Friday, October 26, 2012

Dissecting 'Operation Ababil' - an OSINT Analysis - Part Two

With more crowdsourced intelligence on "Operation Ababil" published in the recent weeks, it's time to revisit the campaign's core strategy for harnessing enough bandwidth to successfully take down major U.S financial institutions.

As you can remember, in Part One of the OSINT analysis for "Operation Ababil" I emphasized on the crowdsourcing campaign launched by Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters, which led to the successful DDoS attack against these institutions. It appears that this is just one of the many stages of the campaign.

According to security researchers from Proxelic, the attackers also relied on a PHP based DDoS attack script known as "itsoknoproblembro" that was installed on servers susceptible to exploitation through the Bluestork Joomla template. By combining crowdsourced bandwidth and bandwidth from the compromised servers, the attackers managed to successfully achieve their objectives.

The DDoS script in question,"itsoknoproblembro", has been publicly available as a download for months before the attacks started, indicating that it was not on purposely coded to be used in the campaign against major U.S financial institutions.


Detection rate: PHP_DDoS.html - MD5: 9ebab9f37f2b17529ccbcdf9209891be - detected by 9 out of 44 antivirus scanners as PHP/Obfuscated.F; Heuristic.BehavesLike.JS.Suspicious.A

Next to Prolexic's claims, th3j35t3r also published an analysis of the situation that's primarily relying on wishful thinking and social engineering, claiming that Anonymous supplied the operators of "Operation Ababil" with DDoS bandwidth by using a service called Multiboot.me - 108.162.193.85; 108.162.193.185, AS13335.

Sample screenshots of the Multiboom.me's GUI:





With "Operation Ababil" continuing to fuel political tensions between the U.S and Iran, which is blamed for organizing the launching these attacks, it's worth emphasizing on the basics of 'false-flag' cyber operations, and "aggregate-and-forget" type of botnets.

When was the first time you heard of Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters? Appreciate my rhetoric - right after they started their crowdsourcing campaign. With the group lacking any significant digital fingerprint prior to these attacks, virtually anyone can localize their objectives with a little twist of politics and propaganda, and easily set the foundations for what is now perceived as an Iranian cyber operation.

Moreover, their bandwidth acquisition techniques clearly indicate that the attackers are aware of the dynamics of modern cyber operations in general, and by doing so, chose to acquire bandwidth without outsourcing their needs to ubiquitous and sophisticated Russian DDoS on demand services, which could have led to the easy identification of the service in question, next to the cybercriminals behind it.

Updates will be posted as soon as new intel becomes available.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.