[AfrICANN-discuss] Kaspersky impressed by botnet slickness

Anne-Rachel Inné annerachel at gmail.com
Thu May 21 17:07:28 SAST 2009 

 Kaspersky impressed by botnet slickness  Liam Tung,
ZDNet.com.au<http://www.zdnet.com.au/news/security/email.htm?TYPE=editor&AT=339296562-130061744t-110000005c>
21
May 2009 02:05 PM
http://www.zdnet.com.au/news/security/soa/Kaspersky-impressed-by-botnet-slickness/0,130061744,339296562,00.htm
Tags: auscert <http://www.zdnet.com.au/tag/auscert.htm>,
botnet<http://www.zdnet.com.au/tag/botnet.htm>,
conficker <http://www.zdnet.com.au/tag/conficker.htm>,
kaspersky<http://www.zdnet.com.au/tag/kaspersky.htm>,
malware <http://www.zdnet.com.au/tag/malware.htm>,
storm<http://www.zdnet.com.au/tag/storm.htm>,
icann <http://www.zdnet.com.au/tag/icann.htm>,
url<http://www.zdnet.com.au/tag/url.htm>

*Cybercrime fighter Eugene Kaspersky can't help but be impressed by the
slick operations behind the Conficker botnet, and says that it could have
been worse had the botnet been after more than just money.*

"They are high-end engineers who write code in a good way," Kaspersky told *
ZDNet.com.au* yesterday. "They use cryptographic systems in the right way,
they don't make mistakes — they are really professional."

Kaspersky says he's "60 per cent certain" that Conficker is being controlled
from the Ukraine, but can't be certain. And while the threat posed by
Conficker seems serious enough, Kaspersky says, "It could be worse. We are
lucky they are just cybercriminals looking to make money and not worse than
that."

The unknown threat posed by Conficker, which hit 10 million Windows machines
prior to the suspected D-Day of 1 April, prompted a coordinated response.
Kaspersky, Symantec, Microsoft, the Internet Corporation for Assigned Names
and Numbers (ICANN), and the Federal Bureau of Investigations' Cyber
Division, amongst others, began a campaign to frustrate Conficker's attempt
to download a software update.

One reason for ICANN's involvement, according to its CEO and president Paul
Twomey, was that Conficker was targeting the internet's Domain Name Service
layer, which is equivalent to the address book of the internet.

During a keynote delivered at the AusCERT 2009
conference<http://www.zdnet.com.au/insight/security/soa/AusCERT-2009-Photo-gallery/0,139023764,339296482,00.htm>held
on the Gold Coast this week, Twomey noted the change in tack by botnet
operators. "The application layer has typically been used as the attack
vector, but we are beginning to see the DNS resolution used as the command
and control," said Twomey.

Conficker is the current darling of the internet's dark-side, preceded by
others such as Storm, and spam-machine McColo. But all botnets maintain an
edge over their various opponents: they are centrally controlled, "located"
potentially anywhere, generally don't rely on third-parties, and are free of
regulations.

 The application layer has typically been used as the attack vector, but we
are beginning to see the DNS resolution used as the command and control

Paul Twomey, ICANN CEO and president

Botnet operators in Russia, however, have started to cooperate with each
other according to Dmitry Levashev and Ruslan Stoyanov, network security
experts from Russian ISP RTComm.ru. At the AusCERT 2009 conference, via a
translator, the two gave a sobering account of what lies ahead for Australia
in the next three years.

"The different botnets work in cooperation. One would say, 'I'm just a bot
herder, I don't care about money laundering'. Or 'I do fraud, we just do our
own task'. So, one is doing spam, like advertising services and another is
doing money laundering. It's like a manufacturing business," they said.

Indeed it appears to have occurred when Conficker adopted the Waldec virus,
previously used by the Storm botnet as a mechanism to self-propagate.

Meanwhile, the group working to frustrate Conficker's attempt to complete a
software upgrade on April Fools' Day fought to coordinate themselves. While
ICANN was responsible for coordinating Top Level Domains, Microsoft pushed
out patches to non-pirated versions of Windows.

Kaspersky says of his company's role that they had found Conficker was using
an algorithm to generate random URLs that it would target in order to
download updates to its malware.

"The worm used an algorithm which generated a list of domains. Every day it
produced a new list. It looked for these URLs, and if they were online, the
worm was designed to download upgrades form the URL. The initial version of
the 10 million machine botnet would just wait and download. That's why we
were really scared on April Fool's Day. We didn't know what was going to
happen."

The group was able to exploit that algorithm and second guess the URLs that
would be targeted, and block requests to those URLs. But, says Kaspersky, it
was only partially successful.

"We blocked all the URL names which the worm was going to generate. It's an
algorithm, so we generated all these URLs and registered these domain names,
except ones which were already owned by someone. And because of that — the
domain names not owned by those in this process — the Conficker authors
managed to take control of one of these domains and upgraded the worm. That
was scary," he said.

ICANN's Twomey insisted the group's efforts against Conficker proved that
key internet players, such as Top Level Domain registrants, are capable of
coordinating a response to such threats. Still, the Conficker response was
the exception and not the rule.

It wasn't the first time a botnet operator has attempted to compromise DNS
servers to magnify its capacity to add to its army.

 That's why we were really scared on April Fool's Day. We didn't know what
was going to happen.

Eugene Kaspersky

At an ICANN conference held in Mexico in March this year, Rod Rasmussen,
chief technology officer of phishing take-down firm Internet Identity,
showed evidence of a recent nine-hour attack on CheckFree, an online bill
payment provider to 22 US financial institutions, which resulted in a
two-day shut down of affected online services and an estimated 10,000
infections over 48 hours.

"Somebody came in and took over the CheckFree's domain name portfolio at
their registrar. They changed the DNS servers for those domains and pointed
[...] basically every host name that would resolve under their domain names
to a malware server that was in the Ukraine. Anybody who tried to go to
CheckFree.com or any of their other domain names were redirected, instead,
to a malware server and were exposed to getting malware download on their
computer," Rasmussen said.

In a similar vein to the attack on CheckFree, hackers targeted MelbourneIT's
New Zealand subsidiary,
Domainz<http://www.zdnet.com.au/news/security/soa/Hackers-deface-New-Zealand-sites/0,130061744,339296043,00.htm>.
The hackers, who appeared to be politically motivated, defaced Coca-Cola,
Microsoft, Xerox and F-Secure's websites by injecting name server records
for the domains in question by compromising Domainz' infrastructure. It
didn't knock out critical national infrastructure, but it was able to take
down several large companies' websites for a few days.

Kaspersky says, "It's a major example of their internet weapon, because the
bad guys can use a botnet this size, not just for commercial interests, but
other interest also."

He insists, "I don't admire them" yet there is an undeniable sense of
respect he conveys.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.afrinic.net/pipermail/africann/attachments/20090521/feabdb19/attachment.htm

More information about the AfrICANN mailing list