Archive for the 'RockPhish' Category

Secure Computing Links With McAfee Avert Labs

Today marks another day of momentous change for McAfee’s research teams.

I just spent two days with my new colleagues from Secure Computing and some of my team members from McAfee Avert Labs. It was two grueling days of discussion and education as we both came up to speed on our research methodologies and technologies. Let me say that I am truly excited to be working with Dmitri Alperovitch, Sven Krasser, and Paula Greve, who head up the research group there. These are sharp and capable research leaders who have done amazing things. TrustedSource is a great technology and has so many applications that McAfee can leverage. Once our new Artemis technology begins to leverage TrustedSource capabilities McAfee will become the undisputed leader in security intelligence in the Internet “cloud.” Together we will see millions of spam messages, evaluate thousands of web sites, and see thousands of new pieces of malware–all in the span of 24 hours. We now have the ability to see and react to the threat landscape better than ever before. This is something that every McAfee product, technology, appliance, and SAAS (software as a service) solution will come to leverage, differentiating themselves from the competition even more.

At first we thought we would have overlapping technologies, but this is definitely not the case. In combating spam, web, and malware we have approached these threats from very different directions; thus we find our technologies very complementary. In the case of anti-spam protection, for example, we have two technologies that provide better than 99% detection using very different methodologies and approaches. Once combined, we will have the most robust solution on the market. The same holds true for the SmartFilter and SiteAdvisor technologies, as well as our malware solutions.

Today we have very good security intelligence. Tomorrow, with a bit of nurturing, we will have great security intelligence.

We welcome Secure Computing to the McAfee research family.

Jeff Green
Senior Vice President
McAfee Avert Labs

Three cheers for ICANN!

… One small step for ICANN …

I never thought I’d see the day!

ICANN has found its dentures down the back of the sofa and taken a bite out of the criminals’ domain registration empire. ESTDomains will no longer be a registrar as of Nov 12th. [pdf]

So I’ve got a question… Who’s got the balls to take on ESTDomains’ problem “customers”?

“ICANN Seeks Expressions of Interest from Registrars to Receive Bulk Transfer of Names from De-Accredited Registrar EstDomains”

I recently presented at APWG to encourage the anti-phishing community that registrars and registries can actually act rather than pleading innocence or the classic “our hands are tied” type excuses. In the case of fast-flux, they are in fact probably the only ones that can help. I encouraged participants to point out that registrars and registries are guilty of acting illegally in many jurisdictions by facilitating illegal or infectious sites.

The general stance was that if Directi can clean them out then so can anyone else.

I pointed out that between 2 registrars (EST and Klik/Vivids) about $1.5M of revenue had taken place with Directi (who gives a healthy proportion of it to Verisign etc.). I concluded with a slide to motivate participants to “Hug a Registrar” and I implore our readers to help out too. Anyone scoring over 30% on this uribl page is a prime candidate for advocates in the community to reach out and “help”.

So here is my top 5 for today:

#1 Moniker - Infested with spammers and pirated software sites. (MSOffice isn’t €79.95 delivered in a zip file)
#2 XIN NET - This is where the Pill spammers moved to and have given the .cn TLD a bad name.
#3 35 Tech & OnlineNic - Same as above but with more variety in pill sites and some casinos thrown in too.
#4 Planet Online - (Surprised to see them so high) Home of the unique URL “snowshoe” spammers? Almost legit? The real world doesn’t care for their bulk and whois protected domains (via Directi’s Logicboxes), or fake contacts.
#5 Dynamic Dolphin - Owned by Scott Richter’s Media Breakaway, formerly bankrupted OptinRealBig. MS won cases against him in New York in 2005. This accreditation is probably against ICANN’s policy. These days they generally annoy via social networks.
#Bonus - *.directNIC [Mikko’s open letter]

This is almost 2 years too late and took far too much media attention to shake their tree. The worst of the criminals left EST for other registrars after the “defecation meets the rotary oscillator” in August, but nevertheless (so I’m told) this is quick for ICANN ;)

Hip Hip…

Ever put your CV on a job site?

Recent phishing attempts have been targeting some popular social networking sites and jobs websites, such as facebook.com and monster.com. Due to the amount of personal and sensitive information which is saved there, they are very valuable to phishers. This data could be used to further target or spear phish individual victims by name and even work interests.

We have seen phishing attacks which targeted careerbuilder.com in the past. The latest target is another big recruitment site - monster.com. Just like typical financial phishing emails, the Monster phishing emails have subjects including imperatives like “Monster customer service: important notice” or “Monster customer service: please confirm your data!”

But please do not be fooled! These are not from Monster at all!!

monster.com phishing site

The phishing domain would appear to be hosted on a new UK domain with DNS leading to a bot in Turkey. We can see from this phishing site that the phisher is mainly targeting recruiters for their logins and passwords. This would enable them to access hundreds or even thousands of job seekers’ CVs, which often contain a gold mine of sensitive data. Other elements of the recruiter’s account could be useful as well.

The level of personal data on a CV is pretty high, and in the wrong hands outright dangerous. Be vigilant against unsolicited emails!

ICANN slaps registrars who help criminals

It’ll come as no surprise that there are a bunch of domain registrars that are effectively supporting criminal gangs by not acting on reports of domains run for evil deeds and criminal activities. (Or as we say: They don’t wear a glowing white hat!)

I was chatting on email with Garth Bruen from KnujOn the other day and we agreed that it’s been well known for a long time in the industry that certain registrars are “black hat”. He questioned what was being done about it and pointed me at a story they had worked on with the Washington Post on the subject of their top ten, documented here: http://www.knujon.com/registrars/#the_list.

For a different data source (and one that looks very much like our own ;) ) URIBL’s “hall of shame” has been on line for ages and can be viewed here: http://rss.uribl.com/nic/

I don’t take these things at face value but I’ve been aware of this issue for a couple of years and have even stood up at an APWG conference and shaken my finger at registries and registrars in the room after an early presentation on double-flux and made sure they knew only they could help fight it.

Well, it looks like Garth’s article and PR worked: the wheels of power at ICANN have turned and they have told the worst registrars to act!

So my hat tip for the month of May has to go to Garth, Cool.. Nice one… and congratulations!

ICANN state:

“But if those registrars, including those publicly cited, do not investigate and correct alleged inaccuracies reported to ICANN, our escalation procedure can ultimately result in ICANN terminating their accreditation and preventing them from registering domain names,”

I suspect however that the “inaccuracies” relate to the accuracy of whois information and if that is the case I suspect that the registrars will simply start their own privacy services.

NB: Privacy and anonymity are different things if you’re an LEA (Law Enforcement Authority) within your jurisdiction, but to me, the humble lower middle-class sysadmin (Hi @SRS), and those outside of their primary jurisdiction, they are effectively the same impenetrable barrier. We repute against domains registered with privacy services because statistically speaking (in the filtering metric truck-loads of email world) they are used as anonymity services more than privacy.

Competition time: Just for fun, I’m going to open a book on the first registrar to expire date and put a black McAfee Baseball Cap up for grabs. (We engineers don’t get much SWAG, let alone give it away). Just leave a message with the registrar you think will stop trading (or be disaccredited by ICANN) first and the date you think they will be gone on.

Employees of McAfee, KnujOn and ICANN need not apply, I’m the judge and my decision is final!

Final thoughts: All we need now is a few of the heavily abused ccTLDs to do the same and dive into the fight before we see more of these.

Is it Domain Tasting or Domain Misusing?

When a registrar registers a domain name, there is a five-day Add Grace Period (AGP) during which he may cancel his request and receive a full credit for the registration fee from the registry. This trend has been gaining popularity since mid-2005, and although the grace period was originally set up for avoiding mistakes, the practice is now frequently abused.

Besides the fact that some domainers use it to track names with a high potential to generate traffic and thus pay-per-click revenues, people who use the fast-flux and rockphish techniques, which we have already discussed here in detail, now use it in proportions that would be interesting to measure. Domain Tasting involves registering names only to release them very quickly and without paying for them. This practice exploded in 2007, and an incredible number of temporary domain names, having definitely been used to carry out malicious activities, were deleted at the end of this add-grace period.

A quick analysis of the activity of registrars that are accredited by ICANN (Internet Corporation for Assigned Names and Numbers) helps to measure the phenomenon. Already in 2006, during an organizational meeting, a workshop called domain name marketplace looked at figures from Verisign, the registry for .COM and the one for .NET. Between May 1 and 31, 2006, they listed 616 registrars that had registered at least one name. Only 18 of them were responsible for 98.1% of this type of activity.

The following graph from Nick Ashton-Hart (Director for At-Large at ICANN) makes this clear:

It shows that the phenomenon is continuing to grow and that it involves more than just a few companies speculating on highly attractive domain names.

Undoubtedly, hiding behind this multitude of names are blatantly criminal people who create and use random names, registered using more or less automated methods, which then serve for a few days, or even a few hours, as temporary sites for selling products offered through spam campaigns or as mirror sites tied to phishing campaigns.

Below is a very brief excerpt from a list spanning several hundred pages that shows a series of domain names that were removed on December 11, 2007. It is clear that these names are not only viewed or used as high potential domain names:

For people interested in the domain tasting issue, I recommend a read of the GNSO Issues Report on Domain Tasting. GNSO (Generic Names Supporting Organisation) is the specific part of ICANN responsible for developing and recommending to the ICANN Board policies relating to generic Top Level Domains (gTLD).

Thanks to Franck Veysset (from France Telecom R&D) who gave me some details on this phenomenon during the last CLUSIF Cybercrime Conference in Paris.

From Fast-Flux to RockPhish - Part 2

Last Friday, I started some analysis on fast-flux techniques. I stopped my discussion with single-flux so today I will improve on the camouflage!! To do this, the fake site’s IP addresses vary, as do the IP addresses of the name servers that define them in the DNS architecture. This is double-flux.

Here, the criminal has a genuine control and monitoring workstation. These machines are no longer just for relaying http traffic; they simulate the domain name servers and resend the various IP addresses for the connection which - as before - are valid only for a moment.

When the victim tries to reach the site he would like to visit, a request is sent to the name server with authority over the zone. Just like with single-flux, the short lifespan of the address leads the name server request to the criminal network. First used at this level, the fast-flux technique causes the request to be redirected to a first zombie machine inside the botnet (fast-flux on name servers - IP_A to IP_E). This machine requests the response from the C&C workstation and forwards it to the requestor by using the same method a second time (fast-flux on web site - IP_1 to IP_9).

In return, the IP address of another zombie machine is sent to the victim. This second bot relays the traffic, preserving the criminal’s anonymity.

As the blurred image below suggests, this third example deals with an adult site that tries to remain discreet about its origins. Two dig commands launched a few minutes apart show us the result.

On the web site side, the expiration dates are reduced to 10 minutes (600 seconds), and the site’s IP addresses are very varied (fast-flux on web site). It’s the same for the domain name servers, which changed within a short period of time (fast-flux on name servers).

Combining the three previous methods gives a major headache :-). But as a result, we obtain the scheme used in the mysterious RockPhish structures. The ingredients are:

  • lots of domain names,
  • a fast-flux botnet network in double-flux mode,
  • specialized software that is responsible for sending out phishing e-mails, where each recipient is assigned an index. This is used as a parameter in the URL, and again within the mirror site as long as the victim gets connected.

I won’t bore you with the final synoptic for the network traffic. Simply looking at the following URLs, collected from phishing e-mails, gives you an idea of the complexity of the attack.

The host domain name varies, as do the domain name servers. The control and monitoring workstation manages the structure of the network in real time. Let’s not forget that this is primarily a network of compromised machines (a botnet). The index is there to ensure proper redirection according to victims, banks, machines to be activated, and the group of fraudsters profiting from the attack.

I hope this dissection interested you. It demonstrates that attacks are more and more sophisticated. To be sure, groups like the ones using RockPhish put so much energy into improving their network resilience and stealth because it is very profitable for them.

From Fast-Flux to RockPhish - Part 1

For several years, we have been talking about the sophistication of attacks. The main goals are discretion, camouflage and profitability. Some of the common techniques and tools are named Fast-Flux, RockPhish or MPack. As I recently worked on some spam campaigns and dubious websites, I will use them as examples and explain some of these new cybercriminal methods in a set of two blog contributions.

Before complicating the scheme, let me start with a very simple example:

Here, a spammer owns a lot of domain names. He constantly buys new ones using stolen credit card numbers and rotates through them as service interruptions occur, which can happen very quickly or slowly, depending upon the vigilance and honesty of the access providers.

One machine contains his site. It may be dedicated to selling medicine or counterfeit luxury products. In order to trick anti-spam software, e-mails are personalized with background noise and random text. For more diversification, and due to the many domain names he has, his software changes the URL of his site for the various messages it sends.

When a victim tries to follow the link provided for them, a process makes a request to the local name server for the IP address of the machine corresponding to the URL they were sent:

If the information exists at this level (a cache mechanism), it is forwarded directly to the requester. Otherwise, and if the link is still valid, the desired IP address is returned only after checking root and/or primary servers. Dozens of different domain names could point to a single machine.

Here is an example of a result that could be obtained using this method:

With phishing, the methods are becoming more complex. This curve, taken from APWG statistics, does not highlight the number of victims, which has increased a lot this year.

It shows that, since mid-2006, the total number of incidents (with and without a victim) has remained stable. What’s interesting are the peaks in November 2006 and particularly in April 2007. The question is: how can we have three times more phishing sites than identified attacks? The answer is called RockPhish.

To understand it better, we will expand upon the previous example and look at the intermediate single-flux and double-flux methods.

In single-flux, the criminal has just one domain. Thanks to an unscrupulous access provider, he manages his own domain name server. The criminal also has a network of compromised machines available to him, which he uses as a platform to relay between the victims and his site. The use of very short DNS expiry dates linked to a round-robin technique involving many zombie machine IP addresses allows him to continually change the fictitious physical address used to reach the mirror site.

The latter is therefore even better protected.

When the victim tries to reach the mirror site, a request is sent to the name server with authority over the zone.

The lifespan of the address being no more than a few minutes, there is generally no cached solution. The criminal’s name server is therefore checked. The IP address of one of the bots is sent back to the victim. During the several minutes of the transaction, it will relay the traffic and then disappear, making it more difficult to locate and therefore neutralize key sites.

Here is an example of an online casino site using single-flux technique:

My Windows dig (Domain Information Groper) version shows some distinctive network features: the expiration dates here are very short, and the IP addresses are very varied. This is the mark of a camouflage using the single-flux technique.

The next post will show how a double-flux network works and, after that, a RockPhish network.
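The two dig observations described in these posts (short expiry dates with widely varied addresses for single-flux, plus changing name-server addresses for double-flux in Part 2) can be turned into a detection check. The following is an added example, not code from the original posts; the domain, the addresses and both thresholds are constructed assumptions.

```python
import ipaddress

MAX_FLUX_TTL = 600  # assumption: the 10-minute TTL seen in Part 2, used as cut-off
MIN_NETWORKS = 3    # assumption: answers spread over >= 3 distinct /16 networks

def parse(answer):
    """Turn dig-style 'name ttl class type rdata' lines into (name, ttl, type, rdata)."""
    lines = (l.strip() for l in answer.splitlines())
    rows = (l.split(None, 4) for l in lines if l and not l.startswith(";"))
    return [(n.lower().rstrip("."), int(ttl), t, d.lower().rstrip(".")) for n, ttl, _, t, d in rows]

def addresses(recs, names):
    """Return (set of IPs, lowest TTL) for the A records owned by any of `names`."""
    hits = [(d, ttl) for n, ttl, t, d in recs if t == "A" and n in names]
    return {ip for ip, _ in hits}, min((ttl for _, ttl in hits), default=0)

def fluxing(first, second, names):
    """True when the A records are short-lived, rotate between snapshots and are scattered."""
    (ips1, ttl1), (ips2, ttl2) = addresses(first, names), addresses(second, names)
    if not ips1 or not ips2:
        return False
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips1 | ips2}
    return max(ttl1, ttl2) <= MAX_FLUX_TTL and bool(ips2 - ips1) and len(nets) >= MIN_NETWORKS

def classify(domain, answer1, answer2):
    """Compare two lookups of `domain` taken minutes apart and label the flux pattern."""
    domain = domain.lower().rstrip(".")
    first, second = parse(answer1), parse(answer2)
    ns_names = {d for n, _, t, d in first + second if t == "NS" and n == domain}
    web, ns = fluxing(first, second, {domain}), fluxing(first, second, ns_names)
    if web and ns:
        return "double-flux"
    return "single-flux" if web else "name-server flux only" if ns else "stable"

# Constructed sample: two dig-style answers for one name, minutes apart
# (example domain, RFC 5737 documentation addresses).
DOUBLE_1 = """
site.example.      600 IN A  192.0.2.21
site.example.      600 IN A  198.51.100.40
site.example.      600 IN NS ns1.site.example.
ns1.site.example.  600 IN A  203.0.113.9
ns1.site.example.  600 IN A  192.0.2.200
"""
DOUBLE_2 = """
site.example.      600 IN A  203.0.113.77
site.example.      600 IN A  192.0.2.99
site.example.      600 IN NS ns1.site.example.
ns1.site.example.  600 IN A  198.51.100.3
ns1.site.example.  600 IN A  203.0.113.150
"""

if __name__ == "__main__":
    print(classify("site.example", DOUBLE_1, DOUBLE_2))
```

Legitimate content-delivery networks also use short TTLs and rotating addresses, so a hit from this check is a lead for investigation rather than a verdict.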