Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/17/2007
08:56 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Attackers Hide in Fast Flux

Storm and Warezov/Stration have already adopted an evil load-balancing and evasion technique that's tougher to detect

Cybercriminals are increasingly using an advanced method of hiding and sustaining their malicious Websites and botnet infrastructures -- dubbed "fast-flux" -- that could make them more difficult to detect, researchers say.

Criminal organizations behind two infamous malware families -- Warezov/Stration and Storm -- in the past few months have separately moved their infrastructures to so-called fast-flux service networks, according to the Honeynet Project & Research Alliance, which has released a new report on the emerging networks and techniques.

Fast-flux is basically load-balancing with a twist. It's a round-robin method where infected bot machines (typically home computers) serve as proxies or hosts for malicious Websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.

"The purpose of this technique is to render the IP-based block list -- a popular tool for identifying malicious systems -- useless for preventing attacks," says Adam O'Donnell, director of emerging technologies at security vendor Cloudmark.

Researchers and ISPs have been aware of fast-flux for over a year, but there hasn't been an in-depth look at how it works until now. "All of this research on fast-flux is new. No one had any definitive research on it," says Ralph Logan, vice president of the Honeynet Project and principal of The Logan Group. "We saw a rising trend in illegal, malicious criminal activity here."

Fast-flux helps cybercriminals hide their content servers, including everything from fake online pharmacies, phishing sites, money mules, and adult content sites, Logan says. "This is to keep security professionals and ISPs from discovering and mitigating their illegal content."

The bad guys like fast-flux -- not only because it keeps them up and running, but also because it's more efficient than traditional methods of infecting multiple machines, which were easily discovered.

"The ISP would shut down my 100 machines, and then I'd have to infect 100 more to serve my content and relay my spam," Logan says. Fast-flux, however, lets hackers set up proxy servers that contact the "mother ship," which serves as command and control. It uses an extra layer of obfuscation between the victim (client) and the content machine, he says.

A domain has hundreds or thousands of IP addresses, all of which are rotated frequently -- so the proxy machines get rotated regularly, too -- some as often as every three minutes -- to avoid detection. "It's not a bunch of traffic to one node serving illegal code," Logan says.

"I send you a phishing email, you click on www.homepharmacy.com -- but it's really taking you to Grandma's PC on PacBell, which wakes up and says 'it's my turn now.' You'd have 100 different users coming to Grandma's PC for the next few minutes, and then Auntie Flo's PC gets command-and-controlled" next, Logan explains.

The home PC proxies are infected the usual way, through spam email, viruses, or other common methods, Logan says.

The Honeynet Project & Alliance set out a live honeypot to invite infection by a fast-flux service network. "Our honeypot can capture actual traffic between the mother ship and the end node," Logan says. The alliance is still studying the malicious code and behavior of the fast-flux network it has baited, he says.

What can be done about fast flux? ISPs and users should probe suspicious nodes and use intrusion detection systems; block TCP port 80 and UDP port 53; block access to mother ship and other controller machines when detected; "blackhole" DNS and BGP route-injection; and monitor DNS, the report says.

Cloudmark's O'Donnell says fast flux is just the latest method of survival for the bad guys: There are more to come. "Any technique that allows a malicious actor to keep his network online longer -- and reduce the probability of his messages and attacks being blocked -- will be used," he says. "This is just the latest of those techniques."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Honeynet Project
  • Cloudmark Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    NSA Appoints Rob Joyce as Cyber Director
    Dark Reading Staff 1/15/2021
    Vulnerability Management Has a Data Problem
    Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: This is not what I meant by "I would like to share some desk space"
    Current Issue
    2020: The Year in Security
    Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
    Flash Poll
    Assessing Cybersecurity Risk in Today's Enterprises
    Assessing Cybersecurity Risk in Today's Enterprises
    COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-27221
    PUBLISHED: 2021-01-21
    In Eclipse OpenJ9 up to version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding.
    CVE-2021-1067
    PUBLISHED: 2021-01-20
    NVIDIA SHIELD TV, all versions prior to 8.2.2, contains a vulnerability in the implementation of the RPMB command status, in which an attacker can write to the Write Protect Configuration Block, which may lead to denial of service or escalation of privileges.
    CVE-2021-1068
    PUBLISHED: 2021-01-20
    NVIDIA SHIELD TV, all versions prior to 8.2.2, contains a vulnerability in the NVDEC component, in which an attacker can read from or write to a memory location that is outside the intended boundary of the buffer, which may lead to denial of service or escalation of privileges.
    CVE-2021-1069
    PUBLISHED: 2021-01-20
    NVIDIA SHIELD TV, all versions prior to 8.2.2, contains a vulnerability in the NVHost function, which may lead to abnormal reboot due to a null pointer reference, causing data loss.
    CVE-2020-26252
    PUBLISHED: 2021-01-20
    OpenMage is a community-driven alternative to Magento CE. In OpenMage before versions 19.4.10 and 20.0.6, there is a vulnerability which enables remote code execution. In affected versions an administrator with permission to update product data to be able to store an executable file on the server ...