Tales From the Darkside: Firefox OS Phone Manufacturer DDoS'ed

Blog Post created by RSA Admin Employee on Feb 25, 2013

RSA Firstwatch shines a spotlight in the darker corners of the Internet to better understand Internet Fraud and Criminal trends online.  When possible, RSA Firstwatch members will use this space to share information about some of our findings.

All I can say is "that was fast."  Less than 24 hours after the announcement that the new Firefox OS-enabled smartphone would be produced for Japan by manufacturer KDDI, we detected botnets launching ICMP-based distributed denial of service attacks against the KDDI networks.

From JapanDailyPress here:

February 25, 2013
Mozilla and KDDI Corporation (KDDI) announced plans of launching Firefox OS smartphones in the Japanese market soon. This news comes after their big announcement at the Mobile World Congress in Barcelona that they will be launching the highly-anticipated Firefox OS in mid-2013.

Firefox OS is the new mobile platform being developed by Mozilla which will challenge Google’s Android and Apple’s iOS in the mobile market. It utilizes open web technologies like HTML5 and has no proprietary restrictions, in keeping with Mozilla’s goal for open development of the online world. The launch of this new OS will make application development even more competitive and faster, as well as bring even more innovation to the industry, with an eye out for fair competition.

So much for fair competition.  Someone is clearly unhappy with the announcement now that thousands of bots are downloading malware that participates in this attack on KDDI.

Here is how we detected it:

We have a huge malware sandbox that is constantly ingesting new samples of malcode, viruses, and malware, and we simply watch the behavior of the network these sandboxes are connected to using NetWitness Security Analytics.  While DDoS attacks tend to stand out when looking at a timeline, this particular DDoS uses simple ICMP packets directed at random IPs on KDDI's network.

Almost 4000 ICMP packets were shot at KDDI's netblock in under two minutes from just two infected sample hosts.  If this malware is pervasive in the wild, and it seems it is, this sample attack could represent only the tiniest sliver of the attack against KDDI.  And while most ICMP-based attacks can be repelled with rate-limiting tactics, an unprepared organization could still suffer outages and downtime if the attack is not detected or dealt with in a timely manner.
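The traffic pattern described above (a burst of ICMP packets from one host spread across random addresses in a single netblock) is easy to flag from flow records. The following detector is an added example, not RSA's or NetWitness's code; the flow records, the source addresses and the 203.0.113.0/24 target range are all constructed stand-ins, and the window, packet and distinct-target thresholds are assumptions to be tuned for a real network.

```python
import ipaddress
import random
from collections import defaultdict

# Constructed flow records, not data from the post: (seconds, src IP, dst IP, proto).
# 203.0.113.0/24 (a documentation range) stands in for the targeted netblock.
TARGET_NET = "203.0.113.0/24"


def make_sample_flows(seed=1):
    """Two infected sandbox hosts each fire 2000 ICMP packets at random hosts in
    TARGET_NET over 100 s; one benign host pings a single address three times."""
    rng = random.Random(seed)
    flows = []
    for bot in ("10.0.0.5", "10.0.0.6"):
        for i in range(2000):
            dst = f"203.0.113.{rng.randrange(1, 255)}"
            flows.append((i * 0.05, bot, dst, "icmp"))
    for i in range(3):
        flows.append((i * 1.0, "10.0.0.9", "203.0.113.1", "icmp"))
    # TCP traffic into the netblock is not part of this signature and is ignored.
    flows.append((5.0, "10.0.0.9", "203.0.113.80", "tcp"))
    return flows


def detect_icmp_flood(flows, target_net, window_s=120, threshold=500, min_dsts=50):
    """Return {src: (peak_icmp_in_window, unique_dsts)} for sources whose ICMP
    packets into target_net reach threshold within any window_s span and are
    spread over at least min_dsts distinct addresses (random-target behaviour)."""
    net = ipaddress.ip_network(target_net)
    per_src = defaultdict(list)
    for ts, src, dst, proto in flows:
        if proto == "icmp" and ipaddress.ip_address(dst) in net:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, pkts in per_src.items():
        times = sorted(t for t, _ in pkts)
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over packet timestamps
            while t - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        unique = len({d for _, d in pkts})
        if peak >= threshold and unique >= min_dsts:
            alerts[src] = (peak, unique)
    return alerts


if __name__ == "__main__":
    for src, (peak, uniq) in detect_icmp_flood(make_sample_flows(), TARGET_NET).items():
        print(f"{src}: {peak} ICMP packets in window, {uniq} distinct targets")
```

The distinct-destination check is what separates this flood from a legitimate monitoring host that pings the same few addresses at a high rate.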

This also shows how cut-throat the internet can be for emergent technology, and why marketing decisions need to be made in conjunction with the CISO of the organization to ensure that the enterprise is prepared: not only for the new business visitors to the corporate website, but also to defend itself from miscreants seeking to create mischief or claim a new cyber-scalp.