Reply to post: Re: Well that's a good solution

'Shut down the parts of internet used by Islamic State masterminds'

Vic

Re: Well that's a good solution

It is quite possible to host an unregistered web site or to register it with an alternative registry

I expect to see a rather different approach. Bear with me - this works in several phases...

Firstly, you get hold of a botnet. You install nameservers on the bots, and allow recursive lookups. Initially, you use this for DDoS by way of a DNS amplification attack[1]. This appears to be the purpose of the malware - but is actually a smokescreen. Each botnet member spewing forged UDP DNS requests to a different member means the botnet is pretty much self-sustaining in its attack.

The second step - assuming you haven't over-blown the first step and gotten the botnet shut down - is to use your DNS botnet for a little spoofing. Using malware to change people's nameservers, you get innocent people to use your DNS resolvers - installing a counterfeit root CA will also make things a lot easier. But occasionally, you send spoofed DNS responses, causing some traffic to be redirected to spoofed sites[2]. There's a little profit to be made in this phase, but it is yet again a smokescreen.

Now comes phase three. This is the real purpose of the setup. Your bad guys get themselves infected with the malware that causes the nameserver change. This is the deniability bit - they're innocent victims of known malware, right? Now your operatives search Google for some fairly innocent term - but, they are redirected to a server[3] you control, and are given the comms you want them to get. It looks like traffic-hijacking, but it becomes a covert comms channel.

The only really tricky part is to get the botnet up and running - but we know such things already exist. The malware to cause nameserver changes and root CA acceptance *should* be mickey-mouse; that will mean the real innocents will mostly avoid the infection, and the technical media can scoff at how unsophisticated the attack is. The people whom you want to infect - your covert operatives - will permit the infection, and create the channel. It's deniable, it would be as hard to trace as most botnet activity, and it can pass messages over SSL without looking overly suspicious.

The only way I can imagine to prevent such activity is to work to prevent botnets occurring in the first place. And that requires our glorious overseers to use their knowledge of zero-days to help the general population, rather than just hoarding vulnerabilities to backdoor machines...

Vic.

[1] DNS amplification attacks are already happening. One of my servers was once used for that purpose; it actually DOSed my connection. I had to shut down my external resolver - which had previously been very useful to me. But it had become a hazard to others.

[2] Nameserver changes and site hijacking are already happening.

[3] This server could indeed be distributed amongst the botnet, making tracing it yet harder.
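The amplification abuse described in phase one and in footnote [1] leaves a recognisable trace in a resolver's own query log. The following detection script is an added example, not code from the post or from The Register; it assumes a hypothetical one-query-per-line log format (time, client address, query type, name, request bytes, response bytes) and uses constructed sample lines.

```python
"""Flag likely DNS amplification abuse in a recursive resolver's query log.

Added example (not from the original post). Assumes a hypothetical log
format, one query per line:
    <time> <client-ip> <qtype> <qname> <request-bytes> <response-bytes>
The "client" address of an amplification query is usually the forged
address of the flood's victim, so the fix is to stop answering external
recursive queries and to rate-limit responses, not to block that address.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: one spoofed victim address receiving large ANY
# answers, plus ordinary lookups from a normal client.
SAMPLE_LOG = """\
12:00:01 203.0.113.7 ANY example.org 64 3200
12:00:01 203.0.113.7 ANY example.org 64 3200
12:00:01 203.0.113.7 ANY example.org 64 3200
12:00:02 203.0.113.7 ANY example.org 64 3200
12:00:02 203.0.113.7 ANY example.org 64 3200
12:00:02 203.0.113.7 ANY example.org 64 3200
12:00:02 198.51.100.5 A www.example.com 60 76
12:00:03 198.51.100.5 AAAA www.example.com 60 88
"""


def parse_line(line: str) -> Tuple[str, str, int, int]:
    """Return (client, qtype, request_bytes, response_bytes) for one log line."""
    _time, client, qtype, _qname, req, resp = line.split()
    return client, qtype, int(req), int(resp)


def per_client_stats(log: str) -> Dict[str, Tuple[int, float]]:
    """Count queries and average response/request size ratio per client address."""
    counts = defaultdict(int)
    ratio_sum = defaultdict(float)
    for line in log.splitlines():
        if not line.strip():
            continue
        client, _qtype, req, resp = parse_line(line)
        counts[client] += 1
        ratio_sum[client] += resp / req
    return {c: (counts[c], ratio_sum[c] / counts[c]) for c in counts}


def flag_amplification(log: str, min_queries: int = 5, min_ratio: float = 10.0) -> List[str]:
    """Many queries whose answers dwarf the requests, all 'from' one address,
    are the amplification signature: bulk traffic is being reflected there."""
    stats = per_client_stats(log)
    return sorted(c for c, (n, r) in stats.items() if n >= min_queries and r >= min_ratio)


if __name__ == "__main__":
    for client in flag_amplification(SAMPLE_LOG):
        print(f"probable reflection target: {client}")
```

Thresholds are deliberately simple; in practice the same per-address counting is what response rate limiting on the resolver keys on.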
