In a post about the recent cyberattack on Georgian computers from Russian sites, the shadowserver site asks, “Is it possible the same thing that happened to Estonia is happening to Georgia? To put it quite simply, the answer is yes.” They offer the following as evidence.
“Lots of ICMP traffic and Russian hosts sounds a lot more like users firing off the ‘ping’ command and a lot less like some evil government controlled botnet. It did not take us long to find out what is going on. Much like in the attacks against Estonia, several Russian blogs, forums, and websites are spreading a Microsoft Windows batch script that is designed to attack Georgian websites. Basically people are taking matters into their own hands and asking others to join in by continually sending ICMP traffic via the ‘ping’ command to several Georgian websites, of which the vast majority are government.
The following text is a redacted version of the script being posted:
We have removed the actual commands and parameters of the script to avoid being a distribution point for it. However, you can see the raw list of targets that are being spread across the websites. This script has been posted on several websites and is even being hosted as “war.rar” which contains “war.bat” within it on one site. It would appear that these cyber attacks have certainly moved into the hands of the average computer using citizen.”
Their conclusion is that ordinary users are now participating in the continuing attacks on Georgian websites.
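The distinguishing signal shadowserver describes is the shape of the traffic: lots of ICMP echo requests spread across many unrelated hosts, each contributing a little, rather than a few sources sending a lot. The following is an added example (not code from the original post, and not shadowserver's analysis tooling) showing how a defender can summarize that from flow records. The flow-line format, the sample addresses and the classification thresholds are all assumptions constructed for this example.

```python
"""Summarize ICMP echo-request traffic from simplified flow records.

Added example, not from the original post. It parses constructed
flow-log lines (format assumed: "epoch_seconds src dst proto icmp_type packets"),
aggregates echo requests per source and per destination, and applies a
simple heuristic: many sources each sending a small share looks like
individual users running `ping`, while a few sources carrying most of
the packets looks like a concentrated flood.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: twelve low-rate sources hitting two destinations,
# plus one echo reply and one TCP flow that must be filtered out.
SAMPLE_FLOWS = """\
1218700000 198.51.100.10 203.0.113.5 icmp 8 120
1218700000 198.51.100.11 203.0.113.5 icmp 8 95
1218700001 198.51.100.12 203.0.113.5 icmp 8 80
1218700001 198.51.100.13 203.0.113.5 icmp 8 110
1218700001 198.51.100.14 203.0.113.5 icmp 8 100
1218700002 198.51.100.15 203.0.113.5 icmp 8 90
1218700002 198.51.100.16 203.0.113.5 icmp 8 105
1218700002 198.51.100.17 203.0.113.5 icmp 8 85
1218700003 198.51.100.18 203.0.113.9 icmp 8 115
1218700003 198.51.100.19 203.0.113.9 icmp 8 75
1218700004 198.51.100.20 203.0.113.9 icmp 8 100
1218700004 198.51.100.21 203.0.113.9 icmp 8 125
1218700005 203.0.113.5 198.51.100.10 icmp 0 120
1218700005 198.51.100.50 203.0.113.5 tcp - 30
"""

# Constructed contrast: two sources carrying all the echo traffic.
CONCENTRATED_FLOWS = """\
1218700000 198.51.100.30 203.0.113.5 icmp 8 5000
1218700000 198.51.100.31 203.0.113.5 icmp 8 4800
"""


@dataclass
class EchoSummary:
    total_packets: int
    distinct_sources: int
    top_source_share: float  # fraction of packets from the busiest source
    per_destination: dict    # destination -> echo-request packets


def parse_echo_requests(text):
    """Return (src, dst, packets) tuples for ICMP echo requests (type 8) only."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, dst, proto, icmp_type, pkts = line.split()
        if proto != "icmp" or icmp_type != "8":
            continue  # drop echo replies and non-ICMP flows
        ip_address(src)  # validate addresses; raises ValueError on garbage
        ip_address(dst)
        records.append((src, dst, int(pkts)))
    return records


def summarize_echo_requests(text):
    """Aggregate echo-request packet counts per source and destination."""
    by_src = Counter()
    by_dst = Counter()
    for src, dst, pkts in parse_echo_requests(text):
        by_src[src] += pkts
        by_dst[dst] += pkts
    total = sum(by_src.values())
    top = by_src.most_common(1)[0][1] if by_src else 0
    share = top / total if total else 0.0
    return EchoSummary(total, len(by_src), share, dict(by_dst))


def classify(summary, min_sources=10, max_top_share=0.2):
    """Heuristic label (thresholds are assumptions chosen for this example)."""
    if summary.total_packets == 0:
        return "no-echo-traffic"
    if summary.distinct_sources >= min_sources and summary.top_source_share <= max_top_share:
        return "diffuse-many-sources"
    return "concentrated-few-sources"


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_FLOWS), ("contrast", CONCENTRATED_FLOWS)):
        s = summarize_echo_requests(text)
        print(name, s.total_packets, s.distinct_sources,
              round(s.top_source_share, 3), classify(s))
```

The constructed sample yields 1200 echo-request packets from 12 sources with the busiest source carrying about 10% of them, so it is labelled diffuse; the contrast sample, with two sources carrying everything, is labelled concentrated. On real data the per-destination counts are the other useful output, since they show which hosts are being targeted and belong in front of whatever rate limiting or upstream filtering is available.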
“According to Gadi Evron, former Chief Information Security Officer (CISO) for the Israeli government’s ISP, there’s compelling historical evidence to suggest that the Russian military is not involved. He confirms that Georgian websites are under botnet attack, and that yes, these attacks are affecting that country’s infrastructure, but then notes that every politically tense moment over the past ten years has been followed by a spate of online attacks. It was only after Estonia made its well-publicized (and ultimately inaccurate) accusations against Russia that such attacks began to be referred to as cyberwarfare instead of politically motivated hackers.”
Update II (8/14): A Google Blog Search query returns two results for the comment in the script posted by shadowserver. A search against Google’s main index turns up a few more that look like they are intended to share it with people who will use it. And, finally, a search over Google Groups returns no results. It looks like there are only about ten instances on open sites indexed by Google. I was not able to find anything using Technorati. It may be that there are online sites that Google is not indexing that are being used. If the script was widely distributed, it may have been done using mailing lists that are not indexed by Google, either because they are marked as private or run by another company, like Yahoo.