BARCELONA–As in life, reputations on the Internet take time to build up. Attackers interested in making a quick buck aren’t necessarily the most patient lot, so as the various repuation systems on the Web have gotten more sophisticated and accurate, the bad guys have had to adjust their tactics and find new ways to evade them and plant their command-and-control servers.
One of the consequences of the exhaustion of the IPV4 address space is that not only are legitimate companies having a hard time finding IP blocks to use, so are the attackers. The number of IP addresses required for large scale botnets to operate effectively can be considerable, and finding large IP blocks to use for them can be difficult. And if they do find them, the IP addresses often are blacklisted quickly by reputation systems and are then useless for the attackers.
Now, in one effort to get around these systems, some attackers are taking advantage of the lack of IPV4 space by either purchasing or renting blocks of IP space with good reputations that have been built up over the course of several years. A number of legitimate trading and auction sites have appeared as the IPV4 space became scarcer, and the attackers have gotten involved as well, getting their hands on known good IP blocks and using them for C&C or hosting malware.
“The bad guys can buy or rent these as well, getting inside known good IP blocks so that the reputation systems don’t blacklist them as quickly,” Gunter Ollmann, VP of research at Damballa, said in a presentation at the Virus Bulletin conference here Friday.
That technique can be a boon for the attackers, who get the advantage of having some time to use the domains and not having to hop around from block to block in order to evade detection. But it also can have consequences for the legitimate owners of the IP blocks, as the repuations of those IP addresses and domains will be damaged as the systems begin to pick up on the malicious activity. Once that happens, it can be quite difficult to recover a domain’s good reputation and get it back in the good graces of the security companies.
And that’s just one of the techniques that botnet operators and crimeware gangs have adopted. Other crews are using modifications of older tactics, such as using sophisticated domain-generation algorithms to register thousands of new domains every day in an effort to stay a half step ahead of the reputation systems. One botnet operator that Ollmann discussed has roughly 80,000 domains in use at any given time, with an expected loss of about 5,000 per day and new registrations of the same number each day. Many of these bot herders will use free dynamic DNS providers in China or elsewhere as part of their infrastructure.
Another common technique these days is mass hacks of legitimate Web servers. This has been going on for years, but mostly as a way of serving malware through drive-by downloads. Ollmann said that it’s now also being done in order to take advantage of the reputation of the compromised servers.
“They’ll hack servers, mainly Web servers, in order to use their good reputations,” he said. “They’ll use them as C&C servers or just host configuration files on them.”
The better the reputation of the server, the longer the attacker may be able to use the server without detection by the large-scale Web-scanning engines. However, with the advent of IPV6, the address space has increased to such a degree that the scanning engines won’t have any hope of being able to scan the entire space in any reasonable amount of time, Ollmann said. Which just adds another obstacle for defenders and gives attackers one more advantage.