ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [gnso-ff-pdp-may08] HydraFlux - Or How can things can get even worse...

  • To: "'Mike O'Connor'" <mike@xxxxxxxxxx>, "'RLVaughn'" <RL_Vaughn@xxxxxxxxxx>, "'Fast Flux Workgroup'" <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: RE: [gnso-ff-pdp-may08] HydraFlux - Or How can things can get even worse...
  • From: "Greg Aaron" <gaaron@xxxxxxxxxxxx>
  • Date: Wed, 23 Jul 2008 11:28:42 -0400

Well, no, that analogy doesn't work.

The browser makers have installed anti-phishing filters.  So when you try to
visit a known phishing page, the browser will first give you 
a warning page.  Try it in IE or Firefox by pasting in and fixing this
broken URL:
http://tklab.math.spbu. ru/moneybookers/directory.php?app=login.pl

You can then decide whether to click through to your destination.  That is
crucial, because the browser maker is still giving you the ability to go
where you want to go on the Internet.

Having a network or ISP prohibit traffic to a particular URL may present
various problems and can negatively impact innocent users.  I know some do
it sometimes when a piece of malware etc. gets really bad. 

The phish above is on what we call a compromised domain.  The domain itself
is owned by an innocent party.  In this case it's St. Petersburg State
University, and the phish was inserted on its site either via hack, malware,
or inside job.  So, we would not want to shut down this legit domain, nor
would we want to blacklist traffic to the domain.  The phish is therefore
best addressed by contacting the registrant and its hosting provider, who
can remove the offending page from the server.  

So, the best practices are:
* for a compromised phishing site: surgically remove the content at the
server, and do not shut down or blacklist the entire domain.  
* if a phisher registered the domain: you can take the domain down without
harming an innocent registrant.  
* For fast-flux domains: the domain is owned by the bad guy, and the domain
can be taken offline without harming an innocent registrant.

All best,
--Greg
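The triage in the message above hinges on telling a fast-flux domain (owned by the attacker, safe to suspend) from a compromised legitimate domain (must not be suspended or blocklisted). Below is an added example, not code from the list or from anyone on it, of the DNS-side heuristic a practitioner would use to make that call: watch a name over time and score how many distinct addresses and autonomous systems it resolves to, how small its TTL is, and how often the answer changes. The sample lookups, the IP-to-ASN map and all thresholds are constructed for this example; the addresses come from the RFC 5737 documentation prefixes and the ASNs from the RFC 5398 private-use range, so none of them point at a real network.

```python
import random
from dataclasses import dataclass

# Constructed sample data: RFC 5737 documentation prefixes and RFC 5398
# private-use ASNs, so nothing here points at a real network.
_POOL = ([f"192.0.2.{i}" for i in range(1, 15)]
         + [f"198.51.100.{i}" for i in range(1, 15)]
         + [f"203.0.113.{i}" for i in range(1, 13)])
SAMPLE_ASN = {ip: 64496 + i % 7 for i, ip in enumerate(_POOL)}
SAMPLE_ASN["192.0.2.200"] = 64500  # single stable host of the "compromised" site


@dataclass(frozen=True)
class Lookup:
    """One A-record lookup of the domain: when it was made, the TTL returned,
    and the set of addresses in the answer."""
    ts: int
    ttl: int
    ips: frozenset


def flux_features(lookups, asn_of):
    """Reduce a series of lookups to the signals fast-flux heuristics use:
    distinct addresses, distinct autonomous systems, the smallest TTL seen,
    and how often consecutive answers differed.
    asn_of maps IP -> ASN; a real tool would consult a BGP/whois source."""
    lookups = sorted(lookups, key=lambda l: l.ts)
    all_ips = set().union(*(l.ips for l in lookups))
    asns = {asn_of.get(ip, "unknown") for ip in all_ips}
    changes = sum(1 for a, b in zip(lookups, lookups[1:]) if a.ips != b.ips)
    return {
        "unique_ips": len(all_ips),
        "unique_asns": len(asns),
        "min_ttl": min(l.ttl for l in lookups),
        "churn": changes / max(len(lookups) - 1, 1),
    }


def is_fast_flux(features, min_ips=8, min_asns=4, max_ttl=600, min_churn=0.5):
    """Thresholds are assumptions for this example; tune them on your own data.
    A compromised but otherwise normal site fails all four tests at once."""
    return (features["unique_ips"] >= min_ips
            and features["unique_asns"] >= min_asns
            and features["min_ttl"] <= max_ttl
            and features["churn"] >= min_churn)


def triage(features, registrant_is_innocent):
    """Map the three cases from the message above to a response."""
    if is_fast_flux(features):
        return "fast-flux: suspend the domain; no innocent registrant is harmed"
    if registrant_is_innocent:
        return ("compromised site: have the registrant/host remove the page; "
                "do not suspend or blocklist the domain")
    return "phisher-registered: suspend the domain"


def sample_flux_lookups(n=12, seed=1):
    """Constructed: every 5 minutes the name answers with 5 addresses drawn
    from a pool of 40 infected hosts, TTL 180 s."""
    rng = random.Random(seed)
    return [Lookup(ts=300 * i, ttl=180, ips=frozenset(rng.sample(_POOL, 5)))
            for i in range(n)]


def sample_compromised_lookups(n=12):
    """Constructed: a legitimate site whose single host never changes."""
    return [Lookup(ts=300 * i, ttl=86400, ips=frozenset({"192.0.2.200"}))
            for i in range(n)]


if __name__ == "__main__":
    for name, lookups, innocent in (
        ("flux.example", sample_flux_lookups(), False),
        ("compromised.example", sample_compromised_lookups(), True),
    ):
        f = flux_features(lookups, SAMPLE_ASN)
        print(name, f, "->", triage(f, innocent))
```

Note that DNS alone cannot separate the second and third cases (a phisher-registered domain and a compromised one can look identical in DNS); that distinction still needs registrant and content review, which is why the example takes it as an input rather than inferring it.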



-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Mike O'Connor
Sent: Wednesday, July 23, 2008 10:40 AM
To: RLVaughn; Fast Flux Workgroup
Subject: Re: [gnso-ff-pdp-may08] HydraFlux - Or How can things can get even worse...


At 08:54 AM 7/23/2008, RLVaughn wrote:

>Rod Rasmussen wrote:
>>http://securitywatch.eweek.com/exploits_and_attacks/say_hello_to_hydraflux.html?kc=EWKNLSTE072208STR4 
>>
>>This article gets into the details of how "fluxing" botnets are 
>>evolving even further to have decentralized content servers.  As 
>>people in the security world have gotten better at figuring out how 
>>the end-point bots on botnet served systems communicate with their 
>>back-end "mother ships" that have the original content being 
>>distributed, they've been able to make a dent in the overall 
>>operations of these networks by tracking back to that server and 
>>killing it.  Not literally killing it of course, that's a figure of 
>>speech! That is REALLY hard work in most cases, but we're getting 
>>better at it as a community by looking at netflows, deconstructing 
>>the malware, and other things.  Now the bad guys are building 
>>further resilience into their systems with decentralized/redundant 
>>content servers to make taking out a single content server much 
>>akin to taking out a single bot - in the long run the malicious 
>>content remains.
>>What's that mean to us?  Well, these networks provide web content 
>>through the fraudulently registered domain names we're talking about.
>>With these emerging techniques in making the underlying physical 
>>infrastructure that much harder to detect and eliminate, it makes 
>>the one part that's relatively easy to detect, and hopefully 
>>mitigate/prevent - domain names - that much more important to deal 
>>with in some systemic way that significantly raises the "costs" to 
>>the bad guys.  Just another example of the bad guys changing 
>>techniques that we have to keep in mind.
>>Rod
>
>The TimesOnline published "Asprox computer virus infects key
>government and consumer websites"
><http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article4381034.ece>
>today.  This article indirectly refers to
><http://www.finjan.com/MCRCblog.aspx?EntryId=2002>
>which provides even more detail about the Asprox
>penetration into government, healthcare, shopping, and
>advertisement web sites.  Both sites are worth a read.
>
>The Asprox/Danmec trojan is being used by the Hydraflux network.
>It appears Asprox was adapted from its original phishing role
>into a SQL Injection vector.
>
>At the risk of boring everyone, one goal of the SQL
>injection is to include an iframe into HTML which
>uses a JavaScript sourced on a VCHSN node in order to
>infect visitors to the exploited site.
>
>RV

Question for y'all.  Does this analogy work?

In cancer treatment, some of my friends extol the virtues of 
starving the cancer cells rather than cutting them out.  Less 
invasive, easier to target, more nimble, etc.  Does that analogy 
extend to the phishing world too?  The choice could be framed as the 
difference between starving the malicious domain (stopping traffic 
from getting to it) vs cutting the domain out (taking it down).
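RV's quoted note describes the payload of the Asprox SQL injection: an iframe or script tag stored into the site's content so that every rendered page loads JavaScript from one of the fluxing content nodes. The check a site owner would run after such a compromise is a scan of rendered pages for iframe/script tags that pull from a host the site does not own, or iframes sized or styled to be invisible. The following is an added example of that scan, not code from the list or from any of the vendors mentioned; the sample page is constructed, and "malicious-node.example" and "www.victim.example" are placeholders rather than real hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page as rendered after the attack. A hidden iframe and
# a script tag pointing at the attacker's content node were written into a
# database column and now appear wherever that column is printed.
# "malicious-node.example" stands in for a content node; it is not a real host.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://www.victim.example/js/site.js"></script>
</head><body>
<h1>Welcome</h1>
<p>Latest news<iframe src="http://malicious-node.example/loader.php"
   width="0" height="0"></iframe></p>
<p>Contact us<script src="//malicious-node.example/x.js"></script></p>
</body></html>"""


def _looks_hidden(attrs):
    """Zero-sized or styled-invisible iframes are the usual shape of a planted loader."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1", "0px", "1px")
            or attrs.get("height") in ("0", "1", "0px", "1px")
            or "display:none" in style or "visibility:hidden" in style)


class InjectedTagFinder(HTMLParser):
    """Collect iframe/script tags whose src is on a host we do not own,
    plus any iframe that is sized or styled to be invisible."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (tag, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script bodies need a separate check
        host = (urlparse(src).hostname or "").lower()  # "" for relative URLs
        reasons = []
        if host and host not in self.own_hosts:
            reasons.append(f"off-site host {host}")
        if tag == "iframe" and _looks_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, reasons))


def find_injected(html, own_hosts):
    """Return the suspicious tags found in one rendered page."""
    parser = InjectedTagFinder(own_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for tag, src, reasons in find_injected(SAMPLE_PAGE, {"www.victim.example"}):
        print(f"<{tag} src={src!r}>: {', '.join(reasons)}")
```

Scanning rendered output rather than the database is deliberate: the injected tag lives in a text column and may be echoed by many templates, so the page is where it becomes visible. Once found, the fix is the one Greg describes for a compromised site, namely removing the planted content and closing the injection hole, not suspending the domain.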




