Cybercriminals Building New, Stealthier Networks

ancientribe writes "Cybercriminals are adopting a new method of hiding and sustaining their malicious Websites and botnet infrastructures so they'll be harder to detect, called "fast-flux," according to an article in Dark Reading. Criminal organizations behind two infamous malware families — Warezov/Stration and Storm — in the past few months have separately moved their infrastructures to so-called fast-flux service networks. The article says bad guys like fast-flux not only because it keeps them up and running, but also because it's more efficient than traditional methods of infecting victims' machines." I'm not exactly sure why this is new/different than the more well known open relay proxy networks.

Re:What's special about port 80?

[Control+Group]

*shrug*

Randomly select a different port each time you connect to the zombie. If you're really worried about users running netstat to check their open ports (and I suspect that zombied machines are more often owned by people who don't even know the CLI exists, much less who generally run network diagnostic tools via the CLI than not - and by a wide margin), then have it only open the port for ten minutes every hour. Windows, by default, updates its clock to NIST weekly, so you can be reasonably sure that your zombies are synced enough for that to work. Round-robin assign the ten minute window to the zombies (xx:00 - xx:09, xx:01 - xx:10, xx:02 - xx:11, etc). During that window, you use the zombie to host content, and you can push a listen port update. At any given time, most of your zombies are running on the same port (they have to be, or your victims can't connect to your content), but blocking that port will only be effective for however long you determine. How fast can ISPs identify a rogue port and block it?

If my experience with spam is any indication, the linked sites go down almost as fast as the spam comes in, but that's (apparently) not a problem for the spammers. So you rotate ports every two, three days.

And this is just the scheme I've come up with off the top of my head in less than a minute.

Come to think of it, you're already executing arbitrary code on the zombied machine. Have them determine when they can listen on their assigned port, with a minimum frequency and duration set, with a bias towards times the user isn't at the console. When the window opens, step one is to notify the mother ship that this machine is active.

There are probably holes in this scheme, but I don't see the problem as being intractable. I do see any effort to just block port 80 as being naive (at best). I don't think ISPs can respond fast enough to block a new port every couple days, but perhaps I'm wrong about that.

Re:Block TCP Port 80

With power comes responsibility. If you want unfettered internet access, it's your responsibility to make sure that your participation in this network doesn't cause problems for others. Since most residential internet users have neither the ability nor the intention to shoulder that responsibility, their upstream provider has to find ways to protect other internet users from his customers, because if he doesn't, he will ultimately have to pay for the damage that they do (higher traffic costs, less favorable peering agreements, blacklisting, etc.)

The net has grown very fast and so far we've shirked the responsibility issue: Customer's complain about spam and when the spammer's provider says it's not their responsibility, they're called a safe-haven for spammers. On the other hand, when customers get cut off because their computers are scanning and infecting other machines, they complain that it's not their fault and how are they supposed to keep their system clean without a full time admin and it's none of the ISPs business as long as the internet access bills are paid.