Hacker Claims Old-School Tactic Brought GoDaddy to Its Knees

Someone with the Twitter handle @AnonymousOwn3r made a grab for 15 minutes of fame last week by claiming responsibility for taking down the network for Internet’s largest registrar, GoDaddy.

GoDaddy discredited that claim. “The service outage was not caused by external influences,” CEO Scott Wagner said in a statement. “It was not a ‘hack’ and it was not a denial of service attack (DDoS). We have determined the service outage was due to a series of internal network events that corrupted router data tables.”

Whether @AnonymousOwn3r tried to take down GoDaddy or not, the method he claimed he used for the attack was an interesting one, and one not commonly used by hackers these days. He said he mounted the attack with a botnet controlled through Internet Relay Chat (IRC), instead of through a typical command and control (C&C) server.

The technique is “old school,” according to Sophos Security Advisor Chet Wisniewski. “IRC channels are the original C&C,” he explained to TechNewsWorld. “Early bot herders used IRC exclusively until anti-virus vendors caught on and started creating identities and network intrusion rules looking for untoward IRC traffic.”

“The idea is simply to infect a bunch of computers with malware that all connect back to an IRC channel — often password protected so only the controller can join it,” he noted. “The bot controller criminal then joins the channel and can instruct the bots to attack whatever targets he chooses.”

Because of the size of GoDaddy, F-Secure Researcher Sean Sullivan was skeptical that a single hacker could make it go dark. “There are definitely botnets large enough to attack an operation such as GoDaddy,” he told TechNewsWorld, “but generally, such large botnets are used by criminals for activities such as bank account theft.”

“I seriously doubt that a ‘hacktivist’ is in control of a botnet large enough to be more than just annoying,” he added.

Al-Jazeera SMS Compromised

Apple isn’t the only one in the world with SMS problems.

Middle Eastern news network Al-Jazeera had its SMS network invaded last week by the notorious hacker group the Syrian Electronic Army (SEA). The group managed to send three fake texts over the outlet’s SMS service before being discovered.

One of the texts reported an assassination attempt on the prime minister of Al-Jazeera’s home country, Qatar. Another text reported the wife of Qatar’s emir had been wounded.

This is the second time in as many weeks that security gaps in SMS has made headlines. A flaw in the iPhone’s SMS handling makes the device vulnerable to spoofing, some researchers argue.

That’s because if there’s an address in the “reply to” field in a message, the phone treats that address as the one from which the text was sent. It’s easy for a spoofer to put a familar address on the reply-to line — a bank address, for example — and hide the real origin point of the message. Once the spoofer has the recipient’s attention, they can entice the target to follow links in the message that will lead the victim into trouble.

“Normally, an SMS is quite secure,” Thorsten Trapp, cofounder and CTO of Tyntec, an SMS networking company, told TechNewsWorld. “The network over which it’s transmitted is more secure than IP.”

“When a message hits the phone, there’s a lot of information to process — much more than you can actually see on the phone,” he noted. “If you throw some of that information away, you open security risks. That was the pitfall that Apple fell into.”

Half of Android Phones Infected

As much as 50 percent of the smartphones running Google’s Android mobile operating system have unpatched vulnerabilities that could be exploited by a malicious app or adversary, according to identity authentication company Duo Security.

Duo reached that conclusion after analyzing data from some 20,000 phones worldwide running its free X-Ray app. The app is designed to identify known but unpatched vulnerabilities in Android.

“As carriers are very conservative in rolling out patches to fix vulnerabilities in the Android platform, users’ mobile devices often remain vulnerable for months and even years,” wrote Duo CTO Jon Oberheide in a company blog.

He admits that 50 percent is a scary number, but added “it exemplifies how important expedient patching is to mobile security and how poorly the industry … has performed thus far.”

What’s more, he maintained the problem could be far worse. “We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally.”

X-Ray is available for free from Duo Security’s website.

Breach Diary

  • Sept. 10: Twitter subscriber espousing affiliation with Anonymous hacker collective claims responsibility for disrupting service on GoDaddy, Internets’s largest domain name registrar and provider of host services for some 5 million websites. GoDaddy repudiates claim, saying the outage was caused by a glitch in its systems.
  • Sept. 10: Blue Toad, a Florida document conversion company, reveals that Apple UDID information posted to the Internet by hackers earlier this month came from its computer system. The hacker group AntiSec had claimed it stole the UDID data from an FBI laptop.
  • Sept. 10: Two Irish telecommunication companies, Eircom and Meteor Mobile, ordered to pay some US$39,400 in fines for theft of customer information on two laptops stolen from companies in late 2011 or early 2012.
  • Sept. 10: Hacker known as NullCrew posts message to the Internet declaring he is no longer selling data he stole from eight Sony servers in Asia. Folowing the attack earlier this month, Sony stated no credit card information was compromised in the breach.
  • Sept. 11: Utah Department of Health extends to September 30 time for victims of health data breach last March to sign up for free credit monitoring services. That breach put as risk personal information for 780,000 persons, including Social Security numbers for 255,000 persons. Despite efforts by the state to publicize the program, only 20 percent of the victims have signed up for it.
  • Sept. 12: Barrett Brown, a putative spokesperson for the Anonymous hacker collective, arrested by FBI after he allegedly threatened a federal agent.
  • Sept. 12: University of Miami Hospital begins notifying patients treated at the school’s Miller School of Medicine campus between October 2010 and 2012 that personal information they provided the facility may be at risk. Two employees gained unauthorized access to “face sheets” used by physicians to quickly familiarize themselves with patients. Sheets contain patients’ names, addresses, dates of birth, insurance policy numbers and the reason they visited the hospital. Some insurance policy numbers may be the same as a patient’s Social Security number, the hospital warned.
  • Sept. 13: Symantec reports that average number of data breaches down in 2012 compared to 2011. Monthly average in 2012 of 14 is lower than 16.5 in 2011. More identities were also stolen in 2011 (1.3 million) compared to 2012 (640,169).
  • Sept. 13: Scottish Border Council fined some $396,500 for failing to properly manage outsourced data processing. A firm hired to process employee pension records disposed of some them by dumping them in public recycling bins.


  • Sept. 20: Attack Tools Workshop. 1 p.m. ET. Black Hat webcast. Free with registration.
  • Sept. 25: Security Awareness — Maybe It’s Not About the Users. 2 p.m. ET.RSA webcast. Free with registration.
  • Sept. 27: Foundational Cyberwarfare (Plan X) Proposer’s Day Workshop. 9 a.m.-4 p.m. ET. DARPA Conference Center, 675 N. Randolph Street, Arlington, Va. Closed to media and public. Unclassified session in the morning. U.S. DOD Secret clearance needed to attend afternoon session.
  • Oct. 1: Launch of “S&TI Flash Traffic,” a monthly summary of R&D activities for 14 high risk nation states — states with high levels of hacker activity or acts of cyber espionage — published by Taia Global. Annual subscription $250 until October 1, $500 thereafter.
  • October 3-5:2012 National Cybersecurity and Innovation Conference. Baltimore Convention Center, 1 West Pratt Street, Baltimore. Sponsored by SANS. Registration: US$1995.
  • Oct. 9-11: Crypto Commons. Hilton London Metropole, U.K. Discount registration (by Sept. 12): Pounds 900. Standard registration: Pounds 1,025.
  • Oct. 16-18: ACM Conference on Computer and Communications Security. Sheraton Raleigh Hotel, Raleigh, N.C.
  • Oct. 18:Suits and Spooks Conference: Offensive Tactics Against Critical Infrastructure. Larz Anderson Auto Museum, Brookline, Mass. Attendance Cap: 130. Registration: Early Bird, $295 (by Sept. 18); Standard, $395 (by Oct. 17).
  • October 20-21: Ruxcon 2012. Melborne, Australia. Registration: AUS$350.
  • October 22-23: Cybersecurity Conference. Grand Hyatt, Washington, D.C. Managed by 1105 Media. Expo Admission: Free. Conference Registation: US$295 for government employees; US$495 for others.
  • Oct. 25-31:Hacker Halted Conference 2012. Miami, Fla. Sponsored by EC-Council. Registration: $2,799-$3,599.
  • Dec. 3-7: Annual Computer Security Applications Conference. Orlando, Fla. Registration starts in September.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Security

Technewsworld Channels