Avalanche is a large nasty botnet, which was just disabled by a large coordinated action by industry and law enforcement in multiple countries. It was a lot of work, involving among other things disabling or sinkholing 800,000 domain names used to control it.

More info here:

https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-netw...
http://blog.shadowserver.org/2016/12/01/avalanche/

As both items point out, if your users are infected with Avalanche, they're still infected, but now if you disinfect them, they won't get reinfected. At least not with that particular flavor of malware.

R's,
John
From my understanding Avalanche wasn't a single botnet but was high availability infrastructure used by multiple different families/operators.
-AK

On Dec 1, 2016 10:37 AM, "John Levine" <johnl@iecc.com> wrote:
Avalanche is a large nasty botnet, which was just disabled by a large coordinated action by industry and law enforcement in multiple countries. It was a lot of work, involving among other things disabling or sinkholing 800,000 domain names used to control it.
More info here:
https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation
http://blog.shadowserver.org/2016/12/01/avalanche/
As both items point out, if your users are infected with Avalanche, they're still infected, but now if you disinfect them, they won't get reinfected. At least not with that particular flavor of malware.
R's, John
In message <20161201173426.2861.qmail@ary.lan>, "John Levine" <johnl@iecc.com> wrote:
More info here:
https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-netw...
I'm always happy when even a small handful of miscreants are captured and taken off the Internet, but...

The press release itself says that this botnet had been running since 2009. So, you know, are we supposed to break out the champagne and start celebrating because it "only" took LE *seven years* to take down this one botnet and capture a grand total of five cybercriminals?

Like I say, I'm happy that this one botnet was killed, but to my way of thinking, the fact that it took seven years to do so is a testament *not* to the spectacular 21st century capabilities of modern law enforcement, but rather to the ever widening gap between the time scales of law enforcement processes, typically measured in months or years, and the time scales of malicious packets flying around the Internet, usually measured in milliseconds.

The Internet, viewed as an organism, quite clearly has, at present, numerous autoimmune diseases. It is attacking itself. And its immune system, such as it is, clearly ain't working. There's going to come a day of reckoning when it will no longer be possible to paper over this sad and self-evident fact. (And no, I'm *not* talking about the fabled "Digital Pearl Harbor". I'm talking instead about the Internet equivalent of the meteor that wiped out the dinosaurs.)

Regards,
rfg

P.S. WTF is "double fast flux[tm]"? Is that anything like "double secret probation" from Animal House?

P.P.S. I love this part of the press release, because it is so telling:

"The successful takedown of this server infrastructure was supported by ... Registrar of Last Resort, ICANN..."

Hahahahaha! Yeah. Translation, for those of you who do not speak diplomacy-speak: "It isn't hardly just you unofficial anti-spammers and anti-cybercrime volunteers and private security companies that can't manage to get many domain registrars and sometimes even domain registries to lift a finger to help. Even some of us international law enforcement guys, who have badges and everything, were also told to go pound sand by several of the world's worst and most unhelpful registrars and registries. In fact, they were soooooooo colossally unhelpful that in the end, we finally had to go and plead our case all the way up to ICANN, just in order to get anything done."
P.S. WTF is "double fast flux[tm]"?
Double fast-flux is when not only the TTL is set very low on the A record(s), but also on the NS: https://en.wikipedia.org/wiki/Fast_flux

- ferg
— Paul Ferguson ICEBRG.io Seattle, Washington, USA
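As an added illustration of the single versus double fast-flux distinction ferg draws above (example code written for this page, not code from the thread and not anything taken from the Avalanche case): the script takes a series of recorded DNS answers for a name and calls the zone "single" flux when its A records rotate under a low TTL, and "double" flux when its NS records rotate under a low TTL as well, i.e. when the name servers themselves are moving targets. The TTL threshold, the churn threshold and every observation below are assumptions and constructed data, not measurements.

```python
"""
Heuristic single / double fast-flux classifier over recorded DNS answers.

Added example for this page; thresholds and observations are assumptions,
not data about any real botnet.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Observation:
    """One answer seen for `name`: rtype is "A" (host) or "NS" (name server)."""
    name: str
    rtype: str
    rdata: str
    ttl: int


# Assumed, tunable thresholds: what counts as a "low" TTL and as "churn".
LOW_TTL = 300        # seconds
MIN_DISTINCT = 5     # distinct records seen across lookups


def summarize(obs: List[Observation]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Map (name, rtype) -> (highest TTL seen, number of distinct rdata values)."""
    ttls: Dict[Tuple[str, str], int] = {}
    rdata: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for o in obs:
        key = (o.name.lower().rstrip("."), o.rtype.upper())
        ttls[key] = max(ttls.get(key, 0), o.ttl)
        rdata[key].add(o.rdata)
    return {k: (ttls[k], len(rdata[k])) for k in ttls}


def classify(name: str, obs: List[Observation]) -> str:
    """Return "double", "single" or "none" for the zone `name`.

    single: A records rotate through many hosts with a low TTL.
    double: the NS records do the same, so resolvers cannot pin the name
            servers either (ferg's definition above).
    """
    s = summarize(obs)
    a_ttl, a_n = s.get((name, "A"), (None, 0))
    ns_ttl, ns_n = s.get((name, "NS"), (None, 0))
    a_flux = a_ttl is not None and a_ttl <= LOW_TTL and a_n >= MIN_DISTINCT
    ns_flux = ns_ttl is not None and ns_ttl <= LOW_TTL and ns_n >= MIN_DISTINCT
    if a_flux and ns_flux:
        return "double"
    if a_flux:
        return "single"
    return "none"


def classify_all(obs: List[Observation]) -> Dict[str, str]:
    """Classify every zone that appears in the observations."""
    return {n: classify(n, obs) for n in sorted({o.name for o in obs})}


def sample_observations() -> List[Observation]:
    """Constructed observations (not real data) for three zones."""
    obs: List[Observation] = []
    # 1) Ordinary site: one stable address and name server, long TTLs.
    obs += [Observation("static.example", "A", "192.0.2.10", 86400)] * 10
    obs += [Observation("static.example", "NS", "ns1.static.example", 172800)]
    # 2) Single flux: A rotates through many hosts at 60 s, NS is stable.
    obs += [Observation("flux1.example", "A", f"198.51.100.{i}", 60) for i in range(1, 13)]
    obs += [Observation("flux1.example", "NS", "ns1.flux1.example", 86400)]
    # 3) Double flux: A and NS both rotate with low TTLs.
    obs += [Observation("flux2.example", "A", f"203.0.113.{i}", 120) for i in range(1, 9)]
    obs += [Observation("flux2.example", "NS", f"ns{i}.flux2.example", 180) for i in range(1, 7)]
    return obs


if __name__ == "__main__":
    for zone, verdict in classify_all(sample_observations()).items():
        print(f"{zone}: {verdict}")
```

In practice the observations would come from repeated lookups (or passive DNS) rather than a constructed list, and a low TTL alone is not evidence of anything: CDNs use short TTLs too, which is why the classifier also requires the record set to actually churn.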
Ronald F. Guilmette <rfg@tristatelogic.com> wrote:
P.P.S. I love this part of the press release, because it is so telling:
"The successful takedown of this server infrastructure was supported by ... Registrar of Last Resort, ICANN..."
Note that these are the names of two different organizations - the part before the comma is not a description of the role played by ICANN.

http://tldcon.ru/docs/02-Addis.pdf
http://www.rolr.org/goals.en.html

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Humber, Thames: Northwest 4 or 5, veering northeast 3 or 4. Moderate, becoming slight later in Thames. Showers. Good.
On Thu, Dec 01, 2016 at 05:34:26PM -0000, John Levine wrote:
[...] 800,000 domain names used to control it.
1. Which is why abusers are registrars' best customers and why (some) registrars work so very hard to support and shield them.

2. As an aside, I've been doing a little research project for a few years, focused on domains. I've become convinced that *at least* 99% of domains belong to abusers: spammers, phishers, typosquatters, malware distributors, domaineers, combinations of these, etc.

In the last year, I've begun thinking that 99% is a serious underestimate. (And it most certainly is in some of the new gTLDs.)

---rsk
99%? That's a pretty high figure there.

--
Onward!, Jason Hellenthal, Systems & Network Admin, Mobile: 0x9CA0BD58, JJH48-ARIN
straight from the horse's mouth -- they said "99.99% of the 900,000 domains" have been sinkholed.

____________
Justin Paine
Head of Trust & Safety
Cloudflare Inc.
PGP: BBAA 6BCE 3305 7FD6 6452 7115 57B6 0114 DE0B 314D

On Thu, Dec 1, 2016 at 1:02 PM, J. Hellenthal <jhellenthal@dataix.net> wrote:
99%? That's a pretty high figure there.
I'm just assuming this because it doesn't say anywhere, but given the context it seems likely to me that almost none of the 900,000 domains were actually registered. It sounds more likely that they figured out how the domain generation algorithm works and instructed the registries to block out all the possible domains it could generate (preventing them from being registered in the future), along with also going after the registrars to disable a much smaller number of domains that were actually currently registered. Could be the 0.01% were the ones that were actually registered.

Rob

On 2016-12-01 21:06, Justin Paine via NANOG wrote:
straight from the horse's mouth -- they said "99.99% of the 900,000 domains" have been sinkholed.
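Rob's reading above describes the general technique of enumerating a DGA's future output so the names can be blocked at the registry before the malware ever asks for them, with the few already-registered names handled separately through registrars. The following is an added example written for this page, not code from the thread and not Avalanche's real algorithm: the date-seeded generator, its seed constant, its TLD set and the "already registered" set are all hypothetical stand-ins. What the example shows is the enumeration over a date window, grouping by TLD (the unit a registry acts on), and the split between names to sinkhole and names to pre-block.

```python
"""
Enumerating a DGA's future output to build registry block lists and
registrar sinkhole lists. Added example; the DGA is a hypothetical
stand-in (SHA-256 over a per-family seed and the UTC date), not any
real family's algorithm.
"""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "info")           # assumed TLD rotation of the toy DGA
SEED = b"hypothetical-family-seed"      # assumed per-family constant


def dga(day: date, count: int = 20) -> List[str]:
    """Hypothetical DGA: `count` deterministic names for `day`."""
    names = []
    for i in range(count):
        h = hashlib.sha256(SEED + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        label = "".join(ALPHABET[b % 26] for b in h[:12])
        names.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return names


def enumerate_future(start: date, days: int, count: int = 20) -> Dict[str, List[str]]:
    """Every name the DGA will emit in [start, start + days), grouped by TLD."""
    by_tld: Dict[str, Set[str]] = {}
    for d in range(days):
        for name in dga(start + timedelta(days=d), count):
            tld = name.rsplit(".", 1)[1]
            by_tld.setdefault(tld, set()).add(name)
    return {tld: sorted(names) for tld, names in by_tld.items()}


def split_actions(future: Dict[str, List[str]], registered: Set[str]) -> Tuple[List[str], List[str]]:
    """Names already registered need registrar action (suspend / point at a
    sinkhole); everything else can be blocked from registration at the registry."""
    everything = [n for names in future.values() for n in names]
    to_sinkhole = sorted(n for n in everything if n in registered)
    to_block = sorted(n for n in everything if n not in registered)
    return to_sinkhole, to_block


def demo(start: date = date(2016, 12, 1), days: int = 30, count: int = 20) -> Dict[str, object]:
    """Run the enumeration over a 30-day window with a constructed registry state."""
    future = enumerate_future(start, days, count)
    # Constructed: pretend the operators had registered the first three
    # names of day one and nothing else.
    registered = set(dga(start, count)[:3])
    to_sinkhole, to_block = split_actions(future, registered)
    return {
        "total": sum(len(v) for v in future.values()),
        "sinkhole": len(to_sinkhole),
        "block": len(to_block),
        "tlds": sorted(future),
    }


if __name__ == "__main__":
    r = demo()
    print(f"{r['total']} names across {r['tlds']}: "
          f"{r['sinkhole']} to sinkhole, {r['block']} to pre-block")
```

The split matters operationally: pre-blocking is a single request per registry, whereas each already-registered name involves a registrar and, as the thread notes, registrar cooperation is the part that does not scale.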
On Thu, Dec 01, 2016 at 03:02:30PM -0600, J. Hellenthal wrote:
99% ? That's a pretty high figure there.
Yeah. I thought so too. For the first ten years. Now I think it's not nearly high enough.

Let me give you three examples -- the three that happen to be occupying my attention at the moment. I've got more if you've got the time. A *lot* more.

1) http://www.firemountain.net/~rsk/loan.txt
2) http://www.firemountain.net/~rsk/space.txt
3) http://www.firemountain.net/~rsk/online.txt

1553, 3794, and 602 domains respectively. For brevity, I'll spare you (4) which is a list of 97,657 domains (all in .info) using variations of the same words, all registered by the same "company".

Note that my collection methods are lossy, so all of these are drastically UNDERinclusive.

---rsk
According to a 2015 paper, 85% of new gTLD domains were some form of parking, defensive redirect, unused, etc.: <http://conferences2.sigcomm.org/imc/2015/papers/p381.pdf>

Hugo

On 15:02 01/12, J. Hellenthal wrote:
99%? That's a pretty high figure there.
If I could have it my way, I would say no gTLDs should be allowed to transmit any email messages whatsoever, and force them to either use something like sendgrid.com or to purchase a primary .com, .org, .net, .co.uk, whatever, etc. But that's just me. It's not a nice world, but it is just the world we live in today.

On Dec 2, 2016, at 05:28, Hugo Salgado-Hernández <hsalgado@nic.cl> wrote:
According to a 2015 paper, 85% of new gTLD domains were some form of parking, defensive redirect, unused, etc.: <http://conferences2.sigcomm.org/imc/2015/papers/p381.pdf>

Hugo

--
Jason Hellenthal
JJH48-ARIN
In message <20161201205647.GA8911@gsp.org>, Rich Kulawiec <rsk@gsp.org> wrote:
2. As an aside, I've been doing a little research project for a few years, focused on domains. I've become convinced that *at least* 99% of domains belong to abusers: spammers, phishers, typosquatters, malware distributors, domaineers, combinations of these, etc.
As you probably know Rich, that's not exactly a novel observation. Vixie was already saying it a full six years ago, and things have only gotten worse since then.

http://www.circleid.com/posts/20100728_taking_back_the_dns/

Regards,
rfg
[ Reposted with proper Subject line. My apologies. Insufficient coffee. ] On Thu, Dec 01, 2016 at 03:01:50PM -0800, Ronald F. Guilmette wrote:
As you probably know Rich, that's not exactly a novel observation. Vixie was already saying it a full six years ago, and things have only gotten worse since then.
Yep. I remember reading that. The only change I would make is that Paul wrote:

    Most new domain names are malicious.

and I think a more accurate/updated/refined statement in 2016 would be:

    Almost all new domain names are malicious.

We are busy trying to support a domain name system that is two to three orders of magnitude larger (as measured by domains) than it should be or needs to be. And nearly all of what we're supporting is malicious.

---rsk
participants (11)
- anthony kasza
- Hugo Salgado-Hernández
- J. Hellenthal
- Jason Hellenthal
- John Levine
- Justin Paine
- Paul Ferguson
- Rich Kulawiec
- Robert McKay
- Ronald F. Guilmette
- Tony Finch