Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Phishers Dodge Shutdowns by Striking via Botnets



 By: Ryan Naraine
2005-05-05
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Security researchers have uncovered evidence of a highly organized phishing network implementing a new tactic to keep malicious Web sites running by using corrupted systems as DNS servers.

Phishing attacks may be on the decline, but dont think for a minute that the Internet scam artists have found new jobs.

Security researchers have uncovered evidence of a highly organized phishing network implementing a new tactic to keep malicious Web sites online: using botnets as DNS (Domain Name System) servers.

"This is a clever trick that makes it more difficult to dismember the methods theyre using to host the phishing sites," said Mike Poor, founder and senior security analyst at Intelguardians Network Intelligence LLC.

Poor, who doubles as an incident handler for the SANS Internet Storm Center, said the elaborate attack scenario involves the use of hijacked computers to host not only the malicious phishing site but also the DNS servers that provide domain resolution services for the targeted domain name.

A botnet is a collection of compromised machines infested with malware like keystroke loggers, Trojan horses or back doors. Malicious hackers control the botnets remotely, usually via IRC (Internet Relay Chat) sessions, sending instructions to the infected machines to launch spam runs or host malicious sites.

By turning the botnets into DNS servers, the attackers are able to automate the cat-and-mouse game with ISPs that routinely shut down the malicious servers.

Resource Library:
"Theyre basically serving up lots of different IP addresses for the malicious site and changing those IP addresses every five minutes. This makes it virtually impossible to shut down the malicious server," Poor said.

"We now have the hijacked computers serving up the phishing sites and also handling DNS resolution. And its rapidly changing, almost in an automated manner. This is quite new as far as using DNS servers to work in conjunction with phishing," he added.

The latest tactic has been described as a "distributed phishing scam" that provides further evidence that a well-organized ring is operating the scheme.

Read more here about phishing as organized crime.

Thor Larholm, a senior security researcher with PivX Solutions Inc., is convinced that the use of botnets to handle name-server resolution is the work of a small, well-organized group. "Id say no more than 200 people, primarily from the United States, are responsible for 90 percent of all spam worldwide. You can fit these guys into that group," Larholm said in an interview with Ziff Davis Internet News.

Larholm said the ability to move to a new DNS server every time a malicious server is shut down gives the scammers a major advantage and effectively blunts most anti-phishing initiatives.

The SANS ISC said the onus now shifts to domain name registrars to offer a formal procedure for dealing with requests to shut down a particular domain name.

The Center, which tracks and reports on malicious Internet activity, said ISPs can also combat the attacks by implementing a form of domain hijacking to intercept and redirect malicious DNS traffic passing through the network.

"While this approach does not entirely mitigate the issue, it does mitigate it within the ISPs network; it is particularly effective if implemented by a large ISP. Considering the limitations of this mechanism, having domain registrars develop processes for addressing this attack scenario would be very helpful," the Center said.

Joe Stewart, senior security researcher at managed services vendor LURHQ Corp., said the latest trick looks eerily similar to Migmaf, the reverse-proxy Trojan that handled spam runs in 2003.

With Migmaf installed on compromised machines connected to cable modems, Stewart said, the spammers could move Web sites around at will, minute by minute. "Back then, the press zeroed in on the porn sites that were being served up, but there was a phishing element to that attack. The intent was to steal credit card numbers when people visited those sites and signed up," Stewart explained.

Stewart said the latest misuse of DNS resolution points to an "escalating war" between phishers and companies deploying anti-phishing technologies. "It has picked up to the point where its similar to how the anti-virus companies try to stay ahead of virus writers. Theyre usually a day behind."

Click here to read about AOLs moves to block phishing sites.

"If they keep getting shut down at one ISP, theyre simply moving that DNS server to another infected cable modem user in a matter of minutes. They have a large pool of available servers so it exacerbates the problem," Stewart added.

The latest botnet-as-DNS scenario follows recent reports of DNS cache poisoning attacks that redirected Web surfers to malicious sites. Cache poisoning occurs when incorrect or false DNS records are inserted into a DNS servers cache tables, overwriting a valid-name server record with its own DNS server address.

Last month, Microsoft responded to the cache poisoning attacks with a knowledge base article that provided guidance on how to protect vulnerable servers.

The company has added DNS cache poisoning protection by default in Microsoft Windows 2003.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Phishers Dodge Shutdowns by Striking via Botnets
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}ksȒvf`i6ns6>nO B4$lӳ'7̪ҋ?zzvmC=*2{$ K\ZÙAIzj .z7M$[O@>&T.[ ,gHz*"5 V5|ج4jzI5u{#|Fr޼w A:|@D 41q:}Nf bhCbIlG5tCܠ%9H#kuɳ#C6%H\Ї57/>LOrT| ,ϳ"q:cd_H0H!‡h4"#|xTGsڵ2`n|!+oaTMCݵ u~DM K ,ؓ-CUlT ' f9[8tTOa_dYf f4еI=Y3jJX*l/JlZ3߉*ZG2hݝVok"[)J6[^ϯS(P;` mQUU+UM9둫[yи}  oeu+5y`bTk(_4j::fv}j_"ty[ny%Ԕ|٥RӢ,f] 3+i3K."[ǽSҺnoNΏoڭ3do̲5<r岢?BJk3B~5VgmunicEVdB: OgɗV}k!-z b Mf 55]KTU)ziE&Ժp|>!)Io'|;%./!=G5]jr*ERQg,g,nGEjf0Ś q!%9)"-:5SP;}3N*o4z!0JD5fMS,eg:0AM)71sv!fB9-Q _R9_B%*\DhԄTw17#D@ vx0r!DKI88쁉!cṶ.S3T9?~ww,/UմYBޞcYp:%U.[n} 8^$g 5? ,heݴ%!8W%MG\nc",Tj沵*:rL̶)ae)!3˨nM.NRGuj0}JlZIEa"|Pdmx1Z.sSNXn`vt&hgX{Pc3~KW >]O)U0} mr\LRulZ.tYw1HS0`9w0[S衛#^ѽ[: ?`=$0.Z 꺇 Ce^~u¢zPױ,h̥}wuA=S9꽪@7c@:iG[r%Ea1C.C)g:'hI#r Bг1,`@o"`9`P,sB .<BIbp&,b,BV-KLPf9i2niڪń񍜀=`&Qea*0pRx5Vn-`o ٚTKTQoBk450sҺ<tcHͯSLF2pq!2>i0MYgU6t:̐*L*%vGn:mb0s> k2'w=g:.QƟjuϙܑ ݼ"߄V 9u} \ r}͚X 4ؐ |&B77&7wz@je`U.F(*2/+TD1g0dWtz?m/nD)hMaࡇV|\vΖuVkͲF^ӛAx(, B[+C@x $lKkV(.Q|u$"! aY^`(9tq}x Gը 7=T} . Xs7 )KCaR^˚c+ L 4YC Tg`bT0 `NyXxI>vzl.>&*'|`>eH˞XnHS CN5,v&"{em1Jhxse\X,[b)0;sg2S[Wabia=k- ;US]HQ2nZ- Ӗ!҃ LsCm0 G"U]ݘ#{G')+"寻0iTҗ|.~%[b"ud\6˰@kYa=$Od3jΉiɥn< MfuV hPΕC8/eƖ<[f.uVN0\h}єa˘5|t֓e *IB>-Ex!5O.Um"]INtxO=F ‘"]yj% u!rr>Dx"$c+ YAV.:(ݦ݁¤z*,x"2Bj3ݧ]=1g匬~=w!{ d+|RL ˵B\.fU`q͌xO?5Th/OpW}2~wL>7>e}zK]SMw+\s>!l\`QazƖ4FX` $̮EfG` c5[,F)/Qc^rU@ 07 uj^Aj%gs&{ ? "X:Sf.jg֐JXRznRBrdLÖ8+с,Xr%r U zw@t tHzH A&`QtEIuҜy)u:+@ r ? kwέZ)D N3ވ@Z]ɲSb_@srϱƬ}Zb\:> (C `K{ZCA9eSt}q@l#!R~9k*O<(,!c1s*? y13pӯ`Mɧb_+`p1\Ac>V-f9|m*uun1}J9ަ0ͬ)6@yZUʉxmUUZJ`Y Vo8Dg{uFDgox3I*%ff3[̖Jy0=+@"VARg.3W=5WVg*Ӧvy" r>}PTʌYP@hO \ k8X8DD2$Me"-_ˮpe l&SB\/Vtφ`>[ɕj`\PEQ>`uHEi(xmB{(OU?FR6r+f#>*rOk ىVPVW`Zd&\CKwfl!/`.QȣS/jfa^yF=+[nK-%. ^ذ2 MSm6EQ讻h^!c̘Òf%s,2.IG*-efGF*u(kwrNTsuJER򕼔0L=H@+ b}'0ԇC: &J\heG$ r]6_)| vE-HX,$d Yx]!6uPXx|{ `7󛛊XXD>Gӊ0 aw0D| g&d:~C0 ~T*A-2@ ED@;n}2?% [-l8*F:~ݕDw{onۧ#W>Y'5/&C~gUM׿{aa歑Vy/WKKxiïR)Z~~pu*/[n? ]L@I 4pHŰ9}/%vnK7Oh2?Eԯr:e}J|sѹWj}Ւ:ע΃ 5;R9!hǫ<'i)qڎ7MGYzIla3+"AKuÙN/|DV}U=}٠ih4&lGuk`!f bB!ArNk1 +JGO{iD$-brY(+RJ1"4FYO |iM3_f Rt4zUrwۿnEB}}]8/k󂏜V o n"HxS#2чCjIkN)<{-~=?, /䎑a==;u9{7ݺCOغ[MS 1m`GAGJ脲fy\Tcfj # ħ_4PPW ۳^7'8+ $ ktwisq^]Ҿ|sX$`_M`RpHCbC}Ҽ'B}DXyKw8Ťb%D?Wu^n4~xr'x'xjz}qUy&W2{WNsjYbם{3eDY5u";2Q=dzP+[_YL.t0o}9]ޓd=tW:'cv-Q&}9Lu DK쐃6;=7vc͐{n\AzswOɭ2SXƱܦJ}hil+¿|A ̯>w I t:Dx5}ϿM>8u~*s‡AL^dT9㹕h?}mzv'3 M~oO)-{kZ}EStRT{d{Q6ӱ$Bdr9%tln r9'sᔤMWû1G_ boZ`@L6}Of=KfsT:f1v^3}P"noGqi& ~2]9P(wHq7PRi[tU"5"v sJa·0(aV {"F3i>L#[Nؠ}[uc ?:&'K-x<)wB"?q(eE_Nyt:h9#GC֮G9{v =>`x?R `@و=B|$Xv%oB&UyHǪyK IW@䆃$id:4Zs'+Iټe‹^sJ]YHMc&s|EmJ]͡L`6@BPI8vA|'lޕu Rٖu/:/Cb=%&}&ua$tfRgOI m..{JDzaϪj9|frb,в+`< PRC"`XG`|]eN7v*Us%ؗ>j9b|"[= ,-nl]tKNx1)Q\ESU]Yjx#{.' [7gѹ6Ts{aaxL+J//Iڅ6ߒ^1O.۶`j)sjy':%t6 5=8|L ?zb_ Dk-5Lt<|?͚JYb({ xC#*"j&adl}7 Hr_*Mcu+u *)\LOPaIpmv=Ԙ$][NBZ(W׌?o@C-& K^f^L&lly[y[y[y[#jpβówtd SjЇc{UÝ|QbSC6cڈ]cc/8] TN(,„:S,:uqLoa% / 67S<S?Godp7!|}ù=ض)}`_Yܢ5s:{k潠a5'1[Qc]Η 5%|_R޹zO#S|+:kRL5%?ē^ڬ`܈\cc/mM*|ӕ.T+ u}0PS]O.’$j(|tЪn f|6+]M-#Gŗ4(6'$_axV5=fv9;A>i_`}fV_ ʭ5I7=`TcoWj_s]W7WpAI}ֿV\|Tl{p O|p_\RKLSlV Oyk")_\T%wŷIff65 /B#`LQh}G q6ul~=v@K3u#RAٶ:a+@mU,-0VG8YAzXQmQVk#fN{ )b%Jr?"cq5N{M8B @gh֒+N %8&U#ޡ?T2LQ gfG jp@D h<[u+kH |>L[f)5҇Yjx_ʋK٪_x5ء꾅Ѥ"re^ a,+I8b'N0bdЋgx1$q vnfjŶĸ {6g1XaA'f f^=*,es>טo| [ۘqҡЁ7Jl.FcCRրBa}B$:׿v`]PAgt~e&0aS:6M=g"I ,@>-ǃb=x*LN||7 a-BY.ԏ=z;{a'Hp {)D<=Ww{⸀V]cF9-(x _)*e~ԍiG-V-%8!`b>LOdϑ { s/*0#n/xS3 b"28b(+abtDƮ(!/d}^={’wMd1Ix(`UVTKc+ ,UϩkVJYOtY$V.#>lQXRr g_\6`ZT5Pm.ͬͼE_tM#c%S)gՒt\R,w1d@o50=j֐15`*B Eٜt 9Ԧ*B ^*Z!ҤF -%נg5̈ Rka,f^ĤZ3B{ݱL^?Be{ι\`{dqϘ2:+ 6Ƕ˕#n58 ¨㔸EJL`srA]It M5]i~RD?o%:*+sT 1oq'w=5h)"mF(qqyh!5ĿL E=#+pS CR$6$Ae5T?(Pu ɗJ6}Pl~#F;}*j|%w[ۆ۶?2|LW =^8 ;~>{X* Fd>hґu _`{H1K= o~{@< s q ҉/oX{+$ʽO޵IP46:n%df\n^uE+@ܚ֑  <9jsTdb G\9[S|~6 !2,#=劑/w) ;ܟP z+qx<POIJ WPɸU$t͈ɵ7Qͻ>XF9ܐ&9iHq}kwqs7}T'Sw;N:ןWU.:v%QlB]d_T iϢ,} rvռl1;eFq(A1B"rKx"/%Lqx&{I{(%lGyї1(oٕץ?F2z 񛧧7nWIVXj!h>m?+gw:^69 ZK y6^A!}ʜ4]V084ħEG:WT7yH}Qyx3+7Ö́w{O?Y9K{矷Si>MȇUB>݄Oi}H]2a|./e|e}/> /LKDJ#L?@?/!2!*a|@~ *a:NB;: _?_'ԿI.M w >ׇ }}L-&&--mE:IJ gk\8=b'S~)@_$/<%,! ~v%X^'йO5 MSؿ2~2Am_tN aq+7IKx%KTՍcn9:H@b}a/! c|*,xW&RWyd#Bbye?F=1>wIxsi@Lw<_[nNJ>s\9 'q6G\>=`a)b@~;?|K28750@ۣ{\pۭoᦠ˻݈>-*W=M.nm;}`Of0"X;Yo%P/"IsweC}:7 ߊX-J C7s H38ns5 ,*?fz:p}bS;usռ_7߷X9쓡νz}MOHT)pF #0$H=;Im0v{CS}9jhN_qÅzcn -k :kH$eR(\~Jb}' I_9w9 5,V)eB`"0 X:QȀFuo*K0:T2z!r1 4bԭhK_Q7p E  б/úV,D'͠ጽNۯP ͎,j-.#bl, O^,'8d$;FI2hؐ$%dή|']ǣUǙkIX&30V!{Po.@C d׹G!ϺI B~ObG-ՅoR1 hJ/.GE΅G9/AbYD"Dj*Վ+kkw:aKƀ# D%'F'V!m"CYrhy061wH zahL+j=645~ɱa% (^uW kEF(^x#by9~b_/wag;AGkz)ˏ ]M5pz6UױʱE sݕ]ݍ;c䯌j@@tv~J =%]Ro"Kwb/C&\v"ax>O!e&xxBlvK:_19{dul p7,t. a"2G}VvbeJɐ$q_B);.#0{uw$>}P.a5sEEWE,&JhӄZ{\fBt 'KYǞe҈2_Z8#_"f4u׌ezԠ2"hI2f=8_xa`a?>N@:FՋpO`ՁzBGXt ,%vY{N6 )4Mϫ΢R{jX6֋PRr. ?fwUheV D$E a'_B L72GD!aYбߚR TDO"vy>m$Koe;-Yn N@6awWۦ f"qů@|!PɒX)uoG|o{)0XP9B=.X$">mvo>Mc'LXjjc.QYCm'#4|>ؼqlQ޺%\k<>҄&:bx:CA\W (|p@NlMٴ :SW3$+U`g+~$3V[ś,!Lt0͡o0kn>ʷA$L:ˍ/Asl2[ '"ۂK<i}j-KEp*e71LP`ุO3EdZx)rȱl}k6/f)+kt%(%x0{nfNVyc$v/-Ǭ yvJNS.u 7tleB @ .DT %`GYU`k84JѪ V7"60wxn,ɀ@"6 v)E=k농\VѨ6pSUD'sk'3u|Ua=kca&igNbkc'b@xVm{~k}'> =}x}z!}đ7,,H[Z']ZGa$#0Sd+TR`C vp`vX3]"@a)5BLN;~ӣf<3%hB6AmAb?ܫ2tma$ӂq993E~c-W*U9 %Ӭoe~vtgsOs̋- @WD_ă|C]O,N=d.}Doo!П ^85D< ׿Ͼŗx̢1Ӛq?Pe^ g05{b8$pe5P<qduuPb0Bv̠.VAJaK럢g'}M 2.~F́^tjdeOXhGS]p5\\:Mo?{PI` Nܡ&QA (^zd7o昱ڼ%ʛ3`DW33S]4J5b06DctKGR1hn@%VP5 V`>7-忓MtOn::bQ<`V*o] zJ-&o4>W^|`l;"\#o62-*c|PtxƙUyIS|>@",5vS5|5}FQm@|@` ]XQp$LdfcLtK-2HM|9g񀀿D|E&ՀuD}t;GToڜMI^YL_.DOoiB lbŞA*M~K(ʉDiH',Ӯ,,]0 &/e :$xqHj Ef`u-1L~FP&R9_B͞[m+4긴\h 񼧎1~<5 o4ntH妍a2rl0d⯗cjxovBH!m*H]AMt|m3Uj)6GZLI5~,(wa뙰[\vLᄎ6H=za-ڧmؼۦA݄߯xg)s*!dE.f˼|JVˆ6]oR&?酫a6|UIxP,ie z,\~+$ 7a./D&sdc+@!@)q Fe.;|YYz ~:E ذ<]/Z#بDMg?IY4QIH RX)[q`4!f^+٥wVVnv1r1>[4R9,'Sz쪭iEC+qḓ;_!X\]ޣGDk~tɾ>]Vgtּl_|:<׹׫mF {%>0~;Z}ҹ͓t>\J~AytNqVܜ 'u}>Z_A5Vfo=a,6#?J~G