Rooting Out The Bad Actors presented at SOURCE Boston 2010

by Alex Lanstein

Tags: Security Malware Botnets

Summary: Considering the remarkably small number of data centers that host services for the groups who operate the most sophisticated malware and botnets on the Internet, it is surprisingly difficult to detect and stop the illicit activities of these bad actors. Why? There are three primary reasons. First, it is due in part to the international nature of their business. While hosting providers in the Eastern Bloc might openly market Spam Email Services, ICQ Based Spam and Spam Hosting among their service offerings, their operations are much more covert, leveraging US-based hosting fronts, multi-national partnerships, IP space sharing and more. Cyber security experts say this handful of ISPs and domain name registrars work closely with cyber criminals to support spam operations (still a highly lucrative business), Web sites that sell fake software, and other scams. Starline Web Services hosted out of Estonia, ZlKon hosted out of Latvia, and Atrivo's relationship with Chinese provider HostFresh are some examples that illustrate the global reach of bad actors and their hosting providers.

Another difficulty in stopping bad actors is their speed and agility in responding to shutdowns and countermeasures. Botnets are designed from the ground up to be highly complex, intertwined and reliable. Cyber criminals program contingency plans into their bots through DNS algorithms and other schemes. The Mega-D botnet takedown involved a coordinated shutdown of C&C servers, DNS relays, and domain name registrars led by FireEye research. As another example, when San Jose-based hosting provider McColo was shut down in the fall of 2008, stranded Srizbi bots utilized a DNS algorithm to search out new rogue servers. Hackers were then able to get those bots back online within days through another ISP in Estonia.
It is not only shutdowns that cyber criminals are prepared for; their scams show increasing stealth and sophistication to evade detection at every step and execute their payloads. Some popular exploits include the DNSChanger Trojan, which can override ISP settings to reroute traffic through rogue DNS servers; redirectors that take users to exploit sites; fake antivirus sites and other counterfeit software; .gif files that appear harmless but in actuality house stolen data; and more. Cyber criminals increasingly marry a Web-based infiltration exploit with a callback to the C&C infrastructure, establishing an unmonitored callback channel to siphon information and resources from victims.

The third chief obstacle in combating bad actors and their providers is the lack of law enforcement resources and interest. Hosting providers wishing to maintain a semblance of legitimacy may respond to complaints or pressure from their upstream ISPs to shut down suspected malicious servers. However, the rogue IPs usually pop up elsewhere, either through a sister organization or another less scrupulous hosting provider. Domestic law enforcement wields what force it has, but without a multi-national effort among authorities, providers and domain name registrars, there is little systemic impact protecting the health of the Internet.

This session will examine the most recent Web exploits perpetrated by Starline Web Services, ZlKon, Atrivo/Intercage, HostFresh, UralNet and other bad actors. Discussion will include popular attack schemes, obfuscation tactics and hosting models. Extensive research findings and case studies will be shared to illuminate key points and discuss malware and botnet activity.