A Turkish hacking group is encouraging individuals to join its DDoS-for-Points platform, which awards points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a predetermined list of targets.
The points earned can later be redeemed for various online click-fraud and hacking tools.
Dubbed Sath-ı Müdafaa, translated as Surface Defense in English, this DDoS-for-Points platform is advertised via local Turkish hacking forums, including Turkhackteam and Root Developer.
According to Forcepoint security researchers, who discovered the program, the platform's DDoS tool, called Balyoz (Turkish for "sledgehammer"), works over Tor and requires a username and password to log in. The tool then floods the chosen target with denial-of-service traffic.
Here’s How the Balyoz Tool Works
Once a user downloads the Surface Defense collaboration software from the hacking forums and registers, the program runs locally on the user's computer and prompts them to download the Balyoz DDoS attack tool, which is used to attack the limited list of target sites.
The DDoS traffic is routed through Tor to the target. For every 10 minutes the tool spends flooding a website with attack traffic, the participant earns one point.
The points can then be redeemed for rewards including a more powerful version of the Balyoz DDoS attack tool, click-fraud bots that automatically click on ads for pay-to-click (PTC) services such as Ojooo and Neobux to generate revenue, and a program that infects PCs and scares the victim with images and sounds.
The DDoS Tool Contains Hidden Backdoor
“The backdoor is a very small Trojan and its sole purpose is to download, extract and execute another .NET assembly from within a bitmap image,” Forcepoint researchers said.
“It also downloads a secondary ‘guard’ component which it installs as a service. This ‘guard’ component ensures that if the backdoor is deleted then it will be re-downloaded and also installed as a service.”
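The bitmap trick in the quoted description is worth knowing how to check for during triage. The following is an added example written for this article; it is not Forcepoint's code and not the Balyoz backdoor itself. It parses a Windows BMP, computes from the header fields where the pixel array should end, and flags either extra bytes appended past that point or a PE header (an "MZ" stub whose e_lfanew points at a "PE\0\0" signature) sitting inside the pixel region. The page does not say how Balyoz hides the assembly, so both placements are assumptions about where a triager would look first, and the sample bitmaps and the fake PE stub are constructed test inputs, not samples from the campaign.

```python
"""Triage check for a Windows bitmap that may carry a hidden PE/.NET payload.

Added example, not Forcepoint's code. The article only says the backdoor
extracts a .NET assembly "from within a bitmap image"; it does not say how the
bytes are hidden. This script checks the two placements a triager would try
first (both assumptions, not facts from the page):
  1. bytes appended after the pixel array the BMP header accounts for;
  2. a PE header (MZ ... PE\\0\\0) inside the pixel region itself.
"""
import struct

BMP_HEADERS_LEN = 54  # BITMAPFILEHEADER (14 bytes) + BITMAPINFOHEADER (40 bytes)


def bmp_layout(data: bytes) -> dict:
    """Parse the BMP headers and compute where the pixel array should end."""
    if len(data) < BMP_HEADERS_LEN or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    # BITMAPFILEHEADER after the 'BM' magic: bfSize, bfReserved1, bfReserved2, bfOffBits
    bf_size, _, _, off_bits = struct.unpack_from("<IHHI", data, 2)
    # BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression, biSizeImage
    _, width, height, _, bpp, compression, _ = struct.unpack_from("<IiiHHII", data, 14)
    if compression != 0:
        raise ValueError("only uncompressed (BI_RGB) bitmaps are handled here")
    # Rows are padded to 4-byte boundaries; a negative height means a top-down bitmap.
    stride = ((width * bpp + 31) // 32) * 4
    pixel_bytes = stride * abs(height)
    return {
        "declared_size": bf_size,
        "pixel_start": off_bits,
        "pixel_end": off_bits + pixel_bytes,
        "actual_size": len(data),
    }


def find_pe_headers(data: bytes, start: int = 0, end=None) -> list:
    """Return offsets of every 'MZ' whose e_lfanew (at +0x3C) points at 'PE\\0\\0'."""
    end = len(data) if end is None else end
    hits = []
    pos = data.find(b"MZ", start)
    while 0 <= pos < end:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage_bitmap(data: bytes) -> dict:
    """Flag trailing data after the pixel array and PE headers anywhere in the file.

    Confirming that a found PE is a .NET assembly (CLR Runtime Header data
    directory present) is a further step not implemented here.
    """
    layout = bmp_layout(data)
    trailing = max(0, layout["actual_size"] - layout["pixel_end"])
    pe_offsets = find_pe_headers(data)
    return {
        "trailing_bytes": trailing,
        "pe_in_trailer": [o for o in pe_offsets if o >= layout["pixel_end"]],
        "pe_in_pixels": [o for o in pe_offsets
                         if layout["pixel_start"] <= o < layout["pixel_end"]],
        "suspicious": trailing > 0 or bool(pe_offsets),
    }


# --- constructed test inputs (not real samples) -------------------------------
def make_bmp(width: int, height: int, pixels: bytes = b"") -> bytes:
    """Build a minimal uncompressed 24-bpp BMP; 'pixels' is placed at the start of the array."""
    stride = ((width * 24 + 31) // 32) * 4
    pixel_bytes = stride * height
    body = (pixels + bytes(pixel_bytes))[:pixel_bytes]
    file_header = b"BM" + struct.pack("<IHHI", BMP_HEADERS_LEN + pixel_bytes, 0, 0, BMP_HEADERS_LEN)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixel_bytes, 2835, 2835, 0, 0)
    return file_header + info_header + body


def fake_pe_stub() -> bytes:
    """Smallest pattern the PE check accepts: 'MZ', e_lfanew=0x40, 'PE\\0\\0'. Not runnable code."""
    stub = bytearray(0x44)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes(stub)


CLEAN = make_bmp(4, 4)                                   # 54-byte headers + 48 pixel bytes
APPENDED = CLEAN + fake_pe_stub()                        # payload glued past the pixel array
EMBEDDED = make_bmp(8, 8, pixels=bytes(16) + fake_pe_stub())  # payload 16 bytes into the pixels

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("appended", APPENDED), ("embedded", EMBEDDED)):
        print(name, triage_bitmap(sample))
```

A clean bitmap yields no trailer and no PE header; the appended variant reports 68 trailing bytes with the PE at the end of the declared pixel array, and the embedded variant reports a PE header inside the pixel region with no trailer. The stride and height handling follows the BMP format; a payload hidden by some other encoding (for example spread across low-order pixel bits) would need a different check.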
The list of predefined targets includes Kurdish websites of the Kurdistan Workers Party (PKK), its military wing the People’s Defense Force (HPG), an organization by NATO members, Kurdish radio and TV stations, Kurdish hacking crews, and more.
Other politically motivated targets include the Armenian Genocide website, the German Christian Democratic Union (CDU), the party led by Angela Merkel, and many Israeli websites.
“Users can also suggest new websites to add to the list of targets,” Forcepoint researchers said. “There is a live scoreboard for participants to see how they compare to other participants.”
The researchers managed to track down the IP address of the server hosting the Surface Defense software, even though it was hosted on Tor.
This allowed the researchers to gather some information about the operator's identity: the operator appears to use the handle "Mehmet," runs two YouTube channels advertising the Balyoz DDoS tool, and is possibly based in the Turkish city of Eskisehir.
For more technical details on the Surface Defense platform, see Forcepoint's 30-page research paper [PDF], titled “Sledgehammer – Gamification of DDoS attacks (for ideology, profit & mischief).”