Sunday, July 20, 2008

Hacker Attack Follows Military Fighter Jets

As reported by Reuters, NATO Secretary-General Jaap de Hoop Scheffer expressed his concern over "Russia's statement that its military aircraft deliberately overflew Georgian territory in violation of its territorial integrity."

Russian officials have admitted that they ordered the air force to fly over Georgia's rebel region of South Ossetia in a maneuver aimed "to cool hot heads in Tbilisi (Georgia's capital)."



Now the political tension in the South Ossetia region has spread into cyberspace with a new distributed denial-of-service (DDoS) attack against the website of Georgian President Mikhail Saakashvili (www.president.gov.ge).



As indicated by Steven Adair of the Shadowserver Foundation, who was the first to report this DoS attack, the C&C server used in it has the IP address 207.10.234.244.

The domain name of this C&C server, bizus-kokovs.cc, is already known to ThreatExpert from this threat, which was intercepted "in the wild" about a month ago by our behavioral antivirus ThreatFire.

As seen in the report, the bot hooks itself into the system by loading as a Browser Helper Object (BHO) into Internet Explorer and injecting its code into the address space of the legitimate system process svchost.exe. It then contacts its command-and-control server at bizus-kokovs.cc.

Another C&C contacted by the same bot resides at httpdoc.info. Searching ThreatExpert for this domain returns reports on several threats.

All of the reported threats that contact the C&C at httpdoc.info share common characteristics: they all try different memory-injection techniques, such as injecting into the system processes lsass.exe, svchost.exe or winlogon.exe (by installing itself as a Winlogon notification package), or into iexplore.exe (by installing itself as a BHO). All of them belong to the Pinch family of trojans.
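As an added illustration (not code from the ThreatExpert report or this blog), the Python script below audits the two persistence points named above, the Browser Helper Objects key and the Winlogon Notify key, from a .reg export so that the check can be run offline against a copy of a suspect machine's registry. The export text, the CLSID, the DLL names and paths, and the small known-good baseline are all constructed for the example; the registry key paths themselves are the standard Windows locations.

```python
"""Audit two Windows persistence points: Internet Explorer Browser Helper Objects
and Winlogon notification packages, read from a 'Windows Registry Editor' export.

Constructed example: the export text, CLSID, file names and the KNOWN_GOOD baseline
below are made up to exercise the checks; only the key paths are the real ones.
"""
import ntpath
from typing import Dict, List, Tuple

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

# Constructed baseline of notify-package DLLs expected on a clean Windows XP host.
# Build the real list from a known-clean machine before relying on it.
KNOWN_GOOD = {"crypt32.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for .reg exports: key path -> {value name: data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files double every backslash inside quoted string data
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def _in_user_writable(path: str) -> bool:
    """Heuristic: a module loaded from a profile or temp directory deserves a look."""
    p = path.lower()
    return any(tok in p for tok in ("\\temp\\", "\\local settings\\",
                                    "\\documents and settings\\", "\\users\\"))


def find_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, bool]]:
    """Return (mechanism, entry name, module path, flagged) for each BHO and notify package."""
    findings = []
    for path, values in keys.items():
        parent, _, name = path.rpartition("\\")
        if parent == BHO_KEY:
            # A BHO key is only a CLSID; the DLL is under that CLSID's InProcServer32 key.
            server = keys.get(f"{CLSID_KEY}\\{name}\\InProcServer32", {})
            module = server.get("(Default)", "<unresolved CLSID>")
            flagged = module.startswith("<") or _in_user_writable(module)
            findings.append(("BHO", name, module, flagged))
        elif parent == NOTIFY_KEY:
            module = values.get("DLLName", "<no DLLName>")
            flagged = ntpath.basename(module).lower() not in KNOWN_GOOD
            findings.append(("WinlogonNotify", name, module, flagged))
    return findings


# Constructed export: one BHO loading from the user's Temp folder, one stock notify
# package (crypt32chain) and one unknown notify package in system32.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A1B2C3D-0000-4000-8000-00000000BEEF}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{0A1B2C3D-0000-4000-8000-00000000BEEF}\InProcServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\iehlp.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
"Logon"="ChainWlxLogonEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sysupd]
"DLLName"="C:\\WINDOWS\\system32\\sysupd32.dll"
"Logon"="WinLogon"
"""

if __name__ == "__main__":
    for mechanism, name, module, flagged in find_persistence(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{'FLAG' if flagged else 'ok  '} {mechanism:15} {name:40} {module}")
```

On a live machine the same keys can be exported with `reg export` and fed to `parse_reg_export`; the notify-package baseline is the part that needs to come from a clean reference host rather than from this example.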

Another clue to the origin of this attack's C&C can be found by searching for IPs from the same range as the reported 207.10.234.244. That search returns reports on threats that belong to a different family.

One striking similarity, however, is that they all rely on a bogus HTTPS protocol to communicate with the C&C located at 207.10.234.217.

The problem with this bogus HTTPS protocol (through which the bot is remotely controlled and, in this case, instructed to launch the DoS attack) is that it relies on the "universal firewall port", TCP 443.

Almost all firewalls allow outbound access to TCP port 443 to any destination, carrying any content, since they cannot inspect traffic that flows over an encrypted SSL channel. A bot that merely uses port 443 gets the same free pass whether or not its traffic is actually SSL.

Thus, what was originally invented to protect sensitive information from prying eyes is now used by hackers to coordinate their own activity.
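To make the port-443 point concrete, here is an added example (not code from this post) of the check a network sensor or proxy can apply: classify the first client bytes of each TCP/443 connection and flag those that do not open with a genuine SSL/TLS ClientHello, which is what "bogus HTTPS" looks like on the wire. The flows, addresses and payloads are constructed; the post does not describe the bot's actual wire format, so the check is generic rather than a signature for this family.

```python
"""Flag 'bogus HTTPS': TCP/443 flows whose first client bytes are not an SSL/TLS handshake.

Constructed example. The only fact taken from the post is that the bot talks to its
C&C over port 443 without real SSL; the flow records and payloads below are made up.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

HTTPS_PORT = 443
MAX_TLS_RECORD = 16384  # largest plaintext record the TLS record layer permits


@dataclass
class Flow:
    src: str        # client address (constructed)
    dst: str        # server address (constructed)
    dport: int      # destination TCP port
    payload: bytes  # first client-to-server bytes of the connection


def looks_like_ssl_client_hello(payload: bytes) -> bool:
    """Return True if the bytes open with a TLS ClientHello or an SSLv2-style ClientHello."""
    if len(payload) < 9:
        return False
    # TLS record header: type(1) version(2) length(2); then handshake type(1) length(3).
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type == 0x16 and major == 0x03 and minor <= 0x04:
        if not 1 <= rec_len <= MAX_TLS_RECORD:
            return False
        hs_type = payload[5]
        hs_len = int.from_bytes(payload[6:9], "big")
        # A ClientHello that fits in one record carries exactly rec_len - 4 handshake bytes.
        return hs_type == 0x01 and hs_len == rec_len - 4
    # SSLv2-compatible ClientHello (still common in 2008): 2-byte length with the high
    # bit set, followed by message type 0x01.
    return bool(payload[0] & 0x80) and payload[2] == 0x01


def find_bogus_https(flows: Iterable[Flow]) -> List[Tuple[Flow, str]]:
    """Return (flow, reason) for every port-443 flow that does not start with a handshake."""
    alerts = []
    for f in flows:
        if f.dport != HTTPS_PORT:
            continue  # only the 'universal firewall port' is in scope here
        if looks_like_ssl_client_hello(f.payload):
            continue
        if f.payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
            reason = "cleartext HTTP on 443"
        else:
            reason = "non-SSL binary protocol on 443"
        alerts.append((f, reason))
    return alerts


# Constructed sample flows (not real captures). Addresses use documentation ranges.
REAL_TLS_HELLO = (b"\x16\x03\x01\x00\xa5"                    # record: handshake, TLS 1.0, 165 bytes
                  b"\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32)  # ClientHello, 161 bytes, then random
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, REAL_TLS_HELLO),
    Flow("10.0.0.7", "203.0.113.20", 443, b"GET /cmd?id=bot42 HTTP/1.1\r\nHost: c2.example\r\n"),
    Flow("10.0.0.9", "203.0.113.30", 443, b"\x00\x17\x01\x02BOT\x00\x00\x00\x01"),
    Flow("10.0.0.9", "203.0.113.30", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for flow, reason in find_bogus_https(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}  first bytes={flow.payload[:8]!r}")
```

The check only needs the first few bytes of each connection, so it fits in a flow collector that keeps a small payload prefix; it does not decrypt anything, it simply refuses to extend the "encrypted, therefore unscannable" assumption to traffic that never performed a handshake.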

The situation with bogus HTTPS is rather reminiscent of Jeff Goldblum's infamous line in Independence Day, "They're using our own satellites against us!":