National Cyber Security by LIGATT - http://www.nationalcybersecurity.com
Behind The Scene Look At How Botnet Services Operate & Are Sold On The Global Market
http://www.nationalcybersecurity.com/articles/155/1/Behind-The-Scene-Look-At-How-Botnet-Services-Operate-amp-Are-Sold-On-The-Global-Market/Page1.html
Grey McKenzie
National Cyber Security Founder

By Grey McKenzie
Published on Tuesday 11th 2008
 
The following ICANN report shows how the global botnet service trade operates.

You will learn how anyone, even those without the skills to create a botnet, can still hire botnet services.

Fast and Double Flux Attacks
Version 1.0, January 2008
Introduction
"Fast flux" is an evasion technique that cyber-criminals and Internet miscreants use to evade identification and to frustrate law enforcement and anticrime efforts aimed at locating and shutting down web sites used for illegal purposes.

Fast flux hosting is an application of technology that supports a wide variety of cyber-crime activities (fraud, identity theft, online scams) and is considered one of the most serious threats to online activities today.

Basic fast flux hosting uses rapid modification of IP addresses associated with a system that hosts a malicious activity to evade detection and take down efforts.

This technique is also used to rapidly modify the IP addresses of the name servers that resolve the domain names of the fluxed malicious hosts (this variant is sometimes called NS fast flux).

A particularly troublesome variant of fast flux hosting, "double flux",
fluxes addresses of both name servers and malicious (web server) hosts.

This Advisory describes the technical aspects of fast flux hosting and fast flux service networks.

It explains how the DNS is exploited to abet criminal activities that employ fast flux hosting, identifies the impacts of fast flux hosting, and calls particular attention to the way such attacks extend the malicious or profitable lifetime of the illegal activities conducted using these techniques.

It describes current and possible methods of mitigating fast flux hosting at various points in the Internet. The Advisory discusses the pros and cons of these mitigation methods, identifies those methods that SSAC considers practical and sensible, and recommends that appropriate bodies consider policies that would make the practical mitigation methods universally available to registrants, ISPs, registrars and registries (where applicable for each).

variant called "double flux", Internet miscreants complement the service network used to host malicious web sites with a second service network that hosts DNS servers.

The operation of these service networks is described in available detail in the ensuing sections of this Advisory.

Terminology

To describe this complicated, multi-faceted fast flux technique to the extent currently possible, SSAC begins by identifying some of the terms the Internet security community associates with fast flux hosting:

bot.

A Trojan horse program that is used in a botnet.

Trojan horse programs are installed without notice or authorization on a computer via a spyware download or virus attached to an email message, and more commonly, through browser or other client-side exploits (e.g., compromised banner advertising).

Once the bot is able to execute, it establishes a back-channel to a control infrastructure set up by the attacker.

botnet.

A botnet is a network of compromised third-party computers running software (ro)bots.

The traditional botnet design employed a centralized model, and all back-channels connected to an attacker's command-and-control center (C&C).

Recently, botnet operators have employed peer-to-peer models for back-channel operation to thwart detection of the C&C via traffic analysis. Botnets are marketable commodities.

Criminal parties pay the "owner" of a botnet for command and control of his botnet and then use the network for any number of unauthorized or illegal activities.

bot-herder.

The architect and perpetrator of the distributed attack that is used to create, maintain, and exploit a botnet for financial or other (political) gain.

Once a botnet is established, the bot-herder leases use of the botnet to a Fast Flux service operator.

Fast flux.

This phrase is used to represent the ability to quickly move the location of a web, email, DNS or generally any Internet or distributed service from one or more computers connected to the Internet to a different set of computers to delay or evade detection.

Fast Flux facilities.

In this paper, facilities refers to the software agents that have been installed without consent onto large numbers of computers across the Internet.

Fast Flux service network.

In this paper, a service network refers to a subset of bots that the bot-herder assigns to a given Fast Flux service operator, who in turn provides its customer with facilities for fast flux hosting or name service. Note that this service network is often operated by a "middle man", not by the customer themselves.

Anatomy of Fast Flux Hosting

The description that follows is representative of fast flux hosting. Other manifestations and variations are likely, and attackers may alter future fast flux hosting to evade methods to detect fast flux hosting as it is described here, or add additional layers of hierarchy or abstraction.

While considerable attention is paid to the technical aspects of fast flux, an associated set of "business" activities exists and begs description as well.

We consider the case where a miscreant wants to conduct a phishing attack, but other criminal activities make use of fast flux as well.

For our example, the business aspects of fast flux hosting begin with malware authors.

Some malware authors develop phishing kits, software packages that can be customized to deliver phishing email to a list of recipients and host the associated illegal web site where the phish email sends victims.

Others farm email addresses and sell lists for spam.

Still others develop bot software. Bot software is a flexible, remotely controllable agent that can be directed to perform arbitrary functions on behalf of a corresponding command and control center (C&C) software: once covertly installed on a compromised system, bot software facilitates subsequent downloads and remote execution of additional, attack-specific software.

Bot-herders often use email-borne worms to infect and compromise thousands of systems, although client-side compromises, such as browser-based exploits, are the most prominent today.

Malware authors and bot-herders are goods providers in the cyber-criminal community.

Goods providers commonly use encrypted and private/secure Internet Relay Chat (IRC) channels or similar underground meeting places to advertise and find buyers for their criminal goods.

A bot-herder's criminal goods are essentially the facilities he can make available for fee or lease. The herder leases the command and control of a negotiated number of compromised systems to a customer, who may use them directly or manage them on behalf of yet another miscreant; in the latter case, the bot-herder's customer serves as a provider of fast flux hosting services.

In this complex and covert economy, a party who is interested in conducting criminal activities may negotiate with several parties to obtain a spam (phish) list, a phishing system or other attack kit, and a botnet, and then conduct the attack himself; or he may negotiate with one party, a fast flux service network operator, to direct the phishing attack on his behalf.

In fast flux hosting, fast flux service networks are used for two purposes:

1) To host referral web sites. Bots in this service network typically do not host the fast flux customer's content but will redirect web traffic to the web server where the fast flux customer hosts unauthorized or illegal activities.

2) To host name servers.

Bots in this service network run name server referrers for the fast flux customer. These name servers forward DNS requests to hidden name servers that host zones containing DNS A resource records for a set of referral web sites.

The hidden name servers do not relay responses back through the
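The two service networks just described, and the "rapid modification of IP addresses" the Introduction opens with, leave a signature that a resolver operator can look for. The script below is an added defender-side illustration, not code from the ICANN advisory or from this article: it reads a small resolver log (constructed inline, with documentation-range addresses and made-up zone names) and labels each zone as stable, single flux, NS flux or double flux. A zone is treated as fluxing its web front end when the A records answered for it spread across many addresses in unrelated networks with short TTLs, and as fluxing its name service when the pooled A records of its advertised name servers do the same. The thresholds are assumptions chosen for the example, not values from the advisory.

```python
"""Heuristic fast-flux / double-flux classifier over a constructed resolver log.

Added example; not part of the ICANN advisory. Thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Observation:
    ts: int        # observation time in seconds (constructed)
    qname: str     # name that was resolved
    rrtype: str    # "A" or "NS"
    ttl: int       # TTL carried by the answer
    rdata: str     # IPv4 address for A records, name-server hostname for NS records


# Assumed detection thresholds (not from the advisory).
MIN_DISTINCT_IPS = 5   # a fluxed name is answered with many different addresses
MIN_DISTINCT_NETS = 3  # ...spread over unrelated /16 networks (bots sit in many ISPs)
MAX_FLUX_TTL = 600     # flux zones keep TTLs short so address changes take effect fast


def _network16(ip: str) -> str:
    """Return the /16 network of an IPv4 address as 'a.b' for diversity counting."""
    return ".".join(str(ip_address(ip)).split(".")[:2])


def _flux_score(obs):
    """Summarize the A-record observations for one name (or one pool of names)."""
    ips = {o.rdata for o in obs}
    return {
        "distinct_ips": len(ips),
        "distinct_nets": len({_network16(ip) for ip in ips}),
        "min_ttl": min((o.ttl for o in obs), default=None),
    }


def _is_fluxing(score) -> bool:
    return (score["min_ttl"] is not None
            and score["min_ttl"] <= MAX_FLUX_TTL
            and score["distinct_ips"] >= MIN_DISTINCT_IPS
            and score["distinct_nets"] >= MIN_DISTINCT_NETS)


def classify_zone(zone: str, log):
    """Label one zone as 'stable', 'single flux', 'NS flux' or 'double flux'."""
    a_by_name = defaultdict(list)
    for o in log:
        if o.rrtype == "A":
            a_by_name[o.qname].append(o)
    # Every name server the zone advertised at any point in the window.
    ns_names = {o.rdata for o in log if o.rrtype == "NS" and o.qname == zone}
    web = _flux_score(a_by_name.get(zone, []))
    # Pool the name servers' own A records: double flux rotates these as well.
    ns = _flux_score([o for n in ns_names for o in a_by_name.get(n, [])])
    web_flux, ns_flux = _is_fluxing(web), _is_fluxing(ns)
    label = ("double flux" if web_flux and ns_flux else
             "single flux" if web_flux else
             "NS flux" if ns_flux else "stable")
    return {"zone": zone, "label": label, "web": web, "ns": ns}


# Constructed address pools (documentation ranges), three /16 networks each.
WEB_POOL = ["192.0.2.1", "198.51.100.7", "203.0.113.9",
            "192.0.2.200", "198.51.100.150", "203.0.113.77"]
NS_POOL = ["192.0.2.61", "198.51.100.62", "203.0.113.63",
           "192.0.2.64", "198.51.100.65", "203.0.113.66"]


def constructed_log():
    """Synthetic one-hour resolver log for three made-up zones (not real data)."""
    log = []
    for i, t in enumerate(range(0, 3600, 300)):  # one sample every five minutes
        # Stable zone: one web address, fixed name servers, long TTLs.
        z = "example-stable.test"
        log.append(Observation(t, z, "A", 3600, "192.0.2.10"))
        for n, ip in (("ns1." + z, "192.0.2.53"), ("ns2." + z, "192.0.2.54")):
            log.append(Observation(t, z, "NS", 3600, n))
            log.append(Observation(t, n, "A", 3600, ip))
        # Single flux: the web front end rotates through bots, name servers stay put.
        z = "flux-web.test"
        log.append(Observation(t, z, "A", 300, WEB_POOL[i % len(WEB_POOL)]))
        for n, ip in (("ns1." + z, "198.51.100.53"), ("ns2." + z, "198.51.100.54")):
            log.append(Observation(t, z, "NS", 3600, n))
            log.append(Observation(t, n, "A", 3600, ip))
        # Double flux: the name servers' addresses rotate through bots too.
        z = "flux-double.test"
        log.append(Observation(t, z, "A", 300, WEB_POOL[i % len(WEB_POOL)]))
        for k, n in enumerate(("ns1." + z, "ns2." + z)):
            log.append(Observation(t, z, "NS", 180, n))
            log.append(Observation(t, n, "A", 180, NS_POOL[(i + k) % len(NS_POOL)]))
    return log


def run_report(log=None):
    """Return {zone: label} for every zone that has NS observations in the log."""
    log = constructed_log() if log is None else log
    zones = sorted({o.qname for o in log if o.rrtype == "NS"})
    return {r["zone"]: r["label"] for r in (classify_zone(z, log) for z in zones)}


if __name__ == "__main__":
    for zone, label in run_report().items():
        print(f"{zone:24s} {label}")
```

Run as a script it prints one label per zone. On real data the log would come from passive DNS or a recursive resolver's query log, and the thresholds would need tuning: legitimate content-delivery networks also answer with many addresses and short TTLs, so a match is a lead for an analyst, not proof of a fast flux service network.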

Full ICANN Report