Is Trend Micro correct in its #OpIsrael ‘Botnets Involved in Anonymous DDoS Attacks’?
Trend has done an analysis of #OpIsrael attacks on April 7. It notes that on that particular day, traffic to one particular website, normally around 90% Israeli, became 90% international due to the botnet DDoS attacks.
This increase in non-Israeli traffic was well distributed, with users from 27 countries (beside Israel itself) accessing the target site.
This is factual and we can take it at face value from a company like Trend. The next comments, however, start with fact but end in interpretation:
[fact] Examining the IP addresses that had accessed the target site, we noticed that some of these were known to be parts of various botnets under the control of cybercriminals. In addition, further investigation revealed that these IP addresses had been previously identified as victims of other attacks like FAKEAV, ransomware, and exploit kits.
[opinion] These findings highlight how major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well. These attacks are not nearly as “harmless” as some would think.
The interpretation is that because a particular PC is known to be infected with a bot, participation in the DDoS attack against Israel was necessarily under the direction of the botherder criminal. But an alternative interpretation could be that the PC owner, entirely independently, decided to take part in the protest. (This is unlikely given the need to hide the source IP during such a protest.) Another possibility, however, could be that an activist protester, not otherwise a criminal, could have hired a botnet from a criminal, not otherwise an activist.
My point is that the final comment (“major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well”) is a non sequitur from the preceding argument. Trend may be right, but it should not be making such a bald statement without further ‘proof’.
It highlights a danger we all face as we shift our news intake from traditional newspapers to blogs: the automatic acceptance of an opinion as fact. Blogs, for their part, should draw a distinction between fact and opinion – and the conclusion of this particular blog should be clearly labelled ‘opinion’.
A lament on the passing of independent news – not quite dead, but certainly dying
Before I say anything else, let me just say that I really, really like Sophos; and I really, really like NakedSecurity; and I really, really like Graham Cluley. This is really, really just a comment on how the internet has upset the status quo rather than a criticism of any of the above.
But…
Purely coincidentally I was talking to a fellow freelancer who, like me, is old enough to remember the golden, halcyon days of freelancing back in the mists of the last century. The internet has destroyed all that, along with the majority of the magazines I used to write for.
“Today,” I said, “company blogs have replaced independent magazines. Just take NakedSecurity, which competes head on with the security magazines in terms of content.”
I stand by that. It’s a great blog and a great read written by experts in their subject. But the one thing it isn’t is ‘independent’.
Consider one of today’s news items: Microsoft and Symantec jointly took down the Bamital botnet (my news story is on Infosecurity Mag here). The problem is that Symantec, a direct competitor of Sophos, gets hardly a look-in on the Sophos blog – which is headlined: Bamital botnet dismantled, as Microsoft seizes control of malware servers.
In fact, you wouldn’t think that Symantec was involved in the actual takedown at all judging from the Sophos account – despite the fact that it published an excellent and detailed analysis of Bamital today.
Coincidence? Possibly; but I doubt it. The problem is that NakedSecurity is so good and so popular that it is often taken as news. It isn’t. It’s a marketing machine for Sophos – and readers should always bear in mind (not just for NakedSecurity, but for all of the company blogs that are replacing the magazines) that the one thing you cannot get from a company blog is independent news.
Apple’s response to the Flashback botnet – Fail
Apple, it keeps telling us, is on top of security. Well, I used to give it the benefit of the doubt on that; but now I’m not so sure. What worries me is not the existence of a massive Mac botnet (Windows suffers from far more), nor even Apple’s response to the finder of the botnet, Russian firm Dr Web. “We’ve given them all the data we have,” said Dr Web’s chief executive Boris Sharov. Apple’s reply? Zilch – but that’s just arrogance, not really anything to worry about, just something we have to accommodate.
It’s the one thing that Apple actually did do that worries me.
The botnet was discovered by Russian firm Dr Web. Not exactly a big name in security, but a good one nevertheless. The company set up three sinkhole servers to help monitor the botnet, estimate its size – and perhaps take it down. Apple’s one actual response? It contacted Russian Web registrar Reggi.ru and asked for one of the servers to be shut down since it was engaged in malicious activity. It wasn’t – it was one of Dr Web’s sinkholes.
Dr Web’s CEO, Boris Sharov, thinks this was an honest mistake by Apple. I suspect it was a dishonest mistake. I suspect it was more to do with Apple attempting to maintain its carefully constructed facade of invulnerability. I suspect that if it had been one of the better known anti-malware companies that had discovered this 600,000-strong Mac botnet, Apple would have reacted differently. Instead it thought it could keep quiet, try to shut down the botnet by taking down a C&C server, and nobody would be any the wiser.
Instead the company has simply shown itself to be a child in an adult’s playground. Poor show, Apple.