Dec 19
A very neat article that outlines part of the process that makes it quite difficult to track and identify the spammers, etc.
Fast Flux DNS and the Online Black Economy
As much as I hate hackers, there is a certain amount of heart-felt respect I have for them. Despite their intentions, their technical ability is at times simply astonishing. It seems nowadays that more and more hackers are becoming astute business people in one of the toughest environments imaginable; and they’re achieving this through creating worldwide botnets, with the nerve centre hidden using a technique known as ‘fast-flux DNS.’

However, firstly, the business acumen of these people seems to be something of growing significance. They have created pricing structures to sell off everything from credit card details to bank account information to anyone who might be interested. Furthermore, they cover their tracks by laundering tens of thousands of dollars through the bank accounts of vulnerable targets such as businesses in serious debt. The thing that is of interest, though, is the fact that their business network is loosely coupled, with relationships being built up and torn down in a very short space of time, making them very difficult to track.
So with the online black economy growing, how do the kingpins structure their empires? One of the most prevalent worms in 2007 has been Storm. Rearing its ugly head on January 17, it has compromised countless systems, from personal PCs to business, government, education, and even military computers. The success of the worm has partially been due to a diverse hacker developer base who find new ways to create releases that side-step improvements to a system’s security. Essentially, the technical and business model operates in the following way:
Traditionally the botnets have been designed to receive commands from the Botnet Herder through IRC networks. From the defender’s point of view, this single point of weakness has been relatively simple to disable, hence bringing down the threat quite easily.
However, the growing trend now is to use what’s called Fast-Flux DNS (this is broken down further into Single-flux and Double-flux). The idea behind fast-flux is to register a domain name which resolves to a host that changes as quickly as every three minutes. This is achieved through a combination of Round Robin DNS with a very short TTL. From a defender’s point of view it’s a nightmare: you could be chasing down a certain IP, the DNS switches, and you’re no longer dealing with a valid host.
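As an added illustration (not code from the original article), the following Python sketch scores repeated lookups of one hostname for the fast-flux signals the paragraph describes: a short TTL, a large pool of addresses that changes between answers, and addresses scattered across unrelated networks. The lookup snapshots are constructed for the example, and the thresholds are assumptions a defender would tune against their own resolver logs.

```python
from ipaddress import ip_network

# Constructed snapshots of what a resolver sees for one hostname over time:
# (seconds since first lookup, TTL in the answer, A records returned).
# Addresses are documentation ranges, not captured from any real domain.
FLUX_SAMPLES = [
    (0,   180, ["203.0.113.5", "198.51.100.77", "192.0.2.140"]),
    (180, 180, ["198.51.100.91", "203.0.113.200", "192.0.2.7"]),
    (360, 180, ["192.0.2.33", "198.51.100.12", "203.0.113.64"]),
]
# A conventional round-robin web front end: long TTL, stable address pool.
STABLE_SAMPLES = [
    (0,    3600, ["192.0.2.10", "192.0.2.11"]),
    (3600, 3600, ["192.0.2.11", "192.0.2.10"]),
    (7200, 3600, ["192.0.2.10", "192.0.2.11"]),
]

def flux_indicators(samples, ttl_threshold=300):
    """Summarise the signals described in the text for a series of lookups."""
    ttls = [ttl for _, ttl, _ in samples]
    ips = {ip for _, _, answers in samples for ip in answers}
    # /16 prefixes as a cheap offline stand-in for "different networks";
    # a real detector would use ASN lookups instead (assumption).
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in ips}
    # Churn: share of each answer's addresses absent from the previous answer.
    prev, changed = set(samples[0][2]), []
    for _, _, answers in samples[1:]:
        cur = set(answers)
        changed.append(len(cur - prev) / len(cur))
        prev = cur
    return {
        "max_ttl": max(ttls),
        "short_ttl": max(ttls) <= ttl_threshold,
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "answer_churn": sum(changed) / len(changed) if changed else 0.0,
    }

def looks_like_fast_flux(samples, ttl_threshold=300, min_ips=5,
                         min_prefixes=3, min_churn=0.5):
    """Flag a hostname when all the fast-flux signals co-occur (thresholds assumed)."""
    ind = flux_indicators(samples, ttl_threshold)
    return (ind["short_ttl"] and ind["distinct_ips"] >= min_ips
            and ind["distinct_prefixes"] >= min_prefixes
            and ind["answer_churn"] >= min_churn)
```

A low TTL alone is common for CDNs and load balancers, so the churn and network-diversity signals are what separate fast-flux from ordinary round-robin DNS.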
Logically, you’d then assume that the single point of weakness would move to the domain registrar, and you could simply take down the domain. Unfortunately, registrars are somewhat reserved about pulling down the name, as pulling down a valid site would spell catastrophe for them in terms of support calls from the owner of the domain, and the serious threat of severe legal action.
more at source… Geekswithblogs.net

