
Shifting and rotating IP addresses helps cyber criminals


Krebs quotes a RiskAnalytics official who estimates there are over 2,000 infected endpoints, mostly in Europe, behind the botnet. It feels, he said, “like a black market version of Amazon Web Services.” The official says the malware that runs the botnet assigns infected hosts different roles: more powerful systems might be used as DNS servers, for example, while infected systems behind home routers may be infected with a “reverse proxy” that lets the attackers control the system remotely.

Separately, Cybereason issued a report last week saying attackers are increasingly turning to domain generation algorithms (DGAs), which generate large numbers of random Internet domain names to link to command and control servers. Gameover Zeus, for example, generated 1,000 domains every day, or 365,000 in one year, says the report. Blocking all of these domains is hard for firewalls, network-filtering products and other security tools.

DGAs “are a near perfect communication method,” says the company. “They’re easy to implement, difficult to block, almost impossible to predict in advance, and can be quickly modified if the previously used algorithm becomes known.”

Creators use a number of techniques, the company says. One generates domains by randomly selecting seven letters, suffixing them with either the .ru or the .com top-level domain and prefixing them with the word “five” followed by a number (for example, five14.aheegdg.com). Another generates domains by randomly choosing two English words from a hard-coded list in the malware and joining them together under the .net top-level domain (for example, theirjuly.net).

The Dridex banking malware, which uses macros in Microsoft Office documents to infect systems, joins English words and word fragments chosen at random from a small list, suffixed with the .mn (Mongolia) or .me (Montenegro) top-level domain. The words are often broken, shifted and padded with random characters, which greatly increases the number of possible combinations and makes detection much harder (for example, ALLOWCLIENTAXPALAGENT.ME). The well-known Angler exploit kit also uses a DGA.
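As an added example (not from the article or the Cybereason report), the following Python detector tags DNS query names that match the three domain shapes described above; the regex, the word list, the length and entropy thresholds and the sample log lines are constructed assumptions for illustration:

```python
import math
import re
from collections import Counter

# Detection heuristics for the three DGA styles the article describes.
# Regexes, thresholds and the word list are constructed assumptions for this
# example, not taken from the malware or from the Cybereason report.
FIVE_PREFIX = re.compile(r"^five\d+\.[a-z]{7}\.(?:ru|com)$")  # style 1
WORDLIST = {"their", "july", "about", "would", "water", "light"}  # style 2
DRIDEX_TLDS = {"mn", "me"}  # style 3: long padded labels under .mn/.me
MIN_LABEL_LEN = 12
MIN_ENTROPY = 3.0  # bits per character, constructed threshold

def shannon_entropy(text):
    """Bits per character; padded/random labels score higher than words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def is_two_words(label):
    """True if the label is exactly two WORDLIST words joined together."""
    return any(label[:i] in WORDLIST and label[i:] in WORDLIST
               for i in range(1, len(label)))

def classify(domain):
    """Tag a queried name with the DGA style it matches, or 'benign'."""
    d = domain.lower().rstrip(".")
    if FIVE_PREFIX.match(d):
        return "dga:five-prefix"
    rest, _, tld = d.rpartition(".")
    label = rest.rsplit(".", 1)[-1]  # label directly left of the TLD
    if tld == "net" and is_two_words(label):
        return "dga:two-words"
    if (tld in DRIDEX_TLDS and len(label) >= MIN_LABEL_LEN
            and shannon_entropy(label) >= MIN_ENTROPY):
        return "dga:dridex-like"
    return "benign"

def flag_queries(log_lines):
    """Return (qname, tag) for each '<client> <qname>' line that looks DGA."""
    names = [line.split()[-1] for line in log_lines]
    return [(q, t) for q in names if (t := classify(q)) != "benign"]

# Constructed sample DNS query log: "<client ip> <queried name>"
SAMPLE_LOG = [
    "10.0.0.5 five14.aheegdg.com",
    "10.0.0.5 theirjuly.net",
    "10.0.0.7 allowclientaxpalagent.me",
    "10.0.0.7 example.com",
    "10.0.0.9 mail.about.me",
]
```

Running `flag_queries(SAMPLE_LOG)` flags the first three names and leaves example.com and mail.about.me alone; a production detector would replace the toy word list with a real dictionary and tune the entropy threshold against its own traffic.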


James Barnley

I’m the editor of the DomainingAfrica. I write about internet and social media, focusing mainly on Domains. As a subscriber to my newsletter, you’ll get a lot of information on Domain Issues, ICANN, new gtld’s, Mobile technology and social media.