#Operation Ababil: The Never-ending Attack on US Banks

Ziv Gadot, SOC/ERT Group Leader, Radware


DESCRIPTION

At GovernmentWare 2013 (GovWare) in Singapore, Radware Emergency Response Team (ERT) leader Ziv Gadot gave this presentation on the long-running DDoS campaign Operation Ababil. It covers the history and origins of the campaign, the list of financial targets and the four distinct phases of the attacks. For more on Radware security and the ERT, visit http://security.radware.com


Page 1: #OperationAbabil: The Never Ending Attack on US Banks

#Operation Ababil: The Never-ending Attack on US Banks

Ziv Gadot, SOC/ERT Group Leader, Radware

Page 2

Origination & History
Case Study
Conclusions

Page 3

Origination & History

Page 4

“Innocence of Muslims” Movie Trailer

July 12th 2012: the “Innocence of Muslims” trailer is released on YouTube

Sep 11th 2012: worldwide protests against the movie, resulting in the deaths of 50 people

Page 5

Operation Ababil

Sep 18th 2012: Operation Ababil begins

The stated purpose of the cyber attack: to stop the movie

First targets:
• Bank of America
• NYSE

Group name: “Izz ad-Din al-Qassam Cyber Fighters”

Page 6

Attack Span (timeline, Q3 2012 to Q3 2013)

July 12th 2012: “Innocence of Muslims” trailer
Sep 11th 2012: physical protests
Sep 18th 2012: Operation Ababil begins (Phase I), 6 weeks
Dec 10th 2012: Phase II, 7 weeks
Mar 5th 2013: Phase III, 8 weeks
July 23rd 2013: Phase IV, 8 weeks

Page 7

Target List

“Major banks hit with biggest cyberattacks in history” – CNN
“Bank DDoS Attacks Resume: Wells Fargo Confirms Disruptions” – InformationWeek
“Phase3/W4 Operation Ababil” – pastebin.com
“Hacktivists Suspend DDoS Attacks” – bankinfosecurity.com

Page 8

Insult Formula – Phase IV

Phase 4 will take 8 weeks

“Based on the formula which is approved for paying, the united states must still pay because of the insult”

http://pastebin.com/22WJ6m9U

Page 9

Servers Enlisted to Launch the Attack

OpAbabil introduces ‘server-based botnets’

Advantages:
• Firepower
• Reliability
• Control

'itsoknoproblembro' is a general-purpose PHP script injected into the enlisted servers; it allows the attacker to upload and execute arbitrary Perl scripts on them

Page 10

Case Study

Page 11

Case Study Background

• A large US bank
• The attacks started in October 2012
• The bank had already invested in an anti-DDoS solution
  – Both of its ISPs provided this service
• While most network attacks (UDP, ICMP and SYN floods) were mitigated, the application attacks (HTTP, HTTPS) passed through
• Outages occurred on a daily basis
  – The IT department was frustrated and exhausted
• At this point our Emergency Response Team joined in, and we got visibility into the attack patterns

Page 12

Attack Vectors

• Network-level attacks
  – UDP
  – ICMP
  – SYN flood
• Application-level attacks
  – HTTP attacks
    • URL attacks
    • Search page
  – HTTPS
    • TLS/SSL negotiation attacks
    • Login page DoS
  – Bypassing mitigation challenges

Page 13

TLS/SSL Negotiation Attacks

Page 14

TLS/SSL Negotiation Attacks

Page 15

Login Page DoS

Page 16

Login Page DoS

• The login page is a critical resource
  – Usually the first HTTPS transaction
  – No user is identified yet
  – No load balancing yet
• The attacker clearly used malformed usernames
• Attempts to block these usernames with a signature caused the attackers to change the usernames
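A username signature was outdated as soon as it was deployed, so the durable check is behavioural. The detector below is an added example (not code from the Radware deck): it ignores what the usernames contain and scores each source address on login POSTs inside a 10-second window, username churn (distinct usernames divided by requests) and whether the source ever logs in. The log format, every line of the excerpt and the thresholds are constructed for this example; the thresholds are starting points, not tuned values.

```javascript
// Added example, not code from the Radware deck. Behavioural detector for the
// login-page flood described on slide 16: rate + username churn + no success,
// independent of the characters in the usernames. Log format and lines are
// constructed for the example.

const WINDOW_SEC = 10;
const MIN_BURST = 20;   // login POSTs from one source within one window
const MIN_CHURN = 0.9;  // distinct usernames / requests

// Constructed access-log excerpt:
// "<iso-time> <ip> <method> <path> user=<urlencoded-username> status=<code>"
const sampleLog = [];
// A normal user: one typo, then success.
sampleLog.push('2013-04-02T10:00:00Z 203.0.113.7 POST /login user=jsmith status=401');
sampleLog.push('2013-04-02T10:00:12Z 203.0.113.7 POST /login user=jsmith status=200');
// A user who forgot the password: same name every time, modest rate.
for (let i = 0; i < 6; i++) {
  const ss = String(i * 3).padStart(2, '0');
  sampleLog.push(`2013-04-02T10:01:${ss}Z 203.0.113.9 POST /login user=mlee status=401`);
}
// The flood: 40 POSTs in 8 s, a different malformed username on each one.
for (let i = 0; i < 40; i++) {
  const ss = String(Math.floor(i / 5)).padStart(2, '0');
  sampleLog.push(`2013-04-02T10:02:${ss}Z 198.51.100.21 POST /login user=%C3%A8${i.toString(36)}%00$$ status=401`);
}
// Unrelated traffic the detector must ignore.
sampleLog.push('2013-04-02T10:02:03Z 198.51.100.21 GET /images/logo.png user=- status=200');

const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) user=(\S+) status=(\d{3})$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]) / 1000, ip: m[2], method: m[3], path: m[4], user: m[5], status: Number(m[6]) };
}

// Per-source behaviour over the whole excerpt, login POSTs only.
function scoreSources(lines) {
  const bySrc = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== 'POST' || r.path !== '/login') continue;
    if (!bySrc.has(r.ip)) bySrc.set(r.ip, { times: [], users: new Set(), successes: 0 });
    const s = bySrc.get(r.ip);
    s.times.push(r.ts);
    s.users.add(r.user);
    if (r.status === 200) s.successes += 1;
  }
  const scores = new Map();
  for (const [ip, s] of bySrc) {
    s.times.sort((a, b) => a - b);
    // Largest number of login POSTs inside any WINDOW_SEC-wide window (two pointers).
    let burst = 0;
    for (let lo = 0, hi = 0; hi < s.times.length; hi++) {
      while (s.times[hi] - s.times[lo] > WINDOW_SEC) lo++;
      burst = Math.max(burst, hi - lo + 1);
    }
    scores.set(ip, { requests: s.times.length, burst, churn: s.users.size / s.times.length, successes: s.successes });
  }
  return scores;
}

// Sources that burst, never repeat a username and never succeed: the flood,
// not a customer mistyping a password, whatever characters the names contain.
function flaggedSources(lines) {
  const out = [];
  for (const [ip, sc] of scoreSources(lines)) {
    if (sc.burst >= MIN_BURST && sc.churn >= MIN_CHURN && sc.successes === 0) out.push(ip);
  }
  return out;
}

console.log(flaggedSources(sampleLog)); // [ '198.51.100.21' ]
```

The churn term is what keeps the password-forgetter (one name, six tries) and the flood (forty names, forty tries) apart even though both are all-401; a source that rotates through many addresses will need the same scoring applied per target account or per /24 as well.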

Page 17

Bypassing Mitigation Challenges

Page 18

Challenge Technology

• HTTP challenges
  – 302 redirect + cookie
  – JavaScript

Existing JavaScript:

<html>
<body>
<script>
document.cookie='eeeeeee=ff85bb7eeeeeeee_ff85bb7e; path=/';window.location.href=window.location.href;
</script></body></html>

Page 19

Attacker Passes JavaScript Challenge

Attack script: ‘OutFlare’ malware (fragment, as shown on the slide)

if(preg_match_all('/document.cookie[^\=]*\=([^\;]*);/i',$content,$setcookie)){
    foreach($setcookie[1] as $cookie){
        if(preg_match("/\'(.*)\'/",$cookie,$var_val)){
            if(!preg_match("/\'/",$var_val[1]) || preg_match("/\"/",$var_val[1])){
                $cookies[] = trim($var_val[1]);
            }
        }
        if(preg_match("/\"(.*)\"/",$cookie,$var_val)){
            if(!preg_match("/\'/",$var_val[1]) || preg_match("/\"/",$var_val[1])){
                $cookies[] = trim($var_val[1]);
            }
        }
    }
}

Feb 2013: ‘OutFlare’ malware passes the CloudFlare challenge mechanism

April 2013: attacker passes the DefensePro JavaScript challenge

Page 20

Short Term (Hot Fix)

Existing JavaScript:

<html>
<body>
<script>
document.cookie='eeeeeee=ff85bb7eeeeeeee_ff85bb7e; path=/';window.location.href=window.location.href;
</script></body></html>

Alternative JavaScript:

<html>
<body>
<script>
var n_d8ey="fffffff",eq_1="=";
var hi_2a="324fd333";
var hi_3="yyyyyyy";
var Qr789_a33="_",Z1_792="qqq";
var hZi_sd1="qqqq";
function JSRa23nd_1()
{
return hZi_sd1+Z1_792+eq_1+hi_2a+Z1_792+hZi_sd1+Qr789_a33+hi_2a;
}
//document.cookieee("yyyyyyy=3HH133d7yyyyyyy_3HH133d7")
var cRokie1_78=JSRa23nd_1();
document.cookie=cRokie1_78+'; path=/';window.location.href=window.location.href;
</script></body></html>

Page 21

Long Term

Existing JavaScript:

<html>
<body>
<script>
document.cookie='eeeeeee=ff85bb7eeeeeeee_ff85bb7e; path=/';window.location.href=window.location.href;
</script></body></html>

Polymorphic JavaScript:

<html>
<body>
<script>
var n_d8ey="fffffff",eq_1="=";
var hi_2a="324fd333";
var hi_3="yyyyyyy";
var Qr789_a33="_",Z1_792="qqq";
var hZi_sd1="qqqq";
function JSRa23nd_1()
{
return hZi_sd1+Z1_792+eq_1+hi_2a+Z1_792+hZi_sd1+Qr789_a33+hi_2a;
}
//document.cookieee("yyyyyyy=3HH133d7yyyyyyy_3HH133d7")
var cRokie1_78=JSRa23nd_1();
document.cookie=cRokie1_78+'; path=/';window.location.href=window.location.href;
</script></body></html>

Obfuscated JavaScript (p,a,c,k,e,d packer output, truncated on the slide):

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c){d[c.toString(a)]=k[c]||c.toString(a)}k=[fun

Combination: produce challenges that are virtually impossible to cheat
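Why the hot fix works is easiest to see by running both clients against both pages. The block below is an added example, not code from the Radware deck or from the attacker: it contrasts regex scraping in the style of the PHP fragment on slide 19 (ported to JavaScript, with its quote handling simplified to stripping one leading or trailing quote) against actually executing the challenge script the way a browser does, for the static challenge of slide 18 and the polymorphic one of slides 20 and 21. Both pages are constructed from the slide text; the polymorphic page assumes the intended concatenation `document.cookie=cRokie1_78+'; path=/'`, since the quoted form printed on the slide would set the cookie to the literal text `cRokie1_78`.

```javascript
// Added example, not code from the Radware deck or from the attacker.
// Regex scraper (slide 19 style) vs. script execution, against the static and
// polymorphic challenges of slides 18-21. Both pages are constructed here.

const STATIC_CHALLENGE = `<html><body><script>
document.cookie='eeeeeee=ff85bb7eeeeeeee_ff85bb7e; path=/';window.location.href=window.location.href;
</script></body></html>`;

const POLYMORPHIC_CHALLENGE = `<html><body><script>
var n_d8ey="fffffff",eq_1="=";
var hi_2a="324fd333";
var hi_3="yyyyyyy";
var Qr789_a33="_",Z1_792="qqq";
var hZi_sd1="qqqq";
function JSRa23nd_1(){return hZi_sd1+Z1_792+eq_1+hi_2a+Z1_792+hZi_sd1+Qr789_a33+hi_2a;}
//document.cookieee("yyyyyyy=3HH133d7yyyyyyy_3HH133d7")
var cRokie1_78=JSRa23nd_1();
document.cookie=cRokie1_78+'; path=/';window.location.href=window.location.href;
</script></body></html>`;

// Scraper: the first regex of the PHP fragment, document.cookie[^\=]*\=([^\;]*);,
// followed by stripping one leading/trailing quote. (The PHP insists on a
// matched pair of quotes; the relaxation is mine so the static page parses.)
// Returns every candidate name=value the regex finds, in page order.
function scrapeCookies(html) {
  const re = /document\.cookie[^=]*=([^;]*);/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push(m[1].trim().replace(/^['"]|['"]$/g, ''));
  }
  return found;
}

// "Browser": run the inline script against stand-in document/window objects
// and return the name=value the page set. new Function is not a sandbox; it
// is used only on the two constructed pages above.
function executeChallenge(html) {
  const body = html.slice(html.indexOf('<script>') + '<script>'.length, html.indexOf('</script>'));
  const doc = { cookie: '' };
  const win = { location: { href: 'https://bank.example/login' } };
  new Function('document', 'window', body)(doc, win);
  return doc.cookie.split(';')[0].trim();
}

// Did the scraper recover the cookie a real client would present?
function scraperPasses(html) {
  return scrapeCookies(html).includes(executeChallenge(html));
}

console.log(scraperPasses(STATIC_CHALLENGE));      // true
console.log(scraperPasses(POLYMORPHIC_CHALLENGE)); // false: the scraper gets the decoy
                                                   // from the comment and "cRokie1_78+"
```

On the static page the cookie is a literal in the source, so the regex recovers exactly what a browser would set. On the polymorphic page the first thing the regex finds is the `document.cookieee(...)` decoy inside a comment, and the second is the variable name rather than its value; only a client that executes the script obtains `qqqqqqq=324fd333qqqqqqq_324fd333`. That is the whole argument for polymorphic and obfuscated challenges: the attacker is forced from pattern matching into running a JavaScript engine, which is the cost the challenge is meant to impose.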

Page 22

Conclusions

Page 23

Attacks Become More Advanced and Persistent (APT)

Chart: sophistication score against time

Operation Payback 2010
• Duration: 3 days
• 4 attack vectors
• Sophistication level: Medium

Operation Vatican
• Duration: 20 days
• 7 attack vectors
• Sophistication level: Medium

OpIsrael 2012
• Duration: 6 days
• 5 attack vectors
• Sophistication level: Medium

Operation Ababil 2012-2013
• Duration: over a year
• At least 20 attack vectors
• Sophistication level: High (APT)

Page 24

Summary

• Operation Ababil is the single biggest DDoS attack in history
  – The attackers demonstrated their capabilities:
    • Duration
    • Finding blind spots in mitigation
    • Bypassing mitigation techniques during the campaign
• Most of the victims had already budgeted for an anti-DDoS solution
  – CPE-based solutions did not handle pipe saturation
  – Cloud-based solutions are not designed for long attacks
  – ISP-based solutions did not handle application attacks well
• How can such an attack be stopped?

Page 25

DoS & DDoS Mitigation History

• 2010: nobody cared about DoS & DDoS
• 2011: all you needed to do was buy a proper anti-DoS solution
• 2012: acquire the ability to fight back during the attack, and have a response team on your side
• 2013: build an anti-DoS architecture!

Page 26

Anti-DoS Architecture

• Protected organization: on-premise protection (application attacks)
  – 85% of the attacks can be mitigated at the organization's perimeter
  – Allows maximal visibility and control of the attack
• Scrubbing center (network/volumetric attacks)
  – Network (volumetric) attacks should be mitigated in the cloud to protect the pipe, but only when needed
• Scrubbing center (extremely sophisticated attacks)
  – Extremely sophisticated attacks should be mitigated in the cloud, using its agility, but only when needed
• Response team
  – Today's APT attacks require not only machines but also human experts on your side

Page 27

Q&A

Page 28

Thank You

www.radware.com

For more on Radware Security and our Emergency Response Team, visit: http://security.radware.com