06/03/2009

another fastflux .be botnet bites the dust

After contacting the FCCU (the cybercrime police in Belgium) when I saw the first of what is probably a series of new .be domains being used in a fastflux botnet monitored by Arbor Networks (thanks for the access, by the way :)), the Belgian police, the judiciary and the DNS operator of the .be domain name took immediate action.

They have put them in quarantine and they are out of order: no DNS resolution.

This is in fact not a definitive solution, because the ballgame will change once these botnet masters start setting up their own DNS infrastructure or mechanism. Some say this is impossible or hard to do, but that has been said about many things that have since become normal in cybercrime. And there is more money, more resources and more knowledge in cybercrime than we can imagine. The only things going for us at the moment are that the cybergangs don't work together and, on the other side, that the white economy is far more important and promising than the black online economy, so that owners of infrastructure can be put under enormous pressure to cut their ties to the cybergangs or be cut off from the web and lose everything. The community did it already a few times last year and will probably have to do it a few times more.

Meanwhile, while waiting for the promised CERT in Belgium, this little guy tries to do some things to keep the .be domain safe. Any information is always welcome, as is access to databases or network monitors that contain Belgian information. As you can see, we try to do useful things with it.

This is the THIRD .be botnet or phishing operation that has been killed effectively within a matter of hours after detection since the beginning of 2009. I thank the FCCU and Arbor Networks for their trust. I personally think this is worth it.

Volunteers for the belsec operation are always welcome: some writing, or just updating or indexing, or researchers. I only have so many hours a day.

This one popped up today in the botnet listings, but too late: it has already been quarantined by DNS.be.

bo73


06/02/2009

new fastflux .be campaign starting with also fastflux registration

On the website http://insecure.skynetblogs.be you will find 4 new .be websites that were found by Arbor Networks.

What is surprising this time, and what makes the take-down and discovery process more difficult, is that each domain name seems to have been registered by someone else through a different channel.

Except that they are all more or less using the same basic infrastructure. But it will take some work to find a workable strategy to filter registrations based upon the kind of infrastructure one wants to use (this means that ICANN would have to certify good, secure installations and typical malware installations). Just as bringing down some local hosters last year made a huge difference to the malware presence, certifying the domain server and domain registration handlers can put up another barrier against cybercrime.


04/21/2009

DNS.Be still monitoring the tests of fast flux botnet

At the beginning of this year DNS.Be, together with the FCCU (federal computer crime unit) and Arbor Networks, set up a permanent procedure to take down immediately any .be domain name being used in a fast flux botnet.

This is not a luxury once your domain name has been tested: when, after a few months of silence, some new .be domain names popped up in the listings of the fastflux botnet (.be being close to the .eu domain extension), they immediately took the necessary actions to take down the .be domain names.

This cat and mouse game will go on as long as they keep on trying, until they are fed up and just use those domain names that don't have such a monitoring and immediate take-down service set up.

Does your domain extension management have that? No? Maybe you are the next one ...

The domain extensions that are being used are .cn, .com, .net, .ru, .tk, and some .tv, .mobi, .jp.

What do you need to do? First, be sure that after malicious use of sold domain names they can be taken down immediately by the domain extension servers based upon the conditions of sale. Secondly, have a form that the cyber police or CERT can send you to ask the domain extension management to take down that site because of malicious activity. Thirdly, have the technical means to do that in a very short time-frame.
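The posts above describe spotting .be domains in fast-flux botnet listings and feeding them into a take-down procedure, but not how such a listing decides a domain is fast-flux in the first place. The following is an added example, not code from belsec, DNS.be, the FCCU or Arbor Networks: it applies the usual fast-flux heuristics (short TTLs, many distinct A records over repeated lookups, those addresses spread across several /16 networks, and a high rate of new addresses per lookup) to a series of DNS lookup snapshots. All domain names, addresses and thresholds are constructed for illustration; real listings would also weigh ASN diversity, reverse DNS and whois data, which this example leaves out.

```python
"""Fast-flux heuristic over repeated DNS lookups (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Lookup:
    ts: int              # seconds since the first lookup of this name
    ttl: int             # TTL (seconds) returned with the A records
    a_records: tuple     # A records returned by this lookup


# Illustrative thresholds (assumptions, not values from the page):
MAX_TTL = 300            # fast-flux names keep TTLs short so members rotate quickly
MIN_DISTINCT_IPS = 10    # many distinct addresses seen over the observation window
MIN_DISTINCT_16 = 3      # spread over several /16 networks (botnet members, not one hoster)


def flux_features(lookups):
    """Summarise a series of lookups of one name into the heuristic features."""
    seen = set()
    new_per_lookup = []
    for lk in lookups:
        ips = set(lk.a_records)
        new_per_lookup.append(len(ips - seen))   # addresses never returned before
        seen |= ips
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in seen}
    # churn: share of records in later lookups that were new at the time they appeared
    later_records = sum(len(lk.a_records) for lk in lookups[1:])
    churn = sum(new_per_lookup[1:]) / later_records if later_records else 0.0
    return {
        "min_ttl": min(lk.ttl for lk in lookups),
        "distinct_ips": len(seen),
        "distinct_16": len(prefixes),
        "churn": churn,
    }


def is_fast_flux(lookups):
    """All three heuristics must fire; a CDN with a short TTL but one network stays clean."""
    f = flux_features(lookups)
    return (f["min_ttl"] <= MAX_TTL
            and f["distinct_ips"] >= MIN_DISTINCT_IPS
            and f["distinct_16"] >= MIN_DISTINCT_16)


# Constructed observations using RFC 5737 documentation ranges.
FLUX_LOOKUPS = (  # short TTL, addresses rotating across three networks
    Lookup(0,   180, ("192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.7", "203.0.113.8")),
    Lookup(300, 180, ("192.0.2.12", "198.51.100.6", "198.51.100.5", "203.0.113.9", "192.0.2.10")),
    Lookup(600, 180, ("192.0.2.13", "198.51.100.7", "203.0.113.10", "203.0.113.11", "198.51.100.6")),
    Lookup(900, 180, ("192.0.2.14", "192.0.2.15", "198.51.100.8", "203.0.113.12", "203.0.113.7")),
)
CDN_LOOKUPS = (   # short TTL and some rotation, but everything inside one /16
    Lookup(0,   60, ("203.0.113.20", "203.0.113.21", "203.0.113.22", "203.0.113.23")),
    Lookup(60,  60, ("203.0.113.24", "203.0.113.25", "203.0.113.20", "203.0.113.21")),
    Lookup(120, 60, ("203.0.113.26", "203.0.113.27", "203.0.113.22", "203.0.113.23")),
)
STABLE_LOOKUPS = (  # ordinary hosting: long TTL, same two addresses every time
    Lookup(0,    3600, ("198.51.100.40", "198.51.100.41")),
    Lookup(3600, 3600, ("198.51.100.40", "198.51.100.41")),
    Lookup(7200, 3600, ("198.51.100.40", "198.51.100.41")),
)


def triage(observations):
    """Map each observed name to a verdict; flagged names would go into the take-down form."""
    return {name: ("fast-flux" if is_fast_flux(lk) else "clean")
            for name, lk in observations.items()}


if __name__ == "__main__":
    sample = {  # constructed placeholder names
        "flux-placeholder.be": FLUX_LOOKUPS,
        "cdn-placeholder.be": CDN_LOOKUPS,
        "stable-placeholder.be": STABLE_LOOKUPS,
    }
    for name, verdict in triage(sample).items():
        print(f"{name:24s} {verdict:10s} {flux_features(sample[name])}")
```

The CDN case is the caveat worth keeping in mind when automating such listings: content delivery networks also answer with short TTLs and rotate addresses, so a TTL threshold alone would produce take-down requests against legitimate sites; requiring diversity across networks (and, in practice, across ASNs) is what separates a botnet of infected home machines from one hoster's load balancing.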
