Hackers organize vandalism contest

A call for online vandals to take part in a Web site defacement contest has some companies warning clients to beware over the holiday weekend.

Robert Lemos
Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
4 min read
A call for online vandals to take part in a Web site defacement contest has some companies warning clients to beware over the holiday weekend.

The contest awards points to vandal groups for defacing Web sites, with higher points awarded for sites that are run on less common servers. The winner of the contest will be the group that defaces 6,000 servers in the shortest amount of time.

The numbers had some security companies warning clients to be on guard for defacement activity.

"Due to the large scope of the contest, normal Internet activity could be disrupted," Internet Security Systems (ISS) wrote in an advisory sent to media outlets.

Peter Allor, manager for ISS's incident response team, said the security company debated whether to make the contest public, but several companies had already sent the warning to news bureaus.

"We went heavily back and forth," he said, adding that, in the past few days, the tenor of the situation changed. "We saw that defacements reported over the last couple of days decreased and the scanning has increased." The trend looked as if online vandals had taken the contest seriously, he said.

Security Web site Zone-H.org, the largest archive of defaced sites on the Web, confirmed that the actual number of defacements sent to its database has decreased in recent days.

"Since the contest was announced, we at Zone-H noticed a significant drop in the notifications," Roberto Preatoni, founder and editor of

Special report
The thin gray line
New laws make hacking
a black-and-white choice.

Zone-H, wrote in an e-mail to CNET News.com. "It doesn't mean the crackers are at the beach. It means instead that they are rooting (taking over) targets, waiting to deface them during the contest time."

Hackers who break into computers and do other criminal activity are frequently referred to as "crackers."

Preatoni added that Zone-H expects to record between 20,000 and 30,000 Web site defacements during the contest.

Because the contest doesn't differentiate between defacements on the same server, so-called mass defacements will be far more likely, he said. "What is mostly going to happen is that a lot of Web-hosting companies will be hit, instead (of) single servers belonging to different companies."

"To deface in a short time, defacers are using special mass-defacement tools that can deface in three minutes a Web-hosting server that contains several thousand Web sites," he wrote.

Preatoni said his site will record the defacements just as it always does, adding that he doesn't believe that shuttering the system during the contest will discourage the vandals.

"The scope of Zone-H is to monitor cracker activity, so I don't think we would render a good service to the community if we would put a blindfold on our mirror robots," he said.

ISS's decision to publicize the advisory earned it criticism, however. Rafael Nunez, a former hacker and a security consultant with

Special report
Hacking their image
An underground school tries
to reprogram hackers' reputation.

Scientech de Venezuela, said ISS likely made things worse and may have turned what could have been a nonevent into a self-fulfilling prophesy.

"I have been in contact with Brazilian defacers, and they say that contest is a joke," Nunez said. ISS's advisory is "sort of like warning you against eight-year-old terrorists," he said, and makes the situation seem more serious than it is.

The Web site for the contest has a fluent Portuguese section and a broken-English section, evidence, Nunez said, that points to Brazilian "script kiddies" as the source. Script kiddies are nontechnical vandals that use tools created by other, more knowledgeable hackers to attack systems.

Security company Symantec wouldn't comment on ISS's public announcement of the contest, but did say that its extensive network of 19,000 sensors hadn't seen the increase in scanning activity that ISS's network had detected.

"As far as general Internet traffic, based on our statistics, it's just been the basic noise we see every day," said Sharon Ruckman, senior director of Symantec's security response team.

The company has decided not to issue an advisory, because it doesn't see the contest as being a threat, she said.

Web servers that run on Windows systems--historically the most common targets of defacements--may weather Sunday's storm quite well, as the contest awards such systems the least points per defacement.

The contest awards a point for every Windows systems defaced, two points for a Unix, Linux or BSD system, three points for any system running IBM's AIX, and five points for an HP-UX system or Apple Computer OS X system.