[ISN] Attackers Adjusting Tactics to Evade Reputation Systems

From: InfoSec News <alerts_at_private>
Date: Mon, 10 Oct 2011 04:05:43 -0500 (CDT)
https://threatpost.com/en_us/blogs/attackers-adjusting-tactics-evade-reputation-systems-100711

By Dennis Fisher
ThreatPost
October 7, 2011

BARCELONA -- As in life, reputations on the Internet take time to build 
up. Attackers interested in making a quick buck aren't necessarily the 
most patient lot, so as the various reputation systems on the Web have 
gotten more sophisticated and accurate, the bad guys have had to adjust 
their tactics and find new ways to evade them and plant their 
command-and-control servers.

One of the consequences of the exhaustion of the IPv4 address space is 
that not only are legitimate companies having a hard time finding IP 
blocks to use, so are the attackers. The number of IP addresses required 
for large scale botnets to operate effectively can be considerable, and 
finding large IP blocks to use for them can be difficult. And if they do 
find them, the IP addresses often are blacklisted quickly by reputation 
systems and are then useless for the attackers.

Now, in one effort to get around these systems, some attackers are 
taking advantage of the lack of IPv4 space by either purchasing or 
renting blocks of IP space with good reputations that have been built up 
over the course of several years. A number of legitimate trading and 
auction sites have appeared as the IPv4 space became scarcer, and the 
attackers have gotten involved as well, getting their hands on known 
good IP blocks and using them for C&C or hosting malware.

"The bad guys can buy or rent these as well, getting inside known good 
IP blocks so that the reputation systems don't blacklist them as 
quickly," Gunter Ollmann, VP of research at Damballa, said in a 
presentation at the Virus Bulletin conference here Friday.

[...]


Received on Mon Oct 10 2011 - 02:05:43 PDT