
Rootkit Web sites fall to DDOS attack

Filed under
Security

Two prominent Web sites that specialize in remote access software known as "rootkits" have been taken offline by a large distributed denial of service (DDOS) attack. The take-down was allegedly ordered by a shadowy group of hackers and rootkit authors who took offense to criticisms of their software posted on the sites.

Rootkit.com, an established Web site run by security expert Greg Hoglund, has been offline for almost a week. Two other sites, operated by a prominent rootkit author known as "Holy Father," have also been taken down in the attacks, which are believed to be the work of a group of Bulgarian and Turkish hackers known as the SIS-Team, according to Hoglund, the chief executive officer of HBGary, Inc., an information technology software and services company.

The attack against rootkit.com began on Tuesday, April 5, after someone using the name "ATmaCA" posted an inflammatory message to one of the discussion groups on the site that advertised a number of malicious remote access software programs sold by SIS Team, including SIS-Downloader, ProAgent and SIS-IExploiter, Hoglund said.

The programs are powerful spyware tools that, when combined, enable remote attackers to secretly compromise other machines using attack Web pages. They are sold online at Web sites like www.spyinstructors.com and are popular with those behind spam campaigns, who use the tools to plant remote control programs that are then used to send out spam, Hoglund said.

The post by ATmaCA prompted curt responses from rootkit.com members, who objected to authors using the discussion forum as a venue to advertise their commercial software. Other rootkits discussed on rootkit.com are open source, and authors typically post links to their source code on the site, Hoglund said.

In the "flame war" that erupted between the SIS-Team members and the rootkit.com contributors, questions were also raised about the quality of the SIS-Team products. Some rootkit.com regulars alleged that the tools were poorly written and frequently crashed machines they ran on, Hoglund said.

Within hours of the first post from ATmaCA, the rootkit.com Web site was under attack by a network of more than 500 compromised computers, or bots, that flooded the site with about 170,000 requests a second, making it unreachable for most Internet users, he said.

Two rootkit-focused Web sites operated by Holy Father were also downed by DDOS attacks after that person posted remarks critical of ATmaCA and SIS-Team, according to an e-mail from Holy Father.

In both cases, extortion e-mail was sent to the Web site owners after the DDoS attacks began, saying that the attacks would end if the owners posted public apologies to ATmaCA and SIS-Team on their Web sites, Hoglund and Holy Father said.

Hoglund, who is a noted security expert and author of the book "Exploiting Software," was working on Monday to bring the rootkit.com Web site back online. He expressed outrage at the attacks, which he said were instigated by a group of immature hackers, and said that he would have taken the inflammatory post about ATmaCA and SIS-Team off rootkit.com as a matter of policy.

"I find it very offensive that a public Web site that does nothing but share information is attacked by a bunch of immature children," he said. "These are hackers who can't stand on their own merits. They make claims for their software, and then can't argue about it, but just DDOS their critics off the Internet."

Rootkit.com has more than 25,000 registered users and about 30 regular contributors. Despite the reputation of rootkits as hacker tools, many of those who frequent the site are professional security experts and students who study computer security and use the rootkit source code available on the site to figure out ways to defend against rootkit programs, Hoglund said.

Source.
