Collateral Damage
By Dmitri Alperovitch at 7 August, 2009, 5:23 am
Twitter, LiveJournal, Facebook, YouTube, Fotki: what do they have in common? They all hosted an account of a pro-Georgian blogger who went under the nickname cyxymu (taken after Sukhumi, the capital of Abkhazia, one of Georgia’s pro-Russian breakaway republics and the city he professed to have fled in 1993 during the republic’s war with Georgia). And they all suffered a distributed denial-of-service (DDoS) attack during the course of the day yesterday, an attack that took Twitter down for several hours and significantly slowed connectivity to Facebook. Reportedly, the attack packets sent to the targeted social-media sites were requests to fetch the pages hosted for this user, who had blogged just a few days earlier about the upcoming one-year anniversary of the war between Georgia and Russia.
In addition to the web-based DDoS attacks, McAfee’s TrustedSource reputation system also detected a spam campaign that referenced the targeted blogs. We believe this campaign had a dual purpose. On one hand, the attackers spoofed the blogger’s email address, which is hosted on Gmail, as the originator of the spam. As a result, the blogger’s inbox was flooded with out-of-office notifications and vacation bounces sent automatically by the mail systems of people who had received the spam. This was likely part of an intimidation campaign designed to send a message to cyxymu about who the real intended target of the DDoS was. In addition, the spam contained links to the blogger’s sites, with the likely goal of bringing even more traffic to bear on the servers of those blogs than the DDoS alone would have caused.

Screenshot of the spam bounces in cyxymu’s mailbox that he had posted after the attack on abkhaziya.net, one of his backup blog sites
In our analysis, the spam appears to have been distributed, at least partially, by the same botnet as the one that was used for the DDoS. Of the infected machines spreading the spam, 29 percent were located in Brazil, 9 percent in Turkey, and 8 percent in India.

We detected two distinct spam runs that began around 8 a.m. EDT on Thursday, August 6, and started winding down around 11 a.m. the same day, with the last messages detected at 4 p.m. Only the second spam run, the larger of the two, spoofed cyxymu’s email address; the first used randomized sender addresses.
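The spoofed-sender run described above, and the flood of bounces and out-of-office replies it produced in the blogger's inbox, are the classic backscatter pattern. The script below is an added example, not code from this post or from McAfee: it labels raw messages as bounces, auto-replies or ordinary mail using the standard markers for machine-generated mail (RFC 3464 delivery-status reports, MAILER-DAEMON/postmaster senders, the RFC 3834 Auto-Submitted header, vacation-style subjects), then counts the automatic mail per hour so the start and tail-off of the spam run that caused it can be read from the victim's own mailbox. The five messages are constructed samples; victim@example.com, the example.org senders and the timestamps are placeholders, not addresses from the incident.

```python
"""Sort backscatter out of a spoofed sender's inbox and time it.

Added example, not code from the McAfee post.  When a spam run forges your
address as its sender, the automatic responses it provokes (non-delivery
reports, out-of-office replies) come back to you.  classify() labels a raw
RFC 5322 message as "bounce", "auto-reply" or "other"; backscatter_timeline()
counts the automatic mail per UTC hour.  All messages below are constructed.
"""
import email
from collections import Counter
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed samples: victim@example.com stands in for the spoofed address.
SAMPLE_MESSAGES = [
"""\
From: MAILER-DAEMON@mx.example.net
To: victim@example.com
Subject: Delivery Status Notification (Failure)
Date: Thu, 06 Aug 2009 12:05:00 +0000
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The following address failed: nobody@example.org
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
Action: failed
Status: 5.1.1

--b1--
""",
"""\
From: Alice <alice@example.org>
To: victim@example.com
Subject: Out of Office: Re: Buy now
Date: Thu, 06 Aug 2009 12:40:00 +0000
Auto-Submitted: auto-replied

I am away until 10 August and will answer then.
""",
"""\
From: Bob <bob@example.org>
To: victim@example.com
Subject: Automatic reply: Buy now
Date: Thu, 06 Aug 2009 13:10:00 +0000

Thanks for your message; I am travelling this week.
""",
"""\
From: Carol <carol@example.org>
To: victim@example.com
Subject: Are you still online?
Date: Thu, 06 Aug 2009 12:50:00 +0000
Auto-Submitted: no

Saw your blog is down. Everything ok?
""",
"""\
From: postmaster@example.net
To: victim@example.com
Subject: Undeliverable: Buy now
Date: Thu, 06 Aug 2009 16:00:00 +0000

Your message could not be delivered.
""",
]

# Subject prefixes commonly used by vacation responders that omit Auto-Submitted.
VACATION_PREFIXES = ("out of office", "automatic reply", "auto:", "autoreply")


def classify(raw):
    """Return "bounce", "auto-reply" or "other" for one raw message."""
    msg = email.message_from_string(raw)
    # RFC 3464 non-delivery report: multipart/report with report-type=delivery-status.
    if (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status"):
        return "bounce"
    sender = (msg.get("From") or "").lower()
    if "mailer-daemon" in sender or sender.startswith("postmaster@"):
        return "bounce"
    # RFC 3834: anything other than "no" marks automatically generated mail.
    if msg.get("Auto-Submitted", "no").strip().lower() != "no" or "X-Autoreply" in msg:
        return "auto-reply"
    if (msg.get("Subject") or "").strip().lower().startswith(VACATION_PREFIXES):
        return "auto-reply"
    return "other"


def backscatter_timeline(raw_messages):
    """Counter keyed by (UTC hour, kind) for bounces and auto-replies only."""
    per_hour = Counter()
    for raw in raw_messages:
        kind = classify(raw)
        if kind == "other":
            continue
        when = parsedate_to_datetime(email.message_from_string(raw)["Date"])
        hour = when.astimezone(timezone.utc).strftime("%Y-%m-%d %H:00")
        per_hour[(hour, kind)] += 1
    return per_hour


if __name__ == "__main__":
    for (hour, kind), n in sorted(backscatter_timeline(SAMPLE_MESSAGES).items()):
        print(f"{hour}  {kind:<10} {n}")
```

The classifier only tidies the victim's side; it does nothing to stop the run. As a general remark not specific to this incident, receiving systems that check the forged sender domain's SPF or DKIM records reject most such spam before generating a reply, which is what keeps backscatter volumes down in the first place.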

URLs that were attacked include:
http://twitter.com/cyxymu
http://www.youtube.com/Cyxymu
http://www.facebook.com/cyxymu
http://cyxymu.livejournal.com
http://cyxymu1.livejournal.com
http://fotki.com/cyxymu
The source IP addresses that took part in the attacks had already been flagged by McAfee’s TrustedSource as having a malicious reputation before the attack began.
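The attack traffic described in this post was not a raw packet flood but repeated fetches of one user's profile pages from a botnet, which is what a web server's own access log shows first. The script below is an added example, not code from this post or from McAfee: it parses access-log lines in the common Apache/nginx combined format, groups GET requests into one-minute buckets, and reports any path that in a single bucket is requested by many distinct client IPs and accounts for most of the site's GET traffic. The log lines are constructed, the client addresses are RFC 5737 test ranges standing in for real bot sources, and the thresholds (5 distinct sources, 50% of requests) are illustrative assumptions to be tuned against a site's normal traffic.

```python
"""Flag an application-layer GET flood aimed at a handful of URLs.

Added example, not code from the McAfee post.  Reads combined-format access
log lines, buckets GET requests by time, and reports paths that within one
bucket are fetched by at least min_sources distinct IPs and make up at least
min_share of all GETs.  Thresholds are assumptions; log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: a flood against the profile path from many hosts, with a
# little ordinary traffic mixed in.  Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2009:14:02:01 +0000] "GET /cyxymu HTTP/1.1" 200 5120
192.0.2.11 - - [06/Aug/2009:14:02:01 +0000] "GET /cyxymu HTTP/1.1" 200 5120
198.51.100.7 - - [06/Aug/2009:14:02:02 +0000] "GET /cyxymu HTTP/1.0" 200 5120
203.0.113.44 - - [06/Aug/2009:14:02:02 +0000] "GET /cyxymu HTTP/1.1" 503 0
192.0.2.12 - - [06/Aug/2009:14:02:03 +0000] "GET /cyxymu HTTP/1.1" 503 0
198.51.100.9 - - [06/Aug/2009:14:02:03 +0000] "GET /cyxymu HTTP/1.1" 503 0
203.0.113.45 - - [06/Aug/2009:14:02:04 +0000] "GET /cyxymu HTTP/1.1" 503 0
192.0.2.10 - - [06/Aug/2009:14:02:05 +0000] "GET /cyxymu HTTP/1.1" 503 0
198.51.100.20 - - [06/Aug/2009:14:02:06 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.21 - - [06/Aug/2009:14:02:07 +0000] "GET /search?q=news HTTP/1.1" 200 9000
203.0.113.50 - - [06/Aug/2009:14:02:08 +0000] "POST /login HTTP/1.1" 302 0
""".splitlines()


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_flooded_paths(lines, bucket_seconds=60, min_sources=5, min_share=0.5):
    """Map each flagged path to (max distinct source IPs, max requests) seen in
    any single bucket.  Only GET requests are counted; unparseable lines are skipped."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "GET":
            buckets[int(ev["ts"].timestamp()) // bucket_seconds].append(ev)

    flagged = {}
    for events in buckets.values():
        sources = defaultdict(set)   # path -> distinct client IPs
        hits = defaultdict(int)      # path -> request count
        for ev in events:
            sources[ev["path"]].add(ev["ip"])
            hits[ev["path"]] += 1
        for path, ips in sources.items():
            if len(ips) >= min_sources and hits[path] / len(events) >= min_share:
                seen_ips, seen_hits = flagged.get(path, (0, 0))
                flagged[path] = (max(seen_ips, len(ips)), max(seen_hits, hits[path]))
    return flagged


if __name__ == "__main__":
    for path, (ips, hits) in find_flooded_paths(SAMPLE_LOG).items():
        print(f"{path}: {hits} GETs from {ips} distinct sources within one bucket")
```

Two caveats for anyone running this on real logs. Behind a CDN or load balancer the first field is the proxy's address, so the client IP must be taken from X-Forwarded-For (or the equivalent header the proxy sets) before the distinct-source count means anything. And a surge of genuinely interested readers produces the same shape; what separates a flood from a popular page is the sources themselves, which is why a reputation feed such as the one the post describes, or overlap with hosts seen in a concurrent spam run, is the more decisive signal.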