By Anthony M. Freed, Director of Business Development at Infosec Island
Anti-jihadi hacker The Jester (th3j35t3r) continues his campaign against militant Islamic websites, and now reveals the development of an automated version of his DoS attack, which he calls the XerXeS project.
While most of the discussion about The Jester concerns the ethics and lawlessness of his crusade, no one has addressed the fact that he has developed an attack technique that could be employed against our own critical systems.
I asked The Jester to explain a little more about how he first developed the DoS attack, what implications the addition of autonomous AI features will have for his effectiveness, and his thoughts on our ability to defend against such attacks should the method be adopted by considerably more rogue elements than himself.
Q: How did you first develop your DoS technique?
A: Okay, it started with a little script I wrote a while back to harden-test servers. I modified this script, and it was just a nasty script, very cumbersome. When I realized the extent of the jihadi online recruiting and co-ordination involvement (much later), I realized I could turn this script into a weapon. But the problem with that was it kept me constantly shell hopping and wasn’t very user friendly. Now I have started on project XerXeS, an intelligent frontend with the ability to hit multiple targets autonomously.
Q: What about collateral damage to third party systems?
A: Many people worry about the nodes between me and the target. This technique affects nobody but the intended target. All intermediaries remain unaffected.
Q: Have you tested XerXeS on a live target yet?
A: I just did another live-firing test of XerXeS and posted on Twitter. It went well. In fact, I really want to do another one right now. Check out almaghrib.org – I will demonstrate on them for you. They will be flat-lining in a minute. I like this one, it’s kind of tricky, but I am building a little artificial intelligence into my method so I can run it unattended. It can now detect a system attempting to fight back and adjust to overwhelm it.
Q: Are you running the attack now?
A: Yes, they just hit back again but to no avail. I need to tweak XerXeS a little bit still, but it is definitely going to work completely unattended when it’s done. Refresh the site now - they are down!
Q: So the automation does not hinder your technique’s effectiveness?
A: No, not at all. Each new wave uses a different IP (location). It starts with just one, but ramps it up if it detects system counter-measures.
Q: So XerXeS uses a graduated attack?
A: Yes, it starts off nice and slow, which usually takes a site down in less than 30 seconds. But if it can’t take the target out in 30 seconds, it triggers the AI and adjusts the attack.
Q: Do you still have to identify the targets first, or does it automatically search and destroy?
A: Right now I specify targets. It’s better that way, and safer, as I can’t afford any false positives.
Q: So XerXeS can be set up to take down multiple targets at random intervals, and really drive your targets nuts?
A: Oh yes! This is how I will render their websites undependable for coordinating terrorist activities. I am building a nice simple GUI and adding elements of AI that can auto-detect if the target 'wakes up' during a strike and counter that autonomously. I am also adding the ability for the software to halt the attack after any specified time period.
Q: Will XerXeS increase the frequency of your attacks?
A: Yes. The frequency of my attacks is currently limited to the time I have to spend on this project. XerXeS will make the attacks less of a shell-hopping exercise, and more of a fire-and-forget exercise.
Q: What are the implications if something like XerXeS was combined with a large zombie network, and coordinated against critical U.S. infrastructure, like our communications, power grids, or financial systems?
A: XerXeS requires no zombie network or botnet to be effective. Once a single attacking machine running XerXeS has smacked down a box, it's down; there is no need for thousands of machines. But XerXeS does not hurt intermediary nodes along its path to the target. So the answer is that such institutions’ systems would still be intact, as it causes no collateral damage, just not functional.
Q: So something like XerXeS in the wrong hands could be a serious threat?
A: Even if someone were stupid enough to hit critical targets like those, they couldn't keep it up forever, and the nature of XerXeS ensures no data or systems would be physically harmed. Someone would have to be really dumb to hit those kinds of targets.
Q: Is it likely another hacker with less noble intentions may soon replicate your technique?
A: Yes, this could happen; the technology for this type of activity has existed for years, it’s just the particular way I happen to put it all together. I combined various methods and technologies into a single weaponized product - that is where the real difference lies in my methods. I would be a fool to think I am the only one developing this type of gadget. I am just the only one who tweets about it!
Q: How easily could we defend our systems from such attacks?
A: Web delivery servers could theoretically defend temporarily, but then XerXeS learns from each, in effect modifying the fine-tunable aspects of the strike, just like cutting a new key to fit a lock.
Q: What role will you play in helping the good guys prepare and defend against something like XerXeS?
A: Regarding helping the good guys defend against such an attack, I can guarantee that no bad guy has this in his arsenal yet, and no bad guy will ever get it from me. I have not been approached directly by any sec/mil/spook types, but if that happens I would be glad to help out. Preferably, they would approach me with a signed immunity-from-prosecution document. I am not going to just throw myself to the wolves.
Q: Do you feel like Oppenheimer did after they successfully tested the atom bomb – like you let the genie out of the bottle?
A: No. I don't presume to think I am as clever as Oppenheimer; this is part of the evolution of things, and not just in IT terms. If it wasn't for hackers fuelling the solutions that make for better security, we would still be using abacuses. It's just the way it is. But the XerXeS Project is specifically only aimed at disrupting the online communication channels of Jihadists enough for them not to be able to rely on them anymore, and nothing else.
Q: Do you want to add anything else?
A: I want the emphasis to be on the reason for this project; I don't mind talking about XerXeS, but I need the true message to get out. If it wasn’t me and XerXeS, I am sure there must be others like me. I am sure there is an element of your readers who are interested in the 'how', but the issue really is the 'why'. Project XerXeS is an ongoing project that is a means to an end. The end goal is to disrupt the online communications, recruitment and co-ordination efforts of international and homegrown terrorists.
Conclusion
Now some questions for our readers: based on what little we know of The Jester’s XerXeS DoS attack, what are the implications for our own network security should this technique be employed against us by nefarious hackers?
Does The Jester’s conditional offer of cooperation warrant the extension of some sort of immunity in exchange for critical information that could be employed both against “enemy” systems and also in defense of our own?
And is there a place in our cyber defense strategy for virtual mercenaries?