Although the major DNS blacklists offer their services free to most users, they certainly pay a price for providing them. As each DNS blacklist grows in popularity and effectiveness, it presents a significant problem to the revenue stream of botnet operators, wholesale spammers, and their clients alike. Thus, most DNS blacklists find themselves mired in a battle with these unsavory entities that goes far beyond simply dealing with spam.
“Oh, it’s definitely a war,” says a source at sorbs.net. “And it’s escalating. We’re actively trying to identify and stop spammers and botnets -- and they’re actively trying to avoid us or destroy us.” He cites a few examples. “Since we scan for open proxies caused by malware, some of the malware programmers have started to obfuscate our scanners by returning invalid data, which causes our scanners to retry the scan. At the scanning rates we have to run, this reduces the effectiveness of the process, so we have to recode our scanners to avoid that problem.”
This war is not without spies and double-agents. The same source recalls one event where an anonymous e-mailer sent word to sorbs.net that a certain piece of Windows malware would automatically uninstall itself if a specific 24-byte sequence was sent to one of the TCP ports it listened to. With that information, the sorbs.net scans were modified to include this sequence, and thousands of infected hosts were found and cleaned.
As DNS blacklists use a variety of methods to compile their databases, botnet controllers and spammers can identify and evade them. Some malware is coded to refuse connections from known DNS blacklist netblocks to avoid the scans. Other techniques involve blacklists of the blacklists, as lists of servers likely to be used as DNS blacklist spam collectors are used to avoid that trap.
Beyond the cat-and-mouse game, spammers and botnet operators also employ DDoS attacks against the larger DNS blacklists, a problem that has plagued spamhaus.org in the recent past, forcing it to take active and continuous anti-DDoS measures to maintain its service.
And so it goes: parry and thrust, duck and weave, as each side tries to outwit the other. If -- and it’s a big if -- the efficacy of botnets decreases as a result of stricter security in Windows XP SP2 and the promises of Vista, then we might see a shift in the status quo. Until then, the fight is on.