14 replies to this topic

[cnm]

The forum, which had been started by Mike in 2001, was hit by a massive DDoS attack starting in February 2004. Mike tried all sorts of things including multiple proxies, multiple servers, finally ended up transferring the whole forum to a different host. Unfortunately in the process he lost the member database, and everyone had to re-register. That is why you don't see any members listed as having joined before May, 2004.

[teacup61]

How long was it down? I was here for the one in 2006, and that was bad enough.

[cnm]

Pretty much out of commission from February to May of 2004. We could post a little, sometimes. Mike disabled many features to save bandwidth, so we couldn't see who was online or do searches. (Someone correct me if I have any of this wrong).

[Galadriel]

The original attack lasted a few weeks... the servers were hammered for longer, but there were other problems as I remember it.

The first wave hit on February 11th. Found a nice topic on Spyware Warrior the other day about it....
http://spywarewarrio...topic.php?t=254

Some of the links in there are dead now, obviously, but the isc.sans link suzi posted still works. All you have to do is use the drop down boxes to see the dates. Remember it was February 2004. The info is still visible there. You can actually see the spike in traffic on port 80 on Feb 11th.

That was quite a trip....

[ipl_001]

Hi cnm, teacup61, Galadriel, hi everyone,

Thanks for this forum and these lines! I like to know the very details of such events and am about to ask many questions about the beginning of the story!

I joined SWI on 11-June 04 and I remember that there were plenty of topics (in the Boot Camp) with the line "originally written by xxx" (topics from the former board).
On the Boot Camp, we had generic nickname and password to go to the former board read articles that had not been copied yet!
Rather difficult when we arrived on the forum as we had oodles of links to similar topics here and there... Some of us were completely lost and that's how I read the response to a trainee by Budfred, that I have in my signature from then, on all of my forums!



Some questions, please...
- were the DDoS attacks against SWI due to HijackThis being developed here?
- I had in mind SWI opened in 2002; you wrote 2001 here above: do you confirm? was there a Web site in 2001 then a forum in 2002?
- How did Merijn come here?
I have in mind Merijn was posting at DOXdesk (unless it was CEXX) when Mike wrote an article about malware (no longer on the Web) and that Merijn came to join Mike and the teams here, right?

I wrote some lines on a private Web page (in a reverse chronology below):

. DDoS attacks against all of the antimalware forums in early 2004: advisors take refuge with some still opened sites such as TC and DoK's board (SpyWare BeWare!) which is then re-activated!
. DDoS attacks against SWI at spring 2004 ; reopens on new servers at mid-May 2004.
. SWI Training center (Boot Camp) was opened in February 2004.
. TC's Classroom was created by Coyote in 2003, november 2003 said ChrisRLG.

Becky's archives were taken to MtM on Mai 25, 2003 -> BECKY! INTERNET MAIL
-> Wow. Becky's Forums is closed until further notice. (January 2, 2003)

It's at this period that Merijn Bellekom develops HijackThis after a document by Mike Healan; he then quits DOXdesk or CEXX to join the teams at SpywareInfo.

. Gladiator Security Forums was created on August 10, 2002 (initialy an antivirus site), by Udo Laumann aka TheSentinel.
. Pierre opened the forum Assiste.com in May 2002.
. Paul opened Wilders in July 2001.
. SpywareInfo was created in 2002, by Mike Healan, then helped by cnm.
. BroadBandReports/DSLReports was already opened on December 21, 1999 (when amysheehan joined).
. Mike Cermak opened Tech Support Guy in January 1996, at the age of 14; TSG was already well establishes on October 21, 2002 when cnm joined.
. The first antimalware forum ever created on the Internet was probably Becky's (if we exclude BBS)... MickeyTheMan joined on November 25, 2000 but speaks about 1996 for Becky! Internet Mail Program.

and on another Web page:

In 2003-2004, lots of independent forums were competing gladly and giving a poor picture... at this period, there were serious attacks against HijackThis and SpywareInfo, the forum on which Merijn was developing this tool! Forums at the time were named Becky's, TechSupportGuy, Wilders, SpywareInfo, TomCoyote, Net-Integration, SysInfo, etc.

- why did Becky's, N-I, SysInfo stop?

Responses to my questions above may need your thoughts, opinions, positions (instead of facts): there's no trap in my questions! I don't intend to start any debate... if you feel my questions may be source of problems, please don't answer!

Thanks a lot for some words in response!

~~ edit:
I realize my post is not exactly on the subject of "The disastrous DDoS of 2004": feel free to split!

Edited by ipl_001, 26 July 2008 - 08:34 AM.

[Galadriel]

Salut Gérard!

I will try to answer what I can, if I remember... unfortunately I don't have logs of that period available to me right now. I might still have them on another hard drive, I'm not sure. I'll see if I can find them and dust them off.

As far as I know, Mike started SWI in 2001. I think the board itself was probably started in 2001 also. I joined (not necessarily registered, but stumbled here) in the middle of 2002. Merijn was already active here, so I don't know the details of his arrival.

The reasons behind the DDoS were never confirmed, but we highly suspected it was because we were making an impact on the malware distributors' income. We were making a difference. They took notice.

As for the Classroom, it was indeed in 2003 but I'm not sure of the month. cnm can probably confirm, but from what I remember, that fits. If cnm is willing, I have a writeup of the history of our two schools. If she wants, I'll post it here too. I already posted it over in the school forums at geekstogo and at Bleeping Computer for those with access.

The DDoS attacks continued, after they originally abated here. When we started organizing ourselves, getting people to the sites that were up, again the DDoSers took notice and followed. That is how TC and NI were hit. TC went down for a couple days, and it was very slow when it was up. We were scrambling to find out what kind of bot was being used to perpetuate this attack. As far as I am aware, this was never discovered. At the time, Messenger Service Spam was still a big problem. And lots of infections were spread that way, users being tricked to install programs and so on. Much like the 'rogues' now, there were rogues then, they advertised through the Messenger Service (not to be confused with MSN or Windows Messenger), which is like the old netsend command in Win9x.

I remember a small group of us decided to start sending netsend messages to the infected computers (we had logs of the offending IPs) to try to let the owners know that they were part of an attack and that they needed to get off the internet asap and get their machines cleaned up. We did that for a few days, don't know if that had any kind of impact, but we had to do something.

When TC went down, the attack was so hard on the server that hosted the forum, the server itself died. We lost the database to the forum, when we tried to restore a backup and had a lot of problems getting it back. Those who were in the Classroom at the time, will probably remember how slow and painful it was after that for several months.

As for Net-Integration, who knows? The owner just shut it down one day, and that was that. As far as I know, Sysinfo never had a forum. It was a repository, a database, hosted and maintained by Patrick Kolla (Spybot) using PacMan's startup database to start with. There weren't any lists to speak of at the time, other than PacMan's, except for private forum entries were we had access to CLSIDs compiled by TonyKlein.

I'm not going to get into the squabbles that were ongoing before the attacks. It wouldn't be my place to try to explain what happened and why, nor would it do any good at this point. But those two points, the attacks and the squabbling, were what caused the formation of ASAP.

That's about it for now... If I think of something else to add, I'll add it later.

[cnm]

Mike's newsletter from February 25, 2004 provides a little more info -
I'd forgotten about Anonymizer.com being brought to its knees.

http://www.spywarein...ves/0204/25.php

You may have heard of an arrangement with anonymizer.com to help protect the site. They were going to provide SpywareInfo with as many redundant proxies as we'd need to keep the site running. Their CTO even worked on the weekend with his wife glaring over his shoulder to set it up. Unfortunately, the attacks proved too much for their network, so they have withdrawn their support. I still appreciate what they tried to do.

I don't remember why globalservers didn't work out:

The attackers still are hitting us with everything they have but the equipment at Globalservers seems to be holding up to the attacks. They are generating 60mbits per second of traffic and the site is loading just fine in spite of it. I probably will bring some more servers online there just to be on the safe side.

Once SpywareInfo is settled and I have more servers online, I hope to bring merijn.org and tomcoyote.org back into operation.

Eventually Mike moved us to Dixiesys (and lost the membership tables from the database).

In March, 2004 things were looking up but the financial drain was horrendous. We sold merchandise to raise money. http://www.spywarein...ves/0304/26.php (scroll down to the 'Support SpywareInfo' header ).

Edited by cnm, 10 December 2008 - 04:28 PM.
Fixed to use new URl for SWI main site.

[teacup61]

I have a DLTBW coffee mug.

[Galadriel]

And I have a shirt and cap.

[Budfred]

I remember Tom Coyote being down for many weeks and that is why I came to SWI... cnm had started up Boot Camp and asked me to join, so I came here... By the time TC was back up again, I was so involved here that I didn't ever get completely back into the Classroom and fighting malware there... I was invited to join the Classroom staff, but I was busy here and did not know that the plan was to have a number of teachers, so I declined... I do still keep in touch with What the Tech which is the modern incarnation of TC...

After we got Boot Camp going here, we had that really massive DDoS and ended up doing the move that has already been noted -- that was a major hassle... If you figure all the posts that many of us had over there, a number of us actually have closer to 20,000 total posts here!!

[ipl_001]

Bonjour Galadriel, Hi cnm, teacup, Budfred, hi everyone,

Galadriel, un grand merci pour toutes ces précisions que tu as écrites !
Galadriel, a big thank you for all of these details you wrote!

>dust them off
Thanks a lot! However, don't spend too much time: you have better to do in the sun than dig in your boxes!

You are right, SysInfo was rather a site. It stopped gradually around 2004-2005: we refered to Sysinfo to loonk into Startup and CLSIDs entries and I remember TonyKlein posted here at SWI to warn that Sysinfo was no longer updated (owners moved to other matters) and that we had to refer to CC instead!

cnm, thank you for your lines and the link to the Feb.25 2004 Newsletter! I went to the Web site and tried to find the page about Spyware cleaning by Mike but I didn't find anything left.
LOL I downloaded HJT 1.97.7

At bottom of the Newsletter, I followed a link to LockerGnome and could read Spywareinfo Hacked By Meanies!" by Meryl K. Evans about the days of Feb.6 and Feb.11 to 19 with the "dozens (maybe hundreds)" proxy thingies.
I also read: "The bad guys hit the servers with about 2,000 PCs"... was this a botnet (with compromised comps) or owned PCs?
>He has been in touch with the FBI about this, but they're playing phone tag. Unfortunately, he's used up $2,500 so far,
> hostpc about $1,400, xblock at least $2,000, plus some losses for their other customers on their server. Lord knows
> what it's going to cost overall.

Edited by ipl_001, 26 July 2008 - 01:43 PM.

[Galadriel]

It had to have been a botnet. Pretty sure of that.

[cnm]

ipl_001's post about Merijn moved to its own topic - http://www.spywarein...howtopic=118576

[Metallica]

2004 was a bad year in many ways. It was the year that I stopped doing logs at Wilders, Cexx and SWI.
The reasons were the force the blackhats used to strike back and the time it took to help one victim. I was used to doing hundreds a day and I couldn't cope anymore.
It took me a few months to realize that there was something missing and I came back expecting to find all my friends again.
As it turned out many had gone in different directions.
One of the main reasons, IMO, was the DDoS that is the subject of this thread.
Saying that it changed my life may be overly dramatic, but it certainly played a role.

[Galadriel]

2004 was a bad year in many ways. It was the year that I stopped doing logs at Wilders, Cexx and SWI.
The reasons were the force the blackhats used to strike back and the time it took to help one victim. I was used to doing hundreds a day and I couldn't cope anymore.
It took me a few months to realize that there was something missing and I came back expecting to find all my friends again.
As it turned out many had gone in different directions.
One of the main reasons, IMO, was the DDoS that is the subject of this thread.
Saying that it changed my life may be overly dramatic, but it certainly played a role.

I hear that. I so hear that. The year everything changed for me too. And the DDoS was the first major event that triggered a lot of others for me. So yeah, it changed my life too. In more ways than one.