LiveJournal under attack

I don’t have a LiveJournal account, but sometimes I’ll have a quick read of the blogs during breaks. On 4 April, however, an official announcement by LiveJournal Russia stated that the service had been subjected to a DDoS and was unavailable.

This massive DDoS attack is the second to target LiveJournal over the last few days. Russia’s online mass media is currently awash with rumors and speculation about the reasons and aims of the attacks.

We don’t know exactly how many botnets took part in the latest attack but we definitely know of one botnet that was involved. It is based on the Optima/Darkness DDoS bot that is currently popular on the Russian-speaking cybercrime black market. Not only are the Trojan programs (bots) themselves on sale, but also infected computer networks that are built with the help of such programs and services offering to carry out DDoS attacks on any given Internet resource.

We have been monitoring one of these Optima botnets for some time now.

Analysis of the data acquired showed that the first DDoS attack on LiveJournal occurred on 24 March. The botnet’s owners gave the command to launch an attack on the blog address of the renowned anti-corruption figure Alexey Navalny: http://navalny.livejournal.com. On 26 March, the bots received commands to attack another resource belonging to Navalny: http://rospil.info, and on 1 April, http://www.rutoplivo.ru, another site with a political slant, was targeted.

Below is a list of links that was sent out to the bots with a command to carry out DDoS attacks on them from 24 March to 1 April:

Significantly, LiveJournal made the first announcement about a DDoS attack on 30 March. On the same day, Kaspersky Lab registered that the Optima botnet was only attacking navalny.livejournal.com. But on 4 April, the bots received an impressive list that included links to the blogs of many popular users of the LiveJournal service:

http://www.livejournal.com
http://www.livejournal.ru
http://sergeydolya.livejournal.com
http://shpilenok.livejournal.com
http://tema.livejournal.com
http://radulova.livejournal.com
http://marta_ketro.livejournal.com
http://pesen_net.livejournal.com
http://doctor_livsy.livejournal.com
http://pushnoy_ru.livejournal.com
http://navalny.livejournal.com
http://dolboeb.livejournal.com
http://olegtinkov.livejournal.com
http://mi3ch.livejournal.com
http://belonika.livejournal.com
http://mzadornov.livejournal.com
http://tebe_interesno.livejournal.com
http://tanyant.livejournal.com
http://eprst2000.livejournal.com
http://drugoi.livejournal.com
http://stillavinsergei.livejournal.com
http://kitya.livejournal.com
http://vero4ka.livejournal.com
http://zhgun.livejournal.com
http://zyalt.livejournal.com
http://fritzmorgen.livejournal.com
http://miss-tramell.livejournal.com
http://sadalskij.livejournal.com
http://becky-sharpe.livejournal.com
http://roizman.livejournal.com
http://alex-aka-jj.livejournal.com
http://alphamakaka.livejournal.com
http://borisakunin.livejournal.com
http://kungurov.livejournal.com
http://plucer.livejournal.com
http://twower.livejournal.com

It should be obvious to specialists in the Russian-speaking blogosphere that the list affects some of the most popular bloggers on LiveJournal who write about a wide variety of things. It is not known if this was an attempt to “blur“ the real target of the attacks, which may have been clearly designated during the first DDoS attacks, or if the list of blogs that had fallen out of favor had become bigger.

One site – kredo-m.ru – stands out from the rest on the list. It belongs to a company that makes furniture and wooden products. We can only suggest that the botnet owners are selling their DDoS attack services to anyone and this particular attack could have been ordered by business competitors. This sort of B2B attack is not uncommon.

And what about the guilty party here – the Optima bot? Well, it first appeared at the end of 2010 on the Russian-speaking cybercrime black market and quickly achieved popularity. Apart from DDoS attacks, the bot’s functionality includes downloading other executable files and stealing passwords for a number of popular programs (FTP clients, IM, email clients, browsers, etc.).

As for the botnet’s size, we don’t have any definitive information, but there are indirect pieces of information that can help us estimate how big it is. During the DDoS attacks described above, Optima bots also received commands to download new versions of Trojan-Downloader.Win32.CodecPack (you’ll soon be able to read more about this interesting Trojan in an upcoming analytical research article). The fact that CodecPack is distributed via this botnet suggests that this particular Optima botnet is probably big, because the CodecPack owners will only “collaborate” with the biggest botnets on the market. For participation in their program, the CodecPack owners require botnets maintaining at least tens of thousands infected machines before they will do business with any potential bot herder.

We are quite surprised that LiveJournal officials haven’t yet asked the authorities for help. “We haven’t approached the Russian law enforcement authorities with a request to start legal proceedings but we don’t exclude a lawsuit option,” said Svetlana Ivannikova, head of LiveJournal Russia. Moreover, there are claims in the online mass media that such a case has no chance of succeeding. From our point of view, there is direct evidence of a crime according to Article 273 of the Criminal Code of the Russian Federation “Creation, Use, and Dissemination of Harmful Computer Viruses”. After all, Russia’s law enforcement agencies and courts already have experience of enforcing this law.