ICANN Targets Fast Flux Hosting, Botnets, Phishing & More
- By Grey McKenzie
- Published Tuesday 11th 2008
Grey McKenzie
National Cyber Security Founder
Cyber security watchdog Grey McKenzie is one of the nation's leading Internet security experts.
Some of his clients include members of the Department of Homeland Security, State Department, Department of Defense & the Federal Bureau of Investigation.
His SpyCop security software products are in use by over 50,000 individuals & companies worldwide
ICANN has released a recommendation regarding how to make it very difficult for Botnets to operate.
The following are some excerpts from their report.
"Fast flux" is an evasion technique that cyber-criminals and Internet miscreants use to evade identification and to frustrate law enforcement and anticrime efforts aimed at locating and shutting down web sites used for illegal purposes.
Fast flux hosting is an application of technology that supports a wide variety of cyber-crime activities (fraud, identity theft, online scams) and is considered one of the most serious threats to online activities today.
Basic fast flux hosting uses rapid modification of IP addresses associated with a system that hosts a malicious activity to evade detection and takedown efforts.
This technique is also used to rapidly modify the IP addresses of the name servers that resolve the domain names of the fluxed malicious hosts (this variant is sometimes called NS fast flux).
A particularly troublesome variant of fast flux hosting, "double flux", fluxes addresses of both name servers and malicious (web server) hosts.
Security professionals, the anti-cybercrime community, and law enforcement agencies have studied fast flux hosting for some time.
Fast flux hosting operates on top of a large, distributed network of compromised systems that may very well span the globe.
A thriving underground business leases dozens to thousands of compromised systems to Internet miscreants as fast flux service networks.
Operators of these service networks utilize hierarchical covert (encrypted) communications channels and proxy techniques.
They manage these networks with some diligence by routinely querying the status of compromised systems and base adds and deletes to the networks based on the presence or absence of a response.
Of particular concern to the domain name community is the way these operators automate domain name service updates to hide the location of web sites where illegal activities – IP piracy (music, videos, games), hosting of child pornography, hosting of phishing systems, sales of illegal pharmaceuticals, and execution of identity theft and fraud – are performed.
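The report describes the DNS-level symptoms of fast flux (low TTLs, rapidly changing host addresses) and of double flux (name-server addresses changing too). The following is an added example, not code from ICANN or the report, that applies those symptoms as a triage heuristic to a constructed set of DNS observations; domain names, addresses and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    ts: int        # seconds into the observation window
    domain: str
    rtype: str     # "A": address of the host; "NS": address of its name server
    ip: str        # IP address seen in the answer (glue address for "NS")
    ttl: int

def classify(observations, max_ttl=600, min_distinct=5):
    """Return {domain: label}; label is "none", "fast flux", "ns flux" or "double flux".

    Thresholds are assumptions for this example: a domain whose answers keep a
    TTL at or below max_ttl and cycle through at least min_distinct distinct
    addresses is treated as fluxed. Legitimate CDNs also combine low TTLs with
    many addresses, so a hit is a signal to investigate, not proof of abuse.
    """
    seen = defaultdict(lambda: {"A": set(), "NS": set(), "max_ttl": 0})
    for o in observations:
        d = seen[o.domain]
        d[o.rtype].add(o.ip)
        d["max_ttl"] = max(d["max_ttl"], o.ttl)
    labels = {}
    for domain, d in seen.items():
        low_ttl = d["max_ttl"] <= max_ttl
        a_flux = low_ttl and len(d["A"]) >= min_distinct      # host address flux
        ns_flux = low_ttl and len(d["NS"]) >= min_distinct    # name-server flux
        labels[domain] = {(True, True): "double flux", (True, False): "fast flux",
                          (False, True): "ns flux"}.get((a_flux, ns_flux), "none")
    return labels

# Constructed sample: eight lookups of each domain, five minutes apart.
# "phish.example" rotates both host and name-server addresses on every answer
# (double flux); "ns-only.example" rotates only its name server's address;
# "static.example" returns one address with a day-long TTL.
SAMPLE = []
for i in range(8):
    ts = i * 300
    SAMPLE.append(Observation(ts, "phish.example", "A", f"198.51.100.{i + 1}", 300))
    SAMPLE.append(Observation(ts, "phish.example", "NS", f"203.0.113.{i + 1}", 300))
    SAMPLE.append(Observation(ts, "ns-only.example", "A", "192.0.2.10", 300))
    SAMPLE.append(Observation(ts, "ns-only.example", "NS", f"203.0.113.{i + 50}", 300))
    SAMPLE.append(Observation(ts, "static.example", "A", "192.0.2.44", 86400))
    SAMPLE.append(Observation(ts, "static.example", "NS", "192.0.2.53", 86400))

if __name__ == "__main__":
    for domain, label in classify(SAMPLE).items():
        print(f"{domain:18} {label}")
```

In practice the observations would come from passive DNS or resolver logs, and the distinct-address count is usually complemented by the number of distinct networks (ASNs) those addresses fall in, which the report's "span the globe" remark points at.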
While considerable attention is paid to the technical aspects of fast flux, an associated set of "business" activities exists and begs description as well.
We consider the case where a miscreant wants to conduct a phishing attack, but other criminal activities make use of fast flux as well.
For our example, the business aspects of fast flux hosting begin with malware authors.
Some malware authors develop phishing kits, software packages that can be customized to deliver phishing email to a list of recipients and host the associated illegal web site where the phish email sends victims.
Others farm email addresses and sell lists for spam.
Still others develop bot software. Bot software is a flexible, remotely controllable agent that can be directed to perform arbitrary functions on behalf of a corresponding command and control center (C&C) software: once covertly installed on a compromised system, bot software facilitates subsequent downloads and remote execution of additional, attack-specific software.
Bot-herders often use email-borne worms to infect and compromise thousands of systems, although client-side compromises, such as browser-based exploits, are the most prominent today.
Malware authors and bot-herders are goods providers in the cyber-criminal community.
Goods providers commonly use encrypted and private/secure Internet Relay Chat (IRC) channels or similar underground meeting places to advertise and find buyers for their criminal goods.
A bot-herder's criminal goods are essentially the facilities he can make available for fee or lease.
The herder leases the command and control of a negotiated number of compromised systems to a customer, who may use them directly or manage them on behalf of yet another miscreant; in the latter case, the bot-herder's customer serves as a provider of fast flux hosting services.
In this complex and covert economy, a party who is interested in conducting criminal activities may negotiate with several parties to obtain a spam (phish) list, deploy a phishing system or other attack kit, and a botnet and conduct the attack himself, or he may negotiate with one party, a fast flux service network operator, to direct the phishing attack on his behalf.
Full Report