The entire robot network, or “botnet,” consisted of thousands of hacked home computers spread across virtually every time zone in the world, he said. Dunker urged me not to take his word for it, but to check for myself the domain name server (DNS) settings of the Uncle Sam shop every few minutes. DNS acts as a kind of Internet white pages, by translating Web site names to numeric addresses that are easier for computers to navigate. The way this so-called “fast-flux” botnet works is that it automatically updates the DNS records of each site hosted in the Dark Cloud every few minutes, randomly shuffling the Internet address of every site on the network from one compromised machine to another in a bid to frustrate those who might try to take the sites offline.
Source: Carding Sites Turn to the ‘Dark Cloud’ — Krebs on Security
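The check Dunker describes, polling a name's DNS records every few minutes and watching the addresses shuffle, is the classic way defenders spot fast-flux hosting. Here is an added example (not from the Krebs article or this post) that scores a series of DNS answers for flux indicators: low TTL, many distinct addresses, many unrelated networks, and answer sets that keep changing between polls; the poll data is constructed, and `resolve()` is a hypothetical helper name around the standard library.

```python
"""Fast-flux indicators from repeated DNS answers. Added example, not from the
Krebs article or this post; poll data is constructed, resolve() is a hypothetical helper."""
import ipaddress
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    t: int            # seconds since the first poll
    addrs: frozenset  # IPv4 A records in this answer
    ttl: int          # answer TTL in seconds

def resolve(name, t, ttl):
    """One live lookup; getaddrinfo() hides the TTL, so pass one from a real resolver."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return Snapshot(t, frozenset(i[4][0] for i in infos), ttl)

def flux_indicators(snaps):
    """Summarise address churn across time-ordered snapshots."""
    seen, changes, prev = set(), 0, None
    for s in snaps:
        seen |= s.addrs
        changes += prev is not None and s.addrs != prev  # answer set moved
        prev = s.addrs
    # Distinct /16s approximate how many unrelated networks host the name;
    # flux nodes are hacked home machines spread across many ISPs.
    prefixes = {ipaddress.ip_network(f"{a}/16", strict=False) for a in seen}
    return {"polls": len(snaps), "unique_ips": len(seen),
            "unique_16s": len(prefixes), "changes": changes,
            "min_ttl": min(s.ttl for s in snaps)}

def looks_fast_flux(snaps, max_ttl=300, min_ips=5, min_prefixes=3):  # thresholds are assumptions
    """Short TTL, many addresses across many networks, answers changing between polls."""
    i = flux_indicators(snaps)
    return (i["min_ttl"] <= max_ttl and i["unique_ips"] >= min_ips
            and i["unique_16s"] >= min_prefixes and i["changes"] >= i["polls"] // 2)

def _snap(t, ttl, *ips):
    return Snapshot(t, frozenset(ips), ttl)

# Constructed: answer set rotates every 5 minutes with a 180 s TTL.
FLUX_POLLS = [_snap(0, 180, "10.11.0.5", "10.22.7.9"), _snap(300, 180, "10.22.7.9", "10.33.1.2"),
              _snap(600, 180, "10.33.1.2", "10.44.8.8"), _snap(900, 180, "10.55.3.3", "10.11.0.5"),
              _snap(1200, 180, "10.44.8.8", "10.66.2.1"), _snap(1500, 180, "10.66.2.1", "10.22.9.9")]
# Constructed: an ordinary site, same two addresses every poll, one-hour TTL.
STATIC_POLLS = [_snap(t, 3600, "192.0.2.10", "192.0.2.11") for t in (0, 300, 600)]

if __name__ == "__main__":
    for label, polls in (("flux", FLUX_POLLS), ("static", STATIC_POLLS)):
        print(label, flux_indicators(polls), looks_fast_flux(polls))
```

A content delivery network can also answer with several addresses and short TTLs, so treat the score as a prompt to look closer (reverse DNS, ASN diversity, whether the addresses are residential) rather than a verdict.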
This is a fascinating article by Brian Krebs about how the new hotness is to host your malware site on a constantly rotating network of compromised hosts.
It’s almost like the evil version of BitTorrent, except people don’t know they’re participating.
I also love how the systems are in different countries, so it’s harder to get jurisdiction to clean them all up. And when a few do get taken offline, they get replaced with new ones.
You basically have a queue of potential hosts that the malware automatically enrolls new victims in, and when it’s your turn, it’s your turn.
Stopping malware sites like these has always been a whack-a-mole proposition, but this takes it to a new extreme.
As a security person I cannot help but be impressed.