[afnog] Looking behind the smoke screen of the Internet and International Infrastructure: DNS recursive attacks, spamvertised domains, phishing, botnet C&C's and you
Gadi Evron
ge at linuxbox.org
Fri Feb 17 15:49:09 EAT 2006
[X-posted]
This text is meant for two (main) purposes:
1. Updating the community about recent threats.
2. Showing the community some suggestions of what can be done.
In the recent weeks many people (including on different public ops
communities such as NANOG) have noticed DDoS attacks going on, which
appear to be abusing recursive DNS servers.
A couple of documents on the subject:
http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
http://cc.uoregon.edu/cnews/winter2006/recursive.htm
The attacks generally seem the same as always. Nothing new here. Why the
big buzz then? (So far these have been kept "quiet" on several
communities, even though they are in plain sight and people speak of
them openly.)
The buzz may be about the packet size/resulting fragmentation this time
around, actual attacks seen in the wild on a wide scale, etc.
Regardless, nothing new. Recursive is bad. Don't do it. :)
For those of us too busy to read the documents linked to above, imagine
an ICMP echo attack from spoofed sources that get back the replies, only
in DNS... this is not very technically correct but it will do.
Ignoring the DDoS for a second: in the last year, completely unrelated,
in the anti virus world we see (and don't really connect the dots) more
and more Trojan horses (i.e. bots) which use hosts/domains with
fast-changing IP addresses, changing IP addresses or even name servers
very often. These are now called "Fast-Flux" domains.
Not connecting the dots, in the sense that in the samples one sees the
DNS RRs, but not that they keep changing.
Fast-Flux is actually a term which was coined in the anti spam fighters
world, completely unrelated to the anti virus world. As these hosts are
used to spamvertise from, or these name servers are used to host such
bad domains, this is obviously something bad (although some Fast-Flux
issues are legit, most aren't).
Some of these domains, following certain patterns, are used in Trojan
horses (maybe we should call them zombies this time) to coordinate. I.e.
the C&C (Command and Control, also known as C2) servers where the
different Trojans (bots) are controlled from.
These patterns, such as those used by the (now old) Bobax Trojan (worm!),
often utilize a domain pattern which needs to be ascertained if one
wants to control these C&C's, as it changes with, for example, the
time-stamp (an old IRC trick from the GirlBots Trojan horses, with
differentiating channel names).
These can be 3LD's or actually domains, i.e.:
jusdbgvosibs.dynamicdnsprovider.com
msfgsbzxcffh.dynamicdnsprovider.com
vnyjdcjsxngx.dynamicdnsprovider.com
fsbiuabf.com
afouabfo.com
arlkehnm.com
The samples would connect to these based on the algorithm, while these
will be registered by the bad guys.
In the recent attacks the specific name servers which are vulnerable are
used while the domains are being spamvertised and then switched back to
a different NS.
This may indeed be the DNS activity seen, or it may be unrelated. I
don't believe in coincidences though.
The DDoS (which may be a direct or unrelated result of spamvertising or
botnet control over DNS) may be a smoke screen for what's really going
on, or it may be what it seems, just DDoS. As the bot controllers do
both spam and DDoS, I see no reason why they wouldn't use this
technology for both purposes (or other purposes yet to be seen).
They (the bad guys) may have even just noticed it in the wild, used by
other bad guys, or they shared the techniques (they have quite a lot of
cooperation going), while the good guys weren't sharing information or
cooperating, and thus didn't notice it happening, for a long time now.
If they (the good guys) do notice "it", for example, the DDoS, then they
don't notice the connection between different industries and fields.
-opinion- Thinking a vulnerability or error will not be
exploited/mistakenly triggered at some point in time just because it is
left alone for a while is insane. Even if, as the saying goes, we won't
attribute malicious intent to what is likely stupidity, any mistake
which can happen, will happen. Major parts of the US power grid going
down every few years proved that much.-/opinion-
Fast-Flux hosts have also been used in Phishing for over a year now
(before that they were indeed in the wild, but mostly in proof of
concept attempts).
Phishing in its original form of receiving a mail message and going to a
site is going to be with us 10 years from now (much like 419's are still
with us today), but it has been slowly decreasing in volume for some
time now.
Phishing in general, however, is in fact increasing, with millions upon
millions of USD lost every month. Quite a bit of ROI for the Russian Mob
and friends from Brazil, Eastern Europe, Nigeria, other hot-spots and
the rest of the world, don't you think?
The bad guys utilize Trojan horses (sorry, bots) more and more now for
this activity, rather than the old bulk emailing techniques (even using
... zombies).
The Trojan horse (sorry, worm) would connect to the DNS RR, which will
change IP addresses and/or name servers quite often, and thus while
thousands, hundreds of thousands and all the way to millions of Trojan
horses (zombies!!!) send out Phishing emails, the actual sites move
constantly (between every 10 minutes and once a day). This makes
reporting these sites and taking them off the air increasingly difficult.
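The two fast-flux passages above (records that keep changing in the samples, and phishing sites that move every 10 minutes to once a day) can be turned into a detection over a resolver's own query log. The following is an added example, not code from the post or from any of the groups it names; it assumes you have a per-hostname history of answers (time, TTL, A records, NS names) and uses constructed sample histories in RFC 5737 documentation ranges.

```python
from collections import namedtuple

# One observation of a hostname's DNS answers: query time (seconds), the
# TTL returned, the set of A records and the set of NS names seen.
Lookup = namedtuple("Lookup", "ts ttl a_records ns_records")


def flux_score(history, max_ttl=600, min_unique_ips=8):
    """Score a lookup history (ordered by time) on three flux indicators,
    one point each: consistently short TTLs, far more distinct A records
    across the window than any single answer returned, and a change of
    name servers during the window. Returns (score, reasons)."""
    if not history:
        return 0, []
    reasons = []
    if all(l.ttl <= max_ttl for l in history):
        reasons.append("every answer had TTL <= %ds" % max_ttl)
    all_ips = set().union(*(l.a_records for l in history))
    largest_answer = max(len(l.a_records) for l in history)
    if len(all_ips) >= min_unique_ips and len(all_ips) > largest_answer:
        reasons.append("%d distinct A records seen" % len(all_ips))
    if any(l.ns_records != history[0].ns_records for l in history[1:]):
        reasons.append("NS set changed during the window")
    return len(reasons), reasons


def is_fast_flux(history, threshold=2):
    """A short TTL alone is normal for CDNs; require two indicators."""
    return flux_score(history)[0] >= threshold


# Constructed sample histories (RFC 5737 documentation addresses).
FLUX_HISTORY = [  # answers rotate every 10 minutes and the NS moves
    Lookup(0, 300, {"192.0.2.10", "192.0.2.11", "198.51.100.5"}, {"ns1.example.net"}),
    Lookup(600, 300, {"192.0.2.12", "203.0.113.7", "198.51.100.9"}, {"ns1.example.net"}),
    Lookup(1200, 300, {"203.0.113.8", "192.0.2.13", "198.51.100.20"}, {"ns2.example.org"}),
    Lookup(1800, 300, {"203.0.113.9", "192.0.2.14", "198.51.100.21"}, {"ns2.example.org"}),
]
STABLE_HISTORY = [  # ordinary site: day-long TTL, fixed addresses and NS
    Lookup(t, 86400, {"192.0.2.80"}, {"ns1.example.com"}) for t in range(0, 2400, 600)
]
CDN_HISTORY = [  # short TTL but the same small pool: one indicator only
    Lookup(t, 60, {"203.0.113.1", "203.0.113.2"}, {"ns1.example.com"}) for t in range(0, 2400, 600)
]

if __name__ == "__main__":
    for name, hist in [("flux", FLUX_HISTORY), ("stable", STABLE_HISTORY), ("cdn", CDN_HISTORY)]:
        print(name, flux_score(hist), is_fast_flux(hist))
```

The CDN history scores one point only, which is why the verdict needs two indicators: short TTLs by themselves are not flux.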
That is also why anti virus companies become critical to the fight to
keep the Internet alive, as while network operators can follow network
traffic, the anti virus researchers and reverse engineers actually see
what the Trojan horse does and how.
Dynamic DNS providers (most of whom are good, amazing people) have seen
this done with 3LD's as botnet C&C servers for a few years now. Use of
cryptographically strong domain names (with whatever algorithm used) is
newer, but not that new.
What am I trying to say here?
All these activities are related, and therefore better coordination
needs to be done much like we do on the DA and MWP groups,
cross-industry and open-minded. R&D to back up operations is critical,
as what's good for today may be harmful tomorrow (killing C&C's as an
example).
The industry needs to get off its high tree and see the light. There are
good people who never heard about BGP but eat Trojans (sounds bad) for
breakfast, and others need to see that just because some don't know how
to read binary code doesn't mean they are not amazingly skilled and
clued with how the network runs.
This is not my research alone. I can only take credit for seeing the
macro image and helping to connect the dots, as well as facilitate
cooperation across our industry. Still, while much of this needs to
remain quiet and done in secret-hand-shake clubs, a lot of this needs to
get public and get public attention.
Over-compartmentalizing and over-secrecy hurts us too, not just the US
military. If we deal in secret only with what needs to be dealt in
secret, people may actually keep that secret better, and more resources
can be applied to deal with it.
Some things are handled better when they are public, as obviously the
bad guys already know about them and share them quite regularly. "Like
candy" when it comes to malware samples, as an example.
Some solutions to think about:
- Help facilitate better cooperation.
- Help facilitate better coordination.
- Join a mitigation group, do something.
- Join a research group, find solutions that won't just kill the current
problem and make it far worse 2 years down the road (terrorism, spam,
botnets, phishing).
- Work with others outside your club, you may learn something.
- Stop ignoring problems until they become yesterday's problems.
Some intermediate solutions:
- Run a clean computer. Secure your machine.
- Run a clean service provider, secure your network and answer abuse
reports.
- Cooperate and share information.
- Cooperate with law enforcement, as economics such as the ROI the bad
guys see can only be beaten with changing the cost-benefit/risk-gain
equation.
Some immediate solutions:
- Block outgoing port 25 on dynamic ranges if it is right for your
organization ("don't be the Internet's firewall").
- Make sure your DNS servers don't allow recursive requests.
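A self-check for that last item, added here as an example and not taken from the post: it builds a query with the RD bit set, reads the reply header, and tells an open recursive answer from a REFUSED or authoritative-only one. It assumes you probe a resolver you operate yourself, using a name outside any zone it hosts (example.com stands in as a placeholder); the three reply headers at the bottom are constructed so the classifier runs without a network.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_REFUSED = 5

def build_probe(qname, txid):
    """Standard query for an A record with the RD (recursion desired) bit set."""
    header = struct.pack("!6H", txid, RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def classify_response(data, txid):
    """Read only the 12-byte header; that is enough to see whether the
    server resolved a name it is not authoritative for."""
    if len(data) < 12:
        return "truncated"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", data[:12])
    if rid != txid or not flags & QR:
        return "not our response"
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return "refused"             # recursion denied to this client
    if flags & RA and not flags & AA and rcode == 0 and ancount > 0:
        return "open-recursive"      # resolved a foreign name for us
    if flags & AA:
        return "authoritative-only"  # served its own zone, no recursion offered
    return "no-answer"

def probe_server(server, qname="example.com", txid=0x1234, timeout=3.0):
    """Send the probe over UDP to a resolver you operate and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_probe(qname, txid), (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"
    return classify_response(data, txid)

# Constructed reply headers (no network needed) for the three cases.
OPEN_REPLY = struct.pack("!6H", 0x1234, QR | RD | RA, 1, 1, 0, 0)
REFUSED_REPLY = struct.pack("!6H", 0x1234, QR | RD | RCODE_REFUSED, 1, 0, 0, 0)
AUTH_ONLY_REPLY = struct.pack("!6H", 0x1234, QR | AA, 1, 1, 0, 0)
```

An "open-recursive" result for a name you do not host is the condition the bullet warns about; "refused" is what a correctly restricted server returns to clients outside its allowed networks.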
I recently shared with Paul Vixie an idea for a structure of an
operational group for DNS. Paul Vixie and the DNS folks are taking care
of their end with the DNS infrastructure where they can.
DNS in general (not the infrastructure) has been neglected for a long time.
Are you taking care of your issues? Are you as responsible as these guys?
A lot more can be done, a lot more can be suggested. There are many
examples of people doing amazing work. NSP-SEC, DA, MWP and many others.
These ideas should get us started on the next level of taking care of
business.
Want to be involved? Get involved. See a threat? Share it. Think I am
wrong? Bring up your own idea and follow through, don't just criticize
others or try and stop them because you've grown warm and cozy in your
spot in this world or for whatever other reason or jealousies you may
have, as eventually they will circumvent you and work without you.
-opinion-One example for this is the anti virus industry and their
naming conventions (hopefully to change with CME from Mitre). Another is
the US Government thinking they can control the Internet and China
showing them that if they won't let them in, they will create their own
systems. That's just a hint of things to come, with alternate roots as
just one side of the problem.
The Internet is an "International Infrastructure" and these power
struggles are self-defeating.-/opinion-
Feel free to ping me if you'd like to know what information sharing
effort is going on in your area as well as involving your area with
others (an effort which will actually allow you to join and help), as
the fault is not only yours but also ours.
-opinion-Our fault, us, the people who run these communities and global
efforts, for being over-secretive on issues that should be public and
thus also neglecting the issues that should really remain under some
sort of secrecy, plus preventing you from defending yourself.
Us, for being snobbish dolts and us, for thinking we invented the wheel,
not to mention that we know everything or some of us who try to keep
their spots of power and/or status by keeping new blood out (AV industry
especially, the net-ops community is not alone in the sin of hubris).
It's time to wake up. The Internet is not about to die tomorrow and
there is a lot of good effort from a lot of good people going around.
Amazing even, but it is time to wake up and move, as we are losing the
battle and the eventual war.
Cyber-crime is real crime, only using the net. Cyber-terrorism will be
here one day. If we can't handle what we have on our plate today or
worse, think we are OK, how will we handle it when it is here?
There is a lot yet to be said, a lot which is not 100% accurate and a
lot that needs to be done as well as already being done. It's not enough
and it can't all be covered in one write-up.
This text can be found here:
http://blogs.securiteam.com/index.php/archives/298
Future updates can be found here:
http://blogs.securiteam.com/
Thank you.
Gadi Evron.
--
http://blogs.securiteam.com/
"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.