Looking behind the smoke screen of the Internet and Internationa Infrastructure: DNS recursive attacks, spamvrtised domains, phishing, botnet C&C's and you

[Gadi Evron <ge () linuxbox org>]

[X-posted]

This text is meant for two (main) purposes:
1. Updating the community about recent threats.
2. Showing the community some suggestions of what can be done.

In the recent weeks many people (including on different public ops 
communities such as NANOG) have noticed DDoS attacks going on, which 
appear to be abusing recursive DNS servers.

A couple of documents on the subject:
http://www.us-cert.gov/reading_room/DNS-recursion121605.pdf
http://cc.uoregon.edu/cnews/winter2006/recursive.htm

The attacks generally seem the same as always. Nothing new here. Why the 
big buzz than? (so far these have been kept "quiet" on several 
communities even if it is in plain sight and people speak of it openly).

The buzz may be about the packet size/resulting fragmentation this time 
around, actual attacks seen in the wild on a wide scale, etc. 
Regardless, nothing new. Recursive is bad. Don't do it. :)

For those of us too busy to read the documents linked to above, imagine 
an ICMP echo attack from spoofed sources that get back the replies, only 
in DNS... this is not very technically correct but it will do.

Ignoring the DDoS for a second, in the last year, completely unrelated, 
in the anti virus world we see (and don't really connect the dots) more 
and more Trojan horses (i.e. bots) which use  fast-changing-IP-addresses 
hosts/domains. Changing IP addresses or even name servers very often. 
These are now called "Fast-Flux" domains.

Not connecting the dots as in the samples one sees the DNS RR's, not 
that they keep changing.

Fast-Flux is actually a term which was coined in the anti spam fighters 
world, completely unrelated to the anti virus world. As these hosts are 
used to spamvertise from, or these name servers are used to host such 
bad domains, this is obviously something bad (although some Fast-Flux 
issues are legit, most aren't).

Some of these domains, following certain patterns, are used in Trojan 
horses (maybe we should call them zombies this time) to coordinate. I.e. 
the C&C (Command and Control, also known as C2) servers where the 
different Trojans (bots) bots are controlled from.

These patterns, such as those used by the (now old) Bobax Trojan (worm!) 
often utilize a domain pattern which needs to be ascertained if one 
wants to control these C&C's as it changed with, for example, the 
time-stamp. (old IRC trick from the GirlBots Trojan horses, with 
differentiating channel names)

These can be 3LD's or actually domains, i.e.:
jusdbgvosibs.dynamicdnsprovider.com
msfgsbzxcffh.dynamicdnsprovider.com
vnyjdcjsxngx.dynamicdnsprovider.com

fsbiuabf.com
afouabfo.com
arlkehnm.com

The samples would connect to these based on the algorithm, while these 
will be registered by the bad guys.

In the recent attacks the specific name servers which are vulnerable are 
used while the domains are being spamvertised and then switched back to 
a different NS.

This may indeed be the DNS activity seen, or it may be unrelated. I 
don't believe in coincidences though.

The DDoS (which may be a direct or unrelated result of spamvertising or 
botnet control over DNS) may be a smoke screen for what's really going 
on, or it may be what it seems, just DDoS. As the bot controllers do 
both spam and DDoS, I see no reason why they wouldn't use this 
technology for both purposes (or other purposes yet to be seen).

They (the bad guys) may have even just noticed it in the wild, used by 
other bad guys or they shared the techniques (they have quite a lot of 
cooperation going). While the good guys weren't sharing 
information/cooperating and thus not noticing it happening for a long 
time now.
If they (the good guys) do notice "it", for example, the DDoS, then they 
don't notice the connection between different industries and fields.

-opinion- Thinking a vulnerability or error will not be 
exploited/mistakenly triggered at some point in time just because it is 
left alone for a while is insane. Even if as the saying go, we won't 
attribute malicious intend to what is likely stupidity - any mistake 
which can happen, will happen. Major parts of the US power grid going 
down every few years proved that much.-/opinion-

Fast-Flux hosts have also been used in Phishing for over a year now 
(before that they were indeed in the wild, but mostly in proof of 
concept attempts).

Phishing in its original form of receiving a mail message and going to a 
site is going to be with us 10 years from now (much like 419's are still 
with us today), but it is slowly decreasing in volume for some time now.

Phishing in general however, is in fact increasing with millions on 
millions of USD lost every month. Quite a bit of ROI for the Russian Mob 
and friends from Brazil, Eastern Europe, Nigeria, other hot-spots and 
the rest of the world, don't you think?

The bad guys utilize Trojan horses (sorry, bots) more and more now for 
this activity, rather than the old bulk emailing techniques (even using 
... zombies).

The Trojan horse (sorry, worm) would connect to the DNS RR, which will 
change IP addresses and/OR name servers quite often, and thus while 
thousands, hundreds of thousands and all the way to millions of Trojan 
horses (zombies!!!) send out Phishing emails, the actual sites moves 
constantly (between every 10 minutes to once a day). This makes 
reporting these sites and taking them off the air increasingly difficult.

That is also why anti virus companies become critical to the fight to 
keep the Internet alive, as while network operators can follow network 
traffic, the anti virus researchers and reverse engineers actually see 
what the Trojan horse does and how.

Dynamic DNS providers (most of whom are good.. amazing people) have seen 
this done with 3LD's as botnet C&C servers for a few years now. Use of 
cryptographically strong domain names (with whatever algorithm used) is 
newer, but not that new.

What am I trying to say here?

All these activities are related, and therefore better coordination 
needs to be done much like we do on the DA and MWP groups, 
cross-industry and open-minded. R&D to back up operations is critical, 
as what's good for today may be harmful tomorrow (killing C&C's as an 
example).

The industry needs to get off its high tree and see the light. There are 
good people who never heard about BGP but eat Trojans (sounds bad) for 
breakfast, and others need to see that just because some don't know how 
to read binary code doesn't mean they are not amazingly skilled and 
clued with how the network runs.

This is not my research alone. I can only take credit for seeing the 
macro image and helping to connect the dots, as well as facilitate 
cooperation across our industry. Still, as much as many of this needs to 
remain quiet and done in secret-hand-shake clubs, a lot of this needs to 
get public and get public attention.

Over-compartmentalizing and over-secrecy hurts us too, not just the US 
military. If we deal in secret only with what needs to be dealt in 
secret, people may actually keep that secret better, and more resources 
can be applied to deal with it.
Some things are handled better when they are public, as obviously the 
bad guys already know about them and share them quite regularly. "Like 
candy" when it comes to malware samples, as an example.

Some solutions to think about:
- Help facilitate better cooperation.
- Help facilitate better coordination.
- Join a mitigation group, do something.
- Join a research group, find solutions that won't just kill the current 
- problem and make it far worse 2 years down the road (terrorism, spam, 
botnets, phishing).
- Work with others outside your club, you may learn something.
- Stop ignoring problems until they become yesterday's problems.

Some intermediate solutions:
- Run a clean computer. Secure your machine.
- Run a clean service provider, secure your network and answer abuse 
reports.
- Cooperate and share information.
- Cooperate with law enforcement, as economics such as the ROI the bad 
guys see can only be beaten with changing the cost-benefit/risk-gain 
equation.

Some immediate solutions:
- Block outgoing port 25 on dynamic ranges if it is right for your 
organization ("don't be the Internet's firewall").
- Make sure your DNS servers don't allow recursive requests.

I recently shared with Paul Vixie an idea for a structure of an 
operational group for DNS. Paul Vixie and the DNS folks are taking care 
of their end with the DNS infrastructure where they can.
DNS in general (not the infrastructure) has been neglected for a long time.

Are you taking care of your issues? Are you as responsible as these guys?

A lot more can be done, a lot more can be suggested. There are many 
examples of people doing amazing work. NSP-SEC, DA, MWP and many others.

These ideas should get us started on the next level of taking care of 
business.

Want to be involved? Get involved. See a threat? Share it. Think I am 
wrong? Bring up your own idea and follow through, don't just criticize 
others or try and stop them because you've grown warm and cozy in your 
spot in this world or for whatever other reason or jealousies you may 
have, as eventually they will circumvent you and work without you.

-opinion-One example for this is the anti virus industry and their 
naming conventions (hopefully to change with CME from Mitre). Another is 
the US Government thinking they can control the Internet and China 
showing them that if they won't let them in, they will create their own 
systems. That's just a hint of things to come, with alternate roots as 
just one side of the problem.

The Internet is an "International Infrastructure" and these power 
struggles are self-defeating.-/opinion-

Feel free to ping me if you'd like to know what information sharing 
effort is going on in your area as well as involving your area with 
others (an effort which will actually allow you to join and help), as 
the fault is not only yours but also ours.

-opinion-Our fault, us, the people who run these communities and global 
efforts, for being over-secretive on issues that should be public and 
thus also neglecting the issues that should really remain under some 
sort of secrecy, plus preventing you from defending yourself.

Us, for being snobbish dolts and us, for thinking we invented the wheel, 
not to mention that we know everything or some of us who try to keep 
their spots of power and/or status by keeping new blood out (AV industry 
especially, the net-ops community is not alone in the sin of hubris).

It's time to wake up. The Internet is not about to die tomorrow and 
there is a lot of good effort from a lot of good people going around. 
Amazing even, but it is time to wake up and move, as we are losing the 
battle and the eventual war.

Cyber-crime is real crime, only using the net. Cyber-terrorism will be 
here one day. If we can't handle what we have on our plate today or 
worse, think we are OK, how will we handle it when it is here?

There is a lot yet to be said, a lot which is not 100% accurate and a 
lot that needs to be done as well as already being done. It's not enough 
and it can't all be covered in one write-up.

This text can be found here:
http://blogs.securiteam.com/index.php/archives/298

Future updates can be found here:
http://blogs.securiteam.com/

Thank you.

        Gadi Evron.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
        -- Cara "Starbuck" Thrace, Battlestar Galactica.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.