Gearing up for hacking takedowns

Wrestling malicious phishing and bot sites into submission requires a group effort

Tracking hackers and their malware is a difficult job. It’s difficult to prove who is doing the hacking, and even more difficult to prosecute. But whether it is under the CAN-SPAM Act (albeit a horrible anti-spam law), U.S. Title 18, or myriad other state and federal laws, more hackers are going to prison. Gone are the days when they are treated like petty offenders and given a slap on the wrist. Finally!

Unfortunately, it's still a challenge to shut down the Web sites that participate in phishing and bot attacks. Phishing attacks lure victims to look-alike Web sites to gain user confidential information; bots dial home to mothership Web sites to get code updates and instructions.

In both cases, the participating Web sites are either legitimately created by the hacker or are installed on computers of other compromised victims. Many of the Web sites exist only for one or two days, others for only a few hours. Dynamic DNS servers point to most of them. As the mothership Web server changes computers, the related DNS host address is updated.

Firms with dynamic DNS services are coming under increased scrutiny because their services are so popular with hackers and malware. The legitimate dynamic DNS companies, which actually care about phishing prevention, are trying to do something about dynamic DNS misuse, but it's a slow process. Although separating the legitimate use from the malicious use isn’t that difficult -- malicious use can be identified because it drives hundreds to thousands of new connections to the new Web site within a very short period of time -- vendors must still spend a significant portion of their own time tracking down and eliminating the rogue users.

During the past year, dynamic DNS vendors have started banding together in various informal groups, trying to identify and eliminate the biggest offenders so hackers can’t just move on to another unsuspecting vendor. It’s a smart move on behalf of the vendors. The misuse of dynamic DNS is so great that more companies are blacklisting whole blocks of dynamic DNS addresses, malicious or not.

Even Microsoft is gaining momentum in the hunt to close down rogue hacker sites. The recent Internet Explorer zero-day attack could have gotten big. However, Microsoft asked for and acted upon every single malware Web site sighting; a technical and legal eagle team researched every report, verified the Web site’s intentions, and got it taken down if confirmed malicious. Microsoft has realized that even though it has no legal obligation to take down malicious Web sites, doing so is in its -- and its customers -- best interest.

More than 100 malicious mothership Web sites were reported to Microsoft during that attack. Most were confirmed malicious, and those Web site host companies were notified by Microsoft’s legal team and made to comply.

It’s hard to measure success against what could have been. Although the recent attack could have gotten huge, it remained mostly newsworthy only for its potential, as did the WMF exploit before it. A few days after the more recent exploit was released, Microsoft told me that only 19 confirmed PCs were infected out of hundreds of thousands of monitored PCs. Never thought I would say it, but, Go lawyers!

Elsewhere, CastleCops and Sunbelt Software have created the Phishing Incident Reporting and Termination (PIRT) Squad. It is solely dedicated to taking down phishing Web sites as quickly as possible, and relies on a network of volunteers to submit new phishing scams to the PIRT Squad's “Fried Phish” tool.

After verification by a PIRT handler, reports are generated and e-mails sent to the appropriate parties. The report of the confirmed site contains technical information (dig output, Whois, HTTP GET, etc.) and is sent to various anti-phishing companies, researchers, and ISPs. The main objective is to get the phishing Web site taken down quickly, protecting consumers.

CastleCops founders Paul and Robin Laudanski's past careers as rescue rangers and firefighters must have prepared them for a life of do-gooding. Paul says they have received more than 2,000 submissions and have had success rates more than 50 percent in bringing down the malicious sites. Also, CastleCops is a cool place to hang out if you’re interested in computer security. It has more than 200 forums, and staff writers are working on a book about rootkits.

So in the paraphrased words of AC/DC, To all who fight the good fight, we salute you!