Re: [nznog] Cloaked SPAM hosting service
On 25 Oct 2003 12:00:07 +1300 (NZDT) Simon Byrnand
Correct me if I'm wrong but isn't this idea just a reverse proxy farm?
From what investigators have seen there is more to this exploit than just a reverse-proxy. I'm reluctant to say too much, even here, since investigations are continuing. The previous well-reported exploit which was known as "Super-Zonda" simply packaged reverse-proxying with a set of custom DNS tricks designed so that only the designated proxies could get the IP address of the real source of the website.
Two strains of virus - "Fizzer" and "Sobig" each deliver a payload that compromises the infected computer, and in many cases the compromise can survive normal "cleansing" operations. This leaves a suite of abusive tools on the victim's computer that can, without the owner's knowledge or permission, be used by the attacker.

Fizzer is known to install a spam sender and Denial-of-Service module, both of which "phone home" and listen for remote instructions. This means they can lie dormant for days, even weeks, without being activated. When they are activated to spam, they will usually only send out a small quantity of messages at one time, and then become silent again; the whole point is that as there are so many of them available to the spammer, there is no need for any one infected machine to send any great quantity.

This, in turn, means that it is unlikely to trigger any traffic-based alarms, and any spam reports which reach abuse desks - if they even get that far - will often be treated as either misdirected or ill-informed, because "if it really was a spam source there would inevitably be many more complaints". That is exactly what the malware-writer intended ISPs to think, so don't be caught by it!

Some Abuse desks may even go as far as looking for any open ports, and finding none, will take the view that the machines are secure. Not so! As all the trojans "phone home" for their instructions, there will not be any need for open ports, and none to find. The trojan may open some ports when ordered to, but generally will appear to be completely locked down (well, as much as any Windows machine can be!).

There is one thing I want to stress here, as many of you will have no doubt read about the various DDoS attacks on various targets - Cisco, and some of the anti-spam resources being the ones that got publicity. If you get (a small number of) reports of spamming from a customer IP and you are tempted to disbelieve or ignore those reports, please don't. Regardless of your views on spam, those reports may be the only warning you will get that you have a malware-attacked box on your netblock, and that box is then fully equipped and ready to take part in a Distributed Denial of Service (DDoS) attack on a target at a moment's notice.

| Sounds like the author of the article doesn't understand round robin
| dns, expressing surprise that every time they checked the site the ip
| address was different...(well duh :)

Er, no. That's not the primary point of this exploit, even though Round Robin DNS is certainly used in it. Remember - we are talking about large quantities of boxes here, and a different zombie can be activated in seconds. The compromised machines are able to act as DNS servers as well as web servers - and they do.

The key is that the DNS servers are in the .biz TLD and that registry offers its customers the ability to update their DNS in real time, rather than having to wait for a timed update as with the .com/.net environment. Thus as machines are booted, come online, and "phone home", some of them are put in the queue for their IPs to be sent to the root .biz servers. Anyone monitoring the zonefiles for the latest .biz domain that these spammers are using (they change domains regularly, of course ...) will see the IPs of both the nameservers and A records change on a regular basis, and the location of those IPs will tend to follow the sunrise - so at one time of day there will be some in Europe, a few hours later they will mostly be on the US East Coast, later the US West Coast, and some hours after that NZ, then Australia, then Japan, and so on.
In other words said spammers host the actual site on a real server somewhere, use round robin dns with hundreds (?) of dns entries pointing to different hijacked computers, that then forward the requests to the real servers as a reverse proxy.
If they did that, the operation could be closed down by terminating (or bogussing) all the DNS servers that hold the round-robin DNS list. As ordinary user machines (mainly broadband) are being used as these servers, they can change almost as often as the A records do, and so any that are disabled are immediately replaceable. While admittedly tempting, it is hardly practical to bogus out the entire .biz root!

The contact details for the domains used in this exploit vary from "suspicious" to "proven fake" but you could say the same about rather a lot of domains at the moment. The ICANN promises of a clean-up have not materialised, and given ICANN's (lack of) authority in general, some would say that any clean-up can only be cosmetic until there is general international agreement to enforce new rules.

What may be of interest is that quite a few of these domains we've looked into turned out to have been registered with "DomainDiscover" in San Diego, USA (http://www.domaindiscover.com/). Even if DomainDiscover closed down all those domains immediately, the spammers would just move across to another Registrar and carry on. The only effective way to stop THIS particular exploit would need the root .biz registry to be persuaded to withdraw the real-time DNS updating feature in .biz. You may well conjecture on the likelihood of that ever happening!

The zombies installed by the SoBig series of viruses also install an FTP server (TFTP) on first infection, which is used to fetch the rest of the SoBig payload some days later, and that means that absolutely anything can be subsequently downloaded to those machines - so unless you actually remove the infection and compromise, a machine that scans as completely clean today may be a Webserver serving up kiddie-porn by this time tomorrow.

Yes, Tikiri, this one *is* more alarming.

-- Richard Cox Mandarin
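A sketch of the zone monitoring described in the message above, as an added example that is not part of the original post: it compares successive polls of a domain's A records and nameserver addresses, so that ordinary round-robin DNS (the same set each time) scores as stable while sets that are replaced between polls are flagged. The domains, addresses, six-hour poll spacing and 0.5 threshold are constructed for illustration.

```python
from collections import defaultdict

def rows(domain, kind, per_poll):
    """Expand {poll_hour: [addresses]} into (hour, domain, kind, address) tuples."""
    return [(h, domain, kind, a) for h, addrs in per_poll.items() for a in addrs]

# Constructed sample data: reserved example domains, documentation address ranges.
# kind "A" = web address record, "NS" = address of a listed nameserver.
OBSERVATIONS = (
    # Ordinary round robin: answer order varies, but the set never changes.
    rows("cdn.example", "A", {0: ["192.0.2.1", "192.0.2.2"],
                              6: ["192.0.2.2", "192.0.2.1"],
                              12: ["192.0.2.1", "192.0.2.2"]})
    + rows("cdn.example", "NS", {0: ["192.0.2.53"], 6: ["192.0.2.53"], 12: ["192.0.2.53"]})
    # Rotating hosts: web addresses and nameserver addresses are both replaced.
    + rows("promo.example", "A", {0: ["198.51.100.7", "198.51.100.8"],
                                  6: ["203.0.113.20", "198.51.100.8"],
                                  12: ["203.0.113.41", "203.0.113.42"]})
    + rows("promo.example", "NS", {0: ["198.51.100.53"], 6: ["203.0.113.53"],
                                   12: ["203.0.113.99"]})
)

def snapshots(observations):
    """Group observations into {domain: {kind: {poll_hour: set(addresses)}}}."""
    snaps = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for hour, domain, kind, addr in observations:
        snaps[domain][kind][hour].add(addr)
    return snaps

def churn(polls):
    """Mean fraction of each poll's addresses that were absent from the previous poll."""
    ordered = [polls[h] for h in sorted(polls)]
    if len(ordered) < 2:
        return 0.0  # nothing to compare against
    rates = [len(cur - prev) / len(cur) for prev, cur in zip(ordered, ordered[1:])]
    return sum(rates) / len(rates)

def classify(observations, threshold=0.5):
    """Return {domain: (A churn, NS churn, verdict)}; threshold is an assumed cut-off."""
    result = {}
    for domain, kinds in snapshots(observations).items():
        a, ns = churn(kinds["A"]), churn(kinds["NS"])
        flags = [k for k, v in (("A", a), ("NS", ns)) if v >= threshold]
        verdict = " and ".join(flags) + " rotating" if flags else "stable"
        result[domain] = (round(a, 2), round(ns, 2), verdict)
    return result

if __name__ == "__main__":
    for name, info in classify(OBSERVATIONS).items():
        print(name, info)
```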
Thanks Richard

Just thinking out loud here, but could the dial home function be the weak link here?
From what I've seen on this the dial home is implemented either by DNS or by IP. What if home was blackholed, whether IP or DNS? Even if they have built in a series of homes into the trojans and an auto update valid list of homes function, reverse engineering the code and blackholing all known homes should at least put a big dent in the spam service. The only choice left for the spammers would be to change their software to use the concept of headless peer to peer networks to keep an updated list of home(s). Even in this case network level blocks on the peer to peer traffic should effectively disable it.