NetBot Attacker Anti-CNN Tool
As I noted last night, another tool, the third that I know of, aimed at Chinese users who are upset and want to attack CNN has been released. The folks at Hackeroo have released a Netbot Attacker Anti-CNN version, free of charge, for folks to use. Normally Netbot Attacker is a commercial tool, but this is a focused version.
Netbot Attacker provides a simple Windows UI for controlling a botnet, reporting and managing the network, and commanding attacks. So far nothing special or new there. It ships as a simple RAR file with two pieces: an INI file (see below, partially edited and obscured) and a simple EXE.
The INI file hardcodes a target – CNN.com – and info on the controller. The server it contacts is in AS4134, or CHINANET-BACKBONE.
The UI provided in this one is a very rough modification of the real NetBot_Attacker, and it looks like a very simple tool for some people to use. Sadly, it appears to come with a way for the attackers to access the user’s PC.
On startup the program wants to start listening on a port (TCP 8080 in my case). I just tell XP to let it be … Sadly, I don’t have the Chinese language pack installed so I can’t make heads or tails of the writing.
The system gives you basic controls to choose your attack type: SYN, UDP, TCP, ICMP, etc. The default is the classic TCP SYN flood.
Because the original Netbot Attacker is a backdoor, this tool retains that capability and lets you update the bot and be a part of the rest of the botnet. This is controlled here. Notice that you spin up a listening port on TCP 8080.
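A host-side check for the two behaviours described above (an unexpected network-facing listener such as TCP 8080, and flooding of a single target), as an added example that is not part of the original post or the tool. It parses `netstat -ano` output; the sample rows, addresses, PIDs, allowlist and threshold are all constructed for illustration. Raw-socket SYN floods never enter the TCP connection table, so the burst check only catches floods that use ordinary connect calls.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ano` output from a Windows host (not from the post).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1480
  TCP    192.0.2.10:1201        198.51.100.7:80        SYN_SENT        3120
  TCP    192.0.2.10:1202        198.51.100.7:80        SYN_SENT        3120
  TCP    192.0.2.10:1203        198.51.100.7:80        SYN_SENT        3120
  TCP    192.0.2.10:1190        203.0.113.5:443        ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    700
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid) per TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            yield lip, int(lport), rip, int(rport), state, int(pid)

def unexpected_listeners(rows, allowed_ports):
    """Listeners reachable from the network (not loopback) on ports outside the allowlist."""
    return sorted((port, pid) for lip, port, _, _, state, pid in rows
                  if state == "LISTENING" and not lip.startswith("127.")
                  and port not in allowed_ports)

def half_open_bursts(rows, threshold):
    """PIDs holding >= threshold SYN_SENT sockets toward one remote endpoint."""
    counts = Counter((pid, rip, rport) for _, _, rip, rport, state, pid in rows
                     if state == "SYN_SENT")
    return sorted(k for k, n in counts.items() if n >= threshold)

def triage(text, allowed_ports=frozenset({135, 445}), threshold=3):
    rows = list(parse(text))
    listeners = unexpected_listeners(rows, allowed_ports)
    bursts = half_open_bursts(rows, threshold)
    # A PID that both listens unexpectedly and floods one target is the strongest signal.
    both = sorted({pid for _, pid in listeners} & {pid for pid, _, _ in bursts})
    return {"listeners": listeners, "bursts": bursts, "both": both}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The allowlist and threshold are per-host tuning values; a workstation that legitimately runs a local web proxy on 8080 would need that port allowed.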
And finally the ubiquitous “About” page, telling you what’s going on:
A rough translation – provided with the bot – would be:
SYN Flood, ICMP Flood, UDP Flood, UDP Small, TCP Flood, TCP Mult-Connect
Web Attack :
NoCache Get Flood, CC Attack, Http GET Nothing
CQ Game Attack, Route Attack, Smart Auto Attack
SYN+UDP Flood, IACMP +TCP Flood, UDP Small+TCP Connect
Note that nothing tells the average user that the people behind the tool will be able to access the user’s PC now that the user is helping the cause.
It is unclear to me how much this specific tool is used compared to the others. In the end, the effect is the same, however, which is to try and drive an adversary offline with a packet flood.
Also, despite new tools being released, we’re not detecting any major sustained attacks against CNN.com’s website; the attacks have (so far) subsided. It’s unclear if any others will appear in the near future, but it’s possible that these tools are being released in preparation for a new wave of attacks.