4 X Security Team

on November 20th, 2007

Cybercriminals are increasingly using an advanced method of hiding and sustaining their malicious Websites and botnet infrastructures — dubbed “fast-flux” — that could make them more difficult to detect, researchers say.

DNS Fast Fluxing is also referred to simply as Fast Fluxing, although some advanced security researchers claim Fast Fluxing of services other than Domain Name Services (DNS) may be possible with future developments in attack-and-command botware and crimeware frameworks; in any case, the International Security Convention Consortium (ISCC) will have to convene to consider an appropriate protocol convention for these issues. In the interest of brevity and throughout this article I will generally only make references to “Fast Fluxing” rather than use the long-hand title of DNS Fast Fluxing, and I humbly deign to apologize in advance for any misunderstandings of confusion.

DNS Fast Fluxers, also known as DFFers (or in some circles, FFers) are classed amongst some of the most dangerous of threats to your online assets. DFFers are notorious for defeating anti-phencing systems using flaws within Domain technology such as DNS Services, and for utilizing these flaws to avoid being detected. This makes the DFFer harder to track down completely, as his peer network command is decentralized through the tunnels provided by the popular Internet naming services.

WHAT IS DNS FAST FLUXING?

Fast flux is an advanced method being used by determined botnet operators to hide and preserve their malicious Websites and botnet infrastructures. The bad guys behind Warezov/Stration and Storm, for instance, have separately moved their infrastructures to fast-flux service networks, according to members of the Honeynet Project & Research Alliance, who monitor fast-flux behavior via their honeypots.

With Fast Flux, infected bot machines serve as proxies or hosts for malicious Websites and get rotated regularly, changing DNS records to evade discovery. IP blacklists are basically useless in finding fast flux-based botnets. The bad guys behind these networks can easily hide their fake online pharmacies, pornography, phishing sites, and other malicious content servers using this “round-robin” process.

• Mark Wade

Mark Wade, 10 year veteran in information security and current manager of Research Content with Computer Associates’ Threat Research Team, and contributer to the Computer Associates Security Advisor Research Blog (CARBS) writes:

“I decided to take a deeper look and see what I could find out about a botnet operation that I stumbled across. This investigation begins from a spammed email message I received, that was selling jewelry.

Since it is common practice we can assume the email was sent or relayed from a compromised computer that may have been part of a botnet. There were two websites in the email message: http://ryih.mhhimto.com and rmfx.mhhimto.com.

Using nslookup, I entered rmfx.mhhimto.com to resolve its IP address. I was not surprised to see eight completely different returned IP addresses returned, all ranging from various IP netblocks. Since I have seen similar types of activity in the past, I ran nslookup again to see if the IP addresses changed. Sure enough, in just under 10 minutes the previously listed IP addresses changed to a completely new set of IP addresses. This seemed to happen about every ten minutes. I quickly identified the ever changing IP addresses as DNS fast fluxing.

Fast fluxing is a method of deception utilized by botnets to conceal the identity of the bot herder or parts of the criminal activity. Fast fluxing works by constantly rotating compromised IP addresses, which are usually acting as a proxy to the end system. This is extremely beneficial to criminals who are involved in phishing scams or using compromised web sites used to deliver malware. “

• The Honeynet Project

The Honeynet Project & Research Alliance defines a fast-flux network as :
“Fast-flux service networks are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. These constantly changing architectures make it much more difficult to track down criminal activities and shut down their operations.“

• Adam O’Donnell of Cloudmark

“The purpose of this technique is to render the IP-based block list — a popular tool for identifying malicious systems — useless for preventing attacks,” says Adam O’Donnell, director of emerging technologies at security vendor Cloudmark.

“Fast flux is just the latest method of survival for the bad guys: There are more to come. Any technique that allows a malicious actor to keep his network online longer — and reduce the probability of his messages and attacks being blocked — will be used,” he says. “This is just the latest of those techniques.”

• Ralph Logan, The Logan Group

“All of this research on fast-flux is new. No one had any definitive research on it. [..] We saw a rising trend in illegal, malicious criminal activity here.. [..] Fast-flux helps cybercriminals hide their content servers, including everything from fake online pharmacies, phishing sites, money mules, and adult content sites,” Logan says. “This is to keep security professionals and ISPs from discovering and mitigating their illegal content.”

The bad guys like fast-flux — not only because it keeps them up and running, but also because it’s more efficient than traditional methods of infecting multiple machines, which were easily discovered.

“The ISP would shut down my 100 machines, and then I’d have to infect 100 more to serve my content and relay my spam,” Logan says. Fast-flux, however, lets hackers set up proxy servers that contact the “mother ship,” which serves as command and control. It uses an extra layer of obfuscation between the victim (client) and the content machine, he says.

“Our honeypot can capture actual traffic between the mother ship and the end node,” Logan says. The Alliance is still studying the malicious code and behavior of the fast-flux network it has baited.

A domain has hundreds or thousands of IP addresses, all of which are rotated frequently — so the proxy machines get rotated regularly, too – some as often as every three minutes — to avoid detection. “It’s not a bunch of traffic to one node serving illegal code,” Logan says.

“I send you a phishing email, you click on www.homepharmacy.com — but it’s really taking you to Grandma’s PC on PacBell! .. Which wakes up and says ‘it’s my turn now!‘ threatens Logan. “You’d have 100 different users coming to Grandma’s PC for the next few minutes, and then Auntie Flo’s PC gets command-and-controlled next!” he says, with a menacing tone.

Sources:

http://community.ca.com/blogs/securityadvisor/archive/2007/11/07/web-of-deception.aspx

http://www.darkreading.com/document.asp?doc_id=132720

[Source: xssworm]