Attackers and the Battle to Evade Reputation Evaluators

December 11, 2012

Botnets are large networks of computers that spread malware across the Internet. In order to do that, botnets need to acquire large volumes of IP addresses for their malicious machines. But IP address space is getting tight these days, something that large organizations of all kinds – large-scale corporations and tentacled botnets alike – are confronting.


At the same time, online reputation systems that track and grade online activity are getting more precise. Botnets tend to use an IP address until it gets blacklisted by reputation groups, then they move on to new addresses. But because unused IPs are vanishing, legitimate and illegitimate groups alike are scrambling to find addresses whose reputations have not yet been sullied. Many botnets are participating in online auctions to rent or buy clean IPs, then destroying their online reputations – and once an IP’s reputation has been tarnished it is very hard to resurrect.

That’s one of the newer tactics that online attackers are using to work their craft, but other groups are simply modifying older techniques. Many are using sophisticated algorithms to create thousands of new, unused domain names every day. According to Gunter Ollmann, VP of research at security firm Damballa, there is one botnet he is familiar with that operates up to 80,000 domains at a time with the expectation that it will lose 5,000 domains each day but create 5,000 new ones that it can then effectively run into the ground.

Still other botnets practice the tried and true art of hacking the massive servers of reputable organizations, then using their reputable IPs to proliferate their malware until the reputations of those IPs are sufficiently downgraded that they are no longer usable or the presence of the hackers is otherwise detected.

In the ever-heightening arms race between hackers and those that wish to stop them or simply steer clear of them, the fight for IP territory is one of the most hotly contested battles currently being waged.