[apops] Looking behind the smoke screen of the Internet and Internationa

  • To: apops at apops dot net
  • Subject: [apops] Looking behind the smoke screen of the Internet and Internationa Infrastructure: DNS recursive attacks, spamvrtised domains, phishing, botnet C&C's and you
  • From: Gadi Evron <ge at linuxbox dot org>
  • Date: Fri, 17 Feb 2006 14:49:23 +0200
  • List-archive: <http://www.apnic.net/mailing-lists/apops>
  • List-help: <mailto:apops-request@apops.net?subject=help>
  • List-id: Asia Pacific Operators Forum <apops.apops.net>
  • List-post: <mailto:apops@apops.net>
  • List-subscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:apops-request@apops.net?subject=subscribe>
  • List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:apops-request@apops.net?subject=unsubscribe>
  • User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
    • [X-posted]
      
      This text is meant for two (main) purposes:
      1. Updating the community about recent threats.
      2. Showing the community some suggestions of what can be done.
      
      
      In the recent weeks many people (including on different public ops communities such as NANOG) have noticed DDoS attacks going on, which appear to be abusing recursive DNS servers.
      
      A couple of documents on the subject:
      http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
      http://cc.uoregon.edu/cnews/winter2006/recursive.htm
      
      
      The attacks generally seem the same as always. Nothing new here. Why the big buzz than? (so far these have been kept "quiet" on several communities even if it is in plain sight and people speak of it openly).
      
      
      The buzz may be about the packet size/resulting fragmentation this time around, actual attacks seen in the wild on a wide scale, etc. Regardless, nothing new. Recursive is bad. Don't do it. :)
      
      
      For those of us too busy to read the documents linked to above, imagine an ICMP echo attack from spoofed sources that get back the replies, only in DNS... this is not very technically correct but it will do.
      
      
      Ignoring the DDoS for a second, in the last year, completely unrelated, in the anti virus world we see (and don't really connect the dots) more and more Trojan horses (i.e. bots) which use fast-changing-IP-addresses hosts/domains. Changing IP addresses or even name servers very often. These are now called "Fast-Flux" domains.
      
      
      Not connecting the dots as in the samples one sees the DNS RR's, not that they keep changing.
      
      
      Fast-Flux is actually a term which was coined in the anti spam fighters world, completely unrelated to the anti virus world. As these hosts are used to spamvertise from, or these name servers are used to host such bad domains, this is obviously something bad (although some Fast-Flux issues are legit, most aren't).
      
      
      Some of these domains, following certain patterns, are used in Trojan horses (maybe we should call them zombies this time) to coordinate. I.e. the C&C (Command and Control, also known as C2) servers where the different Trojans (bots) bots are controlled from.
      
      
      These patterns, such as those used by the (now old) Bobax Trojan (worm!) often utilize a domain pattern which needs to be ascertained if one wants to control these C&C's as it changed with, for example, the time-stamp. (old IRC trick from the GirlBots Trojan horses, with differentiating channel names)
      
      These can be 3LD's or actually domains, i.e.:
      jusdbgvosibs.dynamicdnsprovider.com
      msfgsbzxcffh.dynamicdnsprovider.com
      vnyjdcjsxngx.dynamicdnsprovider.com
      
      fsbiuabf.com
      afouabfo.com
      arlkehnm.com
      
      
      The samples would connect to these based on the algorithm, while these will be registered by the bad guys.
      
      
      In the recent attacks the specific name servers which are vulnerable are used while the domains are being spamvertised and then switched back to a different NS.
      
      
      This may indeed be the DNS activity seen, or it may be unrelated. I don't believe in coincidences though.
      
      
      The DDoS (which may be a direct or unrelated result of spamvertising or botnet control over DNS) may be a smoke screen for what's really going on, or it may be what it seems, just DDoS. As the bot controllers do both spam and DDoS, I see no reason why they wouldn't use this technology for both purposes (or other purposes yet to be seen).
      
      
      They (the bad guys) may have even just noticed it in the wild, used by other bad guys or they shared the techniques (they have quite a lot of cooperation going). While the good guys weren't sharing information/cooperating and thus not noticing it happening for a long time now. If they (the good guys) do notice "it", for example, the DDoS, then they don't notice the connection between different industries and fields.
      
      
      -opinion- Thinking a vulnerability or error will not be exploited/mistakenly triggered at some point in time just because it is left alone for a while is insane. Even if as the saying go, we won't attribute malicious intend to what is likely stupidity - any mistake which can happen, will happen. Major parts of the US power grid going down every few years proved that much.-/opinion-
      
      
      Fast-Flux hosts have also been used in Phishing for over a year now (before that they were indeed in the wild, but mostly in proof of concept attempts).
      
      
      Phishing in its original form of receiving a mail message and going to a site is going to be with us 10 years from now (much like 419's are still with us today), but it is slowly decreasing in volume for some time now.
      
      
      Phishing in general however, is in fact increasing with millions on millions of USD lost every month. Quite a bit of ROI for the Russian Mob and friends from Brazil, Eastern Europe, Nigeria, other hot-spots and the rest of the world, don't you think?
      
      
      The bad guys utilize Trojan horses (sorry, bots) more and more now for this activity, rather than the old bulk emailing techniques (even using ... zombies).
      
      
      The Trojan horse (sorry, worm) would connect to the DNS RR, which will change IP addresses and/OR name servers quite often, and thus while thousands, hundreds of thousands and all the way to millions of Trojan horses (zombies!!!) send out Phishing emails, the actual sites moves constantly (between every 10 minutes to once a day). This makes reporting these sites and taking them off the air increasingly difficult.
      
      
      That is also why anti virus companies become critical to the fight to keep the Internet alive, as while network operators can follow network traffic, the anti virus researchers and reverse engineers actually see what the Trojan horse does and how.
      
      
      Dynamic DNS providers (most of whom are good.. amazing people) have seen this done with 3LD's as botnet C&C servers for a few years now. Use of cryptographically strong domain names (with whatever algorithm used) is newer, but not that new.
      
      What am I trying to say here?
      
      
      All these activities are related, and therefore better coordination needs to be done much like we do on the DA and MWP groups, cross-industry and open-minded. R&D to back up operations is critical, as what's good for today may be harmful tomorrow (killing C&C's as an example).
      
      
      The industry needs to get off its high tree and see the light. There are good people who never heard about BGP but eat Trojans (sounds bad) for breakfast, and others need to see that just because some don't know how to read binary code doesn't mean they are not amazingly skilled and clued with how the network runs.
      
      
      This is not my research alone. I can only take credit for seeing the macro image and helping to connect the dots, as well as facilitate cooperation across our industry. Still, as much as many of this needs to remain quiet and done in secret-hand-shake clubs, a lot of this needs to get public and get public attention.
      
      
      Over-compartmentalizing and over-secrecy hurts us too, not just the US military. If we deal in secret only with what needs to be dealt in secret, people may actually keep that secret better, and more resources can be applied to deal with it. Some things are handled better when they are public, as obviously the bad guys already know about them and share them quite regularly. "Like candy" when it comes to malware samples, as an example.
      
      Some solutions to think about:
      - Help facilitate better cooperation.
      - Help facilitate better coordination.
      - Join a mitigation group, do something.
      
      - Join a research group, find solutions that won't just kill the current - problem and make it far worse 2 years down the road (terrorism, spam, botnets, phishing).
      - Work with others outside your club, you may learn something.
      - Stop ignoring problems until they become yesterday's problems.
      
      Some intermediate solutions:
      - Run a clean computer. Secure your machine.
      
      - Run a clean service provider, secure your network and answer abuse reports.
      - Cooperate and share information.
      
      - Cooperate with law enforcement, as economics such as the ROI the bad guys see can only be beaten with changing the cost-benefit/risk-gain equation.
      
      Some immediate solutions:
      
      - Block outgoing port 25 on dynamic ranges if it is right for your organization ("don't be the Internet's firewall").
      - Make sure your DNS servers don't allow recursive requests.
      
      
      I recently shared with Paul Vixie an idea for a structure of an operational group for DNS. Paul Vixie and the DNS folks are taking care of their end with the DNS infrastructure where they can.
      DNS in general (not the infrastructure) has been neglected for a long time.
      
      Are you taking care of your issues? Are you as responsible as these guys?
      
      
      A lot more can be done, a lot more can be suggested. There are many examples of people doing amazing work. NSP-SEC, DA, MWP and many others.
      
      
      These ideas should get us started on the next level of taking care of business.
      
      
      Want to be involved? Get involved. See a threat? Share it. Think I am wrong? Bring up your own idea and follow through, don't just criticize others or try and stop them because you've grown warm and cozy in your spot in this world or for whatever other reason or jealousies you may have, as eventually they will circumvent you and work without you.
      
      
      -opinion-One example for this is the anti virus industry and their naming conventions (hopefully to change with CME from Mitre). Another is the US Government thinking they can control the Internet and China showing them that if they won't let them in, they will create their own systems. That's just a hint of things to come, with alternate roots as just one side of the problem.
      
      
      The Internet is an "International Infrastructure" and these power struggles are self-defeating.-/opinion-
      
      
      Feel free to ping me if you'd like to know what information sharing effort is going on in your area as well as involving your area with others (an effort which will actually allow you to join and help), as the fault is not only yours but also ours.
      
      
      -opinion-Our fault, us, the people who run these communities and global efforts, for being over-secretive on issues that should be public and thus also neglecting the issues that should really remain under some sort of secrecy, plus preventing you from defending yourself.
      
      
      Us, for being snobbish dolts and us, for thinking we invented the wheel, not to mention that we know everything or some of us who try to keep their spots of power and/or status by keeping new blood out (AV industry especially, the net-ops community is not alone in the sin of hubris).
      
      
      It's time to wake up. The Internet is not about to die tomorrow and there is a lot of good effort from a lot of good people going around. Amazing even, but it is time to wake up and move, as we are losing the battle and the eventual war.
      
      
      Cyber-crime is real crime, only using the net. Cyber-terrorism will be here one day. If we can't handle what we have on our plate today or worse, think we are OK, how will we handle it when it is here?
      
      
      There is a lot yet to be said, a lot which is not 100% accurate and a lot that needs to be done as well as already being done. It's not enough and it can't all be covered in one write-up.
      
      This text can be found here:
      http://blogs.securiteam.com/index.php/archives/298
      
      Future updates can be found here:
      http://blogs.securiteam.com/
      
      Thank you.
      
      	Gadi Evron.
      
      --
      http://blogs.securiteam.com/
      
      "Out of the box is where I live".
      	-- Cara "Starbuck" Thrace, Battlestar Galactica.