October 8, 2008 4:28 PM PDT

How botnets use 'bullet-proof' domains

by Robert Vamosi

Botnets are proving to be more resilient and harder to shut down.

That's largely due to increased use of techniques that obscure a botnet's domain by constantly remapping it to different bots within the network, according to a recently released study (PDF).

The study's authors, Jose Nazario of Arbor Networks and Thorsten Holz of the University of Mannheim, tracked the traffic of 900 fast-flux domain names used by botnets within the first six months of 2008. "Fast-flux" is a term to describe how the botnets use constant changes in the mapping of the hard-coded domain name to different bots within the network. This makes it difficult for law enforcement to identify the main server and shut it down. It also adds a layer of anonymity to those operating the botnet, since the infected computers used can be located worldwide.
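
The remapping described above is visible to defenders in passive-DNS data. The following Python example is added here for illustration and is not from the article or the study; the sample records, the thresholds, and the choice of /16 prefixes and short TTLs as signals are assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed passive-DNS sightings: (epoch seconds, domain, A record, TTL).
# Names use the reserved .example TLD; addresses are private-range stand-ins.
OBSERVATIONS = [
    (0, "flux.example", "10.1.4.20", 180),
    (300, "flux.example", "10.7.9.13", 180),
    (600, "flux.example", "10.22.1.5", 120),
    (900, "flux.example", "10.40.8.77", 180),
    (1200, "flux.example", "10.63.2.9", 180),
    (0, "cdn.example", "10.9.0.1", 60),
    (300, "cdn.example", "10.9.0.2", 60),
    (600, "cdn.example", "10.9.1.3", 60),
    (900, "cdn.example", "10.9.1.4", 60),
    (0, "stable.example", "10.5.0.10", 86400),
    (1500, "stable.example", "10.5.0.11", 86400),
]

# Assumed thresholds for illustration; tune against your own resolver logs.
MIN_DISTINCT_IPS = 4
MIN_DISTINCT_NETS = 3
MAX_MEDIAN_TTL = 600

def summarize(observations):
    """Collect per-domain features: distinct IPs, distinct /16s, seen TTLs."""
    features = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for _ts, domain, ip, ttl in observations:
        entry = features[domain.lower().rstrip(".")]
        entry["ips"].add(ip)
        # A /16 is a rough stand-in for "a different network"; ASN data is better.
        entry["nets"].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        entry["ttls"].append(ttl)
    return features

def flag_fast_flux(observations):
    """Return domains whose A records rotate across many networks on short TTLs."""
    flagged = []
    for domain, f in summarize(observations).items():
        if (len(f["ips"]) >= MIN_DISTINCT_IPS
                and len(f["nets"]) >= MIN_DISTINCT_NETS
                and median(f["ttls"]) <= MAX_MEDIAN_TTL):
            flagged.append(domain)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_fast_flux(OBSERVATIONS))
```

The `cdn.example` rows show why IP count and TTL alone are not enough: a load-balanced site also rotates addresses on short TTLs, but stays inside one network, so it is not flagged.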

The study found that fast-flux botnets were often active for a few hours to a few months. The domains that were used were registered, but sometimes lay dormant for several months. The online fraud and crime most associated with these botnets included phishing sites, pharmacy sites, and malware distribution sites.

The authors also found some botnets to be "promiscuous," harboring hundreds of domain names associated with them.

The information in the report has been shared previously with industry groups such as Forum for Incident Response and Security Teams and Internet Corporation for Assigned Names and Numbers (ICANN). This is the study's first public availability, and it was released to coincide with Malware 2008, which is being held Tuesday and Wednesday in Alexandria, Va.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
by CmdrRickHunter October 8, 2008 5:02 PM PDT
Botnets are an organic force. You can't use the rock moving tools to move insects off your crops; you can't use static tools to attack organic botnets. In fact, the harder we push, the smarter bot nets become. See Storm's attacks on hosts who were known botnet fighters, DDOSing their servers and uplinks. Even worse, these are organic systems which have truly brilliant minds behind them.
by Lerianis October 8, 2008 5:50 PM PDT
Yeah, and the thing I don't understand is why these 'brilliant minds' are not putting their intelligence to good use, that would get them more money than a botnet ever would.... oh, I know: because the criminals who are ALREADY in the businesses these people want to break into would try to say that their new inventions are covered by their patents and litigate them into submission.
by n3td3v October 8, 2008 6:03 PM PDT
anti-virus security professionals by day, bot net criminals by night.
by spicyloogie October 8, 2008 11:13 PM PDT
Yup, it's going to be a hell of a fight. Bots are now willing victims that use those "designer o.s." like windows black edition that they give away with lots of free stuff in it. That black 8th edition doesn't even try to hide what's in it. You can plainly see in the registry what's really up.