Gigantic digital parasites, fast flux and blacklisting by the Sinowal botnet

In earlier blog posts we discussed sinkholing operations and how the criminals could prevent sinkholing. As discussed, they can easily deploy blacklists of IPs (or name servers) known to belong to security companies. In fact, malware is already using such blacklists for other purposes: thanks to AV Tracker, malware can also hide from analysis systems (acting like a wolf in sheep's clothing).

A couple of days ago the Sinowal people started blacklisting BFK edv-consulting GmbH’s sinkholes (this is an excerpt of the current Sinowal configuration):

41,173.212.213.0/24,Blacklisted subnet
41,24.176.33.0/24,Blacklisted subnet
41,124.185.37.0/24,Blacklisted subnet
41,58.172.169.0/24,Blacklisted subnet
41,95.223.83.0/24,Blacklisted subnet
41,71.67.115.0/24,Blacklisted subnet
41,77.61.125.0/24,Blacklisted subnet
41,64.191.19.0/24,Blacklisted subnet
41,108.61.35.0/24,Blacklisted subnet
41,66.197.200.0/24,Blacklisted subnet
41,64.27.3..0/24,Blacklisted subnet
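Before bringing up a new sinkhole it is worth checking the candidate addresses against the current blacklist. Because the entries are whole /24s, any address inside a listed /24 is hit, not only the .0 shown in the config. The following is an added example, not code from the original post or from Sinowal; it assumes the three comma-separated fields are a record type, a subnet and a comment, parses the excerpt above (including the malformed "64.27.3..0/24" line, which is reported rather than crashing the check), and reports which entries cover a given sinkhole IP.

```python
"""Check sinkhole addresses against a Sinowal-style subnet blacklist.

Added example; not code from the original post or from Sinowal.
"""
import ipaddress

# The blacklist lines as printed in the configuration excerpt above:
# <record type>,<subnet>,<comment>. Assumption: the first field is a record
# type identifier (41 for every blacklist entry shown). The last line keeps
# the doubled dot exactly as it appears in the excerpt.
CONFIG_EXCERPT = """\
41,173.212.213.0/24,Blacklisted subnet
41,24.176.33.0/24,Blacklisted subnet
41,124.185.37.0/24,Blacklisted subnet
41,58.172.169.0/24,Blacklisted subnet
41,95.223.83.0/24,Blacklisted subnet
41,71.67.115.0/24,Blacklisted subnet
41,77.61.125.0/24,Blacklisted subnet
41,64.191.19.0/24,Blacklisted subnet
41,108.61.35.0/24,Blacklisted subnet
41,66.197.200.0/24,Blacklisted subnet
41,64.27.3..0/24,Blacklisted subnet
"""


def parse_blacklist(text):
    """Parse config lines into IP networks.

    Returns (networks, rejected); rejected holds (line number, line, reason)
    for entries that are not valid CIDR, so a malformed line is reported
    instead of being silently dropped or aborting the whole check.
    """
    networks, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2:
            rejected.append((lineno, line, "too few fields"))
            continue
        try:
            # strict=False tolerates host bits set in the subnet field.
            networks.append(ipaddress.ip_network(fields[1].strip(), strict=False))
        except ValueError as exc:
            rejected.append((lineno, line, str(exc)))
    return networks, rejected


def matching_subnets(ip, networks):
    """All blacklisted networks that contain ip, as strings."""
    addr = ipaddress.ip_address(ip)
    return [str(net) for net in networks if addr in net]


def check_sinkholes(candidate_ips, config_text):
    """Map each candidate sinkhole IP to the blacklist entries covering it.

    An empty list means the address is currently not blacklisted.
    """
    networks, rejected = parse_blacklist(config_text)
    hits = {ip: matching_subnets(ip, networks) for ip in candidate_ips}
    return hits, rejected


if __name__ == "__main__":
    # Constructed sample: one address inside a listed /24, one just outside it.
    hits, rejected = check_sinkholes(["173.212.213.77", "173.212.214.1"], CONFIG_EXCERPT)
    for ip, nets in hits.items():
        print(ip, "blacklisted by" if nets else "not blacklisted", nets)
    for lineno, line, reason in rejected:
        print(f"line {lineno} rejected ({reason}): {line}")
```

Running it against the excerpt shows 173.212.213.77 covered by 173.212.213.0/24 although only the .0 appears in the config, 173.212.214.1 not covered, and the doubled-dot line reported as rejected. A new sinkhole address therefore has to sit in a different /24, not merely be a different host in the same block.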

Game Over for researchers?

This is a typical cat-and-mouse game: as soon as a researcher brings up a new IP address, the criminals blacklist it. Automation on both sides raises the effort required from the other side. On the researcher's side this could mean automatically setting up VPSes as proxies that forward the bots' requests to the real sinkhole. That would be far more convenient than the current approach, because changing the IP address today typically means setting up a completely new sinkhole server (and nobody has time to set up a new sinkhole server every day).
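One way to build such a throw-away proxy VPS is a plain TCP relay: bots connect to the VPS, the VPS opens a connection to the real sinkhole and copies bytes in both directions, and when the VPS address gets blacklisted only the VPS is replaced. The catch a sinkhole operator cares about is that a relay hides the infected host's source address, which is the data the sinkhole exists to collect, so the relay below prefixes every upstream connection with a HAProxy-style PROXY protocol v1 line and the sinkhole has to be configured to accept that line. This is an added example, not code from the original post; the listener addresses, the fake sinkhole and the bot request in the demo are constructed for the run, and the relay is IPv4 only (an iptables DNAT on the VPS is the lighter alternative, with the same source-address caveat).

```python
"""TCP relay for a throw-away proxy VPS in front of the real sinkhole.

Added example; not code from the original post. Each upstream connection
starts with a PROXY protocol v1 line carrying the bot's real address.
IPv4 only (PROXY TCP4).
"""
import asyncio


def proxy_header(client_addr, proxy_addr):
    """PROXY protocol v1 line: original client and proxy-side (ip, port)."""
    return (f"PROXY TCP4 {client_addr[0]} {proxy_addr[0]} "
            f"{client_addr[1]} {proxy_addr[1]}\r\n").encode()


async def _pipe(reader, writer):
    """Copy bytes from reader to writer until EOF, then close the writer."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def relay_connection(bot_reader, bot_writer, sinkhole_host, sinkhole_port):
    """One bot connection: connect upstream, send the PROXY line, pipe both ways."""
    peer = bot_writer.get_extra_info("peername")
    local = bot_writer.get_extra_info("sockname")
    try:
        up_reader, up_writer = await asyncio.open_connection(sinkhole_host, sinkhole_port)
    except OSError:
        bot_writer.close()  # sinkhole unreachable: drop the bot, reveal nothing
        return
    up_writer.write(proxy_header(peer, local))
    await up_writer.drain()
    await asyncio.gather(_pipe(bot_reader, up_writer), _pipe(up_reader, bot_writer))


async def serve_relay(listen_host, listen_port, sinkhole_host, sinkhole_port):
    """Start the relay listener and return the asyncio.Server."""
    return await asyncio.start_server(
        lambda r, w: relay_connection(r, w, sinkhole_host, sinkhole_port),
        listen_host, listen_port)


async def demo():
    """Self-contained run on localhost: fake sinkhole + relay + one fake bot.

    Returns (PROXY line seen by the sinkhole, request seen by the sinkhole,
    reply received by the bot). Sinkhole, bot and request are constructed.
    """
    seen = {}

    async def fake_sinkhole(reader, writer):
        seen["header"] = await reader.readline()            # the PROXY line
        seen["request"] = await reader.readuntil(b"\r\n\r\n")
        writer.write(b"HTTP/1.0 200 OK\r\n\r\n")
        await writer.drain()
        writer.close()

    sink = await asyncio.start_server(fake_sinkhole, "127.0.0.1", 0)
    sink_port = sink.sockets[0].getsockname()[1]
    relay = await serve_relay("127.0.0.1", 0, "127.0.0.1", sink_port)
    relay_port = relay.sockets[0].getsockname()[1]

    reader, writer = await asyncio.open_connection("127.0.0.1", relay_port)
    writer.write(b"GET /gate.php HTTP/1.0\r\nHost: sinkholed.example\r\n\r\n")
    await writer.drain()
    reply = await reader.read()  # until the relay closes our side
    writer.close()
    await writer.wait_closed()

    relay.close()
    sink.close()
    await relay.wait_closed()
    await sink.wait_closed()
    return seen["header"], seen["request"], reply


def run_demo():
    """Synchronous entry point for the demo."""
    return asyncio.run(demo())


if __name__ == "__main__":
    header, request, reply = run_demo()
    print(header.decode().strip())
    print(request.decode().splitlines()[0], "->", reply.decode().splitlines()[0])
```

In the demo the fake sinkhole sees a line such as "PROXY TCP4 127.0.0.1 127.0.0.1 <bot port> <relay port>" followed by the untouched request, so the infected host's address survives the hop; without the header the sinkhole would log only the VPS.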

Fast flux could also be an answer, although it requires more infrastructure. Dr. Web, for example, uses fast flux to hide its sinkhole, and it actually reuses the fast flux functionality of Sinowal itself to do so (ironic, isn't it?).

Security by obscurity is not an option

We think that security by obscurity is not an option. That's why we always list our full company details in the WHOIS record of every sinkholed domain, unlike other companies (including anti-virus companies). That's also why we don't mind that Virus Tracker and Antivirus Tracker are open to both sides of the industry.

If we can list other sinkholers and anti-virus systems, so can the criminals. The only difference is that we do it openly.