Gearing up for hacking takedowns

Tracking hackers and their malware is a difficult job. It’s difficult to prove who is doing the hacking, and even more difficult to prosecute. But whether it is under the CAN-SPAM Act (albeit a horrible anti-spam law), U.S. Title 18, or myriad other state and federal laws, more hackers are going to prison. Gone are the days when they are treated like petty offenders and given a slap on the wrist. Finally!

Unfortunately, it's still a challenge to shut down the Web sites that participate in phishing and bot attacks. Phishing attacks lure victims to look-alike Web sites to gain user confidential information; bots dial home to mothership Web sites to get code updates and instructions.

In both cases, the participating Web sites are either legitimately created by the hacker or are installed on computers of other compromised victims. Many of the Web sites exist only for one or two days, others for only a few hours. Dynamic DNS servers point to most of them. As the mothership Web server changes computers, the related DNS host address is updated.

Firms with dynamic DNS services are coming under increased scrutiny because their services are so popular with hackers and malware. The legitimate dynamic DNS companies, which actually care about phishing prevention, are trying to do something about dynamic DNS misuse, but it's a slow process. Although separating the legitimate use from the malicious use isn’t that difficult -- malicious use can be identified because it drives hundreds to thousands of new connections to the new Web site within a very short period of time -- vendors must still spend a significant portion of their own time tracking down and eliminating the rogue users.

During the past year, dynamic DNS vendors have started banding together in various informal groups, trying to identify and eliminate the biggest offenders so hackers can’t just move on to another unsuspecting vendor. It’s a smart move on behalf of the vendors. The misuse of dynamic DNS is so great that more companies are blacklisting whole blocks of dynamic DNS addresses, malicious or not.

Even Microsoft is gaining momentum in the hunt to close down rogue hacker sites. The recent Internet Explorer zero-day attack could have gotten big. However, Microsoft asked for and acted upon every single malware Web site sighting; a technical and legal eagle team researched every report, verified the Web site’s intentions, and got it taken down if confirmed malicious. Microsoft has realized that even though it has no legal obligation to take down malicious Web sites, doing so is in its -- and its customers -- best interest.

More than 100 malicious mothership Web sites were reported to Microsoft during that attack. Most were confirmed malicious, and those Web site host companies were notified by Microsoft’s legal team and made to comply.

It’s hard to measure success against what could have been. Although the recent attack could have gotten huge, it remained mostly newsworthy only for its potential, as did the WMF exploit before it. A few days after the more recent exploit was released, Microsoft told me that only 19 confirmed PCs were infected out of hundreds of thousands of monitored PCs. Never thought I would say it, but, Go lawyers!