Russia has been in the news for the last week, with thousands of protesters taking to the streets to protest against alleged irregularities in the elections held on December 4th. There are also multiple reports of attempts to silence protesters on the Internet, such as DDoS attacks against websites used by the political opposition, the use of Twitter bots to flood messages with specific hashtags related to the protests, or requests that social networks close groups associated with the protests, as demonstrated by this letter made public by the owner of the Vkontakte social network.
This week we noticed a botnet using a piece of malware, detected by ESET as Win32/Flooder.Ramagedos, to direct a distributed denial of service (DDoS) attack at the website http://superjedi.ru/, a forum with a section for discussions on politics in Russia. It contains multiple messages related to the recent events regarding the elections.
The forum currently has a notice stating that “We are under DDOS-attack by unknown persons. We do everything to keep the forum working. Thank you for being with us!”.
It turns out that the botnet is currently targeting another website, attrition.org, participating in a DDoS attack that has been ongoing for 3 weeks now. The website contains an errata section (a mirror is available at securityerrata.org) that aims to “enlighten readers about errors, omissions, incidents, plagiarism, lies, and charlatans in the security industry”. Chances are the website is targeted by an individual who is displeased to see his name appearing there.
These 2 cases are good illustrations of DDoS being used for censorship purposes. Based on the collected evidence, about 4500 computers are participating in the DDoS attacks. While this is a relatively small number for a botnet, it is sufficient to disrupt access to websites with limited bandwidth and no specific DDoS protection.
Author Sébastien Duquette, ESET