Subject: iDEFENSE iALERT: Cyber Activists Plan May Day Action (A Review of the Performance)

From rdom@thing.net
Date Wed, 10 May 2000 08:47:37 -0400


[: hacktivism :]

From: Jerry Irvine <JIrvine@iDefense.com>
Subject: iDEFENSE iALERT: Cyber Activists Plan May Day Action

World Bank, IMF, WTO Targeted in Monday May Day Action

New Tool Set to Debut

iDEFENSE Intelligence Services
Friday, April 28 2000
3:15 pm (EST)

On May 1 at 1:00 a.m. (GMT), MARSeyes and the cyber activist group
Federation of Random Action (FRA) will launch a cyber action targeting
the Web sites of the World Bank, International Monetary Fund (IMF) and
World Trade Organization (WTO). The attack, planned in support of May
Day protests around the world, is scheduled to run until 12:00 p.m.
(GMT) on May 5.

Participants in the action will use a new Java cyber activist tool
similar in functionality to FloodNet. The new tool is currently being
distributed in English, Spanish and French and will run locally on a
participant's machine. The cyber action does not require central Web
sites to host the tool, consequently hindering attempts by victims to
defend themselves.

iDEFENSE has obtained a copy of the tool and initial analysis shows
that the tool targets Web pages on the World Bank, IMF and WTO sites
that are likely to maximize CPU use, such as search engine pages. This
approach will considerably enhance the effectiveness of the attack
because of its increased ability to drain server resources.

The tool also offers a new interface in addition to the automated mode
which existed in previous versions. This new interface allows each user
to draw on an "electronic whiteboard." As the cursor is moved, the tool
generates Web page requests. When the cursor stops moving, the Web page
requests against the targeted machines stop. Initial examination
indicates that the volume of requests generated by this mode can be
greater than the number of requests generated by the automated mode.
However, the draw mode requires constant and active participation by
the activist.

In another new twist, the creators have hidden the targeted URLs within
the Java code. While this change makes it difficult for someone to
tamper with the tool and change the targets, it also makes it somewhat
more difficult for "script kiddies" and others to discern exactly which
sites are being attacked and how. This may trouble some participants
since they cannot be certain which sites they are actually attacking as
part of their voluntary participation.

The MARSeyes call to action is being distributed by the FRA, Ricardo
Dominguez (one of the founders of the Electronic Civil Disobedience
[ECD] group and the original creator of the FloodNet tool) and others
through a number of different discussion groups and listservs
frequented by cyber activists and other protesters.

- ------------+------------------------+---------

iALERT delivers daily monitoring and analysis of cyberthreats,
vulnerabilities, and incidents to iDEFENSE's clients.

This e-mail is delivered to journalists covering the information
security field.

For more information or comment please contact Jerry Irvine at
703.898.8283 <mailto:jirvine@idefense.com>

- ------------+------------------------+---------

iDEFENSE - The Power of Intelligence

Visit the iDEFENSE Web site for additional information:
<http://www.idefense.com>

Copyright 2000 Infrastructure Defense Inc. (iDEFENSE)

- ------------+------------------------+---------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: Jerry Irvine <JIrvine@iDefense.com>
Date: Tue, 2 May 2000 14:03:56 -0400
Subject: iDEFENSE iALERT: May Day DoS Action (Update)

May Day DoS Action Update: Additional Targets and DoS Tool Features Identified

Cyber Action to Continue Through Friday (May 5)

iDEFENSE Intelligence Service
May 2, 2000
2:00 pm (EST)

iDEFENSE has learned that the May Day action (iAlert, May 1) by
MARSeyes and the Federation of Random Action (FRA), which began on
May 1 and is scheduled to run through May 5, is targeting the following
Web sites:

* Multilateral Investment Guarantee Agency (MIGA)
* The International Finance Corporation (IFC)
* The Japanese World Bank office
* The Spanish World Bank Group sites
* International Monetary Fund (IMF)
* The World Bank
* World Trade Organization (WTO)

iDEFENSE analysis of the Denial of Service tool in use indicates that
the IMF site is receiving the greatest attention with over 177 URLs
targeted. Over 67 URLs at the World Bank are targeted and a few at the
WTO. The other sites, which are associated with the World Bank, appear
to be targeted to a much lesser degree.

In order to increase the effectiveness of the attack by maximizing CPU
use, a number of targeted URLs point to search engines, through which
the tool is designed to run queries. Further iDEFENSE analysis of the
tool has also revealed a "server log rant" feature. This feature is
designed to place predetermined messages in server error logs. The
MayDayProtest tool contains over 45 of these messages, including, "this
is not a terrorist attack just a democratic virtual sit in," "Does
etoys care about their stock price?," "Please crush us too!" and "We do
not believe your utopia." Among the groups mentioned are Electronic
Disturbance Theater (EDT), RTMark, Federation of Random Action (FRA)
and MARSeyes.

While the MayDayProtest tool, through its draw mode, does have the
potential to generate more traffic than FloodNet and others in this
class, it is not a dramatic increase. What is significant, however, is
that this is a very well-written Java application integrating several
new capabilities with features previously seen in FloodNet and its
variants. With the growing level of expertise dedicated to the
advancement of this class of tools, their effectiveness and
sophistication can be expected to rapidly advance. Since late 1999, new
and enhanced versions of these tools have surfaced every couple of
months.

iDEFENSE first reported on the May Day cyber action on Friday,
April 28. For a copy of that iALERT or additional information, feel
free to contact iDEFENSE (703.898.8283).






[: hacktivism :]
[: for unsubscribe instructions or list info consult the list FAQ :]
[: http://hacktivism.tao.ca/ :]
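
Added example (not part of the iDEFENSE alerts or of the original post): one way a site operator could look in access logs for the two behaviours the alerts describe, bursts of requests to search pages and message text left behind by failed requests. It assumes Common Log Format logs and that the "server log rant" messages arrive as the path of requests that fail with 404, which the alerts do not state; the sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (documentation IPs, not real traffic).
SAMPLE_LOG = "\n".join(
    [f'192.0.2.10 - - [01/May/2000:01:00:0{s} +0000] "GET /search?q=x{s} HTTP/1.0" 200 5120'
     for s in range(6)]
    + ['192.0.2.10 - - [01/May/2000:01:00:07 +0000] '
       '"GET /this%20is%20not%20a%20terrorist%20attack HTTP/1.0" 404 210',
       '198.51.100.7 - - [01/May/2000:01:02:00 +0000] "GET /search?q=loans HTTP/1.0" 200 4800',
       '198.51.100.7 - - [01/May/2000:01:05:00 +0000] "GET /images/logo_old.gif HTTP/1.0" 404 210'])

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
SEARCH_HINT = re.compile(r"search|query|find", re.I)  # assumed markers of CPU-heavy pages

def parse(text):
    """Yield (client, timestamp, decoded URL, status) for each well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ip, ts, _method, url, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), unquote(url), int(status)

def looks_like_rant(path):
    """True when the last path segment reads like a sentence (4+ plain words)."""
    last = path.split("?")[0].rsplit("/", 1)[-1]
    return len([t for t in re.split(r"[ _+]+", last) if t.isalpha()]) >= 4

def analyze(text, window=timedelta(seconds=10), burst=5):
    """Return (clients bursting on search pages, {client: sentence-like 404 paths})."""
    search_hits, rants = defaultdict(list), defaultdict(list)
    for ip, when, url, status in parse(text):
        if SEARCH_HINT.search(url.split("?")[0]):
            search_hits[ip].append(when)
        if status == 404 and looks_like_rant(url):
            rants[ip].append(url)
    flooders = set()
    for ip, times in search_hits.items():
        times.sort()
        # Sliding window: `burst` search requests inside `window` from one client.
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                flooders.add(ip)
                break
    return flooders, dict(rants)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The window and burst values are placeholders; tune them against a site's normal search traffic before alerting on them.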