ICANN Email List Archives

[gnso-ff-pdp-may08]



Re: [gnso-ff-pdp-may08] HydraFlux - Or How can things can get even worse...

  • To: Fast Flux Workgroup <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] HydraFlux - Or How can things can get even worse...
  • From: RLVaughn <RL_Vaughn@xxxxxxxxxx>
  • Date: Wed, 23 Jul 2008 08:54:09 -0500

Rod Rasmussen wrote:
> http://securitywatch.eweek.com/exploits_and_attacks/say_hello_to_hydraflux.html?kc=EWKNLSTE072208STR4
>
> This article gets into the details of how "fluxing" botnets are evolving
> even further to have decentralized content servers.  As people in the
> security world have gotten better at figuring out how the end-point bots
> on botnet served systems communicate with their back-end "mother ships"
> that have the original content being distributed, they've been able to
> make a dent in the overall operations of these networks by tracking back
> to that server and killing it.  Not literally killing it of course,
> that's a figure of speech! That is REALLY hard work in most cases, but
> we're getting better at it as a community by looking at netflows,
> deconstructing the malware, and other things.  Now the bad guys are
> building further resilience into their systems with
> decentralized/redundant content servers to make taking out a single
> content server much akin to taking out a single bot - in the long run
> the malicious content remains.
>
> What's that mean to us?  Well, these networks provide web content
> through the fraudulently registered domain names we're talking about.
> With these emerging techniques in making the underlying physical
> infrastructure that much harder to detect and eliminate, it makes the
> one part that's relatively easy to detect, and hopefully
> mitigate/prevent - domain names - that much more important to deal with
> in some systemic way that significantly raises the "costs" to the bad
> guys.  Just another example of the bad guys changing techniques that we
> have to keep in mind.
>
> Rod

The TimesOnline published "Asprox computer virus infects key
government and consumer websites"
<http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article4381034.ece>
today.  This article indirectly refers to
<http://www.finjan.com/MCRCblog.aspx?EntryId=2002>
which provides even more detail about the Asprox
penetration into government, healthcare, shopping, and
advertisement web sites.  Both sites are worth a read.

The Asprox/Danmec trojan is being used by the Hydraflux network.
It appears Asprox was adapted from its original phishing role
into a SQL Injection vector.

At the risk of boring everyone, one goal of the SQL
injection is to include an iframe into HTML which
uses a JavaScript sourced on a VCHSN node in order to
infect visitors to the exploited site.

RV
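The injection pattern RV describes (a stored iframe or external script whose source lives on a flux node) leaves a footprint in the site's own content. The scanner below is an added example, not code from the thread or from the articles it cites: it walks HTML fragments as they would be pulled from a CMS table and flags any iframe or script tag whose src host is not on a site-specific allowlist, noting when the tag is sized or styled to be invisible. The allowlist hosts, the row identifiers and the `.invalid` flux hostname are all constructed for the example.

```python
"""Flag stored <iframe>/<script src> tags that load from off-site hosts.

Added example for the Asprox-style injection discussed on the list; the
allowlist, sample rows and flux hostname below are constructed, not taken
from any real site or campaign.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site legitimately embeds content from.
ALLOWED_HOSTS = {"www.example-agency.gov", "cdn.example-agency.gov"}


class InjectedTagFinder(HTMLParser):
    """Collect iframe/script tags whose src points at a host outside the allowlist."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline script or src-less iframe: no external loader here
        host = urlparse(src).hostname
        if host is None:
            return  # relative URL, served by this site itself
        if host.lower() in self.allowed_hosts:
            return
        # Injected loaders are usually hidden (zero size or display:none);
        # record that, but report every off-site loader regardless.
        style = (attr.get("style") or "").replace(" ", "").lower()
        hidden = (attr.get("width") == "0" or attr.get("height") == "0"
                  or "display:none" in style)
        self.findings.append({"tag": tag, "src": src, "host": host, "hidden": hidden})


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of off-site loader findings for one HTML fragment."""
    finder = InjectedTagFinder(allowed_hosts)
    finder.feed(html)
    return finder.findings


def scan_rows(rows, allowed_hosts=ALLOWED_HOSTS):
    """rows: iterable of (row_id, html_text), e.g. a CMS body-text column.

    Returns {row_id: [findings]} for rows that contain an off-site loader.
    """
    report = {}
    for row_id, html in rows:
        hits = scan_html(html, allowed_hosts)
        if hits:
            report[row_id] = hits
    return report


# Constructed sample rows: one clean page and one that carries an injected,
# zero-sized iframe plus a script tag pointing at a (fictional) flux host.
SAMPLE_ROWS = [
    ("page-1",
     '<h1>Benefits</h1><p>Apply online.</p>'
     '<script src="https://cdn.example-agency.gov/app.js"></script>'),
    ("page-2",
     '<h1>Contact</h1><p>Call us.</p>'
     '<iframe src="http://flux-host.invalid/b.html" width=0 height=0></iframe>'
     '<script src="http://flux-host.invalid/js.js"></script>'),
]

if __name__ == "__main__":
    for row_id, hits in scan_rows(SAMPLE_ROWS).items():
        for hit in hits:
            print(f"{row_id}: {hit['tag']} -> {hit['host']} (hidden={hit['hidden']})")
```

Running it over a real content table means feeding each stored fragment to scan_rows; anything reported is either an embed the allowlist should have listed or content that was written by someone other than the site's editors, which is the question a SQL-injection investigation needs answered first.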
