CNN Attacks - Inside Two Dedicated DDoS Tools
by Jose Nazario

A new DDoS tool to be used in the China vs. CNN attacks has surfaced (thanks for the tip!). This one is more flexible than the first: it lets you specify what targets you want to hit, suggesting that more flexible attacks may be afoot in the near future. But first, a quick peek at the first dedicated DDoS tool released in this online skirmish.
AntiCNN.exe
This was the first of the two dedicated tools to be found and analyzed. As you would expect, it’s a dedicated tool against CNN.com. It opens a flood of HTTP connections and attempts to hurt the servers. All of the requests look like this:
GET /aux/con/com1/../../[LAG]../.%%%%%%%%./../../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp
And they’re against all of the IPs associated with www.cnn.com. The user can start or stop the attack at their will. This tool has been analyzed by others already.
Sdos.EXE
This is the second of the two tools and just crossed my desk within the last hour. This one lets you specify a target server and a port, and uses a simple connect() loop for the TCP flood. This has the advantage (for the defender) of making traceback and source /32-based blocking easy.
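Both tools leave a defender-visible footprint: AntiCNN.exe requests all carry the same odd path, and SDos.EXE completes real TCP connections, so the source address in a firewall or flow log is the attacker's actual address. The following Python script is an added example (not part of the original post or of Arbor's tooling) that triages both: it matches the request signature above against constructed web-server access-log lines, counts completed-handshake SYNs per source in constructed firewall-log lines, and renders the over-threshold sources as /32 block entries. The log formats, IP addresses, window size and threshold are all assumptions chosen for the example.

```python
"""Defender-side triage for the two tools described above (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Signature taken from the page: every AntiCNN.exe request carries this path fragment.
ANTICNN_PATH_MARKER = "/fakecnn/redflag-stay-here.php"

# Constructed combined-format access-log lines (203.0.113.7 is a documentation address).
ACCESS_LOG = """\
203.0.113.7 - - [19/Apr/2008:10:00:01 +0000] "GET /aux/con/com1/../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.22 - - [19/Apr/2008:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Apr/2008:10:00:02 +0000] "GET /aux/con/com1/../../../fakecnn/redflag-stay-here.php.aspx.asp.cfm.jsp HTTP/1.1" 404 512 "-" "Mozilla/4.0"
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed firewall-log format (assumed): "<ISO8601Z> <src>:<sport> -> <dst>:<dport> SYN".
# 60 connection attempts from one host in ten seconds, plus two from an ordinary client.
CONN_LOG = "\n".join(
    [f"2008-04-19T10:00:{i % 10:02d}Z 203.0.113.9:{51000 + i} -> 192.0.2.10:80 SYN"
     for i in range(60)]
    + ["2008-04-19T10:00:03Z 198.51.100.22:40001 -> 192.0.2.10:80 SYN",
       "2008-04-19T10:00:07Z 198.51.100.22:40002 -> 192.0.2.10:80 SYN"]
)

CONN_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) SYN$'
)


def anticnn_sources(log_text):
    """Count, per source IP, access-log requests matching the AntiCNN path signature."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and ANTICNN_PATH_MARKER in m.group("path"):
            hits[m.group("ip")] += 1
    return hits


def syn_flood_sources(log_text, window_seconds=10, threshold=50):
    """Bucket SYNs by fixed time window and source; return sources that hit the threshold.

    Because SDos uses connect(), each SYN is followed by a real handshake, so the
    source address here is trustworthy and not spoofed. Returns {src: peak_count}.
    """
    buckets = defaultdict(Counter)  # window index -> Counter of source IPs
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        window = int(ts.timestamp()) // window_seconds
        buckets[window][m.group("src")] += 1
    flagged = {}
    for counter in buckets.values():
        for src, n in counter.items():
            if n >= threshold:
                flagged[src] = max(flagged.get(src, 0), n)
    return flagged


def blocklist(sources):
    """Render flagged sources as /32 entries, the host-level block the post describes."""
    return sorted(f"{ip}/32" for ip in sources)


if __name__ == "__main__":
    print("AntiCNN signature hits:", dict(anticnn_sources(ACCESS_LOG)))
    flood = syn_flood_sources(CONN_LOG)
    print("connect() flood sources:", flood)
    print("proposed /32 blocks:", blocklist(flood))
```

The window and threshold are deliberately crude; on a real edge device you would tune them against normal connection rates for the port, and you would still log the matches rather than block blindly, since the /32 approach only works because these tools do not spoof.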
During installation a driver is installed, presumably for some of the attack traffic creation.
By default it installs in c:\Program Files\Sattacker\SDos\sdos.exe. It uses the following registry keys to store information:
HKEY_CURRENT_USER\Software\Sattack\SDos\SDos\Recent File List ""
HKEY_CURRENT_USER\Software\Sattack\SDos\SDos\Recent File List ""
HKEY_CURRENT_USER\Software\Sattack\SDos\SDos\Recent File List ""
HKEY_CURRENT_USER\Software\Sattack\SDos\SDos\Recent File List ""
HKEY_CURRENT_USER\Software\Sattack\SDos\SDos\Settings ""
HKEY_CURRENT_USER\Software\Sattack\SDos\SDos\Config ""
HKEY_CURRENT_USER\Software\Sattack\SDos\SDos\Config ""
HKEY_CURRENT_USER\Software\Sattack\SDos\SDos\Config ""
The tool apparently was written in MS Visual C++.
Overall similarities
Both tools are designed “for the masses”, i.e., people who may not be running their own botnet but are upset by events. This isn’t new; it has been done before and will continue to be done. Both tools are user-friendly, and neither one has a backdoor (unlike other tools of this kind in the past).
UPDATE There’s a third tool that I will post info about tomorrow. Unlike these two, it has a backdoor for the attackers to abuse.