botnet

  • Finally DNS.BE took the fast-flux botnets out immediately

    In January we tried to get enough attention from dns.be and the FCCU to take a .be fast-flux botnet out of order. It took some time and convincing, but with help from Arbor Networks and some important commercial arguments (the effects it would have on the whole .be domain), dns.be, the FCCU and Arbor Networks have set up procedures and other contacts to be able to react swiftly if this should happen again.

    It happened again yesterday. When I saw it this morning I started mailing around in the hope that it wouldn't take days or weeks to get these new sites blocked.

    Today, one day later, the sites have been taken offline by blocking at the root level of the domain extension. This is an example of how security researchers, cyber police, justice and service providers (dns.be) can work together swiftly and legally to sabotage the networking and criminal activities of these botnets, even if one knows that it will be very hard to prosecute them. But if we can kill their networks and sites immediately, that is already a good thing to start with.

    This is the list from Arbor Networks (by the way, these guys will be at infosecurity.be on the 25th and 26th and are also giving a presentation there, something not to miss if you work in network security and anti-cybercrime).

    By the way, we are interested in any Belgian data or information ...... 

    This is the list to block; as usual, more information will follow. Block them:

    ifiii.be
    ifiil.be
    ifill.be
    iflil.be
    ikiii.be
    iklil.be
    ipiii.be
    ipiil.be
    ipill.be
    iplil.be
    itiil.be
    lkiil.be
    lpiil.be
    modestd02.be
    restoredir01.be
    restoredir03.be
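
    As an added example (not code from the original post, from dns.be or from Arbor Networks), here is how an operator could apply this list on their own resolvers: match BIND-style query-log lines against it (including subdomains and case or trailing-dot variations), count hits per internal client for follow-up, and render a BIND response policy zone (RPZ) that returns NXDOMAIN for each listed name and its subdomains. The log lines, the client addresses and the zone name rpz.local are constructed assumptions; the domain list is the one published above.

```python
"""Apply the published block list locally: scan DNS query logs for hits and
emit a BIND RPZ (response policy zone) fragment that NXDOMAINs the names.
Added example; log lines, client IPs and the zone name are constructed."""
import re
from collections import Counter
from typing import List, Optional, Tuple

# The block list exactly as published in the post.
BLOCKED_DOMAINS = [
    "ifiii.be", "ifiil.be", "ifill.be", "iflil.be", "ikiii.be", "iklil.be",
    "ipiii.be", "ipiil.be", "ipill.be", "iplil.be", "itiil.be", "lkiil.be",
    "lpiil.be", "modestd02.be", "restoredir01.be", "restoredir03.be",
]

# Constructed BIND query-log lines (not real traffic). Note the mixed case,
# trailing dot, a subdomain and a look-alike that must NOT match.
SAMPLE_LOG = [
    "client 10.0.0.5#51234: query: www.ifiii.be IN A + (10.0.0.1)",
    "client 10.0.0.7#40001: query: IPILL.BE. IN A + (10.0.0.1)",
    "client 10.0.0.9#33210: query: example.be IN A + (10.0.0.1)",
    "client 10.0.0.5#51235: query: notifiii.be IN A + (10.0.0.1)",
]

# Approximate shape of a BIND query-log entry: "client IP#port: query: NAME IN TYPE ..."
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'IPILL.BE.' and 'ipill.be' compare equal."""
    return name.strip().rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKED_DOMAINS) -> Optional[str]:
    """Return the block-list entry that qname equals or is a subdomain of, else None.

    The suffix check uses '.' + domain so that 'notifiii.be' does not match 'ifiii.be'.
    """
    q = normalize(qname)
    for dom in blocklist:
        d = normalize(dom)
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_query_log(lines, blocklist=BLOCKED_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched block-list entry) for every hit in the log."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line; ignore
        matched = is_blocked(m.group("qname"), blocklist)
        if matched:
            hits.append((m.group("client"), normalize(m.group("qname")), matched))
    return hits


def client_hit_counts(hits) -> Counter:
    """Count hits per internal client, i.e. which hosts tried to reach the listed names."""
    return Counter(client for client, _, _ in hits)


def rpz_zone(blocklist=BLOCKED_DOMAINS, zone="rpz.local") -> str:
    """Render an RPZ zone: 'name CNAME .' is the RPZ action that answers NXDOMAIN.

    Both the apex name and a wildcard are listed so subdomains are covered too.
    """
    out = [
        "$TTL 300",
        f"@ IN SOA {zone}. hostmaster.{zone}. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for dom in blocklist:
        d = normalize(dom)
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for client, qname, matched in scan_query_log(SAMPLE_LOG):
        print(f"{client} queried {qname} (blocked via {matched})")
    print(client_hit_counts(scan_query_log(SAMPLE_LOG)))
    print(rpz_zone())
```

    The RPZ output is meant to be loaded as a policy zone on the resolver (in BIND via the response-policy option); the log scan is the retrospective check for which internal hosts already looked these names up before the zone was in place.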

    These are in phishtank.com for yesterday:

    ifiii.be
    ipill.be
    itiil.be
    iklil.be
    ipiii.be
    ifiil.be
    lfiil.be

    Some of these are used several times.

    We can confirm that for the moment it is not yet possible for these botnets to get around this blocking of their sites at the root level. Maybe they would have to become bot-internets with their own DNS infrastructure to be able to do this.

    I hope that now everyone knows that the bad guys are trying it again, just to test if they can pull this off again, and will keep a close eye on the listings that the honeypots from Arbor Networks are making available.

    Other domain extensions that, according to Arbor Networks, are being used are .tv, .cn (massively), .com, .net, .ch, .lv, ....