
Cybercriminals Building New, Stealthier Networks

CmdrTaco posted more than 7 years ago | from the hey-wait-a-minute dept.

Security 107

ancientribe writes "Cybercriminals are adopting a new method of hiding and sustaining their malicious Websites and botnet infrastructures so they'll be harder to detect, called "fast-flux," according to an article in Dark Reading. Criminal organizations behind two infamous malware families — Warezov/Stration and Storm — in the past few months have separately moved their infrastructures to so-called fast-flux service networks. The article says bad guys like fast-flux not only because it keeps them up and running, but also because it's more efficient than traditional methods of infecting victims' machines." I'm not exactly sure why this is new/different than the more well known open relay proxy networks.


107 comments


Block TCP Port 80 (4, Insightful)

quanticle (843097) | more than 7 years ago | (#19899953)

What can be done about fast flux? ISPs and users should probe suspicious nodes and use intrusion detection systems; block TCP port 80 and UDP port 53; block access to mother ship and other controller machines when detected; "blackhole" DNS and BGP route-injection; and monitor DNS, the report says.

The bit about blocking TCP port 80 is troubling. I run a small web-site for learning purposes and to share info with family and friends. I don't especially like the possibility of having to ask or pay extra to have port 80 opened on my end.

Re:Block TCP Port 80 (1)

physicsboy500 (645835) | more than 7 years ago | (#19900029)

(correct me if I'm wrong but,) Isn't most HTTP traffic routed through ports 80 and 8080? I don't see how the average user could still have a functional internet connection with those ports blocked.

Re:Block TCP Port 80 (1)

Nexus7 (2919) | more than 7 years ago | (#19900169)

The default for incoming is port 80. Port 8080 is popular too. These are for people connecting to your web server. Blocking these doesn't affect outgoing connections, that is, your browsing experience.

Re:Block TCP Port 80 (4, Insightful)

utopianfiat (774016) | more than 7 years ago | (#19901819)

This is what Slashdot has become.
Two years ago there would have been a frosty piss and a two-page discussion on how this douchebag OP was wrong to use the word "cybercriminals" (or cyberfoo for that matter), and how his article reads like a page out of the script to this flaming piece of shit. [imdb.com] Where did we go? Since when did Slashdot become Eternal September?
That's right point-bearing masses, mod me flamebait because nobody else has the balls to stand up to this kind of terrible quality news. FFS look at the damn article! It says nothing! It literally states something that was true ten years ago when the botnet was invented! News for NERDS? more like News for NEWBS.
Christ alfuckingmighty.

Re:Block TCP Port 80 (1)

kestasjk (933987) | more than 7 years ago | (#19903663)

Yeah, no-one ever criticizes the stories or the editors these days.

Re:Block TCP Port 80 (0)

Anonymous Coward | more than 7 years ago | (#19917803)

The thing that remains the same is there is always whining; what changes is what is whined about. See your post for example.

Re:Block TCP Port 80 (0)

Anonymous Coward | more than 7 years ago | (#19900175)

Incoming, not outgoing. Quite a lot of bastard ISPs block any incoming connection on 80.

Re:Block TCP Port 80 (0, Redundant)

TheCarp (96830) | more than 7 years ago | (#19900205)

um he knew that, and was correct.

-Steve

Re:Block TCP Port 80 (1)

somersault (912633) | more than 7 years ago | (#19901353)

Actually, doesn't seem like he did.. I was thinking along the same lines as him, but since it's only blocking incoming then it would only affect someone trying to host a website rather than view them.

Re:Block TCP Port 80 (1)

TheCarp (96830) | more than 7 years ago | (#19901383)

I read it as he was hosting a site, and the complaint was that other people couldn't view it.

-Steve

Re:Block TCP Port 80 (1)

somersault (912633) | more than 7 years ago | (#19901483)

"don't see how the average user could still have a functional internet connection with those ports blocked."

Nah.. the average user just wants to browse for pr0n!

Re:Block TCP Port 80 (1)

matt328 (916281) | more than 7 years ago | (#19900261)

I believe they're talking about blocking inbound traffic on port 80. My old ISP, Adelphia blocked inbound traffic on port 80 and my internet connection was very much functional.

Re:Block TCP Port 80 (1)

mengel (13619) | more than 7 years ago | (#19901407)

And if you ran a webserver at home, your internet connection would not be functional.

Blocking ports is not a security fix; it is breaking the network's functionality, and is simply putting baling wire and chewing gum over serious security problems rather than really fixing them.

Whatever ports you allow open, these guys will use, and if you block all ports, your network is not functional.

Re:Block TCP Port 80 (2, Insightful)

utopianfiat (774016) | more than 7 years ago | (#19902017)

I'm waiting for a worm that exploits STUN and invalidates the whole "block any port you don't use" rule.

Re:Block TCP Port 80 (1)

PurPaBOO (604533) | more than 7 years ago | (#19902757)

I'm waiting for fluorescent baler-twine.

Re:Block TCP Port 80 (1)

elh_inny (557966) | more than 7 years ago | (#19914325)

I'm waiting for a worm that exploits STUN and invalidates the whole "block any port you don't use" rule.
Even if such a worm arrives on the scene it will not reverse the ISPs' port blocking policies for the simple reason that they prohibit some kinds of old vectors of attack.

This is much like the old BIOS function to notify tampering with the MBR: this vector of attack is no longer used but the function is still there (although disabled by default), and a few recent incidents show that it was a good choice to leave it there. Nowadays it's used by some of the rootkits, for instance to overcome all Vista security protection schemes.

On the other hand I agree that too strict port blocking has caused Internet usage to evolve, and nowadays a lot of traffic lives on top of HTTP or in UDP, whereas it could have been implemented in its RFC-dedicated port range if it weren't for the port blocking.

Re:Block TCP Port 80 (2, Insightful)

brunes69 (86786) | more than 7 years ago | (#19900071)

So run it on port 8080 or something else. There is nothing magical about port 80 that you have to run a website on it.

Re:Block TCP Port 80 (2, Interesting)

Sobrique (543255) | more than 7 years ago | (#19900183)

I take it you mean except the IANA assigned port number?

How about outbound firewall and proxy configurations?

Re:Block TCP Port 80 (3, Insightful)

Otis2222222 (581406) | more than 7 years ago | (#19900477)

That sounds great, I am sure it would be no problem whatsoever to tell your friends "My website is at dub-dub-dub dot mywebsite dot com, colon eighty eighty. And if you don't type the 'eighty eighty' you won't get there. Don't forget to type colon eighty eighty, grandma".

And what the other guy said about proxies is valid too. It's very common for outbound corporate firewalls to block non-port-80 traffic for web browsing.

Re:Block TCP Port 80 (1)

rossifer (581396) | more than 7 years ago | (#19901917)

My grandmother doesn't type in URLs. So I send her an email with the URL in the email. The :8080 doesn't matter at that point.

She does know not to click on URLs unless she's expecting someone to send her info about something.

Ross

Re:Block TCP Port 80 (1)

brunes69 (86786) | more than 7 years ago | (#19903043)

Just make an alias for the site via any of the hundreds of free web redirectors around. TinyURL.com being one example.

Re:Block TCP Port 80 (1)

PsychosisC (620748) | more than 7 years ago | (#19900499)

Don't you realize what you've done?! Now all the hackers know how to get around the port block!

Re:Block TCP Port 80 (4, Funny)

veganboyjosh (896761) | more than 7 years ago | (#19900979)

Mr. Potatahead! Mr. PotataHEAD! Getting around port blocks is not secret!

Re:Block TCP Port 80 (1)

Dun Malg (230075) | more than 7 years ago | (#19901173)

it's POTATOhead, mr Quayle

Re:Block TCP Port 80 (2, Interesting)

InsaneMosquito (1067380) | more than 7 years ago | (#19900185)

Charter.net blocks port 80. It was a PITA to figure out why I couldn't connect to my webserver from outside the Charter network, while inside their network I could just fine. Once I figured it out though, it was as simple as moving the webserver to a different port. I picked 443 because they allow secure websites. From there I just set up a little domain forwarding/cloaking so that end users never see they are connected to 443 and don't use SSL - it's not needed for the type of site I have hosted.

Re:Block TCP Port 80 (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19900213)

Burbage dies on pg. 12
Hedwig dies on pg. 56
Mad-Eye dies on pg. 78
Scrimgeour dies on pg. 159
Wormtail dies on pg. 471
Dobby dies on pg. 476
Snape dies on pg. 658
Fred Weasley dies on pg. 637

Harry gets fucked up by Voldemort on pg. 704 but comes back to life on pg. 724

Tonks, Lupin, and Colin Creevy have their deaths confirmed on pg. 743

19 years after the events in the book:

Ron has married Hermione, their two children are named Rose and Hugo

Harry has married Ginny, their three children are named Lily, James, and Albus Severus.

Draco Malfoy has a son named Scorpius

    The epilogue shows all of the children boarding the train for Hogwarts together.

The final lines of the book are: "The scar had not pained Harry for 18 years. All was well."

Plot Spoilers
Part of Voldemort's soul was implanted into Harry whenever he used Ara Kadvara on him when he was a baby. Harry then sacrifices himself a la Lilly Potter style, which allows him to kill Voldemort without killing himself. He also has hacks (stone to bring him back to life, and an uber wand).

    Snape went to the good side (Hogwarts, etc.) because he was all emo that Voldemort killed Lilly Potter.

Harry has three kids with Ginny. Ron and Hermione fall in love.

Re:Block TCP Port 80 (3, Interesting)

CastrTroy (595695) | more than 7 years ago | (#19900299)

I've never got why people want to run a webserver on their home computer over a cheap cable/DSL connection. I tried it for a while, but between the cost of the extra computer, the cost of the extra electricity, the trouble of setting up all the server software on my own, the trouble of dealing with changing IPs, and all the other wonderful cable ISP network oddities, I found it easier to just pay a cheap monthly fee for a shared hosting account. It's nice to run a home server for some things, but if it's going to be used by a lot of people, and accessible from outside your home, then it's way easier to just pay for hosting. That's my opinion anyway.

Re:Block TCP Port 80 (1)

somersault (912633) | more than 7 years ago | (#19901429)

I'm amazed that you were modded a troll for expressing your justified opinion in a non confrontational manner.. guess I'll have to not take it so personally next time it happens to me!

Re:Block TCP Port 80 (1)

geniusj (140174) | more than 7 years ago | (#19902633)

Overflow from digg? :-\

Re:Block TCP Port 80 (1)

GundamFan (848341) | more than 7 years ago | (#19903349)

Troll Post, noun:
1. A post expressing a different opinion than that of the moderator.
2. A post not read or comprehended by the moderator.
3. A post that was intended as a joke and was not found funny by the moderator.

Yo Mods! (1)

ColdWetDog (752185) | more than 7 years ago | (#19901621)

Prozac time! Or at least some decent coffee. It's not the OP's fault that you haven't gotten laid.

Oh, and can we at least try for some reading comprehension? That's a perfectly reasonable statement and makes no mention whatsoever of Microsoft, Apple, Google or George Bush.

Plenty of good reasons (1)

Bat Country (829565) | more than 7 years ago | (#19902611)

I find it's a great way to share information with friends if you happen to use IRC as your preferred means of digital communication instead of IM.
 
Maintain a nonstandard port webserver with a dummy index.html file, dump any files you'd like to share with friends in there, have a little alias script which fills in the blanks with your site address (like "/myweb whatever.jpg") and then let rip.
 
It's a lot easier to show people what your most recent project is without having to deal with crap like Flickr, MySpace, Facebook, and whatnot. Saves you having to upload everything first to your web host, then have your friends download it, especially when it's just something small like 35kb jpeg or the like (or even something larger, like your most recent composition in mp3 format). A good DSL connection these days can push 80kb/s, which is fast enough to stream a low-fi mp3 to 4 or more people at once.
 
Additionally, having your own local webserver set up was a tremendous help when I was teaching myself PHP, and later when I was developing some rather tricky websites for subcontract work. Beats having to hit upload in your HTML editor of choice, or having to deal with the lag of working over SFTP, then refresh the web browser after the transfer finishes.
 
This is assuming you're not completely hardcore and do all of your PHP/HTML/CSS in vi or emacs instead of a more modern code editor (code collapse, color highlighting, and completion is your friend).

Re:Plenty of good reasons (1)

daem0n1x (748565) | more than 7 years ago | (#19903487)

Vi and Emacs have more features than you imagine.

Re:Plenty of good reasons (0)

Anonymous Coward | more than 7 years ago | (#19903937)

"This is assuming you're not completely hardcore and do all of your PHP/HTML/CSS in vi or emacs"

Guess again, 'notepad'...

Re:Plenty of good reasons (1)

Iron Condor (964856) | more than 7 years ago | (#19907043)

Agreed with the sentiment, plus one extra thing: there's no point in shelling out for 9GB of hosting space for the ONE DVD ISO I'd like to make accessible to the ONE person who's ever going to download it. On my home machine it'll clog up the tubes overnight and that's all it ever needs.

And then there is

This is assuming you're not completely hardcore and do all of your PHP/HTML/CSS in vi or emacs instead of a more modern code editor

I use emacs. I never realized that made me "hardcore".

(code collapse, color highlighting, and completion is your friend).

emacs had done all this since the eighties. So?

Re:Block TCP Port 80 (1)

Fweeky (41046) | more than 7 years ago | (#19902841)

I have plenty of my own hosting (several racks, a few dozen machines), but I still run a webserver at home.

A large part of it is that it's easy, and the machine and software it lives on would exist anyway (I'm a web developer, among other things). I find it a good place to dump low priority things which I don't want to faff about dealing with remotely; like photos. I could easily be using GBs of disk space with photos hardly anyone will bother to look at, and that can add up rapidly on a server which may only have a few 36G HDs shared between various users. In the meantime, the users most likely to be interested (me, others in the house) would actually end up with slower access, while everyone suffers from the increased time it takes to add new images.

There's other stuff too; prototype applications, or things with dependencies which don't happen to match those on a handy server. I can use mod_proxy to give them nice URLs and even provide caching from a "proper" server, while still serving them from home where I can keep an eye on them and develop them safely and comfortably.

Re:Block TCP Port 80 (1)

CastrTroy (595695) | more than 7 years ago | (#19903133)

So basically you're saying what I said. For stuff that's just used within your house, definitely a home server makes sense. But for stuff that others are going to be accessing from outside your house, shared hosting can get rid of a lot of issues. Even using your home server as a staging area for the stuff you put up on your shared hosting account is a good idea. So, I'm not saying that nobody should be running a home server, just that I don't see the usefulness of using it as a machine that the whole world, or a bunch of people outside your house, are supposed to access.

Re:Block TCP Port 80 (1)

guywcole (984149) | more than 7 years ago | (#19904353)

Because we're nerds, so it's neat to do? Or because it's a great way to learn about networks?

Re:Block TCP Port 80 (1)

blackest_k (761565) | more than 7 years ago | (#19907151)

MythTV (more specifically MythWeb), ZoneMinder and SlimServer spring to mind as possible reasons to run your own web server. Being able to set MythTV to record any TV program for you, check your CCTV cameras at home and access your music collection from anywhere in the world seems reason enough to run a webserver. Obviously you don't make these services available to the general public, but if the PC is going to be on anyway, why not.

I would agree that if you want to run a public website then paying for hosting or using your isp provided webspace is far easier.

Re:Block TCP Port 80 (5, Interesting)

Anonymous Coward | more than 7 years ago | (#19901005)

With power comes responsibility. If you want unfettered internet access, it's your responsibility to make sure that your participation in this network doesn't cause problems for others. Since most residential internet users have neither the ability nor the intention to shoulder that responsibility, their upstream provider has to find ways to protect other internet users from his customers, because if he doesn't, he will ultimately have to pay for the damage that they do (higher traffic costs, less favorable peering agreements, blacklisting, etc.)

The net has grown very fast and so far we've shirked the responsibility issue: customers complain about spam, and when the spammer's provider says it's not their responsibility, they're called a safe haven for spammers. On the other hand, when customers get cut off because their computers are scanning and infecting other machines, they complain that it's not their fault, how are they supposed to keep their system clean without a full time admin, and it's none of the ISP's business as long as the internet access bills are paid.

So, in the end (2, Interesting)

vivaoporto (1064484) | more than 7 years ago | (#19899955)

These criminals are giving a "smarter" * use for the enormous potential that these hundreds of thousands of homogeneous (or similar enough) connected machines have than most companies out there do. It is time for 1) Microsoft and its users to get their act straight and work on better security for their machines and 2) someone to realize the incredible potential of all this "dark" bandwidth and processing power and give it a good use. Criminals are showing it is possible; all it needs is some legitimate application.

* Smart but immoral and illegal. I, for one, don't condone nor endorse their actions, and think they are nothing but vile criminals

Re:So, in the end (1)

HappySmileMan (1088123) | more than 7 years ago | (#19900053)

There are ways of utilising the bandwidth for good purposes: there's SETI (good if you believe that your bandwidth can actually find aliens) and Folding@Home (a bit more useful, helps understand how diseases develop).

Re:So, in the end (0)

Anonymous Coward | more than 7 years ago | (#19901311)

seti@home and folding@home use processor cycles, not bandwidth.

Re:So, in the end (1)

LnxAddct (679316) | more than 7 years ago | (#19900091)

With regard to point 2, have you never heard of Folding@home or World Community Grid? Or did I misunderstand what you were saying?

Re:So, in the end (1)

misanthrope101 (253915) | more than 7 years ago | (#19900775)

The dark fiber is dark, and the unused cycles are unused, not because there aren't enough good reasons to use them, but because there aren't enough economically profitable reasons to use them. Folding@home may cure disease, but if it doesn't make a buck...scratch that, if it doesn't maximize revenue as part of a dynamic global strategy to leverage something or other, then they can't be bothered. Making a buck isn't enough anymore.

Re:So, in the end (1)

EveryNickIsTaken (1054794) | more than 7 years ago | (#19900129)

It is time for 1) Microsoft and its users get their act straight and work on better security for they machines
Given that Windows has hundreds of millions (if not billions) of users, and that a significant portion run pirated versions (and therefore avoid installing all flavors of patches), how exactly do you expect all of them to close up their machines? Do you suddenly expect the Chinese, Koreans, and others to have a conscience about this kind of shit?

Re:So, in the end (1)

mrbluze (1034940) | more than 7 years ago | (#19900445)

These criminals are giving a "smarter" * use for the enormous potential that these hundred thousands of homogeneous (or similar enough) connected machines have than most companies out there does. It is time for 1) Microsoft and its users get their act straight and work on better security for they machines and 2) someone to realize the incredible potential of all this "dark" bandwidth and processing power and give it a good use. Criminals are showing it is possible, all it need is some legitimate application.

Yes, it's time the Empire of Nastiness started to use its powers for good instead of evil.

Re:So, in the end (1)

ToriaUru (750485) | more than 7 years ago | (#19901093)

In the end this really does scare me. My husband has a terrible habit of surfing for porn (yeah guys chuckle all you want, doesn't bother me too much). He does use Firefox, and I've got Adblock installed, but still I'm positive something is wrong in there. All the antivirus checks are negative, no rootkits found using the f-secure BlackLight, and the sysinternals rootkit detector. But just have a sinking horrible feeling something isn't "right". Check out my blog http://toriauru.blogspot.com/ [blogspot.com] to see what I've noticed in the last few days. Really scary stuff. Let's get all the eggheads that love writing software to start working for security companies :P

Re:So, in the end (1)

dosquatch (924618) | more than 7 years ago | (#19903279)

My friend's computer has been acting funny lately as well. The firewall reports (and stops) outbound connection attempts on unusual ports to seemingly random IP addresses at seemingly random intervals, even when the computer is completely idle otherwise. Virus scan with AVG and Norton - nothing. Spybot S&D, AdAware - nothing. Rootkit Revealer - nothing. HijackThis - nothing. ADSRevealer - nothing. Startup list viewer - nothing.

Yet, still with the random connection attempts.

The traffic is coming from lsass. No, not a virus, the real one. I've replaced it with a known good copy. STILL with the random connection attempts. I've booted into safe mode w/ networking support. Still with the random connection attempts.

Something in there is doing things it ought not, but I'll be damned if I can find it.

Re:So, in the end (1)

ToriaUru (750485) | more than 7 years ago | (#19903695)

Yeah, that's the scary thing, that a semi-competent person like myself, just knows enough to know what's wrong, but not how to fix it. I'm dreading yet another wipe, and reinstall, but sure enough, that's really the only great way to fix it all. Ugh, such a fucking pain in the arse. Sorry, yes, I do know Linux, and Ubuntu is *safer* but I do need Windows for certain things. I can't just completely switch to Linux like that *snaps fingers*. It's taking time for me to learn it all.

Re:So, in the end (1)

Torvaun (1040898) | more than 7 years ago | (#19904507)

Pull the drive, and hook it into a known-good system. Boot from the other disk, and run your tests from there. Nothing gets run from the infected drive, so you should get a clear picture of what's really there.

Re:So, in the end (1)

ToriaUru (750485) | more than 7 years ago | (#19905659)

Okay, will try that. Thanks. :) (and thanks for the no-attitude reply like why don't you use Linux all the time stuff) :P

Re:So, in the end (1)

Torvaun (1040898) | more than 7 years ago | (#19906023)

I don't actually use Linux very much. My gamer ways have kept me with Windows.

So, in the end - Download and distribute. (0)

Anonymous Coward | more than 7 years ago | (#19903807)

"Criminals are showing it is possible, all it need is some legitimate application."

Piratebay and P2P are leading the way with move-countermove in an effort to get Linux ISOs [slashdot.org] like Baby, one more time [thepiratebay.org] out to the public.

Re:So, in the end (1)

Abuzar (732558) | more than 7 years ago | (#19910773)

Dude, criminals are kewl, we wouldn't have civilization without them :)

News at 11 (0, Flamebait)

spikedvodka (188722) | more than 7 years ago | (#19899967)

translate: Scum of the earth trying to stay 1 step ahead of kings horses & men

News at 11

Was this news? (1)

badger.foo (447981) | more than 7 years ago | (#19900021)

The essence of the article really boils down to "botnet herders may have the ability to update their DNS info quickly".
Possibly makes it incrementally harder to track down every last one of the pwned machines, a tad more if your logs store only resolved names but no IP addresses.

Most /.ers likely knew this already, but I imagine this may be exciting and scary to some suits.

In other words, the world did not change much due to this.

Don't bury me... (0)

Anonymous Coward | more than 7 years ago | (#19900123)

...cuz, really, I shorted out a zombo compy...you dig?

" why is this new/different" (4, Funny)

tomhudson (43916) | more than 7 years ago | (#19900155)

"I'm not exactly sure why this is new/different than the more well known open relay proxy networks."

... which just goes to show that even spammers can fall victim to their own marketing:

Tired of your botnets getting killed off? Use fast-flux. See a 30% increase in only 2 days. She'll love you for it!

Re:" why is this new/different" (0)

Actually, I do RTFA (1058596) | more than 7 years ago | (#19900859)

... even spammers can fall victim to their own marketing

Fall victim? Sir, you are implying that the messages I send out somehow victimize people! I merely want to let everyone know about great financial opportunities, cheap prescription/software options, easy to find love/sex, and the ability to set your personal m_fPenisSize to whatever value you want.

Speaking of which:

Re:" why is this new/different" (1)

Pollardito (781263) | more than 7 years ago | (#19902941)

fast flux! apply directly to your bot-net
fast flux! apply directly to your bot-net
fast flux! apply directly to your bot-net

What's special about port 80? (2, Interesting)

Control Group (105494) | more than 7 years ago | (#19900159)

I am not a networking guru (IANANG, copyright 2007, me, all rights reserved), so I'd appreciate somebody setting me straight on this if necessary.

But I don't really see how blocking port 80 would be an effective way to fight this sort of thing. There's nothing special about port 80 aside from it being the default http port. Unless the victims are typing the URL into their address bar, I don't see any reason the mother ship couldn't have bots listen on another port. I mean, the machine is already owned, so it's not like opening up port 43783 is difficult. And I can't help believing that most - if not all - people going to these sites are clicking links, not typing addresses.

So you close off port 80, and anyone running a legit (well, probably not, given the TOS of most ISPs, but at least not a malicious) web server out of their house/apartment/dorm room can no longer easily direct people to it. Meanwhile, the malicious sites are slowed down by the amount of time it takes some jackass to change one constant in one piece of code.

Unless, of course, there's some other factor I'm unaware of making it more difficult to reach an http host over something other than port 80.

Re:What's special about port 80? (0)

Anonymous Coward | more than 7 years ago | (#19900317)

Dear Control Group,

Blocking port 80 is bad. When we infect machines, we look at their hard disks. If there is any pr0n, we set up a webserver and send the URL out to our friends. You can join our network of friends. All you need to do is send us your username and password, your IP address and what operating system you use. Don't bother lying because we already know your IP address. Thanks!

Sincerely,
Spammers

Re:What's special about port 80? (1)

timeOday (582209) | more than 7 years ago | (#19900393)

I'm not saying it's a good idea. But the intruders do need some way to access the machine at will. If they leave a port listening, the OS knows and can tell the user (netstat) or firewall it unless the OS is also compromised. If the OS is compromised, it still wouldn't be long until somebody figures it out and massive blocking on that port could occur by ISPs (as is being suggested). The bot could poll some website to update itself, such as triggering a switch listening on a new port, but that would be obvious and the update site easily blocked. I'm not savvy enough to know how attackers solve this problem in general.

Re:What's special about port 80? (4, Interesting)

Control Group (105494) | more than 7 years ago | (#19900699)

*shrug*

Randomly select a different port each time you connect to the zombie. If you're really worried about users running netstat to check their open ports (and I suspect that zombied machines are more often owned by people who don't even know the CLI exists, much less who generally run network diagnostic tools via the CLI than not - and by a wide margin), then have it only open the port for ten minutes every hour. Windows, by default, updates its clock to NIST weekly, so you can be reasonably sure that your zombies are synced enough for that to work. Round-robin assign the ten minute window to the zombies (xx:00 - xx:09, xx:01 - xx:10, xx:02 - xx:11, etc). During that window, you use the zombie to host content, and you can push a listen port update. At any given time, most of your zombies are running on the same port (they have to be, or your victims can't connect to your content), but blocking that port will only be effective for however long you determine. How fast can ISPs identify a rogue port and block it?

If my experience with spam is any indication, the linked sites go down almost as fast as the spam comes in, but that's (apparently) not a problem for the spammers. So you rotate ports every two, three days.

And this is just the scheme I've come up with off the top of my head in less than a minute.

Come to think of it, you're already executing arbitrary code on the zombied machine. Have them determine when they can listen on their assigned port, with a minimum frequency and duration set, with a bias towards times the user isn't at the console. When the window opens, step one is to notify the mother ship that this machine is active.

There are probably holes in this scheme, but I don't see the problem as being intractable. I do see any effort to just block port 80 as being naive (at best). I don't think ISPs can respond fast enough to block a new port every couple days, but perhaps I'm wrong about that.

Re:What's special about port 80? (2, Informative)

GnuDiff (705847) | more than 7 years ago | (#19900559)

AFAI have looked, port 80 is the one that is least likely to be stopped by firewalls.

There are a number of small (and I mean tiny - think 100 clients max) ISPs around my city alone, whose networking expertise is close to nil. They go with default settings of the equipment they get. So even if they put up a firewall of sorts to protect their clients, it is left at default settings.

The fact is there are not only tons of users out there without a clue, but a nice bunch of ISPs as well and sloppy network admins, sometimes even of large organizations.

Re:What's special about port 80? (4, Informative)

orclevegam (940336) | more than 7 years ago | (#19900597)

The blocking of port 80 they suggest really isn't about stopping the fast flux network, but it's an attempt to make it harder (marginally) to use the systems on that network for phishing attacks. As I understand it one of the uses these networks are being put to is to duplicate a phishing site on a couple hundred zombie systems, then rotate a single phishing URL through all of them making it harder to bring down the phishing site because you'd have to take down every one of the zombies, or find some way of nuking the DNS entry (which apparently the registrars are hesitant to do, even though some recent events seem to show that they'll do it quite happily if a big enough company or corporation asks them to). Personally I think blocking port 80 is a dumb idea and barely constitutes a speed bump for the kinds of people that run these things, but hey, that's never stopped a company from adopting a stupid idea, or marginal positive value and substantial negative (to the customer, if it hurts their bottom line forget it).

and in 3.. 2.. 1.. (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19900165)

The word is "hacker". (0, Flamebait)

Anonymous Coward | more than 7 years ago | (#19900255)

Save the song-and-dance about what the word meant in the 70s and accept that language is fluid and the meaning has changed. ...or has it, even?

Crime is defined by the law, not by what you think the laws should be -- and by that standard, even most of the "white hat" hackers are "cybercriminals". So just call them hackers, please. Don't use feeble euphemisms. Canute couldn't hold back the tide and you can't change the meaning of words through minority boycotting.

Re:The word is a useful filter. (0, Flamebait)

argent (18001) | more than 7 years ago | (#19900895)

If some white guy starts casually using terms like "nigger" you know something useful about them: they're an idiot racist.

The word "hacker" is a similarly useful filter.

Re:The word is a useful filter. (0, Offtopic)

geek2k5 (882748) | more than 7 years ago | (#19901779)

The media is very good at taking a word and giving their own spin to it. Thus hacker gets a negative connotation.

Do note that 'hack' has a negative connotation in the media industry. Perhaps those of us in the computer world can link that word to various media 'hacks' that need vocabulary training. We do, after all, know how computer based media works.

I seem to recall a sage commenting that one should "Never argue with an organization that buys ink by the barrel."

Perhaps we should update that with "Never argue with geeks whose home computers would make the world's largest computing array."

Re:The word is a useful filter. (1)

argent (18001) | more than 7 years ago | (#19902109)

The media is very good at taking a word and giving their own spin to it. Thus hacker gets a negative connotation.

Which is why it's a useful filter. It tells you that the person you're speaking to gets their ideas about computer security from the media.

Re:The word is "hacker". (2, Informative)

Mathinker (909784) | more than 7 years ago | (#19900899)

> even most of the "white hat" hackers are "cybercriminals"

Checking http://en.wikipedia.org/wiki/Hacker_definition_controversy [wikipedia.org] gives Linus Torvalds as an example of a hacker of the "other definition"... in what way is he a cybercriminal?

I hope whoever modded your pitifully binary views on the meaning of language terms as Insightful gets his due via meta-moderation... It is true that the new meaning of this term seems to be the more used one now, in what way does that make the old meaning obsolete, or the more exact and unambiguous term "cybercriminal" superfluous or undesirable?

Re:The word is "hacker". (0)

Anonymous Coward | more than 7 years ago | (#19901203)

> even most of the "white hat" hackers are "cybercriminals"

> Checking http://en.wikipedia.org/wiki/Hacker_definition_controversy [wikipedia.org] gives Linus Torvalds as an example of a hacker of the "other definition"... in what way is he a cybercriminal?

In what way does "most" mean "all"?

The word is "hacker". And has 2 meanings. (1)

Mathinker (909784) | more than 7 years ago | (#19905637)

From the Wikipedia article [wikipedia.org] (sorry about the broken link in the last post, the URL: autolinker failed or something):

> In the computing community, the primary meaning is a complimentary description for a particularly brilliant programmer or technical expert.

In what way is being "a particularly brilliant programmer or technical expert" criminal? Is there some kind of sociological correlation I am unaware of which would lead one to expect that most hackers of this kind would be criminals?

Clear enough now? Hopefully I haven't left any trivial points you can quibble with?

Re:The word is "hacker". (1)

torgis (840592) | more than 7 years ago | (#19902823)

I, for one, welcome our new cybercriminal overlords. Hail Linus!

Re:The word is "hacker". (1)

wirelessbuzzers (552513) | more than 7 years ago | (#19910389)

> even most of the "white hat" hackers are "cybercriminals"

> Checking http://en.wikipedia.org/wiki/Hacker_definition_controversy [wikipedia.org] gives Linus Torvalds as an example of a hacker of the "other definition"... in what way is he a cybercriminal?

Usually "hats" only apply to security researchers, not to any clever programmer. It is not uncommon (but perhaps not as common as GP implied) for "white hat" security researchers to break overly restrictive computer crime laws in the course of their jobs, which would indeed make them cybercriminals. Of course, someone who does this regularly is likely to be classed as a "grey hat".

Re:The word is "hacker". (0)

Anonymous Coward | more than 7 years ago | (#19901151)

To hack is to code. That's it.

Stop lumping hackers in with criminals!

Mod parent up. (0)

Anonymous Coward | more than 7 years ago | (#19902045)

"Hacker" originally referred to axe-wielding cabinetmakers. Words are only symbols, and meanings inevitably change.

"2600: The Hacker Quarterly," "Phrack" and other self-described hacker-oriented zines regularly feature articles geared towards illegal systems intrusion and information theft.

"Hackers," the movie starring Academy Award winner Angelina Jolie, is all about hackers and their battle against law enforcement.

"DEF CON: The Hacking Convention" and "Hackers On Planet Earth" have never convened without multiple presentations on activities which when implemented would be against the law. Law enforcement regularly surveils such gatherings.

Bruce Sterling's "The Hacker Crackdown" carries the subtitle "Law and Disorder on the Electronic Frontier," which is self-explanatory.

Any newspaper article of the past 20 years with the word "hacker" in the title will be referring to criminal activity.

The word's changed. It had changed 10 years ago.

-- Lightning of Peoria.

Know Your Enemy paper on Fast Flux just out (5, Informative)

Anonymous Coward | more than 7 years ago | (#19900535)

Has a lot more detail: http://www.honeynet.org/papers/ff/fast-flux.html [honeynet.org]

So Windows is used to host illegal materials... (1)

gillbates (106458) | more than 7 years ago | (#19900573)

Child porn, illegal websites, etc...

Yawn. How many techies didn't see this coming?

But it will make a great coffee-table conversation topic...

Them: So you don't run Windows? Why not?

Me: Because I don't like supporting child porn.

And then the conversation will turn to how criminals use vulnerabilities in Windows to conduct their illicit affairs.

Re:So Windows is used to host illegal materials... (2, Funny)

Hoi Polloi (522990) | more than 7 years ago | (#19900631)

Windows=Kiddie Porn? Sounds like those ads that claim pot=terrorism. A bit of a stretch.

Re:So Windows is used to host illegal materials... (0)

Anonymous Coward | more than 7 years ago | (#19901721)

Windows=Kiddie Porn? Sounds like those ads that claim pot=terrorism. A bit of a stretch

Neither one is a stretch. The pwned machines ARE being used to host kiddie porn, as well as spam (and as well as DDOS extortion).

As to pot, well, if the terrorists [wikipedia.org] find you with a big enough stash you'll wish one of the less dangerous terrorists [wikipedia.org] had you instead, so that one isn't the tiniest stretch either.

Re:So Windows is used to host illegal materials... (3, Funny)

CaffeineAddict2001 (518485) | more than 7 years ago | (#19900655)

Them: So you don't like Children? Why not?
You: Because criminals use vulnerabilities in children to conduct their illicit affairs.

So Tor is used to host illegal materials... (0)

Anonymous Coward | more than 7 years ago | (#19903955)

"Me: Because I don't like supporting child porn."

Not running Tor, are we?

Missed Opportunity (1)

JudgeSlash (823985) | more than 7 years ago | (#19900785)

Nothing to see here.

No, seriously. Cybercriminals fast-fluxed my gag and now I've got nuttin'.

Cybercriminals? Pshaw! (0)

Anonymous Coward | more than 7 years ago | (#19901273)

Meatspace [sj-r.com] criminals [chicagotribune.com] worry me [slashdot.org] a lot more.

Last year I had my car, cell phone, debit card (and pin) and checks stolen by a meatspace woman I was trying to help. At least they can't kill you [stltoday.com] or injure you [stltoday.com] over the internet!

Dark Enderle (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19901287)

Dark Reading is Rob Enderle crap. No news here folks - please go back to your homes. If and when this pops up at another trusted non-Enderle site I'll read about it but not before. Fuck Rob Enderle, his wife, and his dog.

Obvious.... (1)

TrueKonrads (580974) | more than 7 years ago | (#19901849)

How about ISPs try the obvious:
block the DNS for known phishing sites.

e.g. Spam filter raises a warning to an e-mail that invites you to visit manlynessenhancer.biz.
Solution: in ISP's DNS route manlynessenhancer.biz to a warning site that says:
This is known phishing site, we've blocked it for Your protection.

Re:Obvious.... (2)

uolamer (957159) | more than 7 years ago | (#19902465)

I prefer my ISP not block anything, period. I don't want my ISP determining what ports, what services, websites, etc. that I can use. ISPs to me should simply provide me with internet, that is all. If they are providing e-mail they can have whatever spam/anti-virus/etc stuff they want on it, since I'm not using it anyway. I'm not installing their 'software' if they have any, etc. All I want is an ethernet plug that through whatever magical means gets the 'internet to me'. I will take care of the rest... but I know I am not their 'mainstream' customer.

Blocking port 53 and 80 is a temp measure which will just make them use another port; the next ports they use you won't be able to block. Just off the top of my head I would use a port between 1024 and 5000. I believe that is still the default random port range Windows uses; you can't block those ports without stopping a ton of everyday internet programs from working. I'm sure there are other ports; either way, it solves nothing and the next versions will be using ports you can not block.

Botnets will just evolve. The ISP blocking things isn't the answer, very often. I would say anti-virus software, firewalls, and really education would be a much better mix to cut down on this. ISPs can help stop a major worm or something from spreading here and there depending on the circumstances, but usually they are too late in trying to stop that sort of thing.

Also ISPs can just cut people's internet off till they fix their PC if it is causing that much of a problem, which they do, but usually only in the case of spam. Road Runner cut off a customer I know after about 6 months of having a 'spam bot' of some sort on his PC. I told the guy about it a few months ago, but his PC still worked so he didn't care till his internet was cut off; still took them long enough, they had reports of his IP several times going back at least 5 months.

Re:Obvious.... (1)

cshake (736412) | more than 7 years ago | (#19906901)

The possibility for misuse on the ISP side is enormous. Do you really want an ISP to be able to arbitrarily block any websites?
What if they decide that some perfectly legal politically charged website shouldn't be viewed? I'd rather have unlimited access and have to worry about the results myself, thankyouverymuch. Censorship is almost never a good thing.

Fast-flux vulnerability (3, Interesting)

Todd Knarr (15451) | more than 7 years ago | (#19903417)

Fast-flux takes advantage of the ability to set extremely low time-to-lives on DNS resource records. The shorter the TTL, the faster changes propagate out through the DNS cache network. This suggests a way of neutering fast-flux: implement a minimum TTL in DNS servers. Since most people depend on their ISP's DNS servers rather than going directly to the roots, this would effectively prevent the fast-flux record changes from propagating as fast as they need to to be effective. If, for example, an ISP put a 30-minute minimum TTL in place, then the A record for a given name would remain fixed for 30 minutes (modulo cache being filled and the record being forced out) regardless of what the fast-flux network did. And since the DNS servers enforcing the minimum typically aren't under the control of either the botnet or the infected machines, there's nothing the botnet operators can do about the situation. As a side-effect, this also cuts the load on the DNS network caused by PHBs who order 60-second TTLs on their records "so customers won't be inconvenienced when we change our IP addresses".

Two glitches with the idea:

  1. Changes to the NS records for a domain are also slowed down. When changing your NS records you need to make the changes but leave the old servers running in parallel long enough for the changes to trickle out to everybody.
  2. Load balancing via round-robin DNS would be broken unless the caching servers also do rotation of the cached records in responses. I think BIND already does that.

Re:Fast-flux vulnerability (0)

Anonymous Coward | more than 7 years ago | (#19920991)

This suggests a way of neutering fast-flux: implement a minimum TTL in DNS servers

Great... there are already enough broken DNS implementations out there (servers who change all TTLs to 3 days), do we really want to encourage this behavior even more?

If you change something like a mail server IP address, it can take almost a *week* before you stop seeing legitimate mail trickle in on the old address - due to broken DNS implementations.

Defense/Offense , which is legal and why? (1)

OldHawk777 (19923) | more than 7 years ago | (#19904495)

Defense is legal, Offense is illegal, and why? "I don't know." THIRD-BASE!

My logic, you need defense to be able to do what you need/want to do (like go on the offense).
Also, you need offense to prevent others from doing what you don't want them to do (like they can't go on offense).

IOW: The real purpose of defensive action is to provide force/operations security, until offensive action is possible.

Intel/CoOps (like chicken "coops") are a defensive actions that disrupt the ability of others to take a successful offensive action, while allowing you to develop effective and successful offensive actions. It all (technology security) confuses an old war monger like me.

Anyway; any/all defense will fail, unless the purpose is "Offense". So; with my way of thinking, the laws/regs/policies for preventing the use of technology (gun, lock, Internet, encryption ...) are the problem. If someone a/o some country/religion tries to crack your network ... it is a hell of a lot more reasonable to go on the offensive and destroy the enemy ... collecting forensics and bits/body data is important to defense (as defined above), but legally can be an insubstantial false-trail/trap for debate and for court worthless.

If you want to win you must always be on the offense. Offense or Defense will always win a battle, but only offense can win the war.

So; put the criminal crackers out of business with brilliant offense, don't legislate technology out of business with draconian idiotic "defense-only". Defense-only is as dumb as all the ObSec (Obscurity Security) governments and business want to implement. Clear the decks, clear the laws, clear for battle, take the SOBs out, and don't provoke the good public and citizens with further legislative/regs/policies stupidity.

Advice: If you have a Defense-only/ObSec policy get rid of it quick (as legally as possible). If you have a Defense-only/ObSec consultant/service company get rid of it quick (as legally as possible). Always look to solve problems permanently, because always being reactionary is a dogmatic (non-thinking) suicidal tactic. Gut-feeling truthiness (comically) is always fun for the clueless losers.

Re:Defense/Offense , which is legal and why? (1)

Todd Knarr (15451) | more than 7 years ago | (#19909995)

The only problem with going on the offensive is who to go on the offensive against. On a computer network it's fairly easy for the attacker to mask his identity behind that of third parties who don't even know they're being used, and it's very hard for the attacked party to tell whether any given attacker is a real one or merely an unwitting dupe (and all but impossible to determine who the true party behind it all is). If you lash out at a large number of parties who didn't realize they were involved in an attack on you and who the public at large views as innocent parties, you give yourself a major public-image problem along with a major legal problem. If you want to go on the offensive, you'd best be absolutely completely certain you're right and be able to back it up in court. And even then, I'd think twice before doing it.

Fast-flux networks aren't proxies (4, Informative)

jbsoles (1129855) | more than 7 years ago | (#19904563)

As the subject implies, fast-flux networks are not proxies. They HAVE proxies. The basic difference is that a proxy redirects incoming and outgoing traffic through a server or router somewhere else, thus "spoofing" your IP address. Fast-flux networks certainly use proxies, but there's one big difference; fast-flux networks allow you to host content this way. To host your own website (short of technical mastery) you used to need a static IP address that runs directly to one or more servers, making it very easy to catch you if you use a domain name for illegal purposes and even easier to shut you down. Fast-flux networks allow you to use many IP addresses to host content from one central server or set of servers. The IPs on the front end are disposable and more can be generated quickly. It also provides the web site administrator a proxy level to protect his identity while hosting, just like the one the Tor proxy provides me while surfing. In other words, the difference between fast-flux networks and proxies is that fast-flux networks can be used to host from one computer to many different IP addresses, in part by using proxies. A proxy just doesn't let you do that. Thanks for reading a rather long post. I'm a student and a paper on fast-flux networks just happened to be distributed where I do research for the summer :)

Use it against them (1)

Otisserie (618411) | more than 7 years ago | (#19905703)

Why not use fast-flux against the botnet itself? If I know that a certain website is being hosted by a rotating array of bots, then I just query the IP address of the website every 30 seconds or so and the spammer will, over time, reveal the IP address of every bot in his network. That's got to be useful somehow, especially if you could work with the ISPs to have them notify the owners of the compromised machines, or block them if necessary (although that kind of cooperation may be a vain hope).
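Both the minimum-TTL idea in Todd Knarr's comment above and the polling idea in this one can be tried in a small simulation. This is an added example, not code from the thread, from BIND or from any real resolver: the flux domain, its address pool (TEST-NET documentation addresses), the TTLs and the "looks fluxy" thresholds are all constructed for illustration.

```python
import random
from dataclasses import dataclass


@dataclass
class Answer:
    """One DNS answer: the A records returned and their TTL in seconds."""
    ips: list
    ttl: int


class FastFluxAuthority:
    """Constructed stand-in for a fast-flux domain's authoritative server:
    every query hands out a few addresses from a large pool of infected
    hosts with a very short TTL. A legitimate static site is modelled by
    a pool of one address and a long TTL."""

    def __init__(self, pool, ttl=60, per_answer=3, seed=0):
        self.pool = list(pool)
        self.ttl = ttl
        self.per_answer = min(per_answer, len(self.pool))
        self.rng = random.Random(seed)  # fixed seed keeps the run repeatable

    def query(self, now):
        return Answer(self.rng.sample(self.pool, self.per_answer), self.ttl)


class ClampingCache:
    """Caching resolver that enforces a minimum TTL: whatever the authority
    says, a fetched record is served until fetch time + max(ttl, min_ttl).
    min_ttl=0 behaves like an ordinary cache."""

    def __init__(self, upstream, min_ttl=0):
        self.upstream = upstream
        self.min_ttl = min_ttl
        self.expires_at = -1
        self.answer = None

    def query(self, now):
        if self.answer is None or now >= self.expires_at:
            fresh = self.upstream.query(now)
            self.answer = Answer(fresh.ips, max(fresh.ttl, self.min_ttl))
            self.expires_at = now + self.answer.ttl
        return self.answer


def enumerate_hosts(resolver, duration, interval=30):
    """Poll the name every `interval` seconds for `duration` seconds and
    collect every address seen (the enumeration idea in the comment)."""
    seen = set()
    for t in range(0, duration, interval):
        seen.update(resolver.query(t).ips)
    return seen


def flux_indicators(resolver, duration=3600, interval=30):
    """Two cheap heuristics from the observed answers: a short TTL and many
    distinct addresses for one name. Thresholds are illustrative."""
    ttl = resolver.query(0).ttl
    hosts = enumerate_hosts(resolver, duration, interval)
    return {"ttl": ttl, "distinct_ips": len(hosts),
            "looks_fluxy": ttl <= 300 and len(hosts) > 10}


def constructed_pool():
    # 200 made-up infected hosts in the TEST-NET-1 documentation range
    return ["192.0.2.%d" % i for i in range(1, 201)]


if __name__ == "__main__":
    for floor in (0, 1800):
        cache = ClampingCache(FastFluxAuthority(constructed_pool(), seed=1), floor)
        print("min TTL %4ds: %s" % (floor, flux_indicators(cache)))
    static = ClampingCache(FastFluxAuthority(["198.51.100.7"], ttl=3600))
    print("static site  : %s" % flux_indicators(static))
```

The run also shows the catch in combining the two ideas: behind a resolver with a 30-minute floor an hour of polling yields at most six addresses, so an enumerator has to ask the authoritative servers (or an unclamped cache) to see the churn.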

JUST SAY IT! "Home PCs" = Windows OS (3, Insightful)

Jerry (6400) | more than 7 years ago | (#19905987)

ALL of these zombies are computers running a Windows OS.

There. I've said it. Why hide the truth?

Are journalists thinking "everyone knows it is Windows that is so vulnerable to mere emails, so there's no use in embarrassing Microsoft"? I don't think so... any more than they "just happened" to get Ferrari laptops for writing good articles about VISTA.

I'm no 'cracker' but.... (0)

Anonymous Coward | more than 7 years ago | (#19914801)

I just bought fast-flux.com and fast-flux.net.
any takers?