incrediBILL - 6:19 pm on May 5, 2008 (gmt 0)
The recent rash of botnet [webmasterworld.com] issues has uncovered that the source of power for the latest and most widespread strain of malware is the free DNS servers being used to locate their command centers.

Why this is a problem is because these dynamic DNS services allow anyone to freely create a dynamic domain name such as "any-subdomain.example.com" which can be quickly and easily redirected to any new server when the previous botnet command and control center (C&C) is identified and blocked. Botnets tend to have lots of infected machines that are idle, just waiting to be put into service, therefore closing one command center only shuts down the bot for a few minutes, perhaps even seconds, until the IP address is changed for "any-subdomain.example.com" to point to the next infected server now being used as the botnet C&C.

Best yet, the latest botnet strains have algorithms that allow them to detect new random subdomain names created, so when "botnetsubdomain1.example.com" is removed from the free DNS service a new "botnetsubdomain2.example.com" is created, which the botnet can detect, and continues to run. The names being used are completely randomized so it's not as simple as looking for something like "botnetsubdomain*.example.com" and blocking all variations, as it's fairly undetectable.

Therefore, it seems a simple solution to eliminating this threat posed by free dynamic DNS services is to filter out the free variations of the dynamic domain names so that "any-subdomain.example.com" isn't accessible by anyone from a broadband service, which would render the entire current variation of the Kraken botnet completely harmless. So the question then is: should broadband services, or all internet services for that matter, block these free dynamic DNS services in order to protect the safety of the internet as a whole and stop hundreds of thousands of machines from communicating with their command center in one simple step?

I'd say YES. Just like ISPs currently use RBS to block spammers and known hosts of malware, it's a reasonable step to providing internet-wide security against this latest and the most difficult to stop (to date) brand of botnet before more copycats emerge and the situation is completely out of control.
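The filter the post proposes, as an added example (not code from the post or from any DNS provider): a label-boundary-aware suffix match that blocks every name under a free dynamic-DNS zone, whatever the randomized host label, plus the response policy zone (RPZ) rules a recursive resolver such as BIND or Unbound could load to return NXDOMAIN for those names. The zone names in BLOCKED_ZONES and the sample query names are constructed placeholders, not a real list of abused providers.

```python
"""Resolver-side blocking of free dynamic-DNS zones (illustrative example)."""
from typing import Iterable, List, Optional, Tuple

# Constructed placeholder zones; a real deployment would load these from a
# maintained list of free dynamic-DNS providers.
BLOCKED_ZONES: Tuple[str, ...] = ("example.com", "dyn.example.net")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so matching is case/FQDN insensitive."""
    return name.strip().rstrip(".").lower()


def zone_for(name: str, zones: Iterable[str] = BLOCKED_ZONES,
             include_apex: bool = False) -> Optional[str]:
    """Return the blocked zone `name` falls under, or None.

    Matching is done on whole labels, so 'notexample.com' is NOT caught by
    'example.com'. The zone apex itself (the provider's own site) is only
    blocked when include_apex=True; by default only hosts under it are.
    """
    labels = normalize(name).split(".")
    for zone in zones:
        zl = normalize(zone).split(".")
        if labels == zl:
            if include_apex:
                return ".".join(zl)
            continue
        if len(labels) > len(zl) and labels[-len(zl):] == zl:
            return ".".join(zl)
    return None


def is_blocked(name: str, zones: Iterable[str] = BLOCKED_ZONES,
               include_apex: bool = False) -> bool:
    return zone_for(name, zones, include_apex) is not None


def rpz_records(zones: Iterable[str] = BLOCKED_ZONES,
                include_apex: bool = False) -> List[str]:
    """RPZ rules: 'CNAME .' yields NXDOMAIN. One wildcard rule per zone,
    plus an apex rule if the provider's own name should be blocked too."""
    out: List[str] = []
    for zone in zones:
        z = normalize(zone)
        if include_apex:
            out.append(f"{z} CNAME .")
        out.append(f"*.{z} CNAME .")
    return out


def filter_queries(queries: Iterable[str],
                   zones: Iterable[str] = BLOCKED_ZONES) -> Tuple[List[str], List[str]]:
    """Split a batch of query names into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for q in queries:
        (blocked if is_blocked(q, zones) else allowed).append(normalize(q))
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample of resolver queries: randomized host labels under a
    # dynamic-DNS zone, the provider apex, and look-alike names that must pass.
    sample = [
        "x7q2k9.example.com",
        "Botnetsubdomain2.EXAMPLE.COM.",
        "example.com",
        "notexample.com",
        "a.b.dyn.example.net",
        "mail.example.org",
    ]
    ok, bad = filter_queries(sample)
    print("allowed:", ok)
    print("blocked:", bad)
    print("\n".join(rpz_records()))
```

The wildcard rule is what makes the approach robust against the random-subdomain behaviour described above: no pattern on the host label is needed because the zone suffix alone decides. Keep include_apex off unless you also intend to block the provider's own website, and expect collateral damage for legitimate dynamic-DNS users on the same zone.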