Attackers Adjusting Tactics to Evade Reputation Systems

BARCELONA–As in life, reputations on the Internet take time to build up. Attackers interested in making a quick buck aren’t necessarily the most patient lot, so as the various reputation systems on the Web have gotten more sophisticated and accurate, the bad guys have had to adjust their tactics and find new ways to evade them and plant their command-and-control servers.


One of the consequences of the exhaustion of the IPv4 address space is that not only are legitimate companies having a hard time finding IP blocks to use, so are the attackers. The number of IP addresses required for large-scale botnets to operate effectively can be considerable, and finding large IP blocks to use for them can be difficult. And if they do find them, the IP addresses often are blacklisted quickly by reputation systems and are then useless for the attackers.

Now, in one effort to get around these systems, some attackers are taking advantage of the lack of IPv4 space by either purchasing or renting blocks of IP space with good reputations that have been built up over the course of several years. A number of legitimate trading and auction sites have appeared as the IPv4 space became scarcer, and the attackers have gotten involved as well, getting their hands on known good IP blocks and using them for C&C or hosting malware.

“The bad guys can buy or rent these as well, getting inside known good IP blocks so that the reputation systems don’t blacklist them as quickly,” Gunter Ollmann, VP of research at Damballa, said in a presentation at the Virus Bulletin conference here Friday.

That technique can be a boon for the attackers, who get the advantage of having some time to use the domains and not having to hop around from block to block in order to evade detection. But it also can have consequences for the legitimate owners of the IP blocks, as the reputations of those IP addresses and domains will be damaged as the systems begin to pick up on the malicious activity. Once that happens, it can be quite difficult to recover a domain’s good reputation and get it back in the good graces of the security companies.

And that’s just one of the techniques that botnet operators and crimeware gangs have adopted. Other crews are using modifications of older tactics, such as using sophisticated domain-generation algorithms to register thousands of new domains every day in an effort to stay a half step ahead of the reputation systems. One botnet operator that Ollmann discussed has roughly 80,000 domains in use at any given time, with an expected loss of about 5,000 per day and new registrations of the same number each day. Many of these bot herders will use free dynamic DNS providers in China or elsewhere as part of their infrastructure.

Another common technique these days is mass hacks of legitimate Web servers. This has been going on for years, but mostly as a way of serving malware through drive-by downloads. Ollmann said that it’s now also being done in order to take advantage of the reputation of the compromised servers.

“They’ll hack servers, mainly Web servers, in order to use their good reputations,” he said. “They’ll use them as C&C servers or just host configuration files on them.”

The better the reputation of the server, the longer the attacker may be able to use the server without detection by the large-scale Web-scanning engines. However, with the advent of IPv6, the address space has increased to such a degree that the scanning engines won’t have any hope of being able to scan the entire space in any reasonable amount of time, Ollmann said. That just adds another obstacle for defenders and gives attackers one more advantage.


Discussion

  • Anonymous on

    "A number of legitimate trading and auction sites have appeared as the IPV4 space became scarcer, and the attackers have gotten involved as well, getting their hands on known good IP blocks and using them for C&C or hosting malware." Dennis, The Slashdot summary is a bit more sensational than the information in this story presents. You seem to have glossed over the most interesting part of your story (the above citation). I'd be interested in hearing more about those trading and auction sites. Got any more information about those? Thanks.
  • Agent X on

    Yes, please tell me where I can buy thousands of IP addresses for low low prices..

  • Anonymous on

    Guess you missed all the noise when Micro$oft bought the IPv4 addresses from X-Nortel-X. The stories I read mentioned a company called Addrex {www.addrex.net} which OPENLY says they sell addresses ... bet it is keeping the RIRs busy with "what do we do" and "but it is not property" but then again seems the courts allowed this and arin couldn't stop them. 

  • Anonymous on

    set firewall name eth0in rule 201 action drop
    set firewall name eth0in rule 201 description CNC-Group-CHINA
    set firewall name eth0in rule 201 source address 58.20.0.0/16
    set firewall name eth0in rule 201 destination address 0.0.0.0/0


    Send spam you get the drop.

    Easy.....

  • Daticc77 on

    :)
