Well, one has to hand it to the world's cybercriminals: they never fail to impress with their inventiveness. Reports are emerging about a Turkish cybercrime syndicate that is recruiting hackers to its DDoS platform with a thoroughly mainstream tactic, gamification. The site lets users compete for points through attacks and then spend those points on hacking tools.
The platform, called "Surface Defense," points participants at political websites and supplies a DDoS tool called Balyoz (Turkish for "Sledgehammer") to attack them with. To take part, users must download the Surface Defense software and register. Balyoz routes its attack traffic through Tor, which hides the participant's IP address from the target and makes attribution harder.
Users earn one point for every ten minutes they keep an attack running against a target website. To encourage "healthy" competition, the platform runs a live scoreboard, and some players have already accumulated hundreds of points.
So whom do the Turkish game-show hackers want taken down? The target list holds 24 websites for which DDoS attacks earn points: Kurdish media, a website owned by the Armenian National Institute, the German Christian Democratic Party's website, and several Israeli domains.
Notably, participation is tightly controlled for something built to recruit people into cybercrime. The client has to authenticate to the Surface Defense command-and-control (C&C) server before it will run, and it refuses to run inside a virtual machine, so a participant cannot spin up multiple VMs to rack up extra points. The same VM check also makes the client harder to study in a sandbox.
Security researchers who analyzed the client also found that it contains a "hack the hackers" backdoor that gives the Surface Defense operator access to participants' systems, which raises the question of who exactly is behind the site, and why.
“The backdoor is a very small Trojan and its sole purpose is to download, extract and execute another .NET assembly from within a bitmap image,” the researchers say. “It also downloads a secondary ‘guard’ component which it installs as a service. This ‘guard’ component ensures that if the backdoor is deleted then it will be re-downloaded and also installed as a service.”
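The quoted analysis gives a defender one concrete thing to look for: a .NET assembly carried inside a bitmap image. The following Python script is an added example, not code from the original article or from the researchers' report. It builds a constructed 2x2 BMP, appends a constructed minimal PE32 header stub with a non-empty CLR runtime directory (a header skeleton, not a real executable), and then scans the file for PE signatures, checks each one for a CLR directory entry, and flags bytes that lie beyond the declared pixel array. It assumes the assembly is stored as raw bytes after the pixel data; the quoted excerpt does not say how the real sample embeds its payload, so an LSB-steganographic encoding would need a different extractor.

```python
import struct

BMP_HEADER_LEN = 54          # 14-byte file header + 40-byte BITMAPINFOHEADER
CLR_DIRECTORY_INDEX = 14     # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the PE data directories


def build_bmp(width: int, height: int, pixel_rows: bytes) -> bytes:
    """Constructed 24-bit BMP; pixel_rows must already be padded to 4-byte rows."""
    file_size = BMP_HEADER_LEN + len(pixel_rows)
    file_header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, BMP_HEADER_LEN)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixel_rows), 2835, 2835, 0, 0)
    return file_header + dib_header + pixel_rows


def build_fake_dotnet_pe() -> bytes:
    """Constructed PE32 header stub with a non-empty CLR directory (no code, not runnable)."""
    dos_header = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos_header, 0x3C, 0x40)               # e_lfanew -> PE signature
    coff_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x2102)
    optional_header = bytearray(224)                              # PE32 optional header size
    struct.pack_into("<H", optional_header, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", optional_header, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", optional_header, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return bytes(dos_header) + b"PE\0\0" + coff_header + bytes(optional_header)


def build_sample_carrier() -> bytes:
    """Constructed sample: a 2x2 black BMP with the fake assembly appended after the pixels."""
    return build_bmp(2, 2, bytes(16)) + build_fake_dotnet_pe()


def parse_bmp(data: bytes) -> dict:
    """Read the declared file size and compute where the pixel array should end."""
    if len(data) < BMP_HEADER_LEN or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    _dib_size, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    row_bytes = ((width * bpp + 31) // 32) * 4                    # BMP rows are 4-byte aligned
    return {"declared_size": declared_size,
            "pixel_end": pixel_offset + row_bytes * abs(height)}


def find_pe_headers(data: bytes) -> list:
    """Return (mz_offset, pe_offset) pairs whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append((pos, pe))
        pos = data.find(b"MZ", pos + 1)
    return hits


def is_managed_pe(data: bytes, pe_offset: int) -> bool:
    """True when the CLR runtime header directory entry is non-empty, i.e. a .NET assembly."""
    try:
        opt = pe_offset + 24                                      # 4-byte signature + 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                                        # PE32
            count_off, dir_base = opt + 92, opt + 96
        elif magic == 0x20B:                                      # PE32+
            count_off, dir_base = opt + 108, opt + 112
        else:
            return False
        if struct.unpack_from("<I", data, count_off)[0] <= CLR_DIRECTORY_INDEX:
            return False
        _va, size = struct.unpack_from("<II", data, dir_base + CLR_DIRECTORY_INDEX * 8)
        return size != 0
    except struct.error:                                          # truncated header
        return False


def scan_bitmap(data: bytes) -> dict:
    """Flag bytes past the pixel array, a header size mismatch, and any embedded PE/.NET images."""
    bmp = parse_bmp(data)
    embedded = [{"mz_offset": mz, "pe_offset": pe,
                 "managed": is_managed_pe(data, pe),
                 "after_pixels": mz >= bmp["pixel_end"]}
                for mz, pe in find_pe_headers(data)]
    return {"declared_size_mismatch": bmp["declared_size"] != len(data),
            "trailing_bytes": max(0, len(data) - bmp["pixel_end"]),
            "embedded": embedded}


if __name__ == "__main__":
    print(scan_bitmap(build_sample_carrier()))
```

Run against a real carrier file with `scan_bitmap(open(path, "rb").read())`. Two of the three signals are independent of the payload format: a declared file size that disagrees with the actual length, and any trailing bytes past the pixel array, are worth a second look in an image fetched by a process that has no business fetching images.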
The researchers believe that the operator may act under the handle “Mehmet.”