Once compromised, the end system is turned into a bot that is under the command and control of the criminal identity thief. Criminal organizations utilize malicious software to infect large numbers of systems to create botnets to perpetrate large-scale attacks like those we have seen against our financial organizations. Malware is malicious software intended to cause harm. It usually refers to viruses, worms, Trojans, or other forms of malicious code that are used to compromise the integrity of the target system with the intent to disrupt systems, spy on users and steal their credentials and/or identity, or take control of the system.
Systems can be infected in multiple ways, including physical contact such as sharing files on portable storage media such as CDs or flash drives. However, today malware more commonly arrives in electronic mail messages, either in an infected file attached to the email or through a Web link within the message. Malware can also be embedded in a downloaded file such as a JPG or a music file. In addition, malware can enter through an open network connection, without any human intervention, due to poor configuration or the lack of security patching processes.
Once infected, the end system is under the command and control of the criminal organization to conduct illicit activities. The trend and sophistication of attacks using botnets has been increasing and recently has been taking the form of DDoS attacks. There are several reasons for the increase in the number and sophistication of the attacks, namely the emergence of crime as a service (CaaS) and hacktivism. CaaS has emerged as a threat due to the growth in low-cost, highly available attack software that gives novice hackers the ability to unleash attacks.
Secondly, hacktivism, or the use of cyber attacks to make political or social statements, like we have recently seen emanating from the Cyber Fighters of Izz ad-Din al-Qassam (Cyber Fighters), Anonymous or the Occupy movement. Recent data shows that nearly 51% of observed attack traffic has originated in the Asia Pacific region, while just over 23% has originated in North and South America. Targets of recent DDoS activity include U.S. Bancorp, JPMorgan Chase, Bank of America, PNC Financial Services Group, SunTrust, HSBC, Ally Bank, BB&T, Wells Fargo and Capital One.
However, a recent announcement by the Cyber Fighters indicates that they are going to be targeting regional and community banks. The methodology evidenced during recent attacks is that virtual private servers have been compromised, with a per-node attack rate that is one hundred times greater than that of a normal bot. In addition, the command and control of the botnet is much tighter and is able to modify attack methods and shift between targets in as little as twenty minutes, whereas it used to take hours or days.
Some interesting examples of recent DDoS attacks using botnets are as follows: Case #1 – The London Olympics was the target of DDoS attacks from 25 July through 9 September. The first significant attack occurred five hours prior to the opening ceremony and used twenty-three different attack vectors with MM requests over an hour and twenty minute period. The second significant event took place during the first full day of competition, and over a twelve-hour period there were 5.6 B requests.
Case #2 – A large East Coast financial services company was targeted during Hurricane Sandy; DNS requests peaked at KICK per second and totaled BIB in five days, compared to MM hits per week. Case #3 – A leading U.S. financial institution (FI) with millions of customers was the target of a massive DDoS attack with peak attack traffic of 30 Gbps, which is 30 times the normal daily high traffic volume. Because of the mitigating controls in place the attack was unsuccessful and the attackers gave up after fifteen minutes.
Then, twenty-five minutes later, another large U.S.-based FI underwent a DDoS attack whose peak attack traffic volume was 8,491 Mbit/sec, with a duration of approximately two hours and forty minutes. Despite existing mitigating controls there was a degradation of service. In conclusion, the use and sophistication of botnets is increasing and recent trends indicate this type of activity will continue to increase. Lessons learned include that after a short probe of defenses the attacks begin in earnest and can last from minutes up to several days.