Worrying news from SecurityFocus came out today:
Network security analyst Lawrence Baldwin has helped take down his share of bot nets, but he worries that those days may largely be over.
Why worry? Well, botnets are used to send spam and launch denial-of-service attacks. If you’re still not concerned, think of the amount of spam e-mail about penis enlargement, stock investments, and other promotions you get every day. Add to that the odd moment when you can’t reach your webmail account at Yahoo!, MSN or Google, or your favorite Web sites such as MySpace and Facebook (denial of service). These are just a few of the things botnets can do.
Botnets having a bright future is indeed alarming. To begin with, I encourage you to watch this news video about the arrest of spam king Robert Alan Soloway on May 30, 2007.
According to the report:
An increasingly popular technique, known as fast-flux domain name service (DNS), allows bot nets to use a multitude of servers to hide a key host or to create a highly-available control network. The result: No single point of weakness on which defenders can focus their efforts.
Traditional Botnets vs. Fast-Flux Botnets
Based on the report, traditional botnets have used IRC as a means of monitoring and controlling compromised computers. The video below shows compromised computers being registered with the server. Pay attention to the green text scrolling upwards: each line is a zombie computer joining the channel and awaiting instructions.
One weakness of this method is that it relies on a central server: shutting that server down cuts the bot master off from the bots and halts the attack. However, as Lawrence Baldwin points out, “It’s (already) ridiculous trying to get an IRC command-and-control server taken down.”
Fast-flux botnets, on the other hand, aren’t entirely different: they’re still botnets. The list below describes in a nutshell how fast-flux botnets operate (based on the report):
- Fast-flux bot nets use the Internet’s look-up system for domain names against defenders. With a typical domain, the IP address associated with the domain does not change often, if at all. Fast-flux DNS uses a large number of servers and a fast-changing domain record to turn shutdown attempts into a game of whack-a-mole.
- A related technique, known as rock phishing, uses a large number of proxies to hide the location of a smaller number of critical servers.
- A recent Storm Worm infection, for example, connected to a bot net that had more than 2,000 redundant hosts spread amongst 384 providers in more than 50 countries.
- By design, fast-flux bot nets last much longer and, just by their ability to outlive IRC-based bot nets, will likely soon make up the majority of attack networks on the Internet.
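The whack-a-mole pattern above (many addresses, spread across many providers, rotated behind a short-lived DNS record) is also what gives defenders something to measure. The following is an added example, not code from the article or from the people it quotes: a small heuristic that classifies a name as fast-flux from repeated A-record lookups. The `Observation` records, the IP-to-ASN table and the thresholds are constructed assumptions, not published values.

```python
"""Heuristic fast-flux classifier over repeated DNS lookups (added example).

Each lookup of one name is recorded as Observation(ttl, ips). A name whose
successive answers rotate through many addresses in many networks, with a
short TTL, matches the fast-flux pattern; a stable name does not.
"""
from collections import Counter, namedtuple

Observation = namedtuple("Observation", "ttl ips")

# Constructed IP -> ASN table standing in for a real IP-to-ASN lookup.
ASN_OF = {
    "198.51.100.7": 64501, "198.51.100.9": 64501,
    "203.0.113.20": 64502, "203.0.113.44": 64503,
    "192.0.2.15": 64504, "192.0.2.88": 64505,
    "192.0.2.130": 64506, "203.0.113.201": 64507,
}


def flux_features(observations):
    """Summarise what changes across repeated lookups of one name."""
    seen = Counter(ip for o in observations for ip in o.ips)
    asns = {ASN_OF.get(ip, "unknown") for ip in seen}
    pairs = list(zip(observations, observations[1:]))
    changed = sum(1 for a, b in pairs if set(a.ips) != set(b.ips))
    return {
        "distinct_ips": len(seen),
        "distinct_asns": len(asns),
        "min_ttl": min(o.ttl for o in observations),
        # fraction of consecutive lookups whose answer set differed
        "churn": changed / max(len(pairs), 1),
    }


def is_fast_flux(observations, min_ips=5, min_asns=3, max_ttl=300, min_churn=0.5):
    """Thresholds are illustrative assumptions; tune them on real traffic."""
    f = flux_features(observations)
    return (f["distinct_ips"] >= min_ips and f["distinct_asns"] >= min_asns
            and f["min_ttl"] <= max_ttl and f["churn"] >= min_churn)


# Constructed lookups: a rotating, short-TTL name versus a stable one.
FLUX = [
    Observation(180, ["198.51.100.7", "203.0.113.20", "192.0.2.15"]),
    Observation(180, ["203.0.113.44", "192.0.2.88", "198.51.100.9"]),
    Observation(180, ["192.0.2.130", "203.0.113.201", "198.51.100.7"]),
]
STABLE = [Observation(3600, ["198.51.100.7", "198.51.100.9"])] * 3

if __name__ == "__main__":
    for name, obs in (("flux.example", FLUX), ("stable.example", STABLE)):
        verdict = "fast-flux" if is_fast_flux(obs) else "ordinary"
        print(name, flux_features(obs), verdict)
```

In practice the same features are computed from passive DNS or resolver logs rather than from hand-built observations, and the ASN lookup comes from routing data.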
How Do We Stop the Fast-Flux Botnets?
Tom Shaw, chief engineer for the Okie Island Trading Company, said that the only way to stop them is to convince the domain registrar to shut down the domain that’s being abused. However, Adam Waters, chief operating officer for Support Intelligence, would argue:
When you call them up, you are asking them to take their customers offline. Any business that you ask to do that, well, they are going to be gun shy.
Fast flux is not about the bad guys hiding where they are. They are in your face and saying, ‘Come take us out.’ And you can’t.
As Internet users, we too have a role to play. We have to stop bot software from spreading, and that begins with the way we use our computers online. You might want to read Best Security Practices for Internet Safety by Harry Waldron. His 12 suggestions are a good starting point for staying safe online.
As Symantec Internet security expert Vincent Weafer said in a TV interview, “People need to secure their machines so that they don’t become part of the problem.”