Cybercriminal Networks are Very Sophisticated
RiskAnalytics recently released the report, Dark Cloud Network Facilitates Crimeware, which describes an extensive fast flux network, known as Zbot, that is every bit as sophisticated as any commercial-grade cloud network. This network has been used to sell stolen credit card information and host malware like ransomware, credential stealers, and other software that facilitates fraud.
According to the report, RiskAnalytics encountered a botnet in July 2014 that stood out in the way it could defeat IP address-blocking mechanisms and yet still remain active. It would take a domain name that was part of the network and refresh its DNS information every 2.5 minutes. This technique is what the ‘fast flux’ term refers to.
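The refresh pattern described above is something a defender can look for in passive-DNS or resolver logs. The following is an added example, not code from the report or from RiskAnalytics: it scores each domain on low TTLs, the number of distinct IPs, the number of distinct /24 prefixes, and how often the answer changes between consecutive lookups. The domain names, IPs and 150-second spacing are constructed sample data.

```python
"""Fast-flux heuristic over passive-DNS style observations (constructed sample data)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: (unix_time, domain, answer_ip, ttl_seconds). The first domain
# changes its answer every 150 s, mirroring the 2.5-minute refresh the report describes.
OBSERVATIONS = [
    (0,   "flux-example.test", "203.0.113.10",  150),
    (150, "flux-example.test", "198.51.100.22", 150),
    (300, "flux-example.test", "192.0.2.77",    150),
    (450, "flux-example.test", "203.0.113.81",  150),
    (600, "flux-example.test", "198.51.100.9",  150),
    (0,   "static-example.test", "93.184.216.34", 86400),
    (150, "static-example.test", "93.184.216.34", 86400),
    (300, "static-example.test", "93.184.216.34", 86400),
]

def summarize(observations):
    """Per domain: distinct IPs, distinct /24 prefixes, minimum TTL, answer changes."""
    per_domain = defaultdict(lambda: {"ips": set(), "prefixes": set(),
                                      "min_ttl": None, "changes": 0, "last": None})
    for _, domain, ip, ttl in sorted(observations):   # time order per domain
        d = per_domain[domain]
        d["ips"].add(ip)
        d["prefixes"].add(str(ip_network(f"{ip}/24", strict=False)))
        d["min_ttl"] = ttl if d["min_ttl"] is None else min(d["min_ttl"], ttl)
        if d["last"] is not None and d["last"] != ip:
            d["changes"] += 1                          # answer differs from previous lookup
        d["last"] = ip
    return per_domain

def fast_flux_score(stats, ttl_threshold=300, min_ips=3, min_prefixes=2):
    """One point per indicator; thresholds are assumptions, tune them to your data."""
    score = 0
    if stats["min_ttl"] is not None and stats["min_ttl"] <= ttl_threshold:
        score += 1                                      # short TTL forces frequent re-resolution
    if len(stats["ips"]) >= min_ips:
        score += 1                                      # many distinct answers
    if len(stats["prefixes"]) >= min_prefixes:
        score += 1                                      # spread across unrelated networks
    if stats["changes"] >= min_ips - 1:
        score += 1                                      # answers actually rotate over time
    return score

def flag_fast_flux(observations, threshold=3):
    """Return domains whose score meets the threshold, for analyst review."""
    return sorted(dom for dom, st in summarize(observations).items()
                  if fast_flux_score(st) >= threshold)
```

Legitimate CDNs and round-robin load balancers also return many IPs with short TTLs, so a hit here is a review queue entry, not a verdict.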
For those not familiar with DNS, it is the system that lets you type a human-friendly name like “youtube.com” and have it translated into a computer-friendly IP address, i.e. four numbers from 0-255 separated by periods, such as “126.96.36.199”. If the DNS records for a legitimate e-commerce business are unavailable for any significant length of time, that outage is the kiss of death, especially if the business uses its URL as a brand.
The report found that Zbot contained the usual malware: ransomware, spambots, distribution mechanisms, information stealers, and click fraud systems.
What’s especially troubling about this set of malware is that it passes along relatively undetected; the typical antivirus app is only 20 percent successful at detecting it. Malware creators frequently tweak the source code, resulting in slightly different executable code when compiled. This undermines antivirus strategies that examine executable code and look for certain patterns.
Also a part of Zbot is a group of sites that sell stolen credit card information, or carder sites. These sites function just like a legitimate e-commerce site, only they require payment in anonymous currency and often use characters from TV shows and cartoons for branding. The domains of these sites have been around for several years, and take advantage of the fast flux technique.
If there is any lesson to be learned from this report it is that you can’t have enough security in an enterprise environment. While users should follow the same warnings about opening attachments in emails or clicking links from an unknown source, organizations also need to have solutions that analyze malicious behavior and respond to it quickly, not just apps that look for executables matching a blacklisted profile. Cybercrime is big business, and as RiskAnalytics points out, it has reached the level where it functions much like publicly traded companies do.
Edited by Peter Bernstein