<div id="story-heading">
<h1>Kaspersky impressed by botnet slickness</h1>
<div id="byline">
<h5><a href="http://www.zdnet.com.au/news/security/email.htm?TYPE=editor&AT=339296562-130061744t-110000005c"> Liam Tung, ZDNet.com.au</a></h5>
<h5>21 May 2009 02:05 PM <a href="http://www.zdnet.com.au/news/security/soa/Kaspersky-impressed-by-botnet-slickness/0,130061744,339296562,00.htm">http://www.zdnet.com.au/news/security/soa/Kaspersky-impressed-by-botnet-slickness/0,130061744,339296562,00.htm</a><br>
</h5>
<h5>Tags: <a href="http://www.zdnet.com.au/tag/auscert.htm">auscert</a>, <a href="http://www.zdnet.com.au/tag/botnet.htm">botnet</a>, <a href="http://www.zdnet.com.au/tag/conficker.htm">conficker</a>, <a href="http://www.zdnet.com.au/tag/kaspersky.htm">kaspersky</a>, <a href="http://www.zdnet.com.au/tag/malware.htm">malware</a>, <a href="http://www.zdnet.com.au/tag/storm.htm">storm</a>, <a href="http://www.zdnet.com.au/tag/icann.htm">icann</a>, <a href="http://www.zdnet.com.au/tag/url.htm">url</a></h5>
</div>
</div>
<p><strong>Cybercrime
fighter Eugene Kaspersky can't help but be impressed by the slick
operations behind the Conficker botnet, and says that it could have
been worse had the botnet been after more than just money.</strong></p>
<p>"They are high-end engineers who write code in a good way," Kaspersky told <i><a href="http://ZDNet.com.au">ZDNet.com.au</a></i> yesterday. "They use cryptographic systems in the right way, they don't make mistakes — they are really professional."</p>
<p>Kaspersky says he's "60 per cent certain" that Conficker is being
controlled from the Ukraine, but can't be sure. And while the threat
posed by Conficker seems serious enough, Kaspersky says, "It could be
worse. We are lucky they are just cybercriminals looking to make money
and not worse than that."</p>
<p>The unknown threat posed by Conficker, which hit 10 million Windows
machines prior to the suspected D-Day of 1 April, prompted a
coordinated response. Kaspersky, Symantec, Microsoft, the Internet
Corporation for Assigned Names and Numbers (ICANN), and the Federal
Bureau of Investigation's Cyber Division, amongst others, began a
campaign to frustrate Conficker's attempt to download a software update.</p>
<p>One reason for ICANN's involvement, according to its CEO and
president Paul Twomey, was that Conficker was targeting the internet's
Domain Name System (DNS) layer, which is equivalent to the address book of
the internet.</p>
<p>During a keynote delivered at the <a href="http://www.zdnet.com.au/insight/security/soa/AusCERT-2009-Photo-gallery/0,139023764,339296482,00.htm">AusCERT 2009 conference</a>
held on the Gold Coast this week, Twomey noted the change in tack by
botnet operators. "The application layer has typically been used as the
attack vector, but we are beginning to see the DNS resolution used as
the command and control," said Twomey.</p>
<p>Conficker is the current darling of the internet's dark side,
preceded by others such as Storm, and spam-machine McColo. But all
botnets maintain an edge over their various opponents: they are
centrally controlled, "located" potentially anywhere, generally don't
rely on third parties, and are free of regulations.</p>
<p>Botnet operators in Russia, however, have started to cooperate with
each other according to Dmitry Levashev and Ruslan Stoyanov, network
security experts from Russian ISP RTComm.ru. At the AusCERT 2009
conference, via a translator, the two gave a sobering account of what
lies ahead for Australia in the next three years.</p>
<p>"The different botnets work in cooperation. One would say, 'I'm just
a bot herder, I don't care about money laundering'. Or 'I do fraud, we
just do our own task'. So, one is doing spam, like advertising services
and another is doing money laundering. It's like a manufacturing
business," they said.</p>
<p>Indeed, such cooperation appears to have occurred when Conficker adopted the Waledac
virus, previously used by the Storm botnet as a mechanism to
self-propagate.</p>
<p>Meanwhile, the group working to frustrate Conficker's attempt to
complete a software upgrade on April Fools' Day fought to coordinate
themselves. While ICANN was responsible for coordinating Top Level
Domains, Microsoft pushed out patches to non-pirated versions of
Windows.</p>
<p>Kaspersky says of his company's role that they had found Conficker
was using an algorithm to generate a fresh, pseudo-random list of domain names
each day, which it would contact in order to download updates to its malware.</p>
<p>"The worm used an algorithm which generated a list of domains. Every
day it produced a new list. It looked for these URLs, and if they were
online, the worm was designed to download upgrades from the URL. The
initial version of the 10 million machine botnet would just wait and
download. That's why we were really scared on April Fool's Day. We
didn't know what was going to happen."</p>
<p>Because the algorithm was deterministic, the group was able to run it
themselves, predict the URLs the worm would contact, and block requests
to those URLs. But, says Kaspersky, it was only partially successful.</p>
<p>"We blocked all the URL names which the worm was going to generate.
It's an algorithm, so we generated all these URLs and registered these
domain names, except ones which were already owned by someone. And
because of that — the domain names not owned by those in this process —
the Conficker authors managed to take control of one of these domains
and upgraded the worm. That was scary," he said.</p>
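<p>The two quotes above describe a domain-generation algorithm (DGA) and the defenders' counter-move against it: because the daily list is a pure function of the date, it can be computed in advance, pre-registered or blocked, and used to spot infected hosts in DNS logs. The following is an added illustration written for this article; it is not Conficker's algorithm and not code from Kaspersky or any of the groups named. The hash-based generator, its TLD set and list size, the <code>plan_preregistration</code>/<code>flag_dga_queries</code> helpers, the log-line format and the sample log are all constructed assumptions. It also shows the gap Kaspersky mentions: names a third party already owns cannot be registered by defenders and stay usable by the worm's operators.</p>

```python
"""Toy domain-generation algorithm (DGA) and the defenders' counter-move.

Constructed illustration for this article; it is NOT Conficker's real
algorithm. The seed format, hash, label length, TLD set, list size, log-line
format and sample log lines are all assumptions chosen for readability.
"""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")   # assumed TLD set for the toy DGA
DOMAINS_PER_DAY = 8            # assumed size of each day's list


def parse_day(iso: str) -> date:
    """Convenience wrapper so callers can pass '2009-04-01' style strings."""
    return date.fromisoformat(iso)


def dga_domains(day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Derive the rendezvous domains for `day` from the date alone.

    The list is a pure function of the date, so anyone who has recovered the
    algorithm from the worm (defenders included) can compute it for any date
    in advance, which is what makes pre-registration of the names possible.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])  # 10 letters a-z
        names.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return names


def plan_preregistration(day: date, already_taken: set[str]) -> tuple[list[str], list[str]]:
    """Split the day's predicted names into those defenders can register and
    the gap: names already owned by a third party, which cannot be taken over
    and so remain usable by the worm's operators. Returns (registrable, gap)."""
    predicted = dga_domains(day)
    registrable = [d for d in predicted if d not in already_taken]
    gap = [d for d in predicted if d in already_taken]
    return registrable, gap


def flag_dga_queries(log_lines: list[str], day: date, window_days: int = 1) -> list[tuple[str, str]]:
    """Match DNS query log lines of the assumed form '<client_ip> <qname>'
    against the predicted lists for `day` plus/minus `window_days` (to absorb
    clock skew on infected hosts). A client querying a rendezvous name is a
    candidate infection whether or not the name resolved. Returns (client, qname)."""
    watch: set[str] = set()
    for offset in range(-window_days, window_days + 1):
        watch.update(dga_domains(day + timedelta(days=offset)))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than crash on them
        client, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in watch:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    d_day = parse_day("2009-04-01")
    todays = dga_domains(d_day)
    # Constructed: pretend the third name was already registered by an
    # unrelated party before the defenders started their campaign.
    registrable, gap = plan_preregistration(d_day, {todays[2]})
    print(f"{len(registrable)} names to register, {len(gap)} left in the gap: {gap}")
    # Constructed DNS query log: one infected-looking client, one benign.
    sample_log = [f"10.0.0.5 {todays[2]}.", "10.0.0.7 www.example.com."]
    for client, name in flag_dga_queries(sample_log, d_day):
        print(f"ALERT {client} queried rendezvous domain {name}")
```

<p>The one-day window in <code>flag_dga_queries</code> matters in practice: an infected machine whose clock is wrong computes a neighbouring day's list, so matching only today's names would miss it.</p>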
<p>ICANN's Twomey insisted the group's efforts against Conficker proved
that key internet players, such as Top Level Domain registrants, are
capable of coordinating a response to such threats. Still, the
Conficker response was the exception and not the rule.</p>
<p>It wasn't the first time a botnet operator has attempted to compromise DNS servers to magnify its capacity to add to its army.</p>
<p>At an ICANN conference held in Mexico in March this year, Rod
Rasmussen, chief technology officer of phishing take-down firm Internet
Identity, showed evidence of a recent nine-hour attack on CheckFree, an
online bill payment provider to 22 US financial institutions, which
resulted in a two-day shut down of affected online services and an
estimated 10,000 infections over 48 hours.</p>
<p>"Somebody came in and took over CheckFree's domain name
portfolio at their registrar. They changed the DNS servers for those
domains and pointed [...] basically every host name that would resolve
under their domain names to a malware server that was in the Ukraine.
Anybody who tried to go to CheckFree.com or any of their other domain
names was redirected, instead, to a malware server and was exposed to
getting a malware download on their computer," Rasmussen said.</p>
<p>In a similar vein to the attack on CheckFree, hackers targeted <a href="http://www.zdnet.com.au/news/security/soa/Hackers-deface-New-Zealand-sites/0,130061744,339296043,00.htm">MelbourneIT's New Zealand subsidiary, Domainz</a>.
The hackers, who appeared to be politically motivated, defaced
Coca-Cola, Microsoft, Xerox and F-Secure's websites by injecting name
server records for the domains in question by compromising Domainz'
infrastructure. It didn't knock out critical national infrastructure,
but it was able to take down several large companies' websites for a
few days.</p>
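<p>Both the CheckFree and the Domainz incidents turn on the same thing: the name server (NS) delegation for a domain was changed at the registrar or registry without the owner noticing. The usual defensive control is to poll the delegation and the registrar status for every domain in the portfolio and alert on drift. The script below is an added illustration, not code from the article, Internet Identity or any registrar; the <code>dig +short NS</code> and WHOIS "Domain Status" formats are simplified, and every snapshot it processes is constructed.</p>

```python
"""Delegation-drift and registrar-lock check for a domain portfolio.

Constructed illustration; not code from the article, from Internet Identity
or from any registrar. Inputs are simplified `dig +short NS` and WHOIS-style
text, and every snapshot below is made up.
"""
from __future__ import annotations

# EPP status codes that block unauthorised transfer or update at the registrar.
LOCK_STATUSES = {"clientTransferProhibited", "clientUpdateProhibited",
                 "serverTransferProhibited", "serverUpdateProhibited"}


def parse_ns(dig_output: str) -> set[str]:
    """Normalise `dig +short NS`-style output (one name server per line):
    trailing dots dropped, case folded, blank lines ignored."""
    return {ln.strip().rstrip(".").lower() for ln in dig_output.splitlines() if ln.strip()}


def parse_status(whois_output: str) -> set[str]:
    """Collect the codes from 'Domain Status: <code> <url>' WHOIS lines."""
    codes = set()
    for ln in whois_output.splitlines():
        key, _, value = ln.partition(":")
        if key.strip().lower() == "domain status" and value.split():
            codes.add(value.split()[0])
    return codes


def check_domain(name: str, baseline_ns: set[str], dig_output: str, whois_output: str) -> list[str]:
    """Compare the observed delegation with the recorded baseline and confirm a
    registrar lock is present. Returns human-readable findings; an empty list
    means nothing needs attention."""
    findings = []
    observed = parse_ns(dig_output)
    if observed != baseline_ns:
        findings.append(f"{name}: NS delegation drifted; expected {sorted(baseline_ns)}, observed {sorted(observed)}")
    if not parse_status(whois_output) & LOCK_STATUSES:
        findings.append(f"{name}: no registrar transfer/update lock set")
    return findings


if __name__ == "__main__":
    baseline = {"ns1.example-dns.net", "ns2.example-dns.net"}
    # Constructed snapshots: one healthy, one whose delegation now points at a
    # host the owner never authorised and whose lock has been removed.
    healthy_dig = "ns1.example-dns.net.\nns2.example-dns.net.\n"
    healthy_whois = ("Domain Name: BILLPAY.EXAMPLE\n"
                     "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n")
    hijacked_dig = "ns1.attacker-controlled.example.\n"
    hijacked_whois = "Domain Name: BILLPAY.EXAMPLE\nDomain Status: ok https://icann.org/epp#ok\n"
    for label, dig, whois in (("healthy", healthy_dig, healthy_whois),
                              ("hijacked", hijacked_dig, hijacked_whois)):
        print(label, check_domain("billpay.example", baseline, dig, whois) or ["OK"])
```

<p>Polling the authoritative NS set from outside the organisation's own resolvers is deliberate: a hijack of the kind Rasmussen describes is visible to the whole internet first, and a cached internal view can lag by the record's TTL.</p>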
<p>Kaspersky says, "It's a major example of their internet weapon,
because the bad guys can use a botnet this size, not just for
commercial interests, but other interests also."</p>
<p>He insists, "I don't admire them" yet there is an undeniable sense of respect he conveys.</p>