|
|
|
Botnets Tighten Defenses Year After McColo Shutdown
By: Brian Prince
2009-11-05
Article Rating: / 6
There are 2 user comments on this Network Security & Hardware story.
In the roughly 12 months since the McColo shutdown caused a short but dramatic drop in spam, botnet operators have changed tactics to minimize the impact of authorities shutting down their ISPs. Security researchers discussed how with eWEEK.In the year since the shutdown of notorious Web hosting firm McColo,
spammers are growing strong. In fact, researchers at McAfee reported
that spam accounted for 92 percent of e-mail in the second quarter of
2009.
Part of this is the result of improvements by botnet operators. Like
anyone who is successful what they do, the people controlling the most
powerful botnets in cyber-space learn from their mistakes.
McColo affected a couple of main botnets seriously, notably Srizbi which has never recovered and Rustock which took an
immediate hit before recovering over time, explained Bradley Anstis,
vice president of technical strategy at M86 Security. One of the
immediate changes was the use of hard coded domains in the malware body
instead of IP addresses. Before, domains could be changed to different
IP addresses to provide a recovery option on their command and
control methods."
In general, he continued, they have improved the availability and
resilience of their command and control servers and in some ways the
McColo take down has driven them more underground and forced them to
use more different methods, making it harder to detect. Some examples
that have already been seen have been the use of Twitter, Google Groups and Facebook.
In the aftermath of the takedown of McColo as well as Internet
Service Provider (ISP) Intercage/Atrivio - some security researchers
predicted there were would be an increase in fast-flux botnets. However
those predictions do not appear to have panned out as much as some
thought.
Fast flux appears to have not been as successful as the spammers
required it to be, opined Matt Sergeant, Senior Anti-Spam Technologist
for Symantec Hosted Services. Or perhaps the additional overhead of
requiring fast performing DNS servers as part of the botnet code wasn't
working for them. Either way, it appears to be less of an issue now.
According to Anstis though, fast-flux is used by up and coming botnets such as Avalanche and is pretty widespread at the moment. Its popularity could easily increase, he said.
Regardless,
the biggest botnets have found other ways to thwart anyone targeting
them. When the FTC shutdown ISP 3FN for example, it disrupted Cutwail
for two days, but the botnet bounced right back, Sergeant noted.
After
that there was no "ramp-up" time, he said. They were just immediately
back to 100 percent operational. They updated their algorithm for
finding new command and control hosts so that it didnt require a
hard-coded ISP location, and could be very well hidden from anyone
wanting to know where the next C&C (command and control) might be.
Rustock
meanwhile is probably the leader in terms of modulating the shield
harmonics on an ongoing basis, noted Joe Stewart, Counter Threat Unit
security
researcher at SecureWorks. While botnet operators may change tactics,
he added, that doesnt mean ISP takedowns should not be a more common
occurrence.
In
my opinion, any ISP that willfully ignores legitimate abuse complaints
about major criminal botnet operations operating on their networks for
months at a time should have their connection to the Internet severed,
he said.
|
|
�������x}r㶲s\@♵M푦d[�keyYq&uT��I)|�e��oP/�gq2D
th4�?�y$sG�̢dw�>56^�;�r9ȹ�3o[nh�=�d9c';���{R'�͑�w2M*-f;)�u8r�
�x08ryj5jfOM�{n�_%z�(u�w<:$]3~bA2xưaIH��l6X@�?�'C�< ۱-C�¿{+׳�߀�ݸ�{��g�E-"'l,R� ?q��>p<=0�;DL<:/��Cg�3aMަlX7Z*kUE9,T}h�L{iM�7o87FyRV5MQe���u�X}��m)k�m�:t;=r2Qy;-͋^m^=~n]tsEN[.�g�:���Wh: Noj�6O{:$O-rK=����j��iT%5�᧓qeL�xy$Y.�Izk��Czn&j�ݒEB_;X]�KŗG)H���k��7��ƐL9�X@/@ש#ז4X�liB!
�9B�:A`�̼厁R�49�Vˡ�8蟉$W�m�4�@r�>ذ�1�"%��hJqO{�e��$�}ВEtBAͨO��%ތ��E:AGA�ticŦwh@7&&�h`CZ=҉:L���
wF|h.��x:� �!a`Nr>FAтMx>tw�&>��l�d
$4o)s�s�LnM)σ�.5�H��ˋ�F0���P�=�� �2/?>�a�xs�̧P�}M�rAݛS9[ݴiǀxt83(.�%w2R}g9>�] #RRP@�t�"AђF��*�4� �gs#X"C"'G�Aww$]I+TbD8�JnO�u$;cJ"ڹLX*QY,p[/ �͙JRd0e Q="`&�Qea*0pRx5Rn.Zb٦By^�ӀIqL�;Z/)�Cz�dE�gm6�|ӆ)쑧�3#Ϧ�̠_#f~pH�$зs_n2MS�/�n^ßf�1�d��_w\ճ&AB
�glCC�2{�ڡ[Z3R;=�=Mrʳ$�#��]_�R/0}KęR48'')La�sW|��]ӨڞYUo)�<4^KՕ�$/gcP*o�u�RaO[�&���ނy�0p��ZZE"b j7�{\X2,#
l,>D4~hN/a2*)4&n�vwla=5G&�&N[ߪ&�TY?>2eiFoՒhCM/Wbzgܰ��K���(�u(m�ʥ�;v\ �cQDY{z�l>q
G�lc�p6hBJmH�ǝ8~L�
cOЭ,��h�ZU%S=#�kQ@�/��ű`�a�{�62rt\X:5u{~a;_XTvOkʎtѐzohMӫfp��v�*:��1f&6X#Ӣ>oZ��IFʫ%e�fn z6,ƴH~�5<2eX]2X�rFe9wٔA�un\?0�SKmڳ�h��9&
zqDe�,Za秺�
#�ؚyE_z?�3�[�䊻��!`Pcf�pu�LTn���glQIBn�m�Lqb
֚p성 �.c"}=��0"t�n�_8R"X @�4h�À<�>�B�
SL@rE\
�~1��~1UŠP=I)�]�g7`u0$_��VT!rB�3�]?w�2_!�挮~7��x!VB�[O�aQT*8Y+
:?#UQ@H.5�ɾ3���>yw⾿F��?�_>k냽ܮ[C.�~g^Ol^�L�cv"O`�^)Ǧo8@|�V�́<^Ik0�1Sle`Sxt �b*��䪢-?݀��l/�#��Џ]���Mt��Akߙ�,
�ܠYA�aiO}Z,,Y~B)'�
_+1�� ��,rֹe=ReW᧘TVQqi?p;h跸4]
Q�|7Z0bƏQ�ajX[�T�}f��zoB6ELt0Ȁ�NÝ�Glȡ0p_AO.q�>:(TX�7cmE{H^ac7U�[@o�F)�'[ǗNj&hT�JD晛>&75V`]r�|8.SozR~��Qby2UG�3��Ⱦ� NM(�R!u♷ "q�Ն��j�h��xUM+%P:g|
�hSIpg#HٚIyUs�l,On?�~
Ɗ_AFp5xb�==#ݸɯ&"!+㧐ks�C/��w�ܒ;� +@X;V-(7O40p�2^>�6,헳fO614D|�\D"pLn�ōap�zGdD"9�zB*>�|/I�0'|�7N�:@"��c�]f.�k�<]~oLQX�x}[RUO4ịV1C
e
4v=.E�Ћr}c�LBئOl�DocO�R�HrX%W*�iv=$c��e�T'
FBR%%^萋IA�2B�0VB3ڛ5^@�M|C�0u%hnzGSqza\/;�n/$hO ^��2�alJ�wXA8fS�qlYV:Up]t3Mb>ҁ�h
03RCٸU
V|�eZU
ՂVD'�fu0�|�aߍ
�uRԣ{{+7}3݀ �G;L)߭q*���ɹT.jZ��b[)Uʹ�w�>"ms8��q=C
H\WK{(,�~w9ـo9�|\V*
rF2�R@BZNb.xœo
-"} �`��wOXO�dK!O�Wƒ"'!Z+�3,�q�vë�
eVqe^?3Z �c��ovۗvvZU}{�"}QL
Xޟp�ف�b�ßy�c(m�'@Ϣ�cI�4M}ڹIv���¼O퇧/;Vչ8|HΚ�g(@?^-;^h\00C�~Z�'_�HΧ�n|hS(
[dz�NR(��!I�]�0}̮��銿ð
7O{a��嵀��uzN[i7>.ėt;+~.R1^R`.'!=�qpqңe4*$yq�|hq\1)6MF��0S5!�k<72lzA���q\48`\5c-ɅH'"���&a�Dq0aU,yy~�ïU��2k~��!���Wtzc}��E9����,׀zB�,2�q^7D:Ky�96P���^S�(+RJ)"4FYM |F�Nǝ�g
<=>G�9NghD~kn/Eb�}CRB'T�˓$/IYO)yqjhd�꒐~�~ i&'ءX�ґԛ�^6.6'8
$O�krisq/x�FMyuS棏G�
9�3rĸnjה`4�ݥovV8}'i?wݷ;ܶdO#@/5-v5|yg>,d9�a}�43�0[ɱ-�Ι��2��HB%F�euw#�S�''Sc3H�F#%k&ϖS˱�mF�@|Ր�g�
;ar*|�b��\<�E� W_L7⎍zkQy}�|x�|SqZ'�+o' g|o#�'_M_j
�S�&5ŷ�!o4y˭0LT�/r�K[��^]lQۍo%n2-��f�F�!?�6#d,G9bQŇ�&Lj�1j+�dXZ9w��a�2ޑ#'3�ƆMk0ԧрtjڰR[N�CVOJm{�t�DPU�b��ev׀/xiU�6A'S^|�LB1jo�_Pa�QTB6M+q�q1&eQ{L�Ho苋L��_'0읧Mv�웲N
��FKR��S0,�<�/0�=zgQƧ$Q?7iE��T_p%�M(5X���ȏ,Ilvĝ�=W R79u8ׁ 6&T�RXi,V$ScDHnj.2R�K�L<�^*�Sz�%}�d_hـ9@~��E}Y�=�M`kԆ4sCDDC��UQ~4,N6?x�?�ȮyO-FLQ}�%$���~�Z횪Kb�&
[�deCEŴ�R0%�r^|BSF�o%]|ܼ��t<z2%`k^1Iك�LNf�e!b �ВZ"%yKDI'%v�GH{IXss�Q>G5%)! l熸x`�>�H�łB8$Hqmϊ)+�E�h-0zt^¥radp_�SE��c^{,ABZ<�l;�Ɔbٙ��H�gz�>�{FĞz
!��&Ye��&8XicC7Ųaŭ\7sqI�N}�r}KGL zW7 ;m �믂?D826Img(
,Ul98Vʥ+�Ix@\ݳݳݳݳ=˥bqtr^i�lh٘GQ�FEoɞ&J/y@DtF�M 1z VO70J��-(@~sސ�ڌ���iNC4mDw&|��Z�OERa�K~(�"A$H�"a�I�G4 7/B9z�OxyC{6)˥-aʌ�ʉ�"�
��VYD'}"'@9n�U7g_o�� +]O�xg�2N%Z��Dn\H ��MOc'�>��$�0QpϞhg�!>sG-z35m$ҙa�!�x|�o+7E�mr+Ngo.�F=!Y߰ln6"<.
mV.���-*�V@e_ɸn]
˟o8^k6fpf�ӁeIx7t;OM[*%a~q3t4L�/`B�@x�lu�YQ��ڎ�a�$I^ɩVF`\?$}<����;!RQBN0
]% 0�I.&Kgh~gb.sr;xG$.�"l$�s .&
0oV[��O?dH`e4rŨ%"響��b�?�`A_M$�'#1�[Q}UɷvE-ᕇR{�g-.�ycW�6x_oJj*j$t�dZk�0�x�G�)()6Z=��o�DZ��X�fbU*NO1q�v�}$dH%�v9n��7|�Jzl#\]}moC��]hKbL ?`e"�\�!ƒA`>xs#7ŵi͕>0�Gx,:\t�v|o/M+��]ދ匝~t��eW&�w,a�_gË^5w3e4uu\�{^���Hj���ep8_솁9E�L>2]A(!AM`&�d;2ULHj�~6}A˽=V49!
mX�[`8,OċT;Ow]�@VE[6bԹ�If�Y�cI7N[M}�߃�[�yG�¡YIj|ubE$t86M�gS&e<[
,~i<$�=��iHb98X O=@�ҽ9>u]Xg�[�Q?k~~i/m~᱁#'-N;
֏/*`5,k;�hOw�>-nb1D�b���@/j�ɐ]"�0&K{S�G}׳�^iW60�8;7�~�k{ʞVS�,�G�Y+
Z�&V8E�)96ivbJb�F�yA y!�Fv?ҏ;�Kb+.,J7;$qH�UkdK� ,���n"��Y�"�'"�KIE�/,]^|�~8�.
41=���^Pl&vn-�*�ۜ95�͂E�
tE��c%5�T(r~zzɟZbiE�.c
2�uuWHk̘xm4�vlNz� yԥ:BMHEGTBh��fx�Ok�kq�Oj�k�b�xm;Xi���Vi
ֵn&+m'h�zBRKo^3C'�ܬDM�n,sG܀���mQ�Na=DXX\<�xb��d��ZM)RӰp-s|ri?�NRezB��9wI�B�?ZA)r
P׃*zؑժTjQ�ܣF +*Pڴa-"+Ucmş�v�,TO<粈�uζü�cnTҊj9yS��:.Ra�)dqgN)D�&ˇtxZڊ�BL�kO�~�S*�l�|}P�.[�o�zpWӸbs���z�kP�y�XC�@��D}#i '�,�t:ãN��D�]%F�R)Ռ�t)6AP��/0ƏļX\snOa.=Xc|g�yZ`3+nslKZIȶ8+ilwNQg)q8�@�șn붩��tbt K��L#�u#VQ�^D�~x#nO5P�uQ)M�L!ڰ+W1儔6�JzN[;�f{�_!&n0xZ^M�1_+�AJL�B(fYiv'
.G���aWC�/?VH|Uݷd]C2<зW}�W|�)wmk `!��}�^MzM
�.��o
^j$op�>G_
�6f^ZgZQ!IG)}!�㗥Gd.$���qp5`G;�5��
boE�іIz# ,@Gyꊍ\D��Q��OB�p�כGF\4^yE��@��3C}m"��:z`w{(��,9�L 4x"o�M@� C�O�
2+ڝY�»�"7��|$rkqC9ҔLoZEWW
�ƈn]da@�p=SѨ�-0Șh
MQ ҖHxD�~2&IBE<
,i0!<���RA~�9wa\F$��шb�10�aچ5c3bwp]���"N뒉1JOs\-uC@e=D�q�yy
�C/u?p��H'�U,%eA�S
"P�F:�
�Ƃ![C P71MF�·:�Mq3+%̔���,0Au�A"�\2,�GAn25:�!�;���&$5Kqf�ldaQ({b8M�t߃3,ȏ]kKlݜ�(�8��s�jq$�P!%�h$bcx=9~adaz~X�e/(�p�
@Ka1c�~PoVR$4
>+�>g�ٕa)豪�ϕo)^�;ees=M蕴B�9^��Ȉq�/Y��_�Ч�6#&Do�ؠqyyvH^5{|պ:�y�P֒�_n՝ɗEuOM�o~�g賲���+z'_˰̠s3�2Я!eߗdnldֺ<$�R+��]Q%>9Mk�[I�2nX_�ȣ�{i� K{Py@��W4<< X1rnmŚ/J�̙Y�mJCsl��Ⱦ7-`T@D1�K�AB0w��Q'
�oL2f~�<'Ԋ2nOALtrw�[MAw�/[�/:)7ڸ=M�y�omG;yh#V2"T_�;Yo�%P/��Isgev'nA}:�*K6:�5Q3[� LjC?�s
H0t��{�zY)W8#~y�^
Ed�ٴV`,!h�|s&pN!3J8?0�
H-M�ԳpNzR�?ѰsW��]�BN_
M镆�ν6�"Θ]ׇ}21Frl VT+[-WJr�
�f�{DD�A.CjJ]N�-~X��,.g
�/(�@#غ7M{%}C�jy�=q̐g�a��1V�J�!'\C�x��aMsWe"e�'�âȗጽJ/X��ā`
�pT\�P}g~�
=u�
XI��m6?|{I�2hؐMs9N-#�1N>@OgÙ��g�HX&58W�!�[Po6@c�
dE�!M1<:,i`�̀NuWЫ�H[O]ڃ�.LySz~�;!8��,_bYd|'mcbm�/-d(
5t0=_4nu�'�*F'B[Nė|/�ɱwؼ!20BNX70
8�[]^L�:χ~��9
^�'��"�n#QULZ�DAۀYn�z�v8Yk�3l�]DiA;-�f@L��V8o,>�/�chd>Mk��+#�P/t} �q]v�`�&�G�� ?�>KGJ=
�94Id�`'Կ�sg���K�rb�{PNd��>x*8�"�FՋpaHz�BG�XO�t ,�Mav;
ă��v,='�IDOl���ӦeMf@g^l(VxRBN-��szlo%()%�y+L9(ن�W�xC*HԴx*�Dಁe"sS
�sm#gTt�r!���̃N��ep(Ŭ¡ɶ��z
S�O~n\(Co݂�k\�+<>c�ip��O1S�u ѫ�v�l>cx��oM�^-1�ue|�nHHUƧf2{M;:��o�0�kn>Q$�L{�x�R}r:7Y �)66-����`⎈Me��eZ:DR�*El'f
,����~sf㿝4�QsWx�9���BuY^|:y-.�E�Ofu�ݎ2Rtlk.��!�Ҷ\)V�bʅ.-S�ܟ=Ba��҅6�.�_�X��(K#�L{7]�n)ZF��1t��B\
(a��t L/Qa˟]�lہR#jH[T�FE�¶":q`xm;ѽ!WLTVc2��X!+�I;s�[__�@�>���{|��wn}#\��:1F`c/�˓
�ɤ{)̅Fda��gZ.2?g'�Q\�F$�30(�y��lH�K9��m5'0X�1'(���R�Qf7=Ma�N*)As�a#Dl���[ApV7�.�4�8LgѸ�;�3E~1㡺_ƻbV~LʙcaPҽk�x�ٚջHR#.i|ԃ!�gnh�]�݄68��]L�l&j1Bi6e1�w1�LX�+0_�k��A�s�L5̳�(`�,��Lv"V�KjMΡmlpR!*a�cT 1L(�M,R�Y��גWv!;�Z~Ƌ�|��E>�WNENE<<�Sf}')VSL_Xџ�_<|T+��6ƕyz@Xqө8Yo7�.ɛ��ByڹIv��$7m}��v,<~v�m��.3J�bQ'.n>���w;W1X�XqK��?\u>]HaE�e遢%!tNi��B"E�w89i]|HVzv
C_&ȕ/g�2F#�oU��AtaMZ%�Nb�j|ۊX�#iQgC\岞+jaKmwN�~늘p6JL?
۔�Us̥D5^JB\rbh6
|
Network Security & Hardware 
