427 Botnet fm qxd


427_Botnet_12.qxd 1/9/07 3:08 PM Page 437



Botnets - The killer web applications



WARNING
If you decide to actively pursue a botnet, be aware that you might get
hit with a tremendous DDoS attack. 
The Saga of Blue Security
Blue Security, an anti-spam vendor, developed a unique response to spam. The
company offered a subscription service for a Do Not Intrude Registry service.
Users would subscribe to the service. Then, when a user received spam,
the Blue Frog agent would search the spam Web site to find the opt out form
and submit one opt out form (Figure 12.1) for every e-mail received. All of
these actions are legal and above board, despite a disinformation campaign to
characterize the Blue Frog response as spam.
Figure 12.1 Blue Frog Opt Out Example
The campaign appeared to be designed to disarm those who would come
to Blue Security’s defense. In April 2006, five major spam groups agreed to
stop spamming Blue Frog’s customers. The Blue Frog approach must have
been working, for it evoked a deadly response from the spammers.
According to a post on castle.com by tembow, a member of the Blue
Security profile, the following was the spammers’ attack plan.
www.syngress.com
Chapter 12 • Responding to Botnets


1. Gain access to over 70% of the Do Not Intrude Register (DNIR).
2. Mount a massive 20-fold spam attack increase on Blue Security
members.
3. Shut down the Blue Security primary site with a massive DDoS.
4. Shut down all the other Blue Security sites the same way.
5. Subvert the Blue Frog application itself and make it launch spam and
DDoS attacks.
Several sources speculate that the spammers were able to determine the
contents of the Blue Security DNIR database by using the filtering software
provided by Blue Security to produce a list of the e-mail addresses that were
permitted by the filter. They then compared it with the pre-filtered list. Anyone
not on both lists had to be a Blue Security customer. The spammers then carried
out step 2 by sending the spam e-mail you find in the sidebar “E-Mail Sent
to Blue Security Customers.” The following transcript contains conversations
of the spammers discussing the database and how they would use it.
The transcript is archived at
http://slashdot.org/comments.pl?sid=184656&threshold=1&commentsort=0&mode=thread&cid=15249882.
The quote is reported to come from the postings of the alleged planners of the
Blue Frog attacks on www.specialham.com.
(crazy)
“You BlueFrog faggots, you think this is the only community
that has your whole database? You honestly think a community
of people you are trying to take down are going to
REMOVE you from their lists? Look, killthem is not an anti, I
know him personally, so let that whole bullsh*t idea go to
rest. Second, by running that database as froms or mailing
them on a dedicated box will not result in any “fed” coming
to your door, more so you’ll just be p****ng off another
bullshit internet-lamer who can’t understand how to filter a
simple spam message, so they join some bullshit community
called “BlueFrog” and think they can run this sh*t. BF, newsflash:
do you realize how many resources this community as
a whole controls? Do you honestly think you stand a chance?
Your domain is down, it’s a matter of time before more nets
are mounted to bring down your members area and it’ll be
