An ad for Balyoz on Turkish hacking forums [Credit: Forcepoint]

A Turkish hacking crew is running a DDoS-for-Points platform where participants earn points for carrying out DDoS attacks against a list of predetermined targets. They can later exchange these points for various online click-fraud tools.

The name of this DDoS-for-Points platform is "Sath-ı Müdafaa," which translates to "Surface Defense."

The platform is advertised through local Turkish hacking forums such as Turkhackteam and Root Developer.

Its creators say that each hacking crew or hacker who participates in the Surface Defense program will receive one point for every ten minutes of DDoS attacks.

Hackers get points for attacking a list of political targets

Surface Defense members are only allowed to attack a list of predefined targets. This list includes many websites that appear to have been added to the lineup based on political reasons.

The list includes Kurdish targets such as the Kurdistan Workers Party (PKK), an organization considered a terrorist group by NATO members, its military wing the People’s Defense Force (HPG), the websites of Kurdish hacking crews, Kurdish radio and TV stations, and more.

Other politically-motivated targets include the German Christian Democratic Party (CDU, Angela Merkel's party), the Armenian Genocide website, and several Israeli sites.

List of targets included in the Surface Defense program [Credit: Forcepoint]

Hackers must use a special DDoS tool nicknamed Sledgehammer

Hackers that sign up for the Surface Defense program must use a special tool to carry out the DDoS attacks. This tool is named Balyoz, translated to "Sledgehammer."

The version of Balyoz participants receive is locked-in and only allows them to attack the list of predefined targets.

This DDoS tool includes features to prevent cheating, such as attempts to run Balyoz inside a virtual machine.

Balyoz is available in two versions, one with a GUI and one for users who prefer command-line tools. According to Forcepoint security researchers, who uncovered the Surface Defense program, Balyoz works via Tor, requires a username and password to log in, and uses a DoS (Denial of Service) technique to starve targets of computing resources.

Balyoz DDoS tool CLI version [Credit: Forcepoint]

If the operators of the Surface Defense program detect that a user is trying to cheat and rack up more points, they can tell Balyoz to download and install a backdoor trojan in real time, or the next time the user logs in.

As Turkish hacking crews carry out attacks, the Surface Defense platform aggregates the points and creates a ranking.

A ranking of hacking crews participating in the Surface Defense program [Credit: Forcepoint]

Surface Defense members can earn hacking tools for their efforts

After gathering a certain number of points, participating hackers can exchange their totals for various click-fraud tools. According to a YouTube video, they have four tools at their disposal.

The big prize is an untethered version of the Balyoz DDoS tool that allows users to launch DDoS attacks against sites not included in the predefined list of targets.

The others are three click-fraud bots that can automatically click on ads for pay-to-click (PTC) services such as Ojooo, PTCFarm, and Neobux PTC.

Rewards offered to Surface Defense participants [Credit: Forcepoint]

Forcepoint researchers say that they've managed to track down the IP address where the Surface Defense platform operated, despite the platform running on the Dark Web via Tor.

This breakthrough has helped researchers gather some information on the hacker's identity, such as a name/nickname, which appears to be "Mehmet." Researchers said they also tracked the name Mehmet to two Balyoz tutorials uploaded on YouTube.

For a more in-depth analysis of the Surface Defense platform, you can download and read Forcepoint's 30-page "Sledgehammer - Gamification of DDoS attacks (for ideology, profit & mischief)" report.