
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-05-03 InfoSec Handlers Diary Blog



Botnets Host DNS; 'leet Names and Security Tools

Published: 2005-05-03
Last Updated: 2005-05-04 21:39:07 UTC
by Lenny Zeltser (Version: 1)

Botnets Used to Host DNS for Phishing



A recent post to the Dailydave mailing list, titled , described an incident similar to the report we received yesterday. The report outlined a large organization's battle against a botnet that was being used to run a phishing attack against the organization's customers. The trend of using bots to host phishing websites on compromised systems is not new, and was documented in the Register article titled . Hosting the site on bots makes it difficult to shut down, because the attacker can quickly modify the domain record to point to another compromised system. One way to defend against such attacks is to work with the company hosting the DNS server that resolves the malicious domain name, and have the offending records removed or modified.



Attacks that we're observing now are becoming more elaborate. In the most recent report, the attacker was using a botnet to host not only the malicious websites, but also the DNS servers that provided domain resolution services for the targeted domain name. This setup allowed the attacker to move to a new DNS server when one of the malicious servers got shut down. An organization battling this threat typically has to deal with the registrar of the malicious domain, instead of attempting to shut down the individual DNS server. Unfortunately, many domain registrars don't have formal procedures for dealing with such requests, which makes it difficult for organizations to defend against such attacks.



Some ISPs can help their customers combat such attacks by implementing a form of domain hijacking: intercepting malicious DNS traffic that traverses their network and redirecting it. While this approach does not mitigate the issue entirely, it does mitigate it within the ISP's network, and it is particularly effective when implemented by a large ISP. Given the limitations of this mechanism, it would be very helpful for domain registrars to develop processes for addressing this attack scenario.
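The setup described above leaves a footprint in passive DNS data: the name servers for the phishing domain keep resolving to new (compromised) addresses with short TTLs. The heuristic below, an added example rather than anything from the diary or the reports it cites, profiles each zone's NS hosts over a set of constructed observations and flags zones whose name servers keep moving.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (timestamp, name, rtype, rdata, ttl).
# Names use the reserved .test TLD and addresses come from documentation
# ranges; nothing here is a real indicator.
OBSERVATIONS = [
    (1000, "login-update.test", "NS", "ns1.login-update.test", 600),
    (1000, "ns1.login-update.test", "A", "203.0.113.10", 600),
    (1700, "ns1.login-update.test", "A", "198.51.100.77", 600),
    (2300, "ns1.login-update.test", "A", "192.0.2.200", 600),
    (2900, "ns1.login-update.test", "A", "203.0.113.45", 600),
    (1000, "steady.test", "NS", "ns.steady.test", 86400),
    (1000, "ns.steady.test", "A", "192.0.2.1", 86400),
    (90000, "ns.steady.test", "A", "192.0.2.1", 86400),
]


def nameserver_profile(observations):
    """Per zone: how many distinct addresses its NS hosts resolved to,
    and the smallest TTL seen on those A records (None if never seen)."""
    ns_hosts = defaultdict(set)
    addrs = defaultdict(set)
    min_ttl = {}
    for _, name, rtype, rdata, ttl in observations:
        name = name.lower()
        if rtype == "NS":
            ns_hosts[name].add(rdata.lower())
        elif rtype == "A":
            addrs[name].add(rdata)
            min_ttl[name] = min(ttl, min_ttl.get(name, ttl))
    profile = {}
    for zone, hosts in ns_hosts.items():
        seen = set().union(*(addrs[h] for h in hosts))
        ttls = [min_ttl[h] for h in hosts if h in min_ttl]
        profile[zone] = (len(seen), min(ttls) if ttls else None)
    return profile


def flag_bot_hosted_ns(observations, min_addrs=3, max_ttl=3600):
    """Zones whose name servers keep moving: many distinct addresses
    combined with a short TTL. A heuristic, so review hits by hand
    (large hosting providers can look similar)."""
    return sorted(
        zone for zone, (n_addrs, ttl) in nameserver_profile(observations).items()
        if n_addrs >= min_addrs and ttl is not None and ttl <= max_ttl
    )
```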

'leet Names and the Distribution of Security Tools



The file name of Stinger, McAfee's stand-alone tool for detecting and removing popular malware specimens, has been changed from stinger.exe to ST1NGER.EXE; notice the use of number "1" instead of letter "i". (See "Update 1" below to learn how this has changed since this diary was originally published.) This is a response to the
self-defense tactic of looking for programs named stinger.exe. Using a name other than stinger.exe allows McAfee's tool to run on the infected system. This is briefly mentioned in the , and on the . One of our readers wrote to us, suspicious of the new file name. It didn't help that the screenshot on the Stinger download page showed the original file name of stinger.exe.



The use of number "1" in the new name to replace letter "i" is a poor choice because of its resemblance to techniques attackers use to fool victims. Consider, for example, an attack that employs the domain name paypa1.com, using the number "1" (one) rather than the letter "l" (L), in a phishing scheme. Computer users are starting to pay attention to common letter replacements like this, and are learning to become suspicious of them. We should shy away from naming schemes that interfere with this learning process.
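The same character substitutions a user is learning to distrust can be checked mechanically. The example below is added here and is not from the diary: it collapses confusable characters (the digit "1" standing in for either "i" or "l", "0" for "o", and so on) to a canonical form and reports which known name a candidate imitates, covering both the paypa1.com domain and the ST1NGER.EXE file name from the text. The confusable table is a small illustrative set, not a complete one.

```python
import re

# Characters attackers swap in for a letter, grouped with the letter(s)
# they imitate. Each group collapses to its first character.
CONFUSABLE_GROUPS = ["il1|", "o0", "e3", "a4@", "s5$", "t7", "b8", "g9", "z2"]
CANON = {ch: group[0] for group in CONFUSABLE_GROUPS for ch in group}
# Two-character lookalikes, applied before the single-character map.
PAIRS = {"rn": "m", "vv": "w", "cl": "d"}


def core(name):
    """Lowercase the part of a name a user actually reads: the file name
    without its extension, or a domain without its TLD."""
    name = name.lower().strip()
    return name.rsplit(".", 1)[0] if "." in name else name


def canonical(name):
    """Canonical form: confusables folded, separators such as '-' removed."""
    s = core(name)
    for pair, letter in PAIRS.items():
        s = s.replace(pair, letter)
    s = "".join(CANON.get(ch, ch) for ch in s)
    return re.sub(r"[^a-z0-9]", "", s)


def lookalike_of(name, known_names):
    """Return the known name that `name` imitates, or None when `name`
    is the genuine name itself or unrelated to all known names."""
    if core(name) in {core(k) for k in known_names}:
        return None
    target = canonical(name)
    for known in known_names:
        if canonical(known) == target:
            return known
    return None
```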



Perhaps a better tactic would be to automatically assign a random file name to a tool such as Stinger when the user downloads it. A similar approach
for naming anti-rootkit utilities such as Sysinternals and F-Secure to get around the tactic of rootkits modifying their behavior when scanned by known security tools.



Regardless of the file naming scheme, it would be very helpful to see MD5 hashes of the security tools we download, which the vendors could make available on websites other than those hosting the tools. Having a SHA-1 hash of the executable as well would be even nicer. Those worried about potential
and MD5 might argue for the use of another algorithm. Regardless of the algorithm, having a cryptographic hash or signature of the executable would help concerned users and administrators verify the integrity of the downloaded tool.
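A check of the kind described above, as an added example that is not McAfee's or the diary's own code: hash the downloaded file, compare every digest the vendor published out of band (MD5, SHA-1, or a stronger algorithm), and note when only MD5 is available. The sample bytes are a constructed stand-in for an executable.

```python
import hashlib
import hmac

# Algorithms a vendor might publish; listed weakest first.
SUPPORTED = ("md5", "sha1", "sha256")


def file_digests(path, algorithms=SUPPORTED, chunk_size=1 << 20):
    """Hash a downloaded file in chunks so large tools are not read
    into memory at once."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_digests(computed, published):
    """Compare computed digests with the values copied from the vendor's
    out-of-band page. Returns (ok, problems): every published digest must
    match, and at least one must use an algorithm we actually computed."""
    problems = {}
    checked = 0
    for alg, expected in published.items():
        alg = alg.lower()
        if alg not in computed:
            problems[alg] = "not computed / unsupported algorithm"
            continue
        checked += 1
        if not hmac.compare_digest(computed[alg], expected.strip().lower()):
            problems[alg] = "mismatch, computed " + computed[alg]
    if checked == 0:
        problems["*"] = "no usable published digest"
    return not problems, problems


def only_weak_digests(published):
    """True when the vendor published nothing beyond MD5, the case a
    collision-worried reader would object to."""
    return {alg.lower() for alg in published} <= {"md5"}


# Constructed stand-in for a downloaded executable; a real check would
# call file_digests() on the saved file instead.
SAMPLE = b"abc"
SAMPLE_DIGESTS = {alg: hashlib.new(alg, SAMPLE).hexdigest() for alg in SUPPORTED}
```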



Update 1: McAfee notified us that they've now changed the file name of the Stinger tool from ST1NGER.EXE to s-t-i-n-g-e-r.exe. Thanks for addressing the immediate problem so quickly! McAfee is in the process of evaluating other methods of circumventing anti-Stinger tactics.



Update 2: I modified the diary to correct the fact that the Stinger description page actually includes a note about the change in the tool's name. This information was in the Update History section at the bottom of the page. I originally stated that this information was not included in the page at all. This information is also now included next to the download link on that page.





Lenny Zeltser

ISC Handler of the Day

http://www.zeltser.com