Thursday, July 7, 2016

Feedly:Understanding Java Code and Malware | Malwarebytes Unpacked. Intentional security holes



from Understanding Java Code and Malware | Malwarebytes Unpacked

Sinkholes and watering holes are two expressions not automatically associated with computer security, yet both are used to describe tactics in this field.

Both are set up in order to disrupt the “normal” flow of things. This post aims to introduce both these expressions and explain the differences, so you won’t get them confused.

Sinkhole

A DNS sinkhole in cyberspace is a means of taking away traffic from the intended target. It is often used as a defense mechanism against botnets. The DNS of the Command and Control (C&C) server(s) is interrupted and the traffic can either be dropped or rerouted for analysis. One objective of analysis is to get an overview of the drones in the botnet that are under control of the C&C.

A Windows hosts file that blocks traffic to known malicious domains can be considered a miniature sinkhole, as it can be used to ‘drop’ the traffic to all the domains listed in the hosts file by rerouting it to 127.0.0.1 (localhost). In computer networking, localhost is a hostname that resolves to ‘this computer’, so the traffic never leaves the computer.

On a larger scale, network administrators can use DNS sinkholing to prevent access to malicious URLs at an enterprise level by deploying an internal DNS sinkhole server. The request can trigger a custom page telling the user that the requested domain is blacklisted. However, this will not work against threats that use their own DNS resolver.
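The hosts-file sinkhole and the "overview of the drones" objective described above can be combined in a small defender-side check. This is an added example, not code from the original post: it reads hosts-style sinkhole entries and reports which clients in a resolver log asked for a sinkholed name. The domains, client addresses and the `time client qname` log layout are constructed assumptions.

```python
from collections import defaultdict

SINK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}  # addresses that 'drop' traffic

# Constructed sample hosts file (placeholder domains, not real indicators).
HOSTS_TEXT = """\
# local sinkhole entries
127.0.0.1   localhost
127.0.0.1   c2.botnet.example   update.botnet.example  # two names, one line
0.0.0.0     Tracker.Malware.Example
10.0.0.5    intranet.corp.example
"""

# Constructed resolver log; the "time client qname" layout is an assumption.
QUERY_LOG = """\
2016-07-07T09:00:01 10.1.1.20 www.example.org.
2016-07-07T09:00:03 10.1.1.31 c2.botnet.example.
2016-07-07T09:00:09 10.1.1.31 C2.BOTNET.EXAMPLE.
2016-07-07T09:01:12 10.1.1.44 tracker.malware.example
2016-07-07T09:01:15 10.1.1.20 sub.c2.botnet.example.
malformed line
"""

def normalize(name):
    # DNS names are case-insensitive; logs often carry the trailing root dot.
    return name.rstrip(".").lower()

def parse_sinkholed(hosts_text):
    """Return the hostnames a hosts file maps to a sink address."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] in SINK_ADDRS:
            names.update(normalize(n) for n in fields[1:])
    names.discard("localhost")  # the legitimate loopback entry is not a block
    return names

def clients_hitting_sinkhole(log_text, sinkholed):
    """Map each client to {sinkholed name: query count}; skip bad lines."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        qname = normalize(fields[2])
        if qname in sinkholed:  # exact match: hosts files have no wildcards
            hits[fields[1]][qname] += 1
    return {client: dict(counts) for client, counts in hits.items()}

if __name__ == "__main__":
    for client, names in clients_hitting_sinkhole(QUERY_LOG, parse_sinkholed(HOSTS_TEXT)).items():
        print(client, names)
```

Because a hosts file matches whole names only, the query for `sub.c2.botnet.example` is not counted; a sinkhole DNS server that answers for an entire zone would catch it.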

A very special form of sinkholing against botnets was carried out by Kaspersky in the first Hlux/Kelihos takedown. After reverse engineering the workings of the botnet, they managed to introduce a sinkhole and make all the drones talk to that machine instead of the other controllers.


Watering holes

Watering holes are used as a targeted attack strategy. The attacker infects a website that he knows his intended victim(s) visit regularly. Depending on the nature of the infection, he can single out his intended target(s) or just infect anyone that visits the site unprotected. The watering hole strategy is a mix of social engineering, hacking, and drive-by infections, which requires a high level of knowledge and a well-thought-out strategy.

This is normally used against high-profile targets and organizations of great importance as a way to get a foothold inside such an organization by infecting one or more of their systems.

The attacker needs the following knowledge to perform the watering hole technique successfully:

  • A website that is visited on a regular basis by the target
  • A vulnerability on the target’s system that can be exploited
  • A way to infect the site with their exploit of choice


Telling them apart

An easy way to remember what’s what is to keep in mind their real life equivalents. A sinkhole absorbs anything that comes near and a watering hole is a pub, a place that attracts people and where they are more likely to show their weaknesses.


Pieter Arntz
