RE: Wired mag article on spammers playing traceroute games with trojaned boxes
-> I found one of these today, as a matter of fact. The spam was
-> advertising an anti-spam package, of course.
->
-> The domain name is vano-soft.biz, and looking up the address, I get
->
-> Name: vano-soft.biz
-> Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168,
-> 193.165.6.97, 12.229.122.9
->
-> A few minutes later, or from a different nameserver, I get
->
-> Name: vano-soft.biz
-> Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97,
-> 12.229.122.9, 12.252.185.129
->
-> This is a real Hydra. If everyone on the list looked up vano-soft.biz
-> and removed the trojaned boxes, would we be able to kill it?
->
-> --Chris

I got:

Canonical name: vano-soft.biz
Addresses: 165.166.182.168
           193.92.62.42
           200.80.137.157
           12.229.122.9
           12.252.185.129

I think even if we get all the ones for this domain name today, assuming we can muster even man hours to get it today, another 5000 will be added tomorrow. And looking at my list we have US (a very small ISP and a large ISP), RIPE, and LACNIC.

I wonder if the better question should be:

Can broadband ISPs require a Linksys, D-Link or other broadband router without too many problems?

That is what it will take to slow this down, and then only if ALL ISPs do it.

This not only affects this instance but global security as a whole. Just a few days ago, Cisco was taken offline by a large # of Zombies; I am willing to say that those are potentially some of the same compromised systems.

Thoughts?

Jim
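Chris's two lookups and Jim's third one show the same name rotating through hosts in several unrelated networks. The script below is an added example, not code posted by anyone in this thread: it turns repeated A-record snapshots into a simple fast-flux indicator (how many addresses, how many networks they span, and how many came or went between lookups). The snapshots reuse the addresses quoted above; their timings, the baseline domain (TEST-NET-2 addresses) and the thresholds are assumptions made for the example.

```python
"""Flag fast-flux style DNS behaviour from repeated A-record lookups.

Added example for this thread, not code posted by any participant. The
vano-soft.biz snapshots reuse the addresses Chris and Jim quoted; the
observation times, the baseline domain and the thresholds are assumptions.
"""
from __future__ import annotations

import ipaddress
import socket
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One resolver answer: when it was seen and the A records it carried."""
    observed_at: int            # seconds since the first lookup (constructed)
    addresses: frozenset[str]


# Constructed from the three lookups quoted in the thread. The first two
# differ only in order (plain round-robin); the third has swapped two hosts.
VANO_SOFT_SNAPSHOTS = [
    Snapshot(0, frozenset({"12.252.185.129", "131.220.108.232",
                           "165.166.182.168", "193.165.6.97", "12.229.122.9"})),
    Snapshot(300, frozenset({"131.220.108.232", "165.166.182.168",
                             "193.165.6.97", "12.229.122.9", "12.252.185.129"})),
    Snapshot(3600, frozenset({"165.166.182.168", "193.92.62.42",
                              "200.80.137.157", "12.229.122.9", "12.252.185.129"})),
]

# Constructed baseline: an ordinary site answering with the same three
# addresses from one /24 (TEST-NET-2) on every lookup.
BASELINE_SNAPSHOTS = [
    Snapshot(t, frozenset({"198.51.100.10", "198.51.100.11", "198.51.100.12"}))
    for t in (0, 300, 3600)
]


def distinct_addresses(snaps: list[Snapshot]) -> set[str]:
    """Every address seen in any snapshot."""
    return set().union(*(s.addresses for s in snaps))


def distinct_prefixes(addrs: set[str], prefix_len: int = 16) -> set[str]:
    """Collapse addresses to /prefix_len networks as a cheap stand-in for
    'how many unrelated networks host this name'. The thread counts ISPs and
    RIR regions by hand; an ASN lookup would be the production version."""
    return {str(ipaddress.ip_network(f"{a}/{prefix_len}", strict=False))
            for a in addrs}


def churn(snaps: list[Snapshot]) -> tuple[set[str], set[str]]:
    """Split addresses into those present in every snapshot and those that
    came or went between lookups."""
    seen = Counter(a for s in snaps for a in s.addresses)
    stable = {a for a, n in seen.items() if n == len(snaps)}
    return stable, set(seen) - stable


def assess(snaps: list[Snapshot], *, min_addresses: int = 5,
           min_prefixes: int = 3, min_transient: int = 1) -> dict:
    """Score one name. Thresholds are assumptions chosen for this example:
    many addresses, spread over several networks, with membership changing
    between lookups, is the pattern the thread calls a Hydra."""
    addrs = distinct_addresses(snaps)
    prefixes = distinct_prefixes(addrs)
    stable, transient = churn(snaps)
    return {
        "addresses": len(addrs),
        "prefixes_16": len(prefixes),
        "stable": len(stable),
        "transient": len(transient),
        "fast_flux_like": (len(addrs) >= min_addresses
                           and len(prefixes) >= min_prefixes
                           and len(transient) >= min_transient),
    }


def snapshot_now(name: str, observed_at: int) -> Snapshot:
    """Take a live snapshot with the stock resolver. Not used by the offline
    demo below; poll it in a loop with a delay to build real snapshots."""
    _, _, addrs = socket.gethostbyname_ex(name)
    return Snapshot(observed_at, frozenset(addrs))


if __name__ == "__main__":
    for label, snaps in (("vano-soft.biz", VANO_SOFT_SNAPSHOTS),
                         ("baseline", BASELINE_SNAPSHOTS)):
        print(label, assess(snaps))
```

Run as a script it prints both assessments: the vano-soft.biz snapshots yield seven addresses in seven /16s with four of them transient, the baseline three addresses in one network with none. Replacing the /16 collapse with an ASN lookup would match what the thread actually counts (ISPs and RIR regions) and is the obvious next step for anyone wiring this into a resolver log pipeline.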
At 12:01 PM 10/9/2003, McBurnett, Jim wrote:
-> I found one of these today, as a matter of fact. The spam was
-> advertising an anti-spam package, of course.
->
-> The domain name is vano-soft.biz, and looking up the address, I get
->
-> Name: vano-soft.biz
-> Addresses: 12.252.185.129, 131.220.108.232, 165.166.182.168,
-> 193.165.6.97, 12.229.122.9
->
-> A few minutes later, or from a different nameserver, I get
->
-> Name: vano-soft.biz
-> Addresses: 131.220.108.232, 165.166.182.168, 193.165.6.97,
-> 12.229.122.9, 12.252.185.129
->
-> This is a real Hydra. If everyone on the list looked up vano-soft.biz
-> and removed the trojaned boxes, would we be able to kill it?
->
-> --Chris
I got:

Canonical name: vano-soft.biz
Addresses: 165.166.182.168
           193.92.62.42
           200.80.137.157
           12.229.122.9
           12.252.185.129
I think even if we get all the ones for this domain name today, assuming we can muster even man hours to get it today, another 5000 will be added tomorrow. And looking at my list we have US (a very small ISP and a large ISP), RIPE, and LACNIC.
I wonder if the better question should be:
Can broadband ISPs require a Linksys, D-Link or other broadband router without too many problems?
That is what it will take to slow this down, and then only if ALL ISPs do it.
This not only affects this instance but global security as a whole. Just a few days ago, Cisco was taken offline by a large # of Zombies; I am willing to say that those are potentially some of the same compromised systems.
Thoughts?
Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here from time to time. Same as allowing people to host mail servers on cable modems or even allowing them to access mail servers other than the ISP's.

Vinny Abello
Network Engineer
Server Management
vinny@tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and those that don't.
Thursday, October 9, 2003, 9:19:37 AM, you wrote:

VA> Personally, I think preventing residential broadband customers from hosting
VA> servers would limit a lot of that. I'm not saying that IS the solution.
VA> Whether or not that's the right thing to do in all circumstances for each
VA> ISP is a long standing debate that surfaces here from time to time. Same as
VA> allowing people to host mail servers on cable modems or even allowing them
VA> to access mail servers other than the ISP's.

It's not like those customers are aware they are hosting servers; they most likely were exploited and are now unaware they are hosting websites.

Regards,
Joe Boyce

---
InterStar, Inc. - Shasta.com Internet
Phone: +1 (530) 224-6866 x105
Email: jboyce@shasta.com
At 12:31 PM 10/9/2003, Joe Boyce wrote:
Thursday, October 9, 2003, 9:19:37 AM, you wrote:
VA> Personally, I think preventing residential broadband customers from hosting
VA> servers would limit a lot of that. I'm not saying that IS the solution.
VA> Whether or not that's the right thing to do in all circumstances for each
VA> ISP is a long standing debate that surfaces here from time to time. Same as
VA> allowing people to host mail servers on cable modems or even allowing them
VA> to access mail servers other than the ISP's.
It's not like those customers are aware they are hosting servers; they most likely were exploited and are now unaware they are hosting websites.
Yes, that was kind of my point, although as a co-worker pointed out, many spamvertised sites run on alternate ports, so I guess that wouldn't really matter all that much anyway. So it wouldn't help if an unknowing host was hosting a web site on port 37241 which was sent as a link in spam... HTTP traffic can of course (as I'm surprised nobody's pointed out yet) run on a myriad of TCP ports just like practically any service.

Maybe going back to securing broadband networks would help somewhat as well... Of course everything boils down to the end user, which is what I've always believed in, but end users will not likely change the way they run their computers. Network operators oftentimes have to take some of these issues up by enforcing a policy for the good of the customer. I'm still not saying that it is RIGHT to do in all circumstances, but it's an option that logically would reduce some (not all by any means) of the problems out there with people having owned machines.

Vinny Abello
On Thu, 9 Oct 2003, Joe Boyce wrote:
VA> Personally, I think preventing residential broadband customers from hosting VA> servers would limit a lot of that. I'm not saying that IS the solution.
It's not like those customers are aware they are hosting servers; they most likely were exploited and are now unaware they are hosting websites.
That's obviously the case. No spammer has "thousands" of legitimately purchased DSL/Cable connections. The article pretty clearly says they're exploiting insecure Windows (isn't that redundant?) boxes.

Trouble is, how do you stop this? Just blocking common ports like 80 by default (unless the customer plans to actually run a web server and asks for the filter to be removed) won't work. The spammers can just as easily spam with URLs containing ports (http://blah.biz:8290/) if they find 80 is filtered or find that filtering has become common.

So other than waiting some infinitely long time for a secure out of the box version of Windows (and for everyone to upgrade), how do you stop this? Widespread deployment of reflexive access lists? Force all broadband customers to use NAT and let them forward ports or entire IPs to their private IP servers if they have any? Wait for the legal system to catch and prosecute a few people who do this and deter others from trying it? Convince registrars to kill domains that are clearly being used by thieves?

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
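Jon's point that a TCP/80 block is sidestepped by writing the port into the URL is easy to make concrete on an abuse desk. The snippet below is an added example, not code from anyone in this thread: it pulls every http(s) URL out of a message body, normalises each to the (host, port) pair a browser would actually connect to, and lists the ones an inbound port-80 filter at the hosting ISP would never see. The sample message is constructed; blah.biz:8290 and port 37241 are taken from the thread, the remaining hosts are reserved documentation names and a TEST-NET-2 address.

```python
"""List the host:port endpoints that spamvertised URLs actually point at.

Added example for this thread, not code from any participant. The sample
message is constructed; blah.biz:8290 and port 37241 come from the thread,
the other hosts are reserved documentation names.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Good enough for mail bodies: a URL runs until whitespace or a delimiter
# that commonly wraps links in text (angle brackets, quotes, parentheses).
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed spam sample. Note the mixed-case duplicate, the bracketed
# link and the URL with an impossible port number.
SAMPLE_SPAM = """\
Stop spam today! Visit http://vano-soft.biz/ now.
Mirror: http://blah.biz:8290/ or HTTP://BLAH.BIZ:8290/index.html
Secure order form: https://example.net/order
Pictures: <http://198.51.100.7:37241/gallery>
Broken link: http://example.org:99999/
"""


def spamvertised_endpoints(text: str) -> list[tuple[str, int]]:
    """Return the distinct (host, port) pairs reachable from the URLs in text,
    filling in the scheme default when no port is written. urlsplit lowercases
    both scheme and hostname, so case variants collapse to one endpoint."""
    found = set()
    for match in URL_RE.finditer(text):
        parts = urlsplit(match.group(0))
        if not parts.hostname:
            continue
        try:
            port = parts.port            # ValueError for ports outside 0-65535
        except ValueError:
            continue
        found.add((parts.hostname, port or DEFAULT_PORTS[parts.scheme.lower()]))
    return sorted(found)


def missed_by_port80_filter(endpoints: list[tuple[str, int]]) -> list[tuple[str, int]]:
    """Endpoints an inbound TCP/80 block at the hosting ISP would not touch."""
    return [endpoint for endpoint in endpoints if endpoint[1] != 80]


if __name__ == "__main__":
    endpoints = spamvertised_endpoints(SAMPLE_SPAM)
    for host, port in endpoints:
        print(f"{host}:{port}")
    print("not covered by a port-80 filter:", missed_by_port80_filter(endpoints))
```

On the constructed sample three of the four distinct endpoints sit on ports other than 80, which is the whole of Jon's argument in one run. The endpoint list is also the natural input for the resolver snapshots discussed earlier in the thread: resolve each host repeatedly and the rotating address sets fall out.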
Quoting jlewis@lewis.org (jlewis@lewis.org):
[snip]
it? Convince registrars to kill domains that are clearly being used by thieves?
From a post on NANE, here's what the registrar for vano-soft.biz had to say on Oct 1:
In order to terminate service of this domain name we will need a strong sampling of complaints. Please fax a complaint to 858.560.9417 and include your complaint, name, email address and any supporting evidence you have. It is not our intent to keep a domain active that promoted criminal activity but we do take the suspension of a domain name very seriously. Thank you in advance for your cooperation and I can assure you that your faxed complaint will be taken seriously.
Anyone with half a clue can see that vano-soft.biz is using a network of zombies. Obviously domaindiscover.com/buydomains.com has no clue.

I started the day with a few hundred bounces from vano-soft's spam runs due to forged sender addresses in one of my domains. I spent the rest of the day googling for case law that might be applied to the network operators providing connectivity to the trojaned boxes being used for illegal activities, identity theft. Didn't accomplish much except wasting the day.

John Capo
I can kinda agree with this idea for the most part. In past ISP environments I've worked in and had input in decisions, we did redirect SMTP traffic back to our mail servers or blocked outright access to mail servers outside our control, but there were always some special cases. Just as with stopping residential broadband customers from hosting servers: I know in my personal situation I do have servers hosted on my residential ADSL connection, but this is known by the provider and I'm also paying for a static subnet that they're hosted on.

I think for the general dynamically addressed broadband connections this might be a wise idea, but for those that are paying for static IPs or even static subnets those blocks should be left alone. Granted, this would probably include most cable modem and a fair amount of DSL customers.

Regards,
Jeremy T. Bouse

On Thu, Oct 09, 2003 at 12:19:37PM -0400, Vinny Abello wrote:
Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here from time to time. Same as allowing people to host mail servers on cable modems or even allowing them to access mail servers other than the ISP's.
On 9 Oct 2003, at 12:19, Vinny Abello wrote:
Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here from time to time. Same as allowing people to host mail servers on cable modems or even allowing them to access mail servers other than the ISP's.
"Hosting a server" looks very similar to "using an ftp client in active mode", "playing games over the network" or "using a SIP phone" to the network. Enumerating all permissible "servers" and denying all prohibited ones arguably requires an unreasonable shift of intelligence into the network. Allowing inbound connections by default and blocking specific types of traffic reactively has been demonstrated not to be an adequate solution, I think. A more aggressive policy of blocking all inbound connections (and analogues using connectionless protocols) essentially denies direct access between edge devices, which implies quite an architectural shift. I think it's more complicated than "prevent residential users from hosting servers". Joe
At 12:53 PM 10/9/2003, you wrote:
On 9 Oct 2003, at 12:19, Vinny Abello wrote:
Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here from time to time. Same as allowing people to host mail servers on cable modems or even allowing them to access mail servers other than the ISP's.
"Hosting a server" looks very similar to "using an ftp client in active mode", "playing games over the network" or "using a SIP phone" to the network. Enumerating all permissible "servers" and denying all prohibited ones arguably requires an unreasonable shift of intelligence into the network. Allowing inbound connections by default and blocking specific types of traffic reactively has been demonstrated not to be an adequate solution, I think.
A more aggressive policy of blocking all inbound connections (and analogues using connectionless protocols) essentially denies direct access between edge devices, which implies quite an architectural shift.
I think it's more complicated than "prevent residential users from hosting servers".
Absolutely, and I was just referring to certain things, not all inbound access. I mentioned before that it doesn't really make much sense with web hosting because the port can easily be changed, so it's not very effective at all. Blocking people from hosting mail servers that receive mail and can't send mail directly could be enforced much more easily than the web example, so my original thought doesn't really apply all that much to web stuff, but then again I stated I didn't say that IS the solution to anything. Just a thought that's been kicked around forever that we've all heard. :)

Vinny Abello
Vinny Abello wrote:
Personally, I think preventing residential broadband customers from hosting servers would limit a lot of that. I'm not saying that IS the solution. Whether or not that's the right thing to do in all circumstances for each ISP is a long standing debate that surfaces here from time to time. Same as allowing people to host mail servers on cable modems or even allowing them to access mail servers other than the ISP's.
The issue comes in defining a server. You can block <1024 access, but spammers don't have to reference port 80 in their emails. You can mandate NAT, but this breaks commonly used systems (especially for broadband) like DirectPlay. One of the selling points for broadband is gaming. Yet some gaming systems were designed to make connections both ways and dynamic port forwarding doesn't work in all scenarios.

-Jack
On Thu, 9 Oct 2003 12:01:35 -0400 "McBurnett, Jim" <jmcburnett@msmgmt.com> wrote:

| I think even if we get all the ones for this domain name today,
| assuming we can muster even man hours to get it today, another
| 5000 will be added tomorrow. And looking at my list We have US
| (a very small ISP and a large ISP) RIPE, and LACNIC.

This malware is not new, but is only just becoming widely visible. It succeeds solely because of the "Dynamic-DYS" (real-time updating) functionality built into the dot-biz registry. Certainly it can be killed, but the techniques to achieve that are better discussed OFF this list - for both AUP and other valid reasons. As soon as this exploit is killed, no doubt another, similar, exploit would follow. We therefore need a more generic solution to the issue.

| This not only affects this instance but global security as a whole.
| Just a few days ago, Cisco was taken offline by a large # of Zombies,
| I am willing to say that those are potentially some of the same
| compromised systems.

Empirical evidence would seem to support your view. Even where they are not the same zombies, networks that allow this type of zombie to remain in place are just as likely to allow DDoS zombies to continue undisturbed.

The problem is that many ISPs filter all issues of this nature through their abuse teams, rather than sending them directly to their security specialists. Most abuse teams have neither the time nor experience to investigate, and this particular trojan has been written to make it too easy for abuse teams to dismiss reports of its activity, and then to justify taking no action - that is exactly what the writers of the malware intended to happen.

A step change in attitude from providers who offer 24/7-on connectivity is what is needed now, and agreement to separate all network security issues from their abuse desk procedures should be number one priority.

--
Richard Cox
On Thu, 09 Oct 2003 12:01:35 EDT, "McBurnett, Jim" <jmcburnett@msmgmt.com> said:
Can Broadband ISP's require a Linksys, dlink or other broadband router without too many problems?
So now instead of a misconfigured PC, you're going to have a misconfigured router front-ending a misconfigured PC? Or are you planning to require that the ISP provide/maintain/configure the router?
At 03:42 PM 09/10/2003, Valdis.Kletnieks@vt.edu wrote:
On Thu, 09 Oct 2003 12:01:35 EDT, "McBurnett, Jim" <jmcburnett@msmgmt.com> said:
Can Broadband ISP's require a Linksys, dlink or other broadband router without too many problems?
So now instead of a misconfigured PC, you're going to have a misconfigured router front-ending a misconfigured PC?
PCs of the MS variety by default are "misconfigured" and dangerous out of the box (i.e. they don't have their patches installed and have questionable defaults). Routers of the SOHO variety generally are not. No, it's NOT perfect, but I would gladly take b) over a) any day of the week.

---Mike
participants (12)

- Fred Baker
- Jack Bates
- Jeremy T. Bouse
- jlewis@lewis.org
- Joe Abley
- Joe Boyce
- John Capo
- McBurnett, Jim
- Mike Tancsa
- Richard D G Cox
- Valdis.Kletnieks@vt.edu
- Vinny Abello