[gnso-ff-pdp-may08] HydraFlux - Or How can things get even worse...
- To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
- Subject: [gnso-ff-pdp-may08] HydraFlux - Or How can things get even worse...
- From: Rod Rasmussen <rod.rasmussen@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 22 Jul 2008 15:01:50 -0700
http://securitywatch.eweek.com/exploits_and_attacks/say_hello_to_hydraflux.html?kc=EWKNLSTE072208STR4
This article gets into the details of how "fluxing" botnets are
evolving even further to have decentralized content servers. As
people in the security world have gotten better at figuring out how
the end-point bots on botnet-served systems communicate with their
back-end "mother ships" that have the original content being
distributed, they've been able to make a dent in the overall
operations of these networks by tracking back to that server and
killing it. Not literally killing it, of course; that's a figure of
speech! That is REALLY hard work in most cases, but we're getting
better at it as a community by looking at netflows, deconstructing the
malware, and other things. Now the bad guys are building further
resilience into their systems with decentralized/redundant content
servers to make taking out a single content server much akin to taking
out a single bot - in the long run the malicious content remains.

What's that mean to us? Well, these networks provide web content
through the fraudulently registered domain names we're talking about.
With these emerging techniques making the underlying physical
infrastructure that much harder to detect and eliminate, the one part
that's relatively easy to detect, and hopefully mitigate/prevent -
domain names - becomes that much more important to deal with in some
systemic way that significantly raises the "costs" to the bad guys.

Just another example of the bad guys changing techniques that we have
to keep in mind.

Rod