Friday, February 22, 2008

Malware Infected Hosts as Stepping Stones

The following service that's offering socks hosts on demand, is pretty much like the Botnet on Demand one, with the only difference in its marketing pitch, namely, these are malware infected hosts as well, however, access is offered through them, but not to them. The degree of maliciousness of these hosts can only be measured once the exact IPs are known, and by degree of maliciousness I'm refering to their state of openess, namely, can malware, spam and phishing be also relayed through them, or we can eventually look up the historical IP reputation to figure out whether such activities have been going on in the past as well. Moreover, such commercial propositions are directly related with proxy threats, ones outlined in a KYE paper entitled "Proxy Threats - Port v666" discussing various detection and mitigation approaches :

"In typical proxybot infections we investigate proxy servers are installed on compromised machines on random high ports (above 1024) and the miscreants track their active proxies by making them "call home" and advertise their availability, IP address, and port(s) their proxies are listening on. These aggregated proxy lists are then used in-house, leased, or sold to other criminals. Proxies are used for a variety of purposes by a wide variety of people (some who don't realize they are using compromised machines), but spam (either SMTP-based or WEB-based) is definitely the top application. The proxy user will configure their application to point at lists of IP:Port combinations of proxybots which have called home. This results in a TCP connection from the "outside" to a proxybot on the "inside" and a subsequent TCP (or UDP) connection to the target destination (typically a mail server on the outside)."

The commercial aspect's always there to say, and vertically integrate since besides selling the product in the form of the tool for, they could eventually start coming up with various related, and of course malicious services in the form of spamming, phishing etc. It's perhaps more interesting to discuss the big picture. Once a great deal of these malware infected hosts is accumulated in such a way, there's no accountability, and these act as stepping stones for any kind of cybercrime activities, as well as the foundation for other services such as the managed fast-flux provider I once exposed.

Stepping stones as a concept in cyberspace, can be used for various purposes such as, engineering cyber warfare tensions, virtual deception, hedging of risk of getting caught, or actually risk forwarding to the infected party/country of question, PSYOPs, the scenario building approach can turn out to be very creative. One of the main threats possed by the use of infected hosts as stepping stones that I've been covering in previous posts related to China's active cyber espionage and cyber warfare doctrine, is that of on purposely creating a twisted reality. China's for instance the country with the second largest Internet population, and will soon surpass the U.S, logically, it would also surpass the U.S in terms of malware infects hosts, and with today's reality of malware, spam and phishing coming from such, China will also undoubtedly top the number one position on malicious activities.

However, with lack of accountability and so many infected hosts, is China the puppet master the mainstream media wants you to believe in so repeatedly, or is the country's infrastructure a puppet itself? One thing's for sure - asymmetric and cost-effective methods for obtaining foreign intelligence and research data is on the top of the agenda on every government with an offensive cyber warfare doctrine in place.

No comments:

Post a Comment