Cybercriminals Building New, Stealthier Networks
ancientribe writes "Cybercriminals are adopting a new method of hiding and sustaining their malicious Websites and botnet infrastructures so they'll be harder to detect, called "fast-flux," according to an article in Dark Reading. Criminal organizations behind two infamous malware families — Warezov/Stration and Storm — in the past few months have separately moved their infrastructures to so-called fast-flux service networks. The article says bad guys like fast-flux not only because it keeps them up and running, but also because it's more efficient than traditional methods of infecting victims' machines." I'm not exactly sure why this is new/different than the more well known open relay proxy networks.
Block TCP Port 80 (Score:5, Insightful)
The bit about blocking TCP port 80 is troubling. I run a small web-site for learning purposes and to share info with family and friends. I don't especially like the possibility of having to ask or pay extra to have port 80 opened on my end.
Re: (Score:2, Interesting)
How about outbound firewall and proxy configurations?
Re:Block TCP Port 80 (Score:4, Insightful)
And what the other guy said about proxies is valid too. It's very common for outbound corporate firewalls to block non-port-80 traffic for web browsing.
Re: (Score:2)
She does know not to click on URLs unless she's expecting someone to send her info about something.
Ross
Re:Block TCP Port 80 (Score:5, Funny)
Re: (Score:2)
1. A post expressing a different opinion than that of the moderator.
2. A post not read or comprehended by the moderator.
3. A post that was intended as a joke and was not found funny by the moderator.
Yo Mods! (Score:2)
Oh, and can we at least try for some reading comprehension? That's a perfectly reasonable statement and makes no mention whatsoever of Microsoft, Apple, Google or George Bush.
Plenty of good reasons (Score:1)
Maintain a nonstandard port webserver with a dummy index.html file, dump any files you'd like to share with friends in there, have a little alias script which fills in the blanks with your site address (like "/myweb whatever.jpg") and then let rip.
It's a lot easier to show people what your most recent project is without having to deal with crap lik
Re: (Score:2)
Agreed with the sentiment plus one extra thing: there's no point to shell out for 9GB of hosting space for the ONE dvd-iso I'd like to make accessible to the ONE person who's ever going to download it. On my home machine it'll clog up the tubes overnight and that's all it ever needs.
And then there is
This is assuming you're not completely hardcore and do all of your PHP/HTML/CSS in vi or emacs instead of a more modern code editor
I use emacs. I never realized that made me "hardcore".
(code collapse, color highlighting, and completion is your friend).
emacs has done all this since the eighties. So?
Re: (Score:2)
A large part of it is that it's easy, and the machine and software it lives on would exist anyway (I'm a web developer, among other things). I find it a good place to dump low priority things which I don't want to faff about dealing with remotely; like, photos. I could easily be using GB's of disk space with photos hardly anyone will bother to look at, and that can add up rapidly on a server which ma
Re: (Score:2)
Being able to set mythtv to record any tv program for you, check your cctv cameras at home and access your music collection from anywhere in the world seems reason enough to run a webserver.
obviously you don't make these services available to the general public, but if the pc is going to be on anyway why not.
I would agree that if you want to run a public website then pay
Re: (Score:2)
Then you're not the person to offer opinions on it.
Software versions? Diskspace? are just two off the top of my head.
Re:Block TCP Port 80 (Score:5, Interesting)
The net has grown very fast and so far we've shirked the responsibility issue: Customers complain about spam and when the spammer's provider says it's not their responsibility, they're called a safe-haven for spammers. On the other hand, when customers get cut off because their computers are scanning and infecting other machines, they complain that it's not their fault and how are they supposed to keep their system clean without a full time admin and it's none of the ISP's business as long as the internet access bills are paid.
Re: (Score:1)
The bit about blocking TCP port 80 is troubling. I run a small web-site for learning purposes and to share info with family and friends. I don't especially like the possibility of having to ask or pay extra to have port 80 opened on my end.
What's wrong with asking for port 80 to be turned on? Does your email not work? Do you have a problem with your gob? Hell, they could even automate it on a web site asking for your username/password/mother's maiden name/name of first pet and you can do it there.
You silly lazy git.
You sure as hell shouldn't have to pay for it, but you don't like the possibility of asking? *sheesh*
Re:Block TCP Port 80 (Score:4, Insightful)
Two years ago there would have been a frosty piss and a two-page discussion on how this douchebag OP was wrong to use the word "cybercriminals" (or cyberfoo for that matter), and how his article reads like a page out of the script to this flaming piece of shit. [imdb.com] Where did we go? Since when did Slashdot become Eternal September?
That's right point-bearing masses, mod me flamebait because nobody else has the balls to stand up to this kind of terrible quality news. FFS look at the damn article! It says nothing! It literally states something that was true ten years ago when the botnet was invented! News for NERDS? more like News for NEWBS.
Christ alfuckingmighty.
Re: (Score:1)
Two years is being kind. And back in the 90's the signal-to-noise ratio was amazing. (or maybe I just remember it that way.)
Re: (Score:2)
Nah.. the average user just wants to browse for pr0n!
Re: (Score:2)
Blocking ports is not a security fix, it is breaking the network's functionality, and is simply putting baling wire and chewing gum over serious security problems, rather than really fixing them.
Whatever ports you allow open, these guys will use, and if you block all ports, your network is not functional.
Re: (Score:2)
I'm waiting for a worm that exploits STUN and invalidates the whole "block any port you don't use" rule.
Even if such a worm arrives on the scene it will not reverse the ISPs' port blocking policies for the simple reason that they prohibit some kinds of old vectors of attack.
This is much like the old BIOS function to notify tampering with the MBR; this vector of attack is no longer used but the function is still there (although disabled by default) and a few recent incidents show that it was a good choice to leave it there. Nowadays it's used by some of the rootkits, for instance to overcome all Vista securi
So, in the end (Score:2, Interesting)
Re: (Score:2)
These criminals are giving a "smarter" * use for the enormous potential that these hundreds of thousands of homogeneous (or similar enough) connected machines have than most companies out there do. It is time for 1) Microsoft and its users to get their act straight and work on better security for their machines and 2) someone to realize the incredible potential of all this "dark" bandwidth and processing power and give it a good use. Criminals are showing it is possible; all it needs is some legitimate application.
Yes, it's time the Empire of Nastiness started to use its powers for good instead of evil.
Re: (Score:2)
My friend's computer has been acting funny lately as well. The firewall reports (and stops) outbound connection attempts on unusual ports to seemingly random IP addresses at seemingly random intervals, even when the computer is completely idle otherwise. Virus scan with AVG and Norton - nothing. Spybot S&D, AdAware - nothing. Rootkit Revealer - nothing. HijackThis - nothing. ADSRevealer - nothing. Startup list viewer - nothing.
Yet, still with the random connection attempts.
The traffic is coming from l
News at 11 (Score:1, Flamebait)
News at 11
Was this news? (Score:1)
Possibly makes it incrementally harder to track down every last one of the pwned machines, a tad more if your logs store only resolved names but no IP addresses.
Most
In other words, the world did not change much due to this.
" why is this new/different" (Score:5, Funny)
"I'm not exactly sure why this is new/different than the more well known open relay proxy networks."
Re: (Score:1)
Fall victim? Sir, you are implying that the messages I send out somehow victimize people! I merely want to let everyone know about great financial opportunities, cheap prescription/software options, easy to find love/sex, and the ability to set your personal m_fPenisSize to whatever value you want.
Speaking of which:
Re: (Score:2)
fast flux! apply directly to your bot-net
What's special about port 80? (Score:3, Interesting)
But I don't really see how blocking port 80 would be an effective way to fight this sort of thing. There's nothing special about port 80 aside from it being the default http port. Unless the victims are typing the URL into their address bar, I don't see any reason the mother ship couldn't have bots listen on another port. I mean, the machine is already owned, so it's not like opening up port 43783 is difficult. And I can't help believing that most - if not all - people going to these sites are clicking links, not typing addresses.
So you close off port 80, and anyone running a legit (well, probably not, given the TOS of most ISPs, but at least not a malicious) web server out of their house/apartment/dorm room can no longer easily direct people to it. Meanwhile, the malicious sites are slowed down by the amount of time it takes some jackass to change one constant in one piece of code.
Unless, of course, there's some other factor I'm unaware of making it more difficult to reach an http host over something other than port 80.
Re:What's special about port 80? (Score:5, Interesting)
Randomly select a different port each time you connect to the zombie. If you're really worried about users running netstat to check their open ports (and I suspect that zombied machines are more often owned by people who don't even know the CLI exists, much less who generally run network diagnostic tools via the CLI than not - and by a wide margin), then have it only open the port for ten minutes every hour. Windows, by default, updates its clock to NIST weekly, so you can be reasonably sure that your zombies are synced enough for that to work. Round-robin assign the ten minute window to the zombies (xx:00 - xx:09, xx:01 - xx:10, xx:02 - xx:11, etc). During that window, you use the zombie to host content, and you can push a listen port update. At any given time, most of your zombies are running on the same port (they have to be, or your victims can't connect to your content), but blocking that port will only be effective for however long you determine. How fast can ISPs identify a rogue port and block it?
If my experience with spam is any indication, the linked sites go down almost as fast as the spam comes in, but that's (apparently) not a problem for the spammers. So you rotate ports every two, three days.
And this is just the scheme I've come up with off the top of my head in less than a minute.
Come to think of it, you're already executing arbitrary code on the zombied machine. Have them determine when they can listen on their assigned port, with a minimum frequency and duration set, with a bias towards times the user isn't at the console. When the window opens, step one is to notify the mother ship that this machine is active.
There are probably holes in this scheme, but I don't see the problem as being intractable. I do see any effort to just block port 80 as being naive (at best). I don't think ISPs can respond fast enough to block a new port every couple days, but perhaps I'm wrong about that.
Re: (Score:2, Informative)
There are a number of small (and I mean tiny - think 100 clients max) ISPs around my city alone, whose networking expertise is close to nil. They go with default settings of the equipment they get. So even if they put up a firewall of sorts to protect their clients, it is left at default settings.
The fact is there are not only tons of users out there without a clue, but a nice bunch of ISPs as well and sloppy network admins
Re:What's special about port 80? (Score:5, Informative)
Re:The word is a useful filter. (Score:1, Flamebait)
The word "hacker" is a similarly useful filter.
Re: (Score:2)
Which is why it's a useful filter. It tells you that the person you're speaking to gets their ideas about computer security from the media.
Re: (Score:3, Informative)
Checking http://en.wikipedia.org/wiki/Hacker_definition_controversy [wikipedia.org] gives Linus Torvalds as an example of a hacker of the "other definition"... in what way is he a cybercriminal?
I hope whoever modded your pitifully binary views on the meaning of language terms as Insightful gets his due via meta-moderation... It is true that the new meaning of this term seems to be the more used one now, in what way does that make the old meaning obsolete, or th
The word is "hacker". And has 2 meanings. (Score:1)
> In the computing community, the primary meaning is a complimentary description for a particularly brilliant programmer or technical expert.
In what way is being "a particularly brilliant programmer or technical expert" criminal? Is there some kind of sociological correlation I am unaware of which would lead one to expect that most hackers of this kind would be criminals?
Clear enough now? Ho
Re: (Score:1)
even most of the "white hat" hackers are "cybercriminals"
Checking http://en.wikipedia.org/wiki/Hacker_definition_controversy [wikipedia.org] gives Linus Torvalds as an example of a hacker of the "other definition"... in what way is he a cybercriminal?
Usually "hats" only apply to security researchers, not to any clever programmer. It is not uncommon (but perhaps not as common as GP implied) for "white hat" security researchers to break overly restrictive computer crime laws in the course of their jobs, which would indeed make them cybercriminals. Of course, someone who does this regularly is likely to be classed as a "grey hat".
Know Your Enemy paper on Fast Flux just out (Score:5, Informative)
So Windows is used to host illegal materials... (Score:2)
Child porn, illegal websites, etc...
Yawn. How many techies didn't see this coming?
But it will make a great coffee-table conversation topic...
Them: So you don't run Windows? Why not?
Me: Because I don't like supporting child porn.
And then the conversation will turn to how criminals use vulnerabilities in Windows to conduct their illicit affairs.
Re:So Windows is used to host illegal materials... (Score:4, Funny)
You: Because criminals use vulnerabilities in children to conduct their illicit affairs.
Missed Opportunity (Score:1)
No, seriously. Cybercriminals fast-fluxed my gag and now I've got nuttin'.
Obvious.... (Score:1)
block the DNS for known phishing sites.
e.g. Spam filter raises a warning to an e-mail that invites you to visit manlynessenhancer.biz.
Solution: in the ISP's DNS, route manlynessenhancer.biz to a warning site that says:
This is a known phishing site; we've blocked it for your protection.
Re: (Score:1)
What if they decide that some perfectly legal politically charged website shouldn't be viewed? I'd rather have unlimited access and have to worry about the results myself, thankyouverymuch. Censorship is almost never a good thing.
Fast-flux vulnerability (Score:4, Interesting)
Fast-flux takes advantage of the ability to set extremely low time-to-lives on DNS resource records. The shorter the TTL, the faster changes propagate out through the DNS cache network. This suggests a way of neutering fast-flux: implement a minimum TTL in DNS servers. Since most people depend on their ISP's DNS servers rather than going directly to the roots, this would effectively prevent the fast-flux record changes from propagating as fast as they need to be effective. If, for example, an ISP put a 30-minute minimum TTL in place, then the A record for a given name would remain fixed for 30 minutes (modulo cache being filled and the record being forced out) regardless of what the fast-flux network did. And since the DNS servers enforcing the minimum typically aren't under the control of either the botnet or the infected machines, there's nothing the botnet operators can do about the situation. As a side-effect, this also cuts the load on the DNS network caused by PHBs who order 60-second TTLs on their records "so customers won't be inconvenienced when we change our IP addresses".
Two glitches with the idea:
Defense/Offense , which is legal and why? (Score:2)
My logic, you need defense to be able to do what you need/want to do (like go on the offense).
Also, you need offense to prevent others from doing what you don't want them to do (like they can't go on offense).
IOW: The real purpose of defensive action is to provide force/operations security, until offensive action is possible.
Intel/CoOps (like chicken "coops") are a defensive actions that disrupt the ability of others to take a success
Re: (Score:2)
The only problem with going on the offensive is who to go on the offensive against. On a computer network it's fairly easy for the attacker to mask his identity behind that of third parties who don't even know they're being used, and it's very hard for the attacked party to tell whether any given attacker is a real one or merely an unwitting dupe (and all but impossible to determine who the true party behind it all is). If you lash out at a large number of parties who didn't realize they were involved in an
Yes, I agree, but Defense is problematic? (Score:2)
Putting band-aids/stitches to keep the dirt out and allow healing is defensive, there will always be broken glass and sharp objects available to crackers, phreakers
Fast-flux networks aren't proxies (Score:4, Informative)
Use it against them (Score:1)
JUST SAY IT! "Home PCs" = Windows OS (Score:4, Insightful)
There. I've said it. Why hide the truth?
Are journalists thinking "everyone knows it is Windows that is so vulnerable to mere emails, so there's no use in embarrassing Microsoft"? I don't think so... any more than they "just happened" to get Ferrari laptops for writing good articles about VISTA.