Endpoint Protection


E-Jihad vs. Storm 

Nov 09, 2007 03:00 AM

The countdown to Nov 11th and the most recently rumored "cyber Jihad" against the West has sparked some other questions. One in particular is how the respective capabilities of E-Jihad and Storm compare for possible denial of service (DoS) attacks.

Symantec’s analysis of the purported DoS tool to be used in this "E-Jihad," known as “E-Jihad 3.0,” has shown it to be crude and unsophisticated. First, it requires a user to manually install it onto a computer. The user must then log into a “cyber-jihadist” Web site through the tool, which sends back attack commands. The Web site in question is currently offline and we believe it may have been since July 2007. Symantec has detection for this tool as Hacktool.Dijah and has set up intrusion prevention system (IPS) blocking.

Since January 2007, Symantec has been tracking the evolution of what is commonly referred to as the "Storm" threat. This term so far has incorporated various malicious online activities like distributed denial of service (DDoS) attacks, spam, pump-and-dump stock emails, and botnets. Symantec has been prompt to add detection and remediation for all these activities under either the Trojan.Peacomm family or Trojan.Packed.13.

The full capabilities and size of the Storm botnet are as yet unknown. Systems continue to be infected on a daily basis through various techniques, such as spam, social engineering, and browser exploits. The use of the Overnet peer-to-peer protocol, which is also used by many legitimate file-sharing clients like eMule and MLDonkey, makes it difficult to track and isolate where commands are coming from. The threat is also constantly evolving with new methods to infect users. The latest techniques discovered show that it now incorporates network encryption, worm-like propagation across drives, and injection of malicious IFRAME code into .htm, .html and .php files found on compromised computers.

Comparing the E-Jihad and Storm techniques mentioned above clearly shows that the “cyber terrorists” in this case are well behind the cyber criminals. It must be noted, however, that at this time it is not clear whether the “E-Jihad 3.0” tool will be used in the rumored E-Jihad on Nov 11th, or even whether the whole thing is just pie in the sky.

However, we should not rule out the impact that a basic DoS attack can have. Lessons learned from May 2007 in Estonia have shown us that DoS commands entered manually by individual users on their own systems can have an impact if there is enough popular support. If we look at the figures below, we can see just how much bandwidth can be consumed in a simple enough attack.

Magnitude of 25,000 bytes/sec. = 24 KB/sec. = 192 Kbps for each single attacker

Assuming N=100 attackers => 192 Kbps x 100 = 18.7 Mbps denial of service attack

If these figures are scaled up with the number of attackers, such an attack can have a considerable impact on a target. However, this would require a considerable amount of organization. With the Storm threat this is all simplified, because one user can issue commands to unknowingly compromised computers that are hosting the threat’s bots. There is no definitive figure on just how many computers the Storm bots occupy, but various reports suggest anywhere from thousands to millions. With these figures in mind, a DDoS attack from the Storm threat should theoretically outweigh an organized E-Jihad using the “E-Jihad 3.0” tool, and poses the greater threat. Yet, with the Storm threat being controlled by cyber criminals who are motivated by money, it is unclear just who they might lease their botnet herds out to, or for what purpose. Time will tell.

To minimize the risk of an attack as much as possible, never install an unknown program, keep your antivirus definitions up-to-date, and never open attachments from unknown sources.

Special thanks to Elia Florio and James O’Connor for their analyses.