Reanimating Botnet Domains Delivers Clues to Cold Cases
Grabbing forgotten domains allows researchers to identify victims and gain more intelligence about botnets and nation-state espionage attacks.SAN FRANCISCO — Security researchers and defenders are using increasingly aggressive tactics to put pressure on attackers and make their adversaries' mistakes more costly.
In the latest example, managed security firm Dell Secureworks discovered a successful campaign that stole information from at least four organizations by co-opting the attackers' command-and-control infrastructure, the firm announced at the RSA Conference here Feb. 27. The company reserved three domains jettisoned by attackers, but to which compromised computers continued to communicate. By injecting themselves into the infrastructure, the researchers built a picture of the attackers' operations and found that, while two domains were connected to cyber-crime networks, a third domain had the hallmarks of a targeted attack."Sinkholing the domains allows us to look more at the targeted space," said Silas Cutler, a security researcher with Dell Secureworks' Counter Threat Unit. "If you have a list of indicators that are targeted attacks, you can weed out the ones that looked targeted but are not." Cutler and other researchers had come across three domains mentioned in reports of a botnet known as Protux, which has been used by cyber-criminals to steal data since 2008. The domains had once been key components for controlling different botnets, but the attackers had let the registration lapse. By reserving the domains and then sinkholing any traffic, researchers are able to link into the remnants of the command-and-control channel. Two botnets consisted of about 300 compromised home computers, suggesting that they were typical criminal operations. Yet, the third domain continued to be a communication point for a small number of systems inside three organizations, Cutler said. Dell Secureworks refused to give detailed information about the organizations.