
August 2015

Dismantling botnets: Dealing with DNS and Whois

Botnet chasers are expert folks from the private or public sector who pore over giga- or terabytes of data – network traffic, malware, DNS, and addressing information – to identify and confirm that a domain name, or perhaps hundreds of domain names, is being abused to support a botnet infrastructure.  As is the case for phishing, child abuse, spam and other (criminal) abuses of the DNS, these investigators typically want to “take down” the domain.

The botnet takedown case is interesting for several reasons: (i) botnets often provide the attack infrastructure for other attacks (including phishing, spam, and denials of service), (ii) all of the infected (“botted”) devices that comprise the botnet often must resolve these domains to establish and remain in contact with the botnet command and control systems (“C&C”), and (iii) the C&Cs serve as the only or primary way for botnet operators to distribute executable code to the botted devices.

Dismantling botnets is tricky business and often involves coordinating court orders across several jurisdictions. Effecting changes to the DNS or Whois is a common element of botnet takedowns. Getting the language right across these orders is important to ensure the outcomes you seek.

Get the Language Right

The term “takedown” is overloaded and unspecific. To some, it means “shut down the web site”. To others, it means, “shut down the DNS”. Both are correct. Maybe. In botnet cases, what you may seek isn’t a takedown at all. 

When you are preparing a court order, it’s important to say precisely what action you want a registry operator or registrar to take. Usually, you’ll want the complaint to effect changes to the DNS or Whois:

DNS: Affecting Botnet Name Resolution

You want your complaint to tell the registry to change name resolution for the domain(s) identified in the complaint in one of the following ways:

Terminate name resolution. Use this language when you want domain(s) identified in the complaint to stop resolving the names you enumerate in the court order to the Internet addresses for the C&C hosts. The served party (registrar or registry operator) will delete the domain’s name server records from the registry zone file, or will place a “hold” status on the domain, thereby removing it from the zone file and stopping resolution. This action dismantles or disrupts the botnet activity: botted computers cannot resolve the names they’ve been instructed to use to contact their C&C. They will be unable to receive instructions from their mother ship and thus can’t engage in attacks.

Change name resolution. Use language like “change or modify the name server records in the parent zone file of the domain names listed in this order to…” when you want to sinkhole or take control over the botnet for observation and analysis. You must supply the registry(ies) or registrar(s) with name server information (hostnames, IP addresses) that you intend to employ as the authoritative name servers for the seized domain(s). The registry will replace any existing name server records in its zone file for the domains you list with the information you provide. You must then create resource records in the zone file(s) for the seized domains that direct traffic from botted devices to your sinkhole host so that you can investigate further into the botnet’s operation. And of course, you must stand up a sinkhole host at the address(es) you specify in your zone file.
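The two outcomes above, as an added example that is not part of the original post: it generates the sinkhole zone an investigator has to serve for a seized domain, and classifies what a registry actually did with a domain from the delegation it now publishes and its EPP status codes (the hold statuses are the clientHold/serverHold values of RFC 5731). The sinkhole name server names, the sinkhole address and the sample registry data are constructed for the example.

```python
"""Sinkhole zone generation and takedown-outcome check (added example)."""
from dataclasses import dataclass

SINKHOLE_NS = ("ns1.sinkhole.example.", "ns2.sinkhole.example.")  # assumed names
SINKHOLE_IP = "192.0.2.10"                                         # TEST-NET-1 address


def sinkhole_zone(domain: str, ttl: int = 300) -> str:
    """Return a BIND-format zone for a seized domain. The apex and a wildcard
    both point at the sinkhole host, so any C&C hostname under the domain that
    a bot resolves lands on the investigator's collector."""
    origin = domain.rstrip(".") + "."
    lines = [f"$ORIGIN {origin}", f"$TTL {ttl}",
             f"@ IN SOA {SINKHOLE_NS[0]} hostmaster.sinkhole.example. "
             f"1 3600 900 604800 {ttl}"]
    lines += [f"@ IN NS {ns}" for ns in SINKHOLE_NS]
    lines += [f"@ IN A {SINKHOLE_IP}", f"* IN A {SINKHOLE_IP}"]
    return "\n".join(lines) + "\n"


@dataclass
class RegistryState:
    """What the registry reports for one domain named in the order: the NS
    records it publishes in the parent zone (empty if the delegation was
    deleted) and the domain's EPP status codes."""
    domain: str
    parent_ns: tuple = ()
    statuses: tuple = ()


def takedown_outcome(state: RegistryState) -> str:
    """'terminated' if the delegation is gone or a hold status is set,
    'sinkholed' if the delegation now names only our servers, else 'unchanged'."""
    if not state.parent_ns or {"clientHold", "serverHold"} & set(state.statuses):
        return "terminated"
    published = {ns.lower().rstrip(".") + "." for ns in state.parent_ns}
    if published == set(SINKHOLE_NS):
        return "sinkholed"
    return "unchanged"


if __name__ == "__main__":
    print(sinkhole_zone("cnc-example.test"))
    # Constructed registry data for three domains listed in a hypothetical order.
    for st in (RegistryState("a.test", (), ("serverHold",)),
               RegistryState("b.test", SINKHOLE_NS),
               RegistryState("c.test", ("ns1.evil-example.test.",))):
        print(st.domain, takedown_outcome(st))
```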


How Much Are Your Personal Data Worth?

Today's guest column is from Isa Cox. Isa is an Internet security expert and blogger. She writes about online safety and freedom, tech tips for small business and travel. You may also enjoy her article on e-crime facts and figures.

Are you aware of the battles being waged over the fate of your personal data and what companies and other organizations are trying to do with it? You should be, considering it is your information and sharing it could have consequences that will affect you in both the virtual and physical world. Data mining for various purposes is a major industry, resulting in (alleged) national security, targeted marketing, and market research. While you may or may not agree that these are good things, these operations are effectively going on without your control, and you should have some say about what goes on with what is effectively your identity and your valuable property. Here are some types of people and organizations that are interested in your data, why they are interested, and what you can do to defend yourself.

Social Media

Have you ever noticed how the more you use Facebook or another social media platform, the more the ads that appear onscreen (unless you use an adblocker program) seem to be targeted directly to you? Have you ever then wondered how the social media platforms (and other seemingly unrelated websites, much to everyone’s concern) are able to do this?

You see targeted ads because these sites are mining your posts and other information for data that they then use to target advertising to you, perform market research, or even sell to other companies for their analysis and research in order to better sell things to you, the consumer.

Here’s something that you should know: you do not necessarily own your profiles or your posts, which means that there are others who can use them freely. If you look in your user agreements (which very few people read or agree to), then you might notice different paragraphs regarding their use of your data and the ownership of your profile. While they might vary too much to mention each of them separately, know that you will find things that concern you considering how much you rely on these platforms. Do your research before you sign up or update in the future and be warned.


While social media companies and platforms are legal businesses performing legal (albeit ethically questionable) actions, hackers and cybercriminals are out there, and their effects are more immediately noticeable and serious. Cybercrime is a business, and business is booming like never before, with identity theft rates going through the roof and relatively few convictions coming from it. Hackers can make enough money off of your data and the data of other people to make a living, and since it is your identity, its worth is almost unquestionable to you.

Hackers will go through quite a lot if they think the data is worth it. Collectives of hackers will attack large businesses and split the profits from the stolen data, and other hackers will lie in wait in public areas looking to intercept financial or other personal data from you over an unsecured public network (a frighteningly easy process for them) if you don’t have any protection. To put it in a more personal perspective, people will often take advantage of people’s trust and use data to steal the identity of close friends or family members, leaving the victim in financial ruin. Your data is so valuable that people will hurt loved ones to get at it.


While things may be greatly different depending on the country you are living in, you have probably heard reports on the news about different government online surveillance programs that are being used on citizens and/or non-citizens. These programs also collect data and analyze it on a massive scale in order to detect what they perceive as threats, and for other reasons that have not been released to the public. This concerns many people, for good reason. You don’t know how safe the government is keeping that data, and you don’t know how much it values it.

Also of note concerning government entities and the value of your data is that there is now a constant debate going on as to the true ownership of such data, and there are calls for something along the lines of a bill of rights for consumer privacy. Along with this, other laws are being proposed and considered that would give you undeniable legal ownership of your online profiles and data relating to you. This would mean a massive shift in the balance of online power, and you owe it to yourself to either support such measures if you agree with them or follow the story so you know what is going on.


VPNs and Other Defenses

With so many different entities wanting a piece of your data and profiting off of you without either your knowledge or consent, you need a way to defend yourself. The current best way to do this is by using a Virtual Private Network, which is an online service that will connect your computer or other device to an offsite secure server. This is done via an encrypted connection that will protect you on any network you use, making you much safer where cybercriminals are concerned.

If you are more concerned about government censorship and surveillance, then you will be more interested in the ability of the VPN to mask your IP address and look as though you are in another country, giving you a great degree of all-important privacy when you use the internet. Taking all of this into account though, you should know that not all VPNs are alike, and they won’t all protect your data the same. You’ll want to read some reviews and check out which VPNs are best so that you can protect your data from those wanting a piece of it.

As far as social media accounts and other online accounts that might be data mining you are concerned, most defenses won’t work, as the data are collected from your account instead of your computer and are not linked to your IP address. Your best options come down to not using social media, and educating yourself before you do so that you know how to manage your rightful data.

Other tools and defenses you might want to consider are just making sure you are living a private online life, potentially using Tor (although it is rumored that governments pay closer attention to Tor users), and using a proxy, which won’t be as effective as a VPN but is better than nothing. Whatever you decide, know that your data has worth and that it is important to protect it.

So how much are your personal data worth?

You have to decide that for yourself after considering all of the consequences and suitors above. Thank you for reading, and I hope that you have a greater understanding of just how valuable you and your data are to the major players on the internet.