Security researchers have uncovered evidence of a highly organized phishing network implementing a new tactic to keep malicious Web sites online: using botnets as DNS (Domain Name System) servers.
"This is a clever trick that makes it more difficult to dismember the methods theyre using to host the phishing sites," said Mike Poor, founder and senior security analyst at Intelguardians Network Intelligence LLC.
Poor, who doubles as an incident handler for the SANS Internet Storm Center, said the elaborate attack scenario involves the use of hijacked computers to host not only the malicious phishing site but also the DNS servers that provide domain resolution services for the targeted domain name.
A botnet is a collection of compromised machines infested with malware like keystroke loggers, Trojan horses or back doors. Malicious hackers control the botnets remotely, usually via IRC (Internet Relay Chat) sessions, sending instructions to the infected machines to launch spam runs or host malicious sites.
By turning the botnets into DNS servers, the attackers are able to automate the cat-and-mouse game with ISPs that routinely shut down the malicious servers.
"Theyre basically serving up lots of different IP addresses for the malicious site and changing those IP addresses every five minutes. This makes it virtually impossible to shut down the malicious server," Poor said.
"We now have the hijacked computers serving up the phishing sites and also handling DNS resolution. And its rapidly changing, almost in an automated manner. This is quite new as far as using DNS servers to work in conjunction with phishing," he added.
The latest tactic has been described as a "distributed phishing scam" that provides further evidence that a well-organized ring is operating the scheme.
Thor Larholm, a senior security researcher with PivX Solutions Inc., is convinced that the use of botnets to handle name-server resolution is the work of a small, well-organized group. "Id say no more than 200 people, primarily from the United States, are responsible for 90 percent of all spam worldwide. You can fit these guys into that group," Larholm said in an interview with Ziff Davis Internet News.
Larholm said the ability to move to a new DNS server every time a malicious server is shut down gives the scammers a major advantage and effectively blunts most anti-phishing initiatives.
The SANS ISC said the onus now shifts to domain name registrars to offer a formal procedure for dealing with requests to shut down a particular domain name.
The Center, which tracks and reports on malicious Internet activity, said ISPs can also combat the attacks by implementing a form of domain hijacking to intercept and redirect malicious DNS traffic passing through the network.
"While this approach does not entirely mitigate the issue, it does mitigate it within the ISPs network; it is particularly effective if implemented by a large ISP. Considering the limitations of this mechanism, having domain registrars develop processes for addressing this attack scenario would be very helpful," the Center said.
Joe Stewart, senior security researcher at managed services vendor LURHQ Corp., said the latest trick looks eerily similar to Migmaf, the reverse-proxy Trojan that handled spam runs in 2003.
With Migmaf installed on compromised machines connected to cable modems, Stewart said, the spammers could move Web sites around at will, minute by minute. "Back then, the press zeroed in on the porn sites that were being served up, but there was a phishing element to that attack. The intent was to steal credit card numbers when people visited those sites and signed up," Stewart explained.
Stewart said the latest misuse of DNS resolution points to an "escalating war" between phishers and companies deploying anti-phishing technologies. "It has picked up to the point where its similar to how the anti-virus companies try to stay ahead of virus writers. Theyre usually a day behind."
"If they keep getting shut down at one ISP, theyre simply moving that DNS server to another infected cable modem user in a matter of minutes. They have a large pool of available servers so it exacerbates the problem," Stewart added.
The latest botnet-as-DNS scenario follows recent reports of DNS cache poisoning attacks that redirected Web surfers to malicious sites. Cache poisoning occurs when incorrect or false DNS records are inserted into a DNS servers cache tables, overwriting a valid-name server record with its own DNS server address.
Last month, Microsoft responded to the cache poisoning attacks with a knowledge base article that provided guidance on how to protect vulnerable servers.
The company has added DNS cache poisoning protection by default in Microsoft Windows 2003.