LizardSquad Exposed: DDoS of PSN and XBox From Google Cloud Using Kaiten

This content was originally posted on Pastebin here; it has reportedly been deleted once or twice, so I am reposting it here just in case it is deleted again. I am not the original author. (full plain text here 

After joining LizardSquad's IRC network (hosted by OVH) I noticed a flaw.
Even though there were 290 users in their channel, there were 4200 users on the network.
This prompted me to do a /who * (which would show users without usermode +i enabled).

I was promptly flooded off their IRC network with lines of text such as this.

[04:26:35] •›› Who: [*] HZWJJF H KSUUZF
[04:26:35] •›› Who: [*] JWJMVO H UMKQTRQ
[04:26:35] •›› Who: [*] VQJAUBTT H ZKYJ
[04:26:35] •›› Who: [*] SSTHW H LYIBCZ
[04:26:35] •›› Who: [*] LXIZQPLJ H QCPCE

With this being said, and given my extensive research into botnet culture, I am able to identify several characteristics that lead me to believe said machines are infected with a Linux bot known as Kaiten (detectable as Trojan.Tsunami.B in ClamAV).

1) A Kaiten characteristic is that Kaiten generates the USER, IDENT and NICK with makestring.
2) Kaiten by default sends a MODE -xi (in IRC this would remove hostmasking, allowing you to view the REAL IP of the bots inside of the botnet; usermode -i disables the invisible flag, allowing a /who * to show you).

This is an extreme exposure for LizardSquad as we now know this information has address

This in the botnet world is known as a C&C (command and control) server.

OrgAbuseHandle: ABUSE3956-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-855-684-5463

for all of those wanting to have this C&C shut down.

As far as the Google IPs go, due to the volume of infected machines and it being isolated to only Google, I do not believe it is a widespread exploit. I believe this to have been caused in 1 of 3 ways.
1) There was a HackForums post discussing the abuse of Google Cloud's $500 free credit, allowing them to script something that would set up hundreds of VPSes.
2) Credit card fraud on Google Cloud services.
3) An exploit in the Google Cloud services panel, allowing them to execute commands, thus uploading and executing their Kaitens. (highly unlikely, but plausible)

Listed below is a list of Google IPs that have been infected with Kaiten and that LizardSquad is using for Denial of Service attacks.


Ken Westin