The past few years have brought a proliferation of online services that can be hired to knock Web sites and individual Internet users offline. Once only found advertised in shadowy underground forums, many of today’s so-called “booter” or “stresser” services are operated by U.S. citizens who openly advertise their services while hiding behind legally dubious disclaimers. Oh, and they nearly all rely on Paypal to receive payments.
[Image: Asylum’s attack options.]
Many of these booter sites are based on the same source code, meaning that any vulnerabilities in that code can be used to siphon data from the back-end databases of multiple, competing services. This happened in March to booter.tw, a service that was used to launch a volley of attacks against this blog, among others.
Today we’ll be taking a closer look at another booter service whose customer database was recently leaked: asylumstresser.com (a.k.a. asylumbooter.com/net/us). Like other booter services, asylumstresser.com isn’t designed to take down large Web sites that are accustomed to dealing with massive attacks from Internet extortionists. But these services can be, and are, used to sideline medium-sized sites, although their most common targets are online gaming servers.
Asylum says it deletes records of attacked sites after one month, and the leaked database confirms that. But the database also shows the sheer volume of online attacks that are channeled through these services: In the week from Mar. 17, 2013 to Mar. 23, 2013, asylumstresser.com was used to launch more than 10,000 online attacks.
According to the leaked database for Asylum, the administrator and first registrant on the site uses the address [email protected]. That same email address was the beneficiary of more than $35,000 in Paypal payments made by customers of the service. Overall, more than 33,000 user accounts were created on the site.
That [email protected] address also is tied to a Facebook account for a 17-year-old honor roll student named Chandler Downs from suburban Chicago. A reverse WHOIS report (PDF) ordered from domaintools.com shows other interesting sites registered with that same email address.
In a brief interview conducted over Gmail chat, Downs maintained that the service is intended only for “stress testing” one’s own site, not for attacking others. And yet, asylumstresser.com includes a Skype resolver service that lets users locate the Internet address of anyone using Skype. Asylum’s resolver wouldn’t let me look up Downs’ own Skype address — “hugocub1.” But another Skype resolver service shows that that Skype username traces back to a Comcast Internet address outside of Chicago.
Asylumstresser.com also features a youtube.com ad that highlights the service’s ability to “take down your competitors’ servers or Web site.”
“Do you get annoyed all the time because of skids on xBox Live? Do you want to take down your competitors’ servers or Web site?,” reads the site’s ad, apparently recorded by this paid actor at Fiverr.com. “Well, boy, do we have the product for you! Now, with asylumstresser, you can take your enemies offline for just 30 cents for a 10 minute time period. Sounds awesome, right? Well, it gets even better: For only $18 per month, you can have an unlimited number of attacks with an increased boot time. We also offer Skype and tiny chat IP resolvers.”
Downs said he was not the owner of the site – just the administrator. He shrugged off the ad’s message, and said Asylum wasn’t responsible for what customers did with the service.
“You are able to block any of the ‘attacks’ as you say with rather basic networking knowledge,” Downs said. “If you’re unable to do such a thing you probably shouldn’t be running a website in the first place. No one would spend money to stress a site without a reason. If you’re giving someone a reason, that’s your own fault.”
Not so fast, said Mark Rasch, a computer security expert and former U.S. Justice Department attorney.
“If they’ve got their fingers on the trigger and they launch the attacks when they’re paid to, then I would say they’re criminally and civilly liable for it,” Rasch said.
Allison Nixon, a security consultant who recently left a job analyzing attack traffic at Dell SecureWorks, looked at all of the attack methods offered by Asylum. Nixon said she was disappointed to discover a glitch in the site’s code: No matter which attack method she chose, the booter ran the same attack: A reflected DNS attack, and some weeks later, a UDP flood.
“They promise all these attacks – like Layer 7 attacks, SYN floods, Apache memory exhaustion, and all I ever got was reflected DNS attacks and UDP floods,” Nixon said. “Booters are written and modified by amateur coders who often don’t know what they are doing, so these sort of bugs are unsurprising.”
Nixon noted that all of the packets incoming from the traffic she ordered to her test machines appeared to have been sent from spoofed IP addresses. However, when she used the “Down or Not?” host checker function on Asylum, the site responded from what appears to be the real Internet address of one of the servers that are used to launch the attacks: 93.114.42.28. She noted that a booter service that appears to be a clone of Asylum — vastresser.ru — is hosted on the same network — at 93.114.41.94.
Asylum, like most other booter services, is hidden behind Cloudflare, a content distribution network that helps sites block attacks that services like Asylum are designed to launch. Apparently, getting attacked is something of an occupational hazard for those running a booter service. Behind the Cloudflare proxy, Nixon found that the secret IP for the Asylum stresser Web frontend was 93.114.42.205.
Both IP addresses map back to Voxility, a hosting facility in Romania that has a solid reputation in the cybercrime underground for providing so-called “bulletproof hosting” services, or those that generally turn a deaf ear to abuse complaints and requests from law enforcement officials. In January 2013, I profiled one data center at this ISP called Powerhost.ro that was being used as the home base of operations for the organized cybercrime gang that is currently facing charges of developing and distributing the Gozi Banking Trojan.
“I think it is outrageous that Paypal processes money for these people,” Nixon said of Asylum. “If law enforcement cared at all, every booter uses Paypal and the owners’ real financial info will be tied up in it. It would be super easy for the cops to find them and round all of them up. And if the info is fake, Paypal should be freezing those accounts.”
Update, 8:24 p.m. ET: A Paypal spokesperson sent the following statement in response to this story:
“While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly. We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.”
Update, May 16, 12:07 p.m. ET: Downs took rather strong exception to several statements in this story. Principally, he maintains the site is owned by someone else, but he has not supplied any information about that individual other than a commonly-used hacker handle. I thought it made sense to share a few more details about my reporting that led me to believe Downs was running the site, if not also profiting directly from it. Check out this thread from Hackforums.net, where this service is primarily advertised. It shows that the user “Asylum” states that his contact nickname on Skype is “hugocub1,” which as mentioned in the story above traces back to a user in Chicago. But a more important and interesting find comes from Downs’ youtube.com channel (referred to by his gaming profile XBLvirus — one of the nicks listed in the Domaintools report linked above), which features mostly videos of his xBox Live gaming and hacking prowess. In one video, the narrator can be heard stating, “Hey youtube, what’s up, it’s Chandler from darklitstudios.” At around 4:01 in this video, if you pause it just right, you can see Lastpass listing his available stored passwords, including several different accounts using the nickname “hugocub”. Hat tip to Allison Nixon for digging up this additional information.