GFIRST 2010: social malware, insider threat, fast flux botnets ....

I will not be able to cover some of the really interesting presentations in this public forum due to the sensitivity of the topics, but here are a couple of tidbits for general consumption. "Emerging Threats in 2010" by Dave Marcus, Director of Security Research and Communications, McAfee Labs was one of my favorite presentations of the conference.

Read More

Operation Aurora - Searching for Stars, Finding Comets

When the ‘Operation Aurora, AKA trojan.hydraq’ controversy surfaced, we investigated the role, if any, of fast-flux botnets in the reputed exfiltration attacks from Chinese-supported actors against 33 US technology companies. Our preliminary results using FastFluxMonitor found no direct indication of fast-flux activity associated with the reported domain names. But just as astronomers may detect comets when observing stars, we did find associations between nameservers with fast-flux history and some of the domains and IPs involved in the attacks. In the FastFluxMonitor table below, we see that three of the reported domains used in these attacks share the same nameserver,, which is registered to Chinese network operator, CHINANET, ASN 4134, the leading ASN worldwide in terms of Conficker activity. domains-table-feb-11

Building on this finding, we then used FastFluxMonitor to discover more than 600 bots associated with fast-flux behavior registered to this ASN. In the FastFluxMonitor table below, we see that a few of the nameservers associated with a known-spamming IP from this ASN,, are classified as fast-flux. While the IP in question is not classified as fast-flux, its association with nameservers that are fast-flux is reason for suspicion.


With guilt-by-association, domain names or IPs associated with these nameservers are suspicious, irrespective of whether the individual IPs or domains are classified as fast-flux. Cyber-defenders can apply this intelligence as a proactive measure to filter access to or from these domains, IPs, and nameservers. As exfiltration attacks are often complex attacks preceded by social engineering probes such as spear-phishing, proactive measures such as real-time filtering are essential. Perimeter and vulnerability-based defenses are necessary, but insufficient, measures against social engineering attacks.

News Scan – Cyber Security

  • “… unless Google had told us about the attack on it and other companies, we probably never would have seen it. When you think about that, it’s really scary.” – “In Digital Combat, U.S. Finds No Easy Deterrent”, NY Times, Jan 26, 2010
  • ‘Had this attack employed more sophisticated hosting or resolution techniques like fast flux, even the IP addresses would have been useless..” – “Finding Aurora (googlehack)”, NetWitness Blog, Jan 15, 2010

Reflections on CATCH

I attended the Cybersecurity Applications and Technology Conference for Homeland Security conference on March 3-4, 2009 in Washington, DC. I had to leave on Sunday to escape the snowstorm but it was well worth the effort. The keynote speech American Crisis in Innovation by Pascal Levensohn was the most thought provoking presentation. (See related BusinessWeek blog.) Pascal articulated the broken ecosystem of innovation in USA, and argued forcefully about the need for promoting effective innovation partnerships between government and university research organizations, corporations, and entrepreneurs. Pascal quoted several statistics from Judy Estrin's book Closing the Innovation Gap. Estrin has empirically proven that America has relied too much on incremental innovation in recent years at the expense of the open-ended scientific research that eventually leads to truly breakthrough innovation. How true! NRL funded the development of GPS in 1970s when no one could foresee the applications it spawned today. How many American organizations are investing today in the GPSs of the future? More importantly, how many decision makers are heeding Levensohn's alarm? 

Another interesting session was the panel discussion on the second day. I was particularly impressed with the comments of DHS Cybersecurity Chief Rod Beckstrom, who called for the adoption of Web 2.0 platforms within the government and the development of a generalized model for sensorizing the Internet. I was sad to read that Rod Beckstrom resigned today. It's great loss for DHS.

Our presentation on Real-time Detection of Fast Flux Service Networks was received well. The presentation generated lots of questions, and considerable interest in our Fast Flux Monitor demo at the expo. Tina Williams of Unisys asked one of the more interesting questions: From the tens of thousands of IPs in your DB, what user segments (ISP, edu, enterprise...) have this problem? Is the solution policy or technology? There is no question that ISPs and universities in USA are most seriously inflicted with the fast flux problem. The enterprise has a botnet problem with its mobile workforce. The government has started doing a better job in protecting its machines being recruited into zombies. The solution is both technology and policy. You can't be aware of the problem without the technology. However, you still need to train your personnel for effective remedies.

One final note. Congratulations to Dr. Doug Maughan, who runs the cybersecurity R&D at DHS using a collaborative model. As Milcord, we have participated in this program for the last three years. Open collaboration did improve our botnet defense solution with the suggestions of our colleagues in this program. Collaborative research programs in information technology are rare within the government. I wish more Program Managers adopted such a philosophy.

Milcord presents FastFlux Botnet Intelligence service at CATCH Conference

Milcord, LLC. - WALTHAM, MA – Milcord LLC presented findings from and announced the launch of a Cyber Security Intelligence Web service that detects and monitors Fast Flux botnets at the CATCH (Cybersecurity Applications and Technology Conference for Homeland Security) Conference in Washington D.C. The Web service was developed under a Phase II STTR (Small Business Innovation Research – Technology Transfer) project funded by DHS Cyber S&T.  Milcord also received support from Sandia National Labs. The FastFlux Monitor service is a tool for cyber defenders in government and enterprises that detects and tracks the behavior of key components (domain names, IP addresses, domain name servers, ISPs) in fast flux botnets.  The service is available for evaluation and subscription. About Milcord: Since 2003 Milcord has been delivering knowledge management technologies and solutions for a range of applications including cyber defense, human and social modeling, geospatial intelligence, and information management. Milcord’s federal customers include Air Force Research Labs, Office of Naval Research, Army Research Labs, Army Geospatial Center, Office of Secretary of Defense, Department of Energy, and NASA.  For more information see

DHS Conference on Cyber Security (CATCH)

How can an organization defend against cybercrime enabled by botnets operating as fast flux service networks? Milcord will present its solution for "Real-time Detection of Fast Flux Service Networks" and botnets at the Cybersecurity Applications and Technology Conference for Homeland Security conference scheduled March 3-4, 2009 in Washington, DC. Very soon afterwards we'll be announcing the beta release of our new product Fast Flux Monitor that was the foundation for our research investigation.  To find out more about our research, visit the [[Botnet Defense]] project page.

Here's the abstract:

Here we present the first empirical study of
detecting and classifying fast flux service networks
(FFSNs) in real time. FFSNs exploit a network of
compromised machines (zombies) for illegal activities
such as spam, phishing and malware delivery using
DNS record manipulation techniques. Previous studies
have focused on actively monitoring these activities
over a large window (days, months) to detect such
FFSNs and measure their footprint. In this paper, we
present a Fast Flux Monitor (FFM) that can detect and
classify a FFSN in the order of minutes using both
active and passive DNS monitoring, which
complements long term surveillance of FFSNs.

Milcord at 2007 Monterey Homeland Security Conference

Milcord exhibited its [[Botnet Defense|botnet defense]] technology in a poster session and presented a paper in the Infrastructure Protection session at the Naval Postgraduate School. The conference is a showcase for innovative research being performed at U.S. Academic and other research institutions, including National Laboratories and Federally Funded Research and Development Centers. [[Botnet Defense|more...]]

Milcord in C4ISR - The Journal of Network-Centric Warfare

Ross Stapleton-Gray discusses "How to Reclaim Computer Networks from Botnets" with particular insight into the cyber attack on Estonia.

Alper Caglayan is the principal investigator at Milcord LLC of Waltham, Mass., which, with the University of Wisconsin and its Wisconsin Advanced Internet Laboratory, was one of the HS-ARPA’s STTR awardees. Milcord’s approach is aimed at reducing the overall bot “ecosystem,” which would reduce their availability for use in attacks such as that conducted against the Estonian Internet sites.

“Our product probably would help Estonia indirectly,” Caglayan said. “If ISPs and corporate networks were using our product to detect and mitigate infected computers, the attacks on Estonia’s government resources would be much less effective. Our goal in this project is not so much to stop systems from being infected, but to detect the infection as soon as possible, then to mitigate the infection.”

Read more about our [[Botnet Defense]] project.