Stolen Computers

This is a very real problem. If you have a Blogger blog, you (your blog) are under attack.

Every computer security expert knows that there are probably millions of computers, worldwide, that are not under the complete control of their legal owners. Computers under the control of a bad guy, after infection from a trojan or virus, are a serious problem.

In the recent past, computers controlled (“0wn3d”) by the bad guys were used for one major purpose – spam delivery. In the world of blogging, though, they have a more immediate and obnoxious purpose. They are an essential component in the hijacking of blogs.

Starting with a database listing thousands of targeted Blogger blogs, an army of computers, in a botnet, systematically attacks each blog.

  • In a brute force password attack, the many computers in a botnet combine forces, and methodically guess the password for a given Blogger account. When the password is guessed, all blogs in that account are vulnerable to hijack.
  • In a ping attack, the many computers in a botnet simply ping each blog under attack, periodically. When any targeted blog fails to respond to a ping, presumably after having been deleted, that blog is vulnerable to hijack.
  • Thanks to the splog explosion, and the ongoing attempts by Blogger Support to contain the problem, your blog is subject, at any time, to being falsely detected as a splog. Legitimate blogs are being deleted by the Blogger anti-splog bots.

Note that classical brute force password attacks might have involved a consistent and sequential series of attempts, such as “aaaaaaaa”, “aaaaaaab”, “aaaaaaac”…, all coming from one single computer, and as rapidly as possible. That type of attack is obvious. When a sequence like that is noticed, even a rudimentary Intrusion Detection System (IDS) would simply activate a filter against the IP address of the attacking computer, preventing any more attempts from even reaching the network.

Modern brute force attacks follow no obvious pattern. A random sequence of character strings, with attempts spaced randomly over minutes, days, even weeks, and with the attempts coming, variably, from any of the thousands of different computers in a botnet, is to be expected now. All targeted blogs are attacked, randomly, from the many computers in the botnet. An IDS that only watches the rate of attempts per source IP address has no chance of detecting such an attack, carried out discreetly.
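As an added illustration (not part of the original post), the Python sketch below runs constructed login-log lines through the classic per-IP rule described above and through a per-target-account count. The log format, the thresholds, and the account and address values are all assumptions; the point is that the single-computer attack trips the per-IP filter while the spread-out botnet attempts never do, and only the per-account view sees the latter.

```python
"""Hypothetical auth-log triage: why a per-IP filter misses a botnet's
low-and-slow password guessing, and what counting failures per target
account sees instead. All log lines below are constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines: "<ISO time> <account> <source ip> <result>"
# Classic attack: 20 failures from one host inside 20 seconds.
CLASSIC = [f"2007-03-01T10:00:{i:02d} alice 10.0.0.9 FAIL" for i in range(20)]
# Botnet attack: 20 failures against one account, each from a different
# host, scattered over a week at odd hours.
BOTNET = [f"2007-03-{1 + i // 3:02d}T{(i * 7) % 24:02d}:13:00 bob "
          f"10.0.{i}.{i + 1} FAIL" for i in range(20)]

def parse_line(line):
    ts, account, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "ip": ip, "fail": result == "FAIL"}

def _exceeds(events, key, threshold, window):
    """Return the keys (ips or accounts) that accumulate >= threshold
    failures inside any sliding window of the given length."""
    hits = set()
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["fail"]:
            continue
        q = buckets[e[key]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop timestamps outside window
            q.pop(0)
        if len(q) >= threshold:
            hits.add(e[key])
    return hits

def per_ip_blocks(lines, threshold=10, window=timedelta(minutes=5)):
    """The classic IDS rule: block a source IP after N failures in minutes."""
    return _exceeds([parse_line(l) for l in lines], "ip", threshold, window)

def per_account_alerts(lines, threshold=10, window=timedelta(days=14)):
    """Defender's complement: count failures per account over weeks."""
    return _exceeds([parse_line(l) for l in lines], "account", threshold, window)
```

Against `BOTNET` the per-IP rule returns nothing, because every source address is seen once; the per-account count still flags `bob` because the 20 failures land inside a two-week window.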

As a vulnerable blog is identified, after no ping reply is received, it is assumed to have been deleted. The blog is set up again, and registered to the owner of the botnet. As a vulnerable Blogger account is identified, it is taken over, and the password is changed. The blog or blogs involved are loaded with the spam content provided by the owner of the botnet, and the blog(s) become members of the latest splog cluster.

A successful attack could result in victory for the botnet owner today, tomorrow, or next week. Patience and persistence are the key here.

Some Blogger accounts are hijacked, not through brute force password attacks, but through password theft. Keyloggers, installed, again, by a trojan or virus, are a well known threat. Using a public computer, or using your own computer on a public network, can lead to password theft too.

Why are Blogger blogs targeted so systematically?

  • Blogger blogs are predictably online. If the Blogspot domain is online, the millions of Blogger blogs that exist will consistently respond to pings. Any targeted Blogspot subdomain (Blogger blog) not responding to a ping can be reliably assumed to have been deleted.
  • Many Blogger blog owners are technically unsophisticated. With the easy and free availability of Blogger One Button Publishing, any Internet user can have a Blogger account and any number of blogs. Knowledge of even rudimentary computer security principles is not required.
  • Many blog readers, who frequent blogs with non-technical content, are equally technically unsophisticated. They are the perfect splog targets.
  • Thanks to the Blogger – Google relationship, and the amenities offered, many Blogger blogs have good search engine rankings. These blogs cover a wide variety of technical and non-technical topics, resulting in a very diverse audience, and are of financial interest to the sploggers.
  • And, finally, there are millions of Blogspot blogs, each equally vulnerable. The Blogger / Blogspot domain, as a whole, is a perfect target for a distributed attack.

So how can I, as a Blogger user, help to resolve this problem?

Resolving this problem starts with you. Start now.


2 Responses to “Stolen Computers”

  1. Shephard Says:

    Thanks for posting this information. Much appreciated.

  2. Dirty Butter Says:

    Our Blogger blogs are hosted on our own domain. Are we at just as much risk as those blogs hosted on blogspot?

    You are performing a real service to a large percentage of the blogging community.

    I’d like to invite you to join our family friendly BLOG VILLAGE TopList. I think your blog would be a fantastic addition.

    You can find out more about it at Blog Village blog.
