Malware Evolution: April - June 2007
by Alexander Gostev - Senior Virus Analyst at Kaspersky Lab - Wednesday, 15 August 2007.
The first attack lasted roughly until May 4. During this DDoS attack, over ten Estonian sites took a lashing. However, everyone knew full well that the worst was yet to come: May 9, Russia's Victory Day, was still ahead. Arbor, a company that specializes in protection against DoS attacks, later published its own statistics from observing the events in Estonia. Interestingly enough, its reports show that the attacks began on May 3, 2007. It is possible that this was the day on which Estonian officials approached Arbor for assistance, since Arbor has no data on the first wave of the attack (April 27 through May 3). The stats are shown here:

As we can clearly see, the second wave of attacks began on May 8 and peaked on May 9. Let us clarify what "attack" means in this context. Arbor reported that over the course of two weeks it recorded 128 individual DDoS attacks, of which 115 used a typical ICMP flood, 4 used a TCP SYN flood, and the remaining 9 were other variants of volumetric (bandwidth-exhaustion) attacks.

Of course, these are only a subset of all the attacks that took place, but they still give a general idea of the enormous scale of the campaign. Furthermore, the overwhelming majority of the attacks were short-lived, lasting one hour or less; only 7 attacks lasting over 10 hours were recorded. The attack against Estonia happened on several levels at once. Besides the DoS attacks targeting key government sites, there were mass defacements of dozens of other Estonian websites. Most of these targeted sites running various scripting engines with a range of known weaknesses, from cross-site scripting (XSS, then often still called CSS) to SQL injection.
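The Arbor figures above split the recorded attacks by protocol (ICMP flood, SYN flood, other volumetric) and by duration (one hour or less versus more than ten hours). The following Python script, added here as an illustration and not taken from Arbor or from the original report, shows how such a breakdown is produced from per-minute flow summaries: over-threshold windows for a target are grouped into attacks, each attack is labelled by the protocol that carried most of its packets, and durations are bucketed. The flow records, the 50,000 packets-per-window threshold and the five-minute quiet gap that separates two attacks on the same target are all constructed assumptions for the demonstration.

```python
from collections import defaultdict

# Threshold above which a one-minute window of traffic to one target is
# treated as part of a flood (hypothetical value chosen for the sample data).
FLOOD_PPS_THRESHOLD = 50_000

# Constructed one-minute flow summaries (not Arbor's data). Each tuple is
# (minute, dst_ip, proto, tcp_flags, packets); minutes are offsets from the
# start of the capture.
SAMPLE_FLOWS = [
    # three minutes of ICMP echo flood against .10
    (0, "198.51.100.10", "icmp", "", 120_000),
    (1, "198.51.100.10", "icmp", "", 140_000),
    (2, "198.51.100.10", "icmp", "", 130_000),
    # ordinary background traffic, well below the threshold
    (3, "198.51.100.10", "tcp", "A", 800),
    # SYN flood against .20 lasting 11 hours (minutes 10 .. 669)
    *[(m, "198.51.100.20", "tcp", "S", 90_000) for m in range(10, 670)],
    # two minutes of UDP flood against .30
    (5, "198.51.100.30", "udp", "", 200_000),
    (6, "198.51.100.30", "udp", "", 210_000),
    # a second, separate ICMP flood against .10 after a long gap
    (40, "198.51.100.10", "icmp", "", 110_000),
]


def _classify(windows):
    """Label an attack by the protocol carrying most of its packets,
    mirroring the ICMP / SYN / other split quoted from Arbor."""
    by_proto = defaultdict(int)
    for _, proto, flags, packets in windows:
        key = "syn" if proto == "tcp" and flags == "S" else proto
        by_proto[key] += packets
    dominant = max(by_proto, key=by_proto.get)
    return {"icmp": "icmp-flood", "syn": "syn-flood"}.get(dominant, "other-volumetric")


def _summarize(dst, windows):
    start, end = windows[0][0], windows[-1][0]
    return {
        "target": dst,
        "start": start,
        "end": end,
        "duration_minutes": end - start + 1,
        "type": _classify(windows),
    }


def detect_attacks(flows, threshold=FLOOD_PPS_THRESHOLD, gap_minutes=5):
    """Group over-threshold windows per target into distinct attacks.

    Windows for the same target separated by more than `gap_minutes` of
    quiet are counted as separate attacks. Returns a list of summaries
    sorted by start minute.
    """
    per_target = defaultdict(list)
    for minute, dst, proto, flags, packets in flows:
        if packets >= threshold:
            per_target[dst].append((minute, proto, flags, packets))

    attacks = []
    for dst, windows in per_target.items():
        windows.sort()  # minutes are unique per target, so this orders by time
        current = [windows[0]]
        for w in windows[1:]:
            if w[0] - current[-1][0] > gap_minutes:
                attacks.append(_summarize(dst, current))
                current = [w]
            else:
                current.append(w)
        attacks.append(_summarize(dst, current))
    return sorted(attacks, key=lambda a: a["start"])


def duration_buckets(attacks):
    """Count attacks of at most one hour and of more than ten hours."""
    return {
        "<=1h": sum(1 for a in attacks if a["duration_minutes"] <= 60),
        ">10h": sum(1 for a in attacks if a["duration_minutes"] > 600),
    }


if __name__ == "__main__":
    found = detect_attacks(SAMPLE_FLOWS)
    for attack in found:
        print(attack)
    print(duration_buckets(found))
```

On the sample data the script reports four attacks: two short ICMP floods against .10, a two-minute UDP flood against .30 classed as "other-volumetric", and an eleven-hour SYN flood against .20, giving three attacks of an hour or less and one of more than ten hours. The gap parameter is what makes the two ICMP bursts against .10 count as separate attacks, which matters when comparing attack counts across reports that may use different aggregation rules.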

These attacks were not particularly complex technically and could have taken place at any other time, but the events as a whole attracted hackers from around the world, many of whom used the situation as an arena for honing and applying their skills. One of the first websites to be broken into was that of the Reform Party, which is chaired by Estonia's Prime Minister, Andrus Ansip. The text on the website's homepage was replaced with an alleged apology addressed to the Russian-speaking population of Estonia. "The Prime Minister Asks For Forgiveness! The Prime Minister of Estonia and the Estonian government beg the forgiveness of the entire Russian population of Estonia and take responsibility for returning the Bronze Soldier statue to its rightful place," the hackers wrote.

Meanwhile, Russian websites were also subjected to attacks. "On May 3 this year the website of the President of Russia was hit by hacker attacks of unprecedented scale from servers that seem to be located in the Baltics," the RIA Novosti news agency was told by a source in the Kremlin. However, thanks to a multi-layered backup system and a modern security system, the president's website remained operational. The source at the Kremlin did admit that "there were certain problems." "Hacker attacks on government institutions in various countries are, unfortunately, a widespread practice," the source added.
