Security Watch

Bot Herders Taking to Fast Flux DNS

Internet domain registrars need to step up and help customers, not bot herders. Plus: rootkits grow up, and the GAO analyzes result of data breaches.

• By Russ Cooper
• 08/27/2007

Bots historically looked to an IRC server, by FQDN, for commands. If the IRC server provides an IP address to a bot, the address can be easily identified and the systems at that address either can be disinfected or shut down. By providing a FQDN, the bot herder can change the IP address associated with the name, in case the machine they were using for this purpose is cleansed. In this way, the bot maintains control. However, bot herders still face the problem that, historically, a domain’s zone information is offered by a limited number of machines, usually using long-lived IP addresses. If you can’t get to the actual control machine, kill the DNS server offering up the domain’s zone to the Internet and you’ll bring down the bot network.

Using fast flux DNS, the bot herder sets up hundreds or thousands of DNS servers that offer up the domain’s zone. Then, with the acquiescence of the domain’s registrar, they constantly change the IP addresses the registrar refers lookups to. So even if you discover one bad DNS server and shut it down, there are hundreds ready to take its place.

This demonstrates the ever-escalating war between criminals and the legitimate Internet. With the Internet designed to be resilient, many of these criminal activities are taking that resiliency to the extreme. Thwarting the resiliency of the Internet hardly seems the right approach to solving the criminal problem.

Instead, registrars could limit the changes made to its files or limit the time between changes. That can eliminate Fast Flux DNS. However, even if many did, some registrars would continue to happily offer the service, even if they knew it was being used primarily by criminals.

Rootkits Get Smarter
Marco Giuliani from the security company Prevx posts an excellent and highly technical write-up of some of the new (and old) techniques being used by a couple of new rootkit modules (particularly citing Almanahe and Srizbi). Highly respected security researcher Thor Larholm explains how these techniques can be used to bypass some rootkit detectors, and possibly fool others into believing they’ve detected a false positive.

Well worth the read.

New Ad Tech = New Way To Expose Your Data?
Scott Bradner at Network World writes about NebuAd, a new company offering a suite of services to ISPs and content publishers. The idea is that ISPs offer their customers the ability to opt out of user-specific advertising. The NubuAd service uses non-personally identifiable usage statistics to present ads that they believe are more suited to the individual. According to NebuAd, ISPs must give their customers 30 days advanced notice and a clear method of opting out.

This concept has some privacy advocates up in arms; calling for it to be stopped before it can get started. The problem, they say, is that it may be too easy to identify an individual from amongst the data collected, and, that data may then be used against you in some fashion.

Clearly your usage data is already readily available to ISPs, and many lack the wherewithal to correlate that usage information with demographics that would be of interest both to content publishers and advertisers. The question will be whether the data that is collected is truly anonymous, and, how secure that data is kept to ensure it isn’t stolen for abuse by others.

At the very least, this may become yet another repository of information about consumers that could be targeted for attack by criminals. Only time will tell.

Bootable CD Bypasses Virii
An Australian university professor has cobbled together a CD which, when inserted and booted from, permits a secure session with any Web site that is considered highly sensitive. The idea is to use such a CD to conduct online banking or purchases. While loaded, any malware which may be present on the underlying system will not be active, and so such transactions could be conducted with a higher level of assurance they are not being eavesdropped or manipulated.

There’s no doubt it’s a great idea, and it would definitely make it more difficult for many of the current criminal activities. Phishing, for example, would be virtually impossible -- that is, as long as the potential victims don't click on a link in a phishing e-mail and instead swapped in the CD. The question is: How can a site ensure that their visitors are using only such a CD and not connecting via normal systems?

Data Theft Often Doesn't Result in ID Theft
The U.S. Government Accountability Office has conducted an analysis of 24 significant data breaches between 2000 and 2006. In those cases, they found that only four have resulted in proven indentity fraud associated with the breach. As such, the GAO is recommending that the U.S. Congress consider National Breach notification laws carefully or risk imposing significant cost on companies with insufficient justification.

Like the GAO, we have long felt that the vast majority of breaches or data loss occur as a result of errors or crimes where there is no intent to obtain or abuse the sensitive information contained in the records. While this does not mean there is no risk from, say, a lost laptop containing such information, the GAO proposes that laws consider the means by which the breach occurs before insisting on notification of clients. We concur, providing, of course, that the assessment occurs fast enough to ensure that individuals are notified in time for them to actually take action that may save them money or effort.