber Ventures, held a similar view around mitigation strategies. "Crimeware can be prevented through collective international action to dismantle/sinkhole the bulletproof hosts that distribute it and the forfeiture of digital currencies that are exchanged for it," he told SCMagazine.com on Monday. Anti-laundering rules must be expanded to digital currencies immediately, he said, adding that "enterprises should deploy cybersecurity technology which can deceive the crimeware into detonating against fake machines."

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS