Ever-changing Obscuring Methods Making Botnets Hard to Disable

Botnets that obscure their domain addresses by continuously remapping them to different bots on the network are becoming harder to stop, suggests a new study by Arbor Networks' Jose Nazario and University of Mannheim's Thorsten Holz. CNET News reported this on October 8, 2008.

For the study, the researchers tracked the Web traffic of 900 fast-flux domain addresses that botnets used during the first half of 2008. According to the security specialists, fast-flux, i.e. the botnet creators' constantly changing methods, makes it difficult for law enforcement agencies to identify the key server and disable it. It also provides anonymity to the botnets' operators, as the computers infected and added to the botnet could be located anywhere in the world.

Moreover, the research found that botnets using fast-flux methods were mostly operational for only some hours over a couple of months. Although the domains used were registered, they sometimes remained inactive for a number of months. Online crime and fraud that emanated mostly from these botnets involved malware distribution websites, phishing sites and pharmacy sites.

Furthermore, the study revealed that hosts included in fast-flux botnets are highly indiscriminate, sometimes having a large number of associated domain names because many operating fast-flux botnets use numerous names. However, DNS investigation, which is frequently used to probe the activities of fast-flux botnets, does not seem to be a reliable and effective way to measure a bot network's size. The study could identify only 1% of the bots in the Storm botnet, and the researchers could not determine the sizes of other bot networks to make comparisons.
Meanwhile, the problem of fast-flux is of a much smaller order than is generally assumed, and just a few thousand hosts are at play worldwide at any given point in time. However, the monetary worth of these criminal acts is quite significant. The security specialists also believe that it might be possible to identify the dormant domain names resembling the operational fast-flux names during the period between their registration and operation, as well as to actively disable them.

SPAMfighter News - 16-10-2008














