Re: [gnso-ff-pdp-may08] HydraFlux - Or How can things can get even worse...

["Mike O'Connor" <mike@xxxxxxxxxx>]

At 08:54 AM 7/23/2008, RLVaughn wrote:

> Rod Rasmussen wrote:
> > http://securitywatch.eweek.com/exploits_and_attacks/say_hello_to_hydraflux.html?kc=EWKNLSTE072208STR4 
> >
> > This article gets into the details of how "fluxing" botnets are 
> > evolving even further to have decentralized content servers.  As 
> > people in the security world have gotten better at figuring out how 
> > the end-point bots on botnet served systems communicate with their 
> > back-end "mother ships" that have the original content being 
> > distributed, they've been able to make a dent in the overall 
> > operations of these networks by tracking back to that server and 
> > killing it.  Not literally killing it of course, that's a figure of 
> > speech! That is REALLY hard work in most cases, but we're getting 
> > better at it as a community by looking at netflows, deconstructing 
> > the malware, and other things.  Now the bad guys are building 
> > further resilience into their systems with decentralized/redundant 
> > content servers to make taking out a single content server much 
> > akin to taking out a single bot - in the long run the malicious 
> > content remains.
> > What's that mean to us?  Well, these networks provide web content 
> > through the fraudulently registered domain names we're talking about.
> > With these emerging techniques in making the underlying physical 
> > infrastructure that much harder to detect and eliminate, it makes 
> > the one part that's relatively easy to detect, and hopefully 
> > mitigate/prevent - domain names - that much more important to deal 
> > with in some systemic way that significantly raises the "costs" to 
> > the bad guys.  Just another example of the bad guys changing 
> > techniques that we have to keep in mind.
> > Rod
> The TimesOnline published "Asprox computer virus infects key
> government and consumer websites"
> <http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article4381034.ece>
> today.  This article indirectly refers to
> <http://www.finjan.com/MCRCblog.aspx?EntryId=2002>
> which provides even more detail about the Asprox
> penetration into government, healthcare, shopping, and
> advertisement web sites.  Both sites are worth a read.
>
> The Asprox/Danmec trojan is being used by the Hydraflux network.
> It appears Asprox was adapted from its original phishing role
> into a SQL Injection vector.
>
> At the risk of boring everyone, one goal of the SQL
> injection is to include an iframe into HTML which
> uses a JavaScript sourced on a VCHSN node in order to
> infect visitors to the exploited site.
>
> RV
Question for y'all.  Does this analogy work?

In cancer treatment, some of my friends extoll the virtues of 
starving the cancer cells rather than cutting them out.  Less 
invasive, easier to target, more nimble, etc.  Does that analogy 
extend to the phishing world too?  The choice could be framed as the 
difference between starving the malicious domain (stopping traffic 
from getting to it) vs cutting the domain out (taking it down).