Sunday, July 09, 2006

Stolen Computers

If you have a Blogger blog, you (your blog) are under attack.

This is a very real problem. You may not even realise it, but you are vulnerable (actually, you're vulnerable because you don't realise it).

Every computer security expert knows that there are thousands of computers, worldwide, that are not under the complete control of their legal owners. Computers under the control of a bad guy, after infection from a trojan or virus, are a serious problem.

NOTE: This is an intense subject, and in writing about it, I make liberal use of hypertext. Each of the issues discussed below are explained in greater detail, in the linked articles. Please! Click on a link or two, and read the details.

In the recent past, computers controlled ("0wn3d") by the bad guys were used for one major purpose - spam delivery. In the world of blogging, though, they have a more immediate and obnoxious purpose. They are an essential component in the hijacking of blogs.

Starting with a database listing thousands of targeted Blogger blogs, an army of computers, in a botnet, systematically attacks each blog.
  • In a brute force password attack, the many computers in a botnet combine forces, and methodically guess the password for a known Blogger account. When the password is guessed, all blogs in that account are vulnerable to hijack.
  • In a ping attack, the many computers in a botnet simply ping each blog under attack, periodically. When any targeted blog fails to respond to a ping, presumably after having been deleted, that blog is vulnerable to hijack.
  • Thanks to the splog explosion, and the ongoing attempts by Blogger Support to contain the problem, your blog is subject, at any time, to being falsely detected as a splog. Legitimate blogs are being deleted by the Blogger anti-splog bots.


Note that classical brute force password attacks might have involved a consistent and sequential series of attempts, such as "aaaaaaaa", "aaaaaaab", "aaaaaaac"..., all coming from one single computer, and as rapidly as possible. That type of attack is obvious. When a sequence like that is noticed, even a rudimentary Intrusion Detection System (IDS) would simply activate a filter against the IP address of the attacking computer, preventing any more attempts from even reaching the network.

Modern brute force attacks follow no pattern. A random sequence of character strings, with attempts spaced randomly over minutes, days, even weeks, and with the attempts coming, variably, from any of the thousands of different computers in a botnet, is to be expected now. All targeted blogs are attacked, randomly, from the many computers in the botnet. An IDS that keys on the source IP address has no chance of detecting such an attack, carried out discreetly.
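To make the IDS point above concrete, here is an added example (not code from the original post) of two detection rules run over a constructed failed-login log: a classic rule keyed on the source IP, which catches the rapid single-computer attack but misses the slow, distributed one, and a rule keyed on the targeted account, which catches the distributed attack. The log format, IP addresses and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-audit lines (hypothetical format): "timestamp source_ip account result".
# 203.0.113.5 hammers "alice" within seconds; five different hosts try "bob" once each over a day.
SAMPLE_LOG = """\
2006-07-09T10:00:00 203.0.113.5 alice FAIL
2006-07-09T10:00:01 203.0.113.5 alice FAIL
2006-07-09T10:00:02 203.0.113.5 alice FAIL
2006-07-09T10:00:03 203.0.113.5 alice FAIL
2006-07-09T10:00:04 203.0.113.5 alice FAIL
2006-07-09T10:03:00 198.51.100.7 bob FAIL
2006-07-09T11:40:00 198.51.100.9 bob FAIL
2006-07-09T14:05:00 192.0.2.33 bob FAIL
2006-07-09T19:30:00 192.0.2.77 bob FAIL
2006-07-09T22:12:00 198.51.100.44 bob FAIL
2006-07-09T12:00:00 192.0.2.100 carol OK
"""

def parse_log(text):
    """Return (timestamp, ip, account, result) tuples in time order."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(ts), ip, acct, res) for ts, ip, acct, res in rows)

def rapid_single_source(events, threshold=5, window=timedelta(minutes=1)):
    """Classic IDS rule: flag a source IP with >= threshold failures inside one window."""
    recent, flagged = defaultdict(list), set()
    for ts, ip, _acct, res in events:
        if res != "FAIL":
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold:
            flagged.add(ip)
    return flagged

def distributed_per_account(events, threshold=5, window=timedelta(days=1)):
    """Account-keyed rule: flag an account hit by >= threshold distinct IPs inside one window."""
    recent, flagged = defaultdict(list), set()
    for ts, ip, acct, res in events:
        if res != "FAIL":
            continue
        recent[acct] = [(t, i) for t, i in recent[acct] if ts - t <= window] + [(ts, ip)]
        if len({i for _, i in recent[acct]}) >= threshold:
            flagged.add(acct)
    return flagged

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-IP rule flags:", rapid_single_source(ev))          # {'203.0.113.5'}
    print("per-account rule flags:", distributed_per_account(ev))  # {'bob'}
```

The per-IP rule never sees more than one failure from any of the hosts trying "bob", so only the account-keyed rule surfaces the botnet-style attack; in practice the account rule is what justifies a lockout or a forced password change.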

As a vulnerable blog is identified, after no ping reply is received, it is assumed to have been deleted. The blog is set up again, and registered to the owner of the botnet. As a vulnerable Blogger account is identified, it is taken over, and the password is changed. The blog or blogs involved are loaded with the spam content provided by the owner of the botnet, and the blog(s) become members of the latest splog cluster.

A successful attack could result in victory for the botnet owner today, tomorrow, or next week. Patience and persistence are the key here.

Some Blogger accounts are hijacked, not thru brute force password attacks, but thru password theft. Keyloggers, which, like botnet clients, are installed by a trojan or virus, are a well known threat. Using a public computer, or using your own computer on a public network, can lead to password theft too.

Why are Blogger blogs targeted so systematically?
  • The blogspot.com domain is well known. Random, and systematic, searching for subdomains ("*.blogspot.com") will yield millions of hits. Each subdomain (Blogger blog) identified is known to be part of the domain, and all technical details about its hosting are known, from the domain itself.
  • Blogger blogs are predictably online. If the Blogspot domain is online, the millions of Blogger blogs will consistently respond to pings. Any targeted Blogspot subdomain (Blogger blog), not responding to a ping, can be reliably assumed to have been deleted.
  • Many Blogger blog owners are technically unsophisticated. With the easy and free availability of Blogger One Button Publishing, any Internet user can have a Blogger account and any number of blogs. Knowledge of even rudimentary computer security principles is not required.
  • Many blog readers, who frequent blogs with non technical content, are equally technically unsophisticated. They are the perfect splog targets.
  • Thanks to the Blogger - Google relationship, and the amenities offered, many Blogger blogs have good search engine rankings. These blogs cover a wide variety of technical and non-technical topics, resulting in a very diverse audience, and are of financial interest to the sploggers.
  • The Blogger / Blogspot domain, as a whole, is a perfect target for a distributed attack.


So how can I, as a Blogger user, help to resolve this problem?

Resolving this problem starts with you. Start now.


(Edit 10/26): When I wrote this article, originally on 7/9/2006, I focused on those who publish their Blogger blogs on Blogspot, the normal setup. My previous opinion was that those who publish off-site, i.e. to private hosts, are also at risk, though possibly to a lesser degree. Today, we see actual detection of a serious hijack of an externally published blog.

From today's discussion, we see that more information on blog hijacking may be found at Loris Webs.


(Edit 10/23): This is getting still worse. I added Blogs Being Hijacked? to my list of Classic Blogger Issues.


(Edit 10/17): The situation is getting worse. Today, we see a PCWorld article about last week's outage. And this week, we have suffered thru chronic periods of instability.


(Edit 10/17): In the Blogger Help Group: Something Is Broken thread "Blogs have been hijacked...", we see a mention of possible malicious hijacking.
my research with a Lynx browser shows that your blog url has been taken by blogger user monster-job-search-SFbp
(http://www.blogger.com/profile/33065055) on October 17, 2006, 1:15 AM.

I have now started a new thread - A Blog Hijack?, where I hope to diagnose this further.

3 comments:

Shephard said...

Thanks for posting this information. Much appreciated.
~S

Dirty Butter said...

Our Blogger blogs are hosted on our own domain. Are we at just as much risk as those blogs hosted on blogspot?

You are performing a real service to a large percentage of the blogging community.

I’d like to invite you to join our family friendly BLOG VILLAGE TopList. I think your blog would be a fantastic addition.

You can find out more about it at Blog Village blog.

Bux.to Sux!! said...

Thanks for the info. This explains why I am getting a set of hits seconds apart on my blog. I recently exposed an online company for fraud, and now their employees are trying to take over my blog. I got over 50 hits within one minute. My blog isn't that popular! LOL...Thanks again for the info.