Imagine an army of zombie shape-shifters, complete with zombie name servers handing out fresh, valid answers to every request… a botnet whose hosts change location at will. Filters that rely heavily on resolving a hostname to a stable IP address to snag spam, viruses, keystroke-loggers and phishing attacks would be helpless. Science fiction? Nope. It’s already here. Check this posting on Daily Dave:

The hostname that is hosting the phishing site is served up by five different name servers. Those five name servers are on home computers residing on networks such as Comcast, Charter, etc.

The name servers are using some sort of round-robin DNS to serve up five different IP addresses for the phishing site, and the five IP addresses used are changing every ten to fifteen minutes. The IPs hosting the phishing site also are home machines on the Comcast, Charter, etc. networks.

All of this seems to be a distributed phishing scam controlled by some sort of bot network. I’ve spoken with a couple of the ISPs involved and they have seen one other organization - just this weekend - that has been attacked in a similar way.

This type of phishing site organization is virtually impossible to get shut down, other than having the registrar of the domain deactivate the domain. Anyone that has ever worked with a registrar on something like this knows that it’s like speaking to a wall, so if anyone that works at a registrar reads this, know that this type of thing will become more common and you must become easier to work with.

SANS suggests: “Some ISPs can help their customers combat such attacks by implementing a type of domain hijacking, intercepting and redirecting malicious DNS traffic that traverses their network. While this approach does not entirely mitigate the issue, it does mitigate it within the ISP’s network; it is particularly effective if implemented by a large ISP. Considering the limitations of this mechanism, having domain registrars develop processes for addressing this attack scenario would be very helpful.”
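To make the two halves of this concrete, here is an added example that is not part of the Daily Dave posting or of the SANS advice: a small Python script that scores a series of DNS observations for the pattern the poster describes (a handful of A records that rotate every ten to fifteen minutes, with both the answers and the authoritative name servers scattered across unrelated networks), and then emits the response-policy-zone (RPZ) lines an ISP resolver would need to sinkhole or redirect the name, which is the interception SANS suggests. The observations, hostnames and addresses are constructed (private 10.x.x.x space is used purely as a placeholder for residential IPs), the /16 prefix count is a crude stand-in for "distinct networks" when no ASN data is at hand, and the thresholds are assumptions chosen to separate the two sample domains, not measured values.

```python
"""Fast-flux heuristics over constructed DNS observations, plus RPZ sinkhole records.

Added example; not code from the original posting or from SANS. All data,
names and thresholds below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Observation:
    """One resolution of a hostname at time `ts` (seconds since first lookup)."""
    ts: int
    ttl: int
    a_records: FrozenSet[str]   # addresses the hostname resolved to
    ns_ips: FrozenSet[str]      # addresses of the authoritative name servers


def prefixes(ips, bits: int = 16):
    """Distinct /bits networks the addresses fall in (crude stand-in for ASN diversity)."""
    return {ip_network(f"{ip}/{bits}", strict=False) for ip in ips}


def churn(observations: List[Observation]) -> float:
    """Average fraction of A records in each lookup that were absent from the previous lookup."""
    if len(observations) < 2:
        return 0.0
    total = 0.0
    for prev, cur in zip(observations, observations[1:]):
        total += len(cur.a_records - prev.a_records) / len(cur.a_records)
    return total / (len(observations) - 1)


def flux_features(observations: List[Observation]) -> Dict[str, float]:
    all_a = set().union(*(o.a_records for o in observations))
    all_ns = set().union(*(o.ns_ips for o in observations))
    return {
        "distinct_a": len(all_a),
        "a_prefixes": len(prefixes(all_a)),
        "ns_prefixes": len(prefixes(all_ns)),
        "churn": churn(observations),
        "max_ttl": max(o.ttl for o in observations),
    }


# Assumed thresholds (illustrative). Churn alone is not enough: a CDN also
# rotates answers quickly, but stays inside its own address blocks and keeps
# its name servers in a few well-known networks.
MIN_A_PREFIXES = 4    # answers spread across >= 4 distinct /16s
MIN_NS_PREFIXES = 3   # the name servers themselves scattered across networks
MIN_CHURN = 0.5       # at least half the answer set replaced between lookups
MAX_TTL = 900         # TTL short enough for the rotation to take effect


def is_fast_flux(observations: List[Observation]) -> bool:
    f = flux_features(observations)
    return (f["a_prefixes"] >= MIN_A_PREFIXES
            and f["ns_prefixes"] >= MIN_NS_PREFIXES
            and f["churn"] >= MIN_CHURN
            and f["max_ttl"] <= MAX_TTL)


def rpz_records(name: str, redirect: Optional[str] = None) -> List[str]:
    """RPZ zone lines for a recursive resolver.

    `CNAME .` makes the resolver return NXDOMAIN for the name and everything
    under it; a CNAME to a walled-garden host redirects clients instead.
    """
    target = "." if redirect is None else redirect.rstrip(".") + "."
    return [f"{name} CNAME {target}", f"*.{name} CNAME {target}"]


# Constructed sample: a phishing host whose five answers rotate every 15 minutes,
# served by five name servers on five unrelated networks (mirrors the posting).
FLUX_OBSERVATIONS = [
    Observation(0, 600, frozenset({"10.11.0.1", "10.22.0.1", "10.33.0.1", "10.44.0.1", "10.55.0.1"}),
                frozenset({"10.101.0.1", "10.102.0.1", "10.103.0.1", "10.104.0.1", "10.105.0.1"})),
    Observation(900, 600, frozenset({"10.66.0.1", "10.77.0.1", "10.88.0.1", "10.99.0.1", "10.11.0.2"}),
                frozenset({"10.101.0.1", "10.102.0.1", "10.103.0.1", "10.104.0.1", "10.105.0.1"})),
    Observation(1800, 600, frozenset({"10.12.0.1", "10.23.0.1", "10.34.0.1", "10.45.0.1", "10.66.0.1"}),
                frozenset({"10.101.0.1", "10.102.0.1", "10.103.0.1", "10.104.0.1", "10.105.0.1"})),
]

# Constructed sample: a CDN-style host. Answers change on every lookup with a
# 60 s TTL, but stay inside two /16s and the name servers sit in those same blocks.
CDN_OBSERVATIONS = [
    Observation(0, 60, frozenset({"10.200.1.1", "10.200.1.2", "10.201.1.1"}),
                frozenset({"10.200.0.53", "10.201.0.53"})),
    Observation(900, 60, frozenset({"10.200.1.3", "10.200.1.4", "10.201.1.2"}),
                frozenset({"10.200.0.53", "10.201.0.53"})),
    Observation(1800, 60, frozenset({"10.200.1.1", "10.201.1.1", "10.201.1.3"}),
                frozenset({"10.200.0.53", "10.201.0.53"})),
]


if __name__ == "__main__":
    for label, obs in (("phish.example", FLUX_OBSERVATIONS), ("www.example", CDN_OBSERVATIONS)):
        print(label, flux_features(obs), "fast-flux" if is_fast_flux(obs) else "benign")
        if is_fast_flux(obs):
            print("\n".join(rpz_records(label, redirect="walledgarden.isp.example")))
```

The point of the second sample is that answer churn and low TTL on their own describe every large CDN; what distinguishes the posting's scenario is that both the answers and the authoritative servers live on unrelated (here, consumer) networks. A resolver loading the emitted RPZ lines answers for the name itself, so clients behind that ISP never reach the zombies, while, as SANS notes, anyone using another resolver is unaffected.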

Luckily, SMTP-borne attempts to deliver viruses, keystroke-loggers and phishing links by spam can still be curbed at the network border: a traffic-shaping email security appliance acts on the behaviour of the sending connection rather than on resolving the phishing hostname, so fast-flux hosting of the landing page does not blind it. It does nothing about the phishing site itself, which is why the registrar and ISP measures above still matter.