|
|
|
Botnet Operators Likely to Change Tactics in Wake of McColo, Intercage ISP Shutdowns
By: Brian Prince
2008-11-21
Article Rating: / 3
There are 1 user comments on this Network Security & Hardware story.
Botnet Operators Likely to Change Tactics in Wake of McColo, Intercage ISP Shutdowns (
Page 1 of 2 ) Botnet operators may change their tactics due to the shutdowns of ISP Intercage and Web hosting company McColo. Security researchers predict a shift to a more distributed botnet model and redundant command and control servers.Between the shutdown
of Web hosting company McColo Nov. 11 and the death of ISP Intercage, aka
Atrivo, in September, we may be entering a new phase of Internet securityone
where every part of the Internet's ecosystem takes a more proactive role in
securing Web users.
But attackers always adapt to the times, and security experts expect botnet
operators to focus on avoiding situations where a knockout blow like the McColo
shutdown can take them offline.
"There has been a great deal of talk about a more distributed botnet
infrastructure and several smaller botnets were already following this
model," said Graham Cluley, senior technology consultant with Sophos.
"However, because the big [old-fashioned] botnets were still working there
was no need for them to change their methods. The closing of McColo will force
changes."
Joe Stewart, SecureWorks' director of malware research, shared a similar
opinion. He predicted that some of the more tech-savvy botnet operators may
design a fast-flux hosting platform for their command and control servers on
compromised home computers. Others, he speculated, will follow the path of the
Storm botnet and try going the peer-to-peer route.
"It is very hard to build a fully decentralized P2P system that is
scalable and reliable," Stewart said. "Storm wasn't even fully P2P,
it used a tiered-proxy C&C [command and control] system, and you could
still shut down the master controller at the top to kill the botnet temporarily
if you could find it."
After Intercage was shut down, spam levels dropped as well. However, that
decline only lasted a few days. By the end of October, the proportion of spam
circulating the Internet was unchanged from September, according to a report by
MessageLabs, now part of Symantec.
The short fall-off shows that botnet controllers will react to a disruption
in service by pointing their bots to a new C&C channel as soon as possible.
That fact has left some researchers a little surprised that the latest decline
in spam has lasted as long as it has.
"The volumes are still way down," said Matt Sergeant, senior
anti-spam technologist at MessageLabs. "Asprox has come back, but it was
always a fairly low-volume botnet in comparison to the big guns. Warezov has
spiked, taking advantage of the other bots being down, we presume, [as] its
C&C wasn't hosted at McColo."
To avoid this situation in the future, Sergeant predicted botnet operators
would look to have multiple redundant C&Cs and more algorithmic
generated DNS (Domain Name System) names for failover purposes.
|
|
�������xr6(;= xf�S�O#d[�kDzfzT� I)KRs��O7�~郒lwM�@�ht7�F;�?{{~$rhiI1f�%S�TI�}"I{�hCH~0`R)rdx�BԲ|W�Rj�k99�r
���z=�F"wx� ���'�@�PL9�uΜ}ٜjc6h2 X��- (��k��O��j���(CL�x,j�="?�
�w,8&a~#�$0 �g*>N5ol(��)�RXVP~�FD�ǎ5~{N5{�P�`T黖6?"C�AVl�fesVC�6�i!rs�!�gߎ�Z$fPrNWw#2�5AR
Z@[
;4Ԙ��DOeCc`Ww,ǃT*�TjQ5#mjZ�35-3GؾQ̀Q���A3E5��L_C($fR[8�=/�y�z�]htVu ̿ykײ*�CM�{6̳L]nlb#6fj�ۆظ�?0�}�$ꎧ�c"�9lˑ,kFpf0閩m�Ⱥuw*Z+�RP:<�E����m8�eڳG�2;KPQTP8�9�@(;p
nkZT�a(:ӛn{'WOwq@.�[A~N7"
DT-�JR,�ODC{a�Olhxڽ~�H}AJI?��j9,��Ղz��H.c=I-Lcv=ӧH0CВF^8(J�:ϦUus}Huzqrn#|#9ĠT
PAbPKe+��ԩZtܞ>_rܶκ=r!gOV�I3��a
Og�V�}mup}�O|i5H8=|`k2�`;�;RV>H�?uO[d�@'Sdx*g3~��47QZh,r$dbrF~DX
��R(7�#Ǫ��Mm�dʱ�(|ǚ�r�N�~}E!e:`M��70���S�h�I3;�j�\K}0�Ca)#p?�̓I��pJq�䰊cYUl� �\捇oB@{d$e��,�=I,E]!fdL˅B�""x^3t�qA�K�H�@!=F!�N�1FpHf.b;uKʚ�gfuY%YWe.�o
�<�7[Ǜ�]wz]|z�Lq|�)zN=��=H�P7�ZЉ�χ�jcɦMB:���ǻ�ښB�<(Qҡ4|мa���q�jQ?]�*vh3`�-�Df>�ho��ќ�5҆�*��QcSB�]jCx;�+1
��L4L�ddG�ɚMs[:LV!͘3e�
���Wrfƺ&pwGC4&T֬&���2<5mV�AL��2�t�x增U
�JxP?3L�eDfko�M���ʜL2�ܲP9P�UWIY�Vc$] V6_2}�h=�ӧ��L)ESr������w�es貝F9T�ĿL;ͺ|+dYWz#V6/:A| ]�օV�P�o�@�yC� dh{K��mka %/մ�E�A
nbX�G:�X�G4~N/a+)wT&�v7pll}5G&5|�&=f�E\8?62aiF6oZPǪzXJ>c3�� �9P͝�poIJ*V*gsXSq�=Zz�J�鹞`�ۉ�y̱; �lЙN�ߣ )!��w1�(6A�XXfTJMQWL��. ���f �ǂ %K�e*t55{qaٿ\ZT[kʮtՔ/hVp��6�*:
?�0j&6h#Ӣ>oZuik#2b�Tנ~3�Vʅĸ'q?�|��2e(�*G-ЯcYC6ftEm+s�4]�
bJtL{���@A�a�Ro5�>
U�T�#!EX+LTb�(^p�k�N�4:E�80�9Ni�-*IH�-b],�* xH��M�vB�هE>Ǿ{E;=
��F�07�f�)cpH,`_��t`@B^jC����LΧRERE���v��h�bNZ�qSD��@abI4a1��G�g�Z_{=n2dBT�^e�j�,{LR֊Z5F��jEQRVq"
:?#TFQH.ա�g4�'8k�yw|Oiԛυ�no?�}]w+\ksf~gVl^�L�avQ#'P^˒;|�VJޛCyVa/bԧJǪ8P�zU0�ȵ(�4�V8wf;�<�@;
vQ�: hC�R�&�`�j@$��p�LU}6�*Rq�);�oiZK�YQ�I�f0 �5-"�?X
�Tkt)D�kn׃�S~Z`�Sb/ JzX+*ښ<#(KNG�V32@1"C�9�wF�!zƴY~
r?o |:Rq{ތ�9"zfnހWIl��J(Li^.QnH}�gn�LZ\[t7ux8&soJiv �Qby6��E�3��о�
M(�R%G:{J#q��n_Q��+ZNt�`DfbNg�µ�z5c�;�k�*)<��5P5u�2�\3� h̕e��mG2~�z&�i-a@ywN5�� �v�hՂ|O��'A(3_pf>��Jf;9^o@H�us>
`��;�07�$pk��Zg\Tu�Ej9.�a�^f&�k꾬�Gwi�FU4�QH!I�uO(%ť:m2T�KbU)��>�+�r=+2+�#4�+^��ya
n?��[ �1w�ҨTI�SW>)w?�Wϰ�3�mNb���4G��teWԄƸ�4;f̬9[Ifiy�Vum4eH�$6P�~'+*$Ԛ�kEI=�O��
��k0iwA�*}/*\F�IvSfut�G�0|=n�h��:ɹT)j
l[-W+�f>"�0!��T=*�{yO"P?��V�*
t2�R@BRFb.O}+�4C��Zn�B',U'�n_\&+#I ��xʍ8�ӄ�Q��'�/!(0�H_dpCm;�\�avv�'HGޏh.}Y�U�}KN��1`<}^^����fcrjG!��{>T]`6"Z:"c��o�Τvŏ-øoٷ�� �K1�cbvmlɶW2zQ^7W�^6v:����2w4Hv4,r��Ӽy߾�/vv/71l_dcx(`F1M�y~u⟐U8B)Dey��~|hq\3nmG�'E�L9\=�I];f/!uM@
}ޜn8O[5c5Igl\���f�Fh6~[Qx~WX����k~��o $��sg��P8������{B�*�q]_6?G2se�A����VS
P�+b�K)"$DY |�Zݛ&'
<�&9�hEщk
]پ�~KiV�
T
�t~i�ў.`
e܃�&WVr['?�!���+�ۗ�T|㿜Y^$M�a��&A.HWԺ�J="�0�QJ"g�8�^E;6�l->{(��cd9�Ga��R)%|v(
[4whia%uєYj�dJ)%SBt��'(RH PU,O$y=%l�Q2 (KB%�lbTHJoO�wݼ�,7<1ޥ]ƙ�xzI~纱�yx92iA�(5�~y�N�H�>١')-&
:*VjRZz]XgUHN~��OJ�6�
T�Tz@0�H�r\|){~�U9�u?�y{lQ��P]�Qz AEvo~ℜ71;z[o�bKf0�7+�i{ֽiamơ8�-��0^t,$�$yEQj/g�3$]Bn/:��}L�z�d�,F��Jf�Z7K�ni^�x u4u遧w{�}!F.u06/s1dǒ4ϯ3n8e~W�L�]-R"9n㚨�p;D�)8eȁqR�#y�bkK`!j�>b�o
�14��-*zj6=l-S����רO Z�;x2o�or�o? G Of�x�f79g; 8>l�Id3h�l?|n�wkLlll���4�RbШMp9lv8�W
-;�N(�
ֱ��Vاe��+_÷zgVy}�rx�|[v[�1g&o)#_�nU�KN+c��__b��Bs�3�[Gɨ_
=�s�(ı��߂Kd�[:�F�L�
y4u�4J\��M&t:98Y?z9~�Kk-N�]:On'&�sg'!!pHOZh�St7W^~5|JuC^ܙ۹�s=z3K�v9:)5zb:`9z'Cr�$ܶe0R����2hIK�RƱr�s1F��?���i�YЕuYa�# �\CDdUns���h�Jc5L!#1�C*aYf� j1xԏֹz^�ۍE�]n��n$��wܻR�ۑjOY*xIɔTdy�.�wuJ!n!^ۂH�M��6IT:,%qOw�(6�sr[X��w��991;SC9_k$ǀ!ܗ5z��ϻ8X,^0IT��eثÿE��"aμyuG0I #ذ� D켟b{K�x4^U
Pb(EZ@[Ndte6B$�m0�zY�wkuYH;2W)}�0öSeK=WN{�Hx\B:R��I <�d�� 'Q�DT@4�#X��ǮY�x�W��ٕ�nXW-dY�BQe,_ి{z�}�")ɓ�~1S[b&�F3<9�/uS d��T�Zxf�JB���p$�: )XYʝxB�MQBy[z+8]9�ƙ�pXp!I+�%;p�NE<��� ;�I�E�
pl+j�!@"�.{��y"B�O+�)��u[R,8){jҩGg+�� _��0 I�L>S|tJ�Ŀ{�bbixh<n-�/Ny"�gh5H>R<<�2.�"=AEVe^5=�!!.evRQٖ*/Ed�Ә�^ėN(�di7�5CAiKŚ_��HBmӿ6v=*ےEeOG3- DK/'ِo=e ��B$0���+�0[w;llq'*(TQ X)1�&I�q77#7#7#7#�TS�c�mɸg +�9�橶|s1S'�[jaGD> ^}�"830!oHa$�TBj3tmiv6}D0FB$y�s}� C1/�2z*n�+%I�M�1C�
ٲ��u76��C� YXl� B$�D�� HbxZc^8��(I�j<4W}�JImߗ8 W��H#6�Hd��S�Py�D-G6�'F�vD�!�Xt豺<�Q(k�-dcSJ]A0yt�o"�wt-��@"�$@O/{e$㓐 �nIn/fMB}�S8:��F�T)o2�d��zst O8|Χ+zhap�_�i��%�]"w_lw,B1ؑ|�+ODy�=��d,3uu�&bFFFFF�وjZzm6St~.�·�|-;�,Ӡ�1�S&X JZYðsk{XQgԖj<3�
VCagWS�6(/Ò��/yeE{rg~n\ccm6M�(wf�ęYעK͡3��J&;KKYikv>'�ts��}�q��m!�.Н's�q�ʋ�Bۈu71v�C�4_:C.oyta`�C�ՆYC/}4_:��DinZKW63LOUt�6mi�sǨ9<��s0B`��BIA@�/�yGms~mTJP_l8�<&&LŹ
',a)uR~oeclkOa�d|��R/zN.�KkLf0K �r�iܗ- GsS�k�=6�F'"?[^op?Wƭ^S�\,O5!p �n9!�71Gff7uv@k#�o{'!db�b�y;�{BSkI.Ĉ�m�5�k�oS :௺evau,�E-Dž�FSe�νc�o
'6>a1?}�r�iU� �W-L�ڍ/,5-k1;�pO;mL[�bd��@._h���}�4MP#S
T'T0{lWw�=uZ4&Ndç�EA@���,��Y+z�)�ל�Ӣ}F�|0B��ll>FOC�gwfV};͟�*��ľ�c�*�N2vbjSxi
v�f?Qg�"�:n6M]J��7?r@~�RB~~/І`N]�4;8~/&�&ФC>ybqJq)Rr�R#_P>�B�o�wdF �Jvwp-5 ��tX)as�ǺQt�ްTUj1�}!M[nŽKp�겊E���kr�GvM
rซa=�ʱ,~|�OEYDz�q.+ص^�e9LA"�cW�FC!5zH��adWh}$FNt�yy`D��h�Gʨ"�o[���aX�/A�[Ԓ#r�h!@ BߘDP`�a`8ĒAu�7�/͛I~�oYK]�Ru.95�1E�P�R6&Ƙsjx_Z-�*9�>%�Rk�KN�t�c���[cě��ges[`�ɣ.�j +a��JD:(-~0˦7�|^.:X��yVULX���Lϫ&�\ϫ~�̴s5mi<1E�W�Zz�j<�hfY'J"
qn04n�=2�>Q����'�Bun�� mЬ~6տ4,L�`?�\TnUw=jh�DڤH�vZZ6wn^S�UVRR>
�E|ܨ�o�A&�hid�Z}r#q[Kq
=/RVIy֜4
cTX�,|xS��&Z<<}Q,턂rbf�Ӄ(�}C?@G����}jkƻcJ�+sSbN� �,z�W�xe%F¯[q{u
�>d�ǧә��
"gt|юUݺ[knr9ݛ��?/S\mD��96Z�?bS{\�}baeI�&�ʹ{[Vjƹ.04&n����\hf�ME�"T75|G,%_]�z%|�=�=�oEiN/JPG!G\P]�aLbD+ .�m3FwY.~_%ʘ"q�:{"Q_*j�@(eiir'
o&'��xB*C7돸�R/ }
�r�th�7Az$wp�
No@��`m̬HGb�Qx
{o�MMðhLfRO��a��QL�_!,y|tZZ&U}�HKm1?i�b#3�!�F�
�P\Ǎm�پ$Weo24>wf(M$�:�mG4:�ڜK)��C0
SdN
�ρOS� (HL� C<0 a�]āي_`�{�φ\n|J7�QǷ�5t$rE!�i
?퇛^P@U�>�`8�*ejTtKDL
2�@�s�8���o|>zyu`nO�KZ�&9a� kE$�73XdF$�1ш�:aں5c3bvt] y4�20Ad~@>uXj�Y�
�{�3sȣ4ϓ}�D:�R"x
4Q:&.�H�� o%�H)�iP�4(lϏ�B6D���SJTn$|�s�o�Yx`J���Lmaw�w.³2}�GAa2?u:�b*fé�`�\�oAN�:�ի�
<�0u�39��ss��RC¤vx�T+m�@�<�Plt4'*<,�MO_�{�}���><�Rh̘])B9�Ե�~��|�+R0bE)'��vx6fV?7\.4!W�)WT�h����s##vFC��)^�z@|
TBzX\�;�k4/?
iV>Nov.x ZѶp+t{s=|ڽ|j]ߴƹt(UR[Ye(�L%,C r~촘28SѢKs!Yx�9K��x5�2
/�EL�qx*]'a_nȲ�E[VCT�(�~0`b01xS<;izj6\[�Ay�Y/|vˢ�%!uԢz p7@Q2D�*GM*7�xk]N{5BJ�y@�� CF/KF
߬O?m�63һHGJO?��2O!t}9<�?3#\~5.gF,#�h�gW�vF?r�ϐy}%̀�]1>�'�ɂ�d�d�d�ɠ�g'>G2 ?e_@EF? ���Hd^e�U�\]e_�h�O7CtAt35u�}\C7@?7�Ӄ2߃2�g__�>f'H�ѿOO�۬t�o3�͠\'I��73y�S.�rqA/
ȋU৬tXB]g�Bz<� =^`fk��x�sf�e{�9n;k?[Oguи
CJW=k */dmM5Z8VӦnp_l ΣB�_(
��V敭I�<"x��ǹU4<, X)2fmR1�KP
O"K w`/Fx9o�N"L�/0@Oq+^g 0MD+fAl!3�Ҵg,v���6Nzs�Ԅ�8B8L%=Y�Z�Oe��;�BI<`�5_x�|XT��,sD���>�:![S1Q)ւ�_6Ogwcx&%�mY $�v.ymhFʒ6\r#4fP'��9"ű
mPm
b/�YJ>=��T@|�
%{\6HDR��}N�0N]�jV0N9DEPik.��1)�
m'%8�4B�>ԼQֺ%�76X��}B�҄��O1S�u .Ѫ�r.|�cx w}�xq!AY�}_�v{[>/'B`d�9m<�`
٣|�EKoA��z7k;�(N�A")1��+:`5�h_^&ı`=|v18��Y)~F�ٔ6�s�3a=�E`0M�Z�V/|'�ȳ�H`,�ӊ�Hv"V윔KJLΡnjpR!Ef�F)�{��݄r"4pkq=ye��zИH��pK���<9rg.Y^8XpT�/>% ow2b9�����_ydOȅ�vЯ,#�ĊN�,|Z�k/oߙ�y/7;Gܥ|�h�Ex8.k
�.3J$bQ'Nm_V$v/71X�Z~SO�t?^IaF�yiNQ�y7g4��!�n'3e={P7vqr�̳���#P1�T6]Ө+jE&IL#;ov[�'-�U.kaT+nu; o]�F'e1T�>ɜK�BU+$�X/gfTN$Ƈ}�6tcLp�)�ͱeRX[`l/Z6�p*+��
|
Network Security & Hardware 
