Archive for November, 2007

DNS Fast Fluxing - Are you protected? CA Experts issue warning of new hacker attack

Cybercriminals are increasingly using an advanced method of hiding and sustaining their malicious Websites and botnet infrastructures — dubbed “fast-flux” — that could make them more difficult to detect, researchers say.

DNS Fast Fluxing is also referred to simply as Fast Fluxing, although some advanced security researchers claim that Fast Fluxing of services other than the Domain Name System (DNS) may become possible with future developments in command-and-control botware and crimeware frameworks; in any case, the International Security Convention Consortium (ISCC) will have to convene to consider an appropriate protocol convention for these issues. In the interest of brevity, throughout this article I will generally refer to “Fast Fluxing” rather than use the long-hand title of DNS Fast Fluxing, and I humbly deign to apologize in advance for any misunderstandings or confusion.

DNS Fast Fluxers, also known as DFFers (or in some circles, FFers), are classed amongst the most dangerous threats to your online assets. DFFers are notorious for defeating anti-phishing systems using flaws within domain technology such as DNS services, and for utilizing these flaws to avoid detection. This makes the DFFer harder to track down, as his peer network command is decentralized through the tunnels provided by the popular Internet naming services.

WHAT IS DNS FAST FLUXING?

Fast flux is an advanced method being used by determined botnet operators to hide and preserve their malicious Websites and botnet infrastructures. The bad guys behind Warezov/Stration and Storm, for instance, have separately moved their infrastructures to fast-flux service networks, according to members of the Honeynet Project & Research Alliance, who monitor fast-flux behavior via their honeypots.

What the Fast Flux

With Fast Flux, infected bot machines serve as proxies or hosts for malicious Websites and get rotated regularly, changing DNS records to evade discovery. IP blacklists are basically useless in finding fast flux-based botnets. The bad guys behind these networks can easily hide their fake online pharmacies, pornography, phishing sites, and other malicious content servers using this “round-robin” process.

  • Mark Wade

Mark Wade, a 10-year veteran of information security and current Manager of Research Content with Computer Associates’ Threat Research Team, and a contributor to the Computer Associates Security Advisor Research Blog (CARBS), writes:

“I decided to take a deeper look and see what I could find out about a botnet operation that I stumbled across. This investigation begins from a spammed email message I received, that was selling jewelry.

Since it is common practice we can assume the email was sent or relayed from a compromised computer that may have been part of a botnet. There were two websites in the email message: http://ryih.mhhimto.com and rmfx.mhhimto.com.

Using nslookup, I entered rmfx.mhhimto.com to resolve its IP address. I was not surprised to see eight completely different IP addresses returned, all from various IP netblocks. Since I have seen similar types of activity in the past, I ran nslookup again to see if the IP addresses changed. Sure enough, in just under 10 minutes the previously listed IP addresses changed to a completely new set of IP addresses. This seemed to happen about every ten minutes. I quickly identified the ever-changing IP addresses as DNS fast fluxing.

Fast fluxing is a method of deception utilized by botnets to conceal the identity of the bot herder or parts of the criminal activity. Fast fluxing works by constantly rotating compromised IP addresses, which are usually acting as a proxy to the end system. This is extremely beneficial to criminals who are involved in phishing scams or using compromised web sites to deliver malware.”

  • The Honeynet Project

The Honeynet Project & Research Alliance defines a fast-flux network as:
Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations.

  • Adam O’Donnell of Cloudmark

“The purpose of this technique is to render the IP-based block list — a popular tool for identifying malicious systems — useless for preventing attacks,” says Adam O’Donnell, director of emerging technologies at security vendor Cloudmark.

“Fast flux is just the latest method of survival for the bad guys: There are more to come. Any technique that allows a malicious actor to keep his network online longer — and reduce the probability of his messages and attacks being blocked — will be used,” he says. “This is just the latest of those techniques.”

  • Ralph Logan, The Logan Group

“All of this research on fast-flux is new. No one had any definitive research on it. [..] We saw a rising trend in illegal, malicious criminal activity here.. [..] Fast-flux helps cybercriminals hide their content servers, including everything from fake online pharmacies, phishing sites, money mules, and adult content sites,” Logan says. “This is to keep security professionals and ISPs from discovering and mitigating their illegal content.”

The bad guys like fast-flux — not only because it keeps them up and running, but also because it’s more efficient than traditional methods of infecting multiple machines, which were easily discovered.

“The ISP would shut down my 100 machines, and then I’d have to infect 100 more to serve my content and relay my spam,” Logan says. Fast-flux, however, lets hackers set up proxy servers that contact the “mother ship,” which serves as command and control. It uses an extra layer of obfuscation between the victim (client) and the content machine, he says.

“Our honeypot can capture actual traffic between the mother ship and the end node,” Logan says. The Alliance is still studying the malicious code and behavior of the fast-flux network it has baited.

A domain has hundreds or thousands of IP addresses, all of which are rotated frequently — so the proxy machines get rotated regularly, too – some as often as every three minutes — to avoid detection. “It’s not a bunch of traffic to one node serving illegal code,” Logan says.

“I send you a phishing email, you click on www.homepharmacy.com — but it’s really taking you to Grandma’s PC on PacBell! .. Which wakes up and says ‘it’s my turn now!’” threatens Logan. “You’d have 100 different users coming to Grandma’s PC for the next few minutes, and then Auntie Flo’s PC gets command-and-controlled next!” he says, with a menacing tone.
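As an added example (not from the original post, CA's blog or the Honeynet Project), a small Python triage script that applies Mark Wade's repeat-the-lookup procedure to recorded answer sets: it scores address count, netblock spread and churn between polls. The snapshots are constructed placeholders, and the /16-as-netblock rule and the thresholds are assumptions made here.

```python
"""Heuristic fast-flux triage over successive DNS A-record snapshots.
Models the nslookup procedure above: resolve, wait, resolve again, then
compare address count, netblock spread and churn between polls.  The
snapshots below are constructed sample data so the script runs offline."""
from ipaddress import ip_address


def netblock(ip: str) -> str:
    """Assumption: the /16 prefix stands in for the owning netblock; a real
    tool would map each address to its ASN from BGP or whois data."""
    b = ip_address(ip).packed
    return f"{b[0]}.{b[1]}.0.0/16"


def jaccard(a, b) -> float:
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if (a | b) else 1.0


def analyze(polls, min_ips=5, min_blocks=4, min_churn=0.5) -> dict:
    """Score a list of answer sets (one per poll) for fast-flux traits.
    Thresholds are illustrative; tune them against known-benign CDN names."""
    if len(polls) < 2:
        raise ValueError("need at least two polls to measure churn")
    all_ips = {ip for poll in polls for ip in poll}
    blocks = {netblock(ip) for ip in all_ips}
    churn = [1.0 - jaccard(x, y) for x, y in zip(polls, polls[1:])]
    mean_churn = sum(churn) / len(churn)
    return {
        "unique_ips": len(all_ips),
        "unique_netblocks": len(blocks),
        "mean_churn": round(mean_churn, 2),
        "is_fast_flux": (len(all_ips) >= min_ips and len(blocks) >= min_blocks
                         and mean_churn >= min_churn),
    }


# Constructed samples in RFC 1918 space as placeholders, not real bot IPs.
# Suspect name: three polls ~10 minutes apart, each answering with eight
# addresses from unrelated /16s, the set almost fully replaced every time.
FLUX_POLLS = [
    ["10.1.2.3", "10.7.8.9", "10.20.1.1", "10.33.4.5",
     "10.45.6.7", "10.58.1.2", "10.61.9.9", "10.77.3.3"],
    ["10.2.3.4", "10.9.8.7", "10.22.1.1", "10.35.4.5",
     "10.47.6.7", "10.58.1.2", "10.63.9.9", "10.79.3.3"],
    ["10.3.4.5", "10.11.8.7", "10.24.1.1", "10.37.4.5",
     "10.49.6.7", "10.60.1.2", "10.65.9.9", "10.81.3.3"],
]
# Legitimate round-robin pool: the same four hosts in one block every poll.
STABLE_POLLS = [
    ["10.100.0.1", "10.100.0.2", "10.100.0.3", "10.100.0.4"],
    ["10.100.0.2", "10.100.0.3", "10.100.0.4", "10.100.0.1"],
    ["10.100.0.3", "10.100.0.4", "10.100.0.1", "10.100.0.2"],
]

if __name__ == "__main__":
    for name, polls in (("suspect", FLUX_POLLS), ("round-robin", STABLE_POLLS)):
        print(name, analyze(polls))
```

A legitimate CDN can also answer with many addresses, so the netblock and churn signals matter more than the raw count; feeding the script real polls means collecting answer sets over time and passing them in the same list-of-lists shape.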

Sources:

http://community.ca.com/blogs/securityadvisor/archive/2007/11/07/web-of-deception.aspx

http://www.darkreading.com/document.asp?doc_id=132720


Wordpress 0day: Hacking into computers now easier than previously believed, says Heise Security

“A design flaw in the WordPress blog software authentication process makes it easier than previously believed for attackers to compromise a system. Most content management systems and blogs save user passwords as hashes in the underlying database. So even if attackers were to get access to the hashes stored in the database, for instance by means of an SQL injection hole, they have not been able to do much with them up to now.”

http://en.wikipedia.org/wiki/Password_Cracking

“Specifically, if they want to recover the passwords, they would have to compare a hash with entries in a “rainbow table” – a process that can take some time and may not work at all for long passwords, for which there simply are no tables.”

“But according to a security advisory published by Stephen J. Murdoch of the University of Cambridge, a property in WordPress can be exploited to get access without the password. Instead of trying to obtain the password, Murdoch used its hash to generate an authentication cookie to gain access to the system. A member of the core team behind The Onion Router (TOR) anonymization project, Murdoch says that the MD5 hash only has to be hashed a second time with MD5. According to his report, the authentication procedure implemented in WordPress then looks like:

wordpresspass_<MD5(url)>=MD5(user_pass)

Here, the URL is clearly spelled out, and user_pass corresponds to the hash (MD5(password)). Along with the wordpressuser cookie (that is, wordpressuser_<MD5(url)>=admin), access is then reportedly provided to the WordPress admin account. Murdoch says he has informed the developers of WordPress of the problem, but they have yet to react.”

http://en.wikipedia.org/wiki/HTTP_cookie

Ed Henning

“A design flaw in the WordPress blog software authentication process makes it easier than previously believed for attackers to compromise a system.”

This attack is a very dangerous 0day for WordPress 2.3: it only requires the hacker to first compromise administrator access to WordPress using another, more serious hole, and then, instead of using that admin access to create new users, modify users or backdoor WordPress, he can take the MD5 hash from the hacked database and gain access as a user to the WordPress he has previously hacked. All users are encouraged to upgrade. See more:

Sources:

http://heise-security.co.uk/ - Security and Internet Security Expert Consultants.

http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt
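Added illustration, not WordPress's own PHP: a Python model of the cookie construction quoted above next to a keyed design that a leaked hash alone cannot satisfy. The sample stored hash, the placeholder server secret and the keyed scheme itself are assumptions made here, not the project's later fix.

```python
"""Model of the WordPress 2.3 cookie scheme quoted above, next to a keyed
design.  Added illustration in Python; this is not WordPress's own code.

Legacy scheme (from the advisory): the wordpresspass cookie value is
MD5(user_pass), where user_pass is the MD5 password hash already sitting
in the database.  No secret is involved, so whoever reads the users table
can mint a valid cookie without ever recovering the password.
"""
import hashlib
import hmac
import time

# Constructed sample row: MD5("password"), standing in for a stored hash.
SAMPLE_STORED_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"
# Placeholder server secret for the keyed design; a real deployment
# generates a long random value and keeps it out of the database.
SERVER_SECRET = b"constructed-placeholder-secret"


def legacy_cookie_value(stored_hash: str) -> str:
    """Value of wordpresspass_<MD5(url)>: a second MD5 over the stored hash."""
    return hashlib.md5(stored_hash.encode()).hexdigest()


def legacy_verify(cookie_value: str, stored_hash: str) -> bool:
    # Verification needs nothing the database does not already hold.
    return hmac.compare_digest(cookie_value, legacy_cookie_value(stored_hash))


def keyed_cookie_value(user: str, expires: int, stored_hash: str,
                       secret: bytes = SERVER_SECRET) -> str:
    """Cookie bound to user, expiry, a server secret and a fragment of the
    stored hash (so a password change also invalidates outstanding cookies).
    Assumption: an illustrative design, not WordPress's later implementation."""
    key = hmac.new(secret, f"{user}|{stored_hash[8:12]}".encode(),
                   hashlib.sha256).digest()
    mac = hmac.new(key, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{expires}|{mac}"


def keyed_verify(cookie: str, stored_hash: str, secret: bytes = SERVER_SECRET,
                 now=None) -> bool:
    """Recompute the MAC with the secret; a leaked hash alone cannot pass."""
    try:
        user, expires, mac = cookie.split("|")
        expires_at = int(expires)
    except ValueError:
        return False
    if expires_at <= (int(time.time()) if now is None else now):
        return False
    expected = keyed_cookie_value(user, expires_at, stored_hash, secret)
    return hmac.compare_digest(mac.encode(), expected.rsplit("|", 1)[1].encode())
```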


NEW: How Hackers REALLY Work

Hacker Hierarchy

Psychologist and Expert Hacker Marc Rogers says there are several subgroups of hackers: newbies, cyberpunks, coders and cyber terrorists.

Newbies are hackers who have access to hacking tools but aren’t really aware of how computers and programs work. Cyberpunks are savvier and are less likely to get caught than a newbie while hacking a system, but they have a tendency to boast about their accomplishments. Coders write the programs other hackers use to infiltrate and navigate computer systems. A cyber terrorist is a professional hacker who infiltrates systems for profit — he might sabotage a company or raid a corporation’s databases for proprietary information.

Hackers and Crackers

Many computer programmers insist that the word “hacker” applies only to law-abiding enthusiasts who help create programs and applications or improve computer security. Anyone using his or her skills maliciously isn’t a hacker at all, but a cracker.

Even though the so-called hackers with malicious hacking skills have always labelled, and continue to label, themselves and their peers as hackers first and foremost, the nomenclature does not legally apply according to the Arbitration of What Stuff is Called Act of 2002. In addition, loosely organized social groups and clubs have not traditionally been permitted to determine their own names or identities. All definitions related to hacking must be approved by at least one academic over 55 years old, speaking in an authoritative tone to a relatively ignorant IT journalist about the latest sensationalized hacker story. - Ed.

Group of Hackers from KDE.ORG

Crackers infiltrate systems and cause mischief, or worse. Unfortunately, most people outside the hacker community use the word as a negative term because they don’t understand the distinction between hackers and crackers.

Spying on e-mail: Hackers have created code that lets them intercept and read e-mail messages — the Internet’s equivalent to wiretapping. Today, most e-mail programs use encryption formulas so complex that even if a hacker intercepts the message, he won’t be able to read it.

Hacker Culture

Individually, many hackers are antisocial. Their intense interest in computers and programming can become a communication barrier. Left to his or her own devices, a hacker can spend hours working on a computer program while neglecting everything else.

There are many websites dedicated to hacking. The hacker journal “2600: The Hacker Quarterly” has its own site, complete with a live broadcast section dedicated to hacker topics. The print version is still available on newsstands. Web sites like Hacker.org promote learning and include puzzles and competitions for hackers to test their skills.

Not all hackers try to explore forbidden computer systems. Some use their talents and knowledge to create better software and security measures. In fact, many hackers who once used their skills to break into systems now put that knowledge and ingenuity to use by creating more comprehensive security measures. In a way, the Internet is a battleground between different kinds of hackers — the bad guys, or black hats, who try to infiltrate systems or spread viruses, and the good guys, or white hats, who bolster security systems and develop powerful virus protection software.

Yahoo Hack Day

Hackers work together to create “mashups” of Yahoo applications at Google Hack Day 2006. (Photo: Glenn Chapman/AFP/Getty Images)

Hacking For a Living

Hackers who obey the law can make a good living. Several companies hire hackers to test their security systems for flaws. Hackers can also make their fortunes by creating useful programs and applications, like Stanford University students Larry Page and Sergey Brin. Page and Brin worked together to create a search engine they would eventually name Yahoo. Today, they are tied for 26th place on Forbes’ list of the world’s most wealthy billionaires [source: Forbes].

Famous Hackers: Lamo

Adrian Lamo hacked into computer systems using computers at libraries and Internet cafes. He would explore high-profile systems for security flaws (such as open proxies), exploit the flaws (or make use of the proxy) to “hack” into the system, and then send a message to the corresponding company, letting them know about the security flaw. Unfortunately for Lamo, he was doing this on his own time rather than as a paid consultant — his activities were illegal. He also snooped around a lot, reading sensitive information and giving himself access to confidential material. He was caught after breaking into the computer system belonging to the New York Times.

It’s likely that there are thousands of hackers active online today, but an accurate count is impossible. Many (>99%) hackers don’t really know what they are doing — they’re just using dangerous tools they don’t completely understand.

Source: How Computer Hackers Really Work, by a Non Hacker


WARNING: Math Bugs put Global Commerce at Risk

“One of the world’s most prominent cryptographers issued a warning on Friday about a hypothetical incident in which a math error in a widely used computing chip places the security of the global electronic commerce system at risk.”

“Adi Shamir, a professor at the Weizmann Institute of Science in Israel, circulated a research note about the problem to a small group of colleagues. He wrote that the increasing complexity of modern microprocessor chips is almost certain to lead to undetected errors.”

“A subtle math error would make it possible for an attacker to break the protection afforded to some electronic messages by a popular technique known as public key cryptography.”

Math Bugs

Mr. Shamir wrote that if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be “trivially broken with a single chosen message.”

Executing the attack would require only knowledge of the math flaw and the ability to send a “poisoned” encrypted message to a protected computer, he wrote. It would then be possible to compute the value of the secret key used by the targeted system. With this approach, “millions of PC’s can be attacked simultaneously, without having to manipulate the operating environment of each one of them individually,” Mr. Shamir wrote.

An Intel spokesman noted that the flaw was a theoretical one and something that required a lot of contingencies.

Mr. Shamir said he had no evidence that anyone is using an attack like the one he described.
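Added toy, not from Shamir's note or Markoff's article: a Python sketch of why one wrong intermediate value inside an RSA-CRT private-key operation gives up a factor of the modulus, and of the output check that keeps the wrong answer from ever leaving the device. The textbook-sized key and the simulated multiplier bug are constructed here.

```python
"""Toy of the single-chosen-message attack Shamir describes, with the check
that stops it.  Added illustration with textbook-sized numbers; the "math
bug" is simulated as one wrong intermediate value inside an RSA-CRT
private-key operation, the setting Shamir's note concerns.
"""
from math import gcd

# Constructed toy key (far too small for real use): primes p, q; N = p*q.
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, 2753
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


def crt_private_op(m: int, faulty: bool = False) -> int:
    """m^D mod N via the Chinese Remainder Theorem, as real implementations
    do for speed.  faulty=True flips one bit of the mod-p half, standing in
    for a chip whose multiplier errs on a specially chosen input."""
    sp = pow(m, DP, P)
    if faulty:
        sp ^= 1                             # the "math bug" firing
    sq = pow(m, DQ, Q)
    h = (QINV * (sp - sq)) % P
    return sq + Q * h


def factor_from_faulty_output(s_faulty: int, m: int) -> int:
    """If only one CRT half was wrong, s_faulty^E - m is still 0 modulo the
    other prime, so a single gcd exposes a factor of N: this is why one
    poisoned message suffices, and why the key must never be recomputed on
    hardware whose arithmetic cannot be trusted without a check."""
    return gcd((pow(s_faulty, E, N) - m) % N, N)


def guarded_private_op(m: int, faulty: bool = False):
    """Countermeasure: re-check the result with the public key before it
    leaves the device.  A wrong answer is withheld instead of leaked."""
    s = crt_private_op(m, faulty)
    return s if pow(s, E, N) == m % N else None


if __name__ == "__main__":
    bad = crt_private_op(65, faulty=True)
    print("factor recovered from one faulty output:",
          factor_from_faulty_output(bad, 65))
    print("guarded operation on the same fault:", guarded_private_op(65, True))
```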

Thank you to John Markoff for writing this useful warning article.

Source: John Markoff @ NYTIMES


Cross Fax Scripting - New attack techniques use XSS and Fax Machines to Hack Victims

Dr Craig Wright has described a new attack vector known as Cross-Site Faxing (XSF) that abuses weaknesses in OCR 2.0 anti-phishing technology to bypass commercial anti-CSF appliances such as the i-XSS BloggerShield and UBsecure’s new XRCF Webfender 2.1.

On Nov 18, Dr Craig Wright (cwright@bdosyd.com.au) writes to pen-test:

“I have thought of an alternate path to loading a virus based on a network OCR’d fax server. In the scenario, we have to assume that the system is sending the output to a web front end or HTTP enabled email (not that uncommon).”

Dr Wright then illustrates the idea with the following hypothetical scenario:

  • The system has no input filters and prints all characters to the email or web app.
  • The OCR engine is highly accurate and does not add spaces etc.
  • The email or web app displays exactly what it received.

Dr Craig Wright on Fax Site Scripting Attacks and Web 3.0

“Now given that scenario, we have a possible XSS (cross-site-scripting) attack. If there are no filters for an outgoing connection (i.e. no firewall/proxy that strips scripts) and the client browser/email application allows access to the Internet, the attacker could create a script in the page that makes a call to an external system to download a file … a script could also embed a simple XOR obfuscation key to modify the downloaded code. On the web server it would be inert. When XOR’d with the key in the script (after being downloaded and installed), this will thus bypass the AV server (if there is one) and install the malware on the users system. […] Regards, Dr Craig Wright (GSE-Compliance)”

It is interesting to see this challenge considered by the security community. Are there currently any products we can purchase to scan incoming faxes? What about physical mail? A malicious attacker could embed scripting into an application form that is then printed and sent through snail mail to a recipient mail desk, which scans the mail and forwards it as a PDF or TIFF image to the unsuspecting victim.

This attack is very deadly, as it takes advantage of embedded, macro or client-side exploits against PDF or TIFF viewers and their users. This is a very dangerous attack vector that must be explored, and all security consultants are encouraged to alert the wider community to the dangers of Cross-Site Faxing and Cross-Site Postage exploits.


Video: Chris Pirillo on Xssworm - What are Hackers? Blackhat and Whitehat discussed

White hat, gray hat, black hat: no, we’re not talking about hat styles, but hackers. What are they, how do they differ, and are all of them super-evil?

SEO search engine manipulators also call each other blackhats. Also discussed are anecdotes about dogs and hacking.

