Slashdot Mirror


Cybercriminals Building New, Stealthier Networks

ancientribe writes "Cybercriminals are adopting a new method of hiding and sustaining their malicious Websites and botnet infrastructures so they'll be harder to detect, called "fast-flux," according to an article in Dark Reading. Criminal organizations behind two infamous malware families — Warezov/Stration and Storm — in the past few months have separately moved their infrastructures to so-called fast-flux service networks. The article says bad guys like fast-flux not only because it keeps them up and running, but also because it's more efficient than traditional methods of infecting victims' machines." I'm not exactly sure why this is new/different than the more well known open relay proxy networks.

24 of 107 comments

  1. Block TCP Port 80 by quanticle · · Score: 4, Insightful

    What can be done about fast flux? ISPs and users should probe suspicious nodes and use intrusion detection systems; block TCP port 80 and UDP port 53; block access to mother ship and other controller machines when detected; "blackhole" DNS and BGP route-injection; and monitor DNS, the report says.

    The bit about blocking TCP port 80 is troubling. I run a small web-site for learning purposes and to share info with family and friends. I don't especially like the possibility of having to ask or pay extra to have port 80 opened on my end.

    --
    We all know what to do, but we don't know how to get re-elected once we have done it
    1. Re:Block TCP Port 80 by brunes69 · · Score: 2, Insightful

      So run it on port 8080 or something else. There is nothing magical about port 80 that you have to run a website on it.

    2. Re:Block TCP Port 80 by Sobrique · · Score: 2, Interesting

      I take it you mean except the IANA assigned port number?

      How about outbound firewall and proxy configurations?

    3. Re:Block TCP Port 80 by InsaneMosquito · · Score: 2, Interesting

      Charter.net blocks port 80. It was a PITA to figure out why I couldn't connect to my webserver from outside the Charter network. While inside their network I could just fine. Once I figured it out though, it was as simple as moving the webserver to a different port. I picked 443 because they allow secure websites. From there I just set up a little domain forwarding/cloaking so that end users never see they are connected to 443 and don't use SSL - it's not needed for the type of site I have hosted.

    4. Re:Block TCP Port 80 by CastrTroy · · Score: 3, Interesting

      I've never got why people want to run a webserver on their home computer over a cheap cable/dsl connection. I tried it for a while but between the cost of the extra computer, the cost of the extra electricity, the trouble of setting up all the server software on my own, and the trouble of dealing with changing IPs, and all the other wonderful cable ISP network oddities, I found it easier to just pay a cheap monthly fee for a shared hosting account. It's nice to run a home server for some things, but if it's going to be used by a lot of people, and accessible from outside your home, then it's way easier to just pay for hosting. That's my opinion anyway.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    5. Re:Block TCP Port 80 by Otis2222222 · · Score: 3, Insightful

      That sounds great, I am sure it would be no problem whatsoever to tell your friends "My website is at dub-dub-dub dot mywebsite dot com, colon eighty eighty. And if you don't type the 'eighty eighty' you won't get there. Don't forget to type colon eighty eighty, grandma".

      And what the other guy said about proxies is valid too. It's very common for outbound corporate firewalls to block non-port-80 traffic for web browsing.

    6. Re:Block TCP Port 80 by veganboyjosh · · Score: 4, Funny

      Mr. Potatahead! Mr. PotataHEAD! Getting around port blocks is not secret!

    7. Re:Block TCP Port 80 by Anonymous Coward · · Score: 5, Interesting

      With power comes responsibility. If you want unfettered internet access, it's your responsibility to make sure that your participation in this network doesn't cause problems for others. Since most residential internet users have neither the ability nor the intention to shoulder that responsibility, their upstream provider has to find ways to protect other internet users from his customers, because if he doesn't, he will ultimately have to pay for the damage that they do (higher traffic costs, less favorable peering agreements, blacklisting, etc.)

      The net has grown very fast and so far we've shirked the responsibility issue: Customers complain about spam and when the spammer's provider says it's not their responsibility, they're called a safe-haven for spammers. On the other hand, when customers get cut off because their computers are scanning and infecting other machines, they complain that it's not their fault and how are they supposed to keep their system clean without a full time admin and it's none of the ISP's business as long as the internet access bills are paid.

    8. Re:Block TCP Port 80 by utopianfiat · · Score: 4, Insightful

      This is what Slashdot has become.
      Two years ago there would have been a frosty piss and a two-page discussion on how this douchebag OP was wrong to use the word "cybercriminals" (or cyberfoo for that matter), and how his article reads like a page out of the script to this flaming piece of shit. Where did we go? Since when did Slashdot become Eternal September?
      That's right point-bearing masses, mod me flamebait because nobody else has the balls to stand up to this kind of terrible quality news. FFS look at the damn article! It says nothing! It literally states something that was true ten years ago when the botnet was invented! News for NERDS? more like News for NEWBS.
      Christ alfuckingmighty.

      --
      +5, Truth
    9. Re:Block TCP Port 80 by utopianfiat · · Score: 2, Insightful

      I'm waiting for a worm that exploits STUN and invalidates the whole "block any port you don't use" rule.

      --
      +5, Truth
  2. So, in the end by vivaoporto · · Score: 2, Interesting

    These criminals are giving a "smarter" * use for the enormous potential that these hundreds of thousands of homogeneous (or similar enough) connected machines have than most companies out there do. It is time for 1) Microsoft and its users to get their act straight and work on better security for their machines and 2) someone to realize the incredible potential of all this "dark" bandwidth and processing power and give it a good use. Criminals are showing it is possible, all it needs is some legitimate application.

    * Smart but immoral and illegal. I, for one, don't condone nor endorse their actions, and think they are nothing but vile criminals

  3. " why is this new/different" by tomhudson · · Score: 4, Funny

    "I'm not exactly sure why this is new/different than the more well known open relay proxy networks."

    ... which just goes to show that even spammers can fall victim to their own marketing:

    Tired of your botnets getting killed off? Use fast-flux. See a 30% increase in only 2 days. She'll love you for it!.
  4. What's special about port 80? by Control+Group · · Score: 2, Interesting

    I am not a networking guru (IANANG, copyright 2007, me, all rights reserved), so I'd appreciate somebody setting me straight on this if necessary.

    But I don't really see how blocking port 80 would be an effective way to fight this sort of thing. There's nothing special about port 80 aside from it being the default http port. Unless the victims are typing the URL into their address bar, I don't see any reason the mother ship couldn't have bots listen on another port. I mean, the machine is already owned, so it's not like opening up port 43783 is difficult. And I can't help believing that most - if not all - people going to these sites are clicking links, not typing addresses.

    So you close off port 80, and anyone running a legit (well, probably not, given the TOS of most ISPs, but at least not a malicious) web server out of their house/apartment/dorm room can no longer easily direct people to it. Meanwhile, the malicious sites are slowed down by the amount of time it takes some jackass to change one constant in one piece of code.

    Unless, of course, there's some other factor I'm unaware of making it more difficult to reach an http host over something other than port 80.

    --

    Reality has a conservative bias: it conserves mass, energy, momentum...
    1. Re:What's special about port 80? by GnuDiff · · Score: 2, Informative

      AFAI have looked, port 80 is the one that is least likely to be stopped by firewalls.

      There are a number of small (and I mean tiny - think 100 clients max) ISPs around my city alone, whose networking expertise is close to nil. They go with default settings of the equipment they get. So even if they put up a firewall of sorts to protect their clients, it is left at default settings.

      The fact is there are not only tons of users out there without a clue, but a nice bunch of ISPs as well and sloppy network admins, sometimes even of large organizations.

    2. Re:What's special about port 80? by orclevegam · · Score: 4, Informative

      The blocking of port 80 they suggest really isn't about stopping the fast flux network, but it's an attempt to make it harder (marginally) to use the systems on that network for phishing attacks. As I understand it one of the uses these networks are being put to is to duplicate a phishing site on a couple hundred zombie systems, then rotate a single phishing URL through all of them making it harder to bring down the phishing site because you'd have to take down every one of the zombies, or find some way of nuking the DNS entry (which apparently the registrars are hesitant to do, even though some recent events seem to show that they'll do it quite happily if a big enough company or corporation asks them to). Personally I think blocking port 80 is a dumb idea and barely constitutes a speed bump for the kinds of people that run these things, but hey, that's never stopped a company from adopting a stupid idea, or marginal positive value and substantial negative (to the customer, if it hurts their bottom line forget it).

      --
      Curiosity was framed, Ignorance killed the cat.
    3. Re:What's special about port 80? by Control+Group · · Score: 4, Interesting

      *shrug*

      Randomly select a different port each time you connect to the zombie. If you're really worried about users running netstat to check their open ports (and I suspect that zombied machines are more often owned by people who don't even know the CLI exists, much less who generally run network diagnostic tools via the CLI than not - and by a wide margin), then have it only open the port for ten minutes every hour. Windows, by default, updates its clock to NIST weekly, so you can be reasonably sure that your zombies are synced enough for that to work. Round-robin assign the ten minute window to the zombies (xx:00 - xx:09, xx:01 - xx:10, xx:02 - xx:11, etc). During that window, you use the zombie to host content, and you can push a listen port update. At any given time, most of your zombies are running on the same port (they have to be, or your victims can't connect to your content), but blocking that port will only be effective for however long you determine. How fast can ISPs identify a rogue port and block it?

      If my experience with spam is any indication, the linked sites go down almost as fast as the spam comes in, but that's (apparently) not a problem for the spammers. So you rotate ports every two, three days.

      And this is just the scheme I've come up with off the top of my head in less than a minute.

      Come to think of it, you're already executing arbitrary code on the zombied machine. Have them determine when they can listen on their assigned port, with a minimum frequency and duration set, with a bias towards times the user isn't at the console. When the window opens, step one is to notify the mother ship that this machine is active.

      There are probably holes in this scheme, but I don't see the problem as being intractable. I do see any effort to just block port 80 as being naive (at best). I don't think ISPs can respond fast enough to block a new port every couple days, but perhaps I'm wrong about that.

      --

      Reality has a conservative bias: it conserves mass, energy, momentum...
  5. Know Your Enemy paper on Fast Flux just out by Anonymous Coward · · Score: 5, Informative
  6. Re:So Windows is used to host illegal materials... by Hoi Polloi · · Score: 2, Funny

    Windows=Kiddie Porn? Sounds like those ads that claim pot=terrorism. A bit of a stretch.

    --
    It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  7. Re:So Windows is used to host illegal materials... by CaffeineAddict2001 · · Score: 3, Funny

    Them: So you don't like Children? Why not?
    You: Because criminals use vulnerabilities in children to conduct their illicit affairs.

  8. Re:The word is "hacker". by Mathinker · · Score: 2, Informative

    > even most of the "white hat" hackers are "cybercriminals"

    Checking http://en.wikipedia.org/wiki/Hacker_definition_controversy gives Linus Torvalds as an example of a hacker of the "other definition"... in what way is he a cybercriminal?

    I hope whoever modded your pitifully binary views on the meaning of language terms as Insightful gets his due via meta-moderation... It is true that the new meaning of this term seems to be the more used one now, in what way does that make the old meaning obsolete, or the more exact and unambiguous term "cybercriminal" superfluous or undesirable?

  9. Re:Obvious.... by uolamer · · Score: 2

    I prefer my ISP not block anything, period. I don't want my ISP determining what ports, what services, websites, etc. that I can use. ISPs to me should simply provide me with internet, that is all. If they are providing e-mail they can have whatever spam/anti-virus/etc. stuff they want on it, since I'm not using it anyways. I'm not installing their 'software' if they have any, etc. All I want is an ethernet plug that through whatever magical means gets the 'internet to me'. I will take care of the rest... but I know I am not their 'mainstream' customer.

    Blocking ports 53 and 80 is a temp measure which will just make them use another port, and the next ports they use you won't be able to block. Just off the top of my head I would use a port between 1024 and 5000. I believe that is still the default range of random ports Windows uses; you can't block those ports without stopping a ton of everyday internet programs from working. I'm sure there are other ports; either way, it solves nothing and the next versions will be using ports you cannot block.

    Botnets will just evolve. The ISP blocking things isn't the answer, very often. I would say anti-virus software, firewalls, and really education would be a much better mix to cut down on this. ISPs can help stop a major worm or something from spreading here and there depending on the circumstances, but usually they are too late in trying to stop that sort of thing.

    Also ISPs can just cut peoples internet off till they fix their PC if it is causing that much of a problem, which they do, but usually only in the case of spam. Road Runner cut off a customer I know after about 6 months of having a 'spam bot' of some sort on his pc. I told the guy about it a few months ago, but his PC still worked so he didn't care till his internet was cut off, still took them long enough, they had reports of his IP several times going back at least 5 months.

    --
    s/©//g
  10. Fast-flux vulnerability by Todd Knarr · · Score: 3, Interesting

    Fast-flux takes advantage of the ability to set extremely low times-to-live on DNS resource records. The shorter the TTL, the faster changes propagate out through the DNS cache network. This suggests a way of neutering fast-flux: implement a minimum TTL in DNS servers. Since most people depend on their ISP's DNS servers rather than going directly to the roots, this would effectively prevent the fast-flux record changes from propagating as fast as they need to in order to be effective. If, for example, an ISP put a 30-minute minimum TTL in place, then the A record for a given name would remain fixed for 30 minutes (modulo cache being filled and the record being forced out) regardless of what the fast-flux network did. And since the DNS servers enforcing the minimum typically aren't under the control of either the botnet or the infected machines, there's nothing the botnet operators can do about the situation. As a side-effect, this also cuts the load on the DNS network caused by PHBs who order 60-second TTLs on their records "so customers won't be inconvenienced when we change our IP addresses".

    Two glitches with the idea:

    1. Changes to the NS records for a domain are also slowed down. When changing your NS records you need to make the changes but leave the old servers running in parallel long enough for the changes to trickle out to everybody.
    2. Load balancing via round-robin DNS would be broken unless the caching servers also do rotation of the cached records in responses. I think BIND already does that.
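    A caching-resolver model of the minimum-TTL idea in the comment above, including the round-robin rotation the second glitch asks for. This is an added example, not code from the post or from any real resolver; the name flux.example, the constructed authoritative server and its 10.0.0.0/8 address pool are all invented for the illustration:

```python
"""Caching resolver that enforces a TTL floor, modelled on the proposal above.
Added example with constructed data: the upstream answers are generated here,
not captured from any real zone."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MIN_TTL = 1800  # the 30-minute floor from the comment


@dataclass
class CacheEntry:
    rrset: List[str]   # A records as received from upstream
    expires_at: int    # absolute time at which the entry may be refetched
    served: int = 0    # how many answers have been built from this entry


class FloorResolver:
    """Caches A records but never for less than min_ttl seconds."""

    def __init__(self, upstream: Callable[[str, int], Tuple[int, List[str]]],
                 min_ttl: int = MIN_TTL):
        self.upstream = upstream
        self.min_ttl = min_ttl
        self.cache: Dict[str, CacheEntry] = {}
        self.upstream_queries = 0

    def resolve(self, name: str, now: int) -> List[str]:
        entry = self.cache.get(name)
        if entry is None or now >= entry.expires_at:
            ttl, ips = self.upstream(name, now)
            self.upstream_queries += 1
            # The floor is applied here: a 60 s TTL becomes 1800 s in cache.
            entry = CacheEntry(list(ips), now + max(ttl, self.min_ttl))
            self.cache[name] = entry
        # Glitch 2 from the comment: rotate the cached RRset on every answer so
        # round-robin load balancing keeps working despite the longer cache life.
        k = entry.served % len(entry.rrset)
        entry.served += 1
        return entry.rrset[k:] + entry.rrset[:k]


def flux_upstream(name: str, now: int) -> Tuple[int, List[str]]:
    """Constructed fast-flux authoritative server: hands out a fresh slice of
    its zombie pool every 60 s, advertised with a 60 s TTL (invented addresses)."""
    slot = now // 60
    return 60, [f"10.0.{(slot * 3 + i) % 256}.{slot % 200 + 1}" for i in range(3)]


def simulate(min_ttl: int, duration: int = 3600, interval: int = 60) -> Tuple[int, int]:
    """Query flux.example every `interval` s for `duration` s through a resolver
    with the given floor; return (upstream queries made, distinct IPs a client saw)."""
    resolver = FloorResolver(flux_upstream, min_ttl)
    seen = set()
    for now in range(0, duration, interval):
        seen.update(resolver.resolve("flux.example", now))
    return resolver.upstream_queries, len(seen)


if __name__ == "__main__":
    print("no floor    :", simulate(0))     # 60 upstream queries, 180 distinct IPs
    print("30-min floor:", simulate(1800))  # 2 upstream queries, 6 distinct IPs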
  11. Fast-flux networks aren't proxies by jbsoles · · Score: 4, Informative

    As the subject implies, fast-flux networks are not proxies. They HAVE proxies. The basic difference is that a proxy redirects incoming and outgoing traffic through a server or router some where else, thus "spoofing" your IP address. Fast-flux networks certainly use proxies, but there's one big difference; fast-flux networks allow you to host content this way. To host your own website (short of technical mastery) you used to need a static IP address that runs directly to one or more servers, making it very easy to catch you if you use a domain name for illegal purposes and even easier to shut you down. Fast-flux networks allow you to use many IP addresses to host content from one central server or set of servers. The IP's on the front end are disposable and more can be generated quickly. It also provides the web site administrator a proxy level to protect his identity while hosting just like the one Tor proxy provides me while surfing. In other words, the difference between fast-flux networks and proxies is that fast-flux networks can be used to host from one computer to many different IP addresses, in part by using proxies. A proxy just doesn't let you do that. Thanks for reading a rather long post. I'm a student and a paper on fast-flux networks just happened to be distributed where I do research for the summer:)

  12. JUST SAY IT! "Home PCs" = Windows OS by Jerry · · Score: 3, Insightful

    ALL of these zombies are computers running a Windows OS.

    There. I've said it. Why hide the truth?

    Are journalist thinking "everyone knows it is Windows that is so vulnerable to mere emails, so there's no use in embarrassing Microsoft"? I don't think so... any more than they "just happened" to get Ferrari laptops for writing good articles about VISTA.

    --

    Running with Linux for over 20 years!