I read about a new type of malware family that uses bulletproof hosting. What is bulletproof hosting and how are attackers using it? What are the proper defenses against this type of malware?
Bulletproof hosting has long been the holy grail of cybercriminals. The difficulty of providing bulletproof hosting is one of the main reasons that botnets were developed: so that cybercriminals could still run their operations even if one of their command and control nodes gets taken down at a "bulletproof host."
Bulletproof hosting is a service offered by hosting providers that generally ignores abuse complaints or tolerates potentially criminal activities. It is also known as "bulk-friendly hosting" -- for sending bulk email/spam.
While bulletproof hosting can be defended on freedom-of-speech grounds, some repressive governments might try to force a bulletproof host to take down material that is critical of or offensive to the government. Laws in some countries, however, allow for greater freedom of speech, and bulletproof hosts rely on those laws to protect the speech and their business. With the development of cloud hosting and the rapid provisioning of servers offered by cloud providers, cybercriminals can easily create their own bulletproof hosting on a standard cloud service provider, or they can even compromise an account on a legitimate cloud provider.
Cybercriminals today are interested in using bulletproof hosting to send spam and phishing attacks, to serve as drop sites for stolen data, or to hide their source connection. One of the most famous bulletproof hosting sites is the Russian Business Network covered extensively by Brian Krebs.
A new variety of malware -- the FlashPack exploit -- emerged that uses bulletproof hosting sites for malware distribution; it appears to be using the sites as a framework for loading different types of exploits.
While enterprises may not be able to stop the source of the malware, they can leverage the same defenses used to protect against general malware to protect against malware using bulletproof hosting. These defenses include using a network-based antimalware appliance or host-based antimalware tools, keeping systems updated with patches, etc.
In addition, it is advisable to use a Web proxy to allow only approved connections and to block newly registered domains (as this is a potential indicator of an attacker using bulletproof hosting). However, enterprises might want to monitor prior to outright blocking in order to limit the chance of legitimate connections being blocked. Also, organizations should use a threat intelligence feed to determine which hosts to block.
Additionally, DNS monitoring techniques used by cloud security providers could be used to block malicious hosts. Since the malware uses DNS to look up IP addresses to connect to websites hosted at bulletproof hosts, monitoring for suspicious DNS lookups could help identify systems connecting to a malicious website. The name lookup in DNS could be modified by the DNS server to redirect a potentially infected endpoint to a safe website, notifying the endpoint it was trying to connect to a malicious site.
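The following is an added example, not code from the original answer, showing how the three controls above (a threat intelligence blocklist, a newly-registered-domain check in monitor-then-enforce mode, and a DNS rewrite to a safe internal page) can be combined over resolver query logs. The threat feed, the registration dates, the sinkhole address, the 30-day threshold and the log format are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed threat-intel feed: domains already known bad (sinkhole at once).
THREAT_FEED = {"drop-site.example", "flashpack-cdn.example"}

# Constructed stand-in for WHOIS creation dates; a real deployment would
# query a domain-age service or its threat intelligence provider instead.
REGISTRATION_DATE = {
    "drop-site.example": date(2014, 10, 1),
    "fresh-loader.example": date(2014, 10, 5),
    "vendor-portal.example": date(2009, 3, 12),
}

SINKHOLE_IP = "10.0.0.250"   # assumed address of an internal warning page
NEW_DOMAIN_DAYS = 30         # assumed "newly registered" threshold

def registrable_domain(qname):
    """Reduce a queried name to its last two labels (simplified; production
    code should use the public suffix list to handle e.g. co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def classify(qname, today, enforce_new_domains=False):
    """Return (verdict, answer) for one query: 'block' rewrites the answer to
    the sinkhole, 'monitor' only logs, 'allow' passes the lookup through."""
    domain = registrable_domain(qname)
    if domain in THREAT_FEED:
        return "block", SINKHOLE_IP
    registered = REGISTRATION_DATE.get(domain)
    if registered is not None and today - registered <= timedelta(days=NEW_DOMAIN_DAYS):
        # Newly registered: observe first, rewrite only once policy is enforced.
        return ("block", SINKHOLE_IP) if enforce_new_domains else ("monitor", None)
    return "allow", None

def process_log(lines, today, enforce_new_domains=False):
    """Parse constructed resolver log lines '<client_ip> <qname> <qtype>' and
    return (client_ip, qname, verdict) for every query that is not allowed."""
    findings = []
    for line in lines:
        client, qname, _qtype = line.split()
        verdict, _answer = classify(qname, today, enforce_new_domains)
        if verdict != "allow":
            findings.append((client, qname, verdict))
    return findings

SAMPLE_LOG = [  # constructed sample queries from three internal clients
    "192.0.2.10 www.vendor-portal.example A",
    "192.0.2.11 cdn.fresh-loader.example A",
    "192.0.2.12 files.drop-site.example A",
]

if __name__ == "__main__":
    for finding in process_log(SAMPLE_LOG, date(2014, 10, 20)):
        print(finding)
```

Running the monitor pass first, then reviewing the 'monitor' findings before switching `enforce_new_domains` on, is the "monitor prior to outright blocking" step from the answer.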
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email! (All questions are anonymous.)