Chinese RSA attack domains designed to taunt US government

ChangeIP.com's Norris said: "99% of the time, when these guys logged in to one of their accounts to change the IP address for a domain, they were coming from a Chinese address."
ChangeIP.com's Norris said: "99% of the time, when these guys logged in to one of their accounts to change the IP address for a domain, they were coming from a Chinese address."

Former Washington Post security researcher Brian Krebs says that, whilst reviewing a document from the US Computer Emergency Readiness Team (US-CERT), he came across a set of domains that were used in the intrusion at RSA.

"Some of the domain names on that list suggest that the attackers had (or wanted to appear to have) contempt for the United States. Among the domains used in the attack (extra spacing is intentional in the links below, which should be considered hostile):

www usgoodluck.com

obama servehttp.com

prc dynamiclink.ddns.us

"Note that the last domain listed includes the abbreviation PRC, which could be a clever feint, or it could be Chinese attackers rubbing our noses in it, as if to say, 'Yes, it was the People’s Republic of China that attacked you: What are you going to do about it?' ", says Krebs in his security blog.

According to the security researcher, most of the domains trace back to so-called dynamic DNS providers – services that allow users to have websites hosted on servers that frequently change their internet addresses.

Unfortunately, says Krebs, these dynamic DNS providers are extremely popular in the attacker community, because they allow bad guys to keep their malware and scam sites up even when researchers manage to track the attacking IP address and take action.

In such cases, he explained, dynamic DNS allows the owner of the attacking domain to simply re-route the attack site to another internet address that s/he controls.

Krebs quotes Sam Norris, founder of ChangeIP.com, the dynamic DNS provider responsible for many of the root domains on US-CERT's list, as saying he blocked the IP addresses involved with the RSA attacks as soon as US-CERT alerted him.

Norris said the account holder wanted to know the reason his domain was killed.

"This guy has been emailing me, asking me for the account back, saying things like 'Hey, I had important stuff on that domain, and I need to get it back' ", said Norris.

"The bad guys are definitely interested in getting it back, which means we probably cut off their communications or made it so that they couldn't clean up their trail afterward”, he added.

Norris also makes the revealing comment that "99% of the time, when these guys logged in to one of their accounts to change the IP address for a domain, they were coming from a Chinese address."

What’s Hot on Infosecurity Magazine?