Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/17/2007
08:56 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Attackers Hide in Fast Flux

Storm and Warezov/Stration have already adopted an evil load-balancing and evasion technique that's tougher to detect

Cybercriminals are increasingly using an advanced method of hiding and sustaining their malicious Websites and botnet infrastructures -- dubbed "fast-flux" -- that could make them more difficult to detect, researchers say.

Criminal organizations behind two infamous malware families -- Warezov/Stration and Storm -- in the past few months have separately moved their infrastructures to so-called fast-flux service networks, according to the Honeynet Project & Research Alliance, which has released a new report on the emerging networks and techniques.

Fast-flux is basically load-balancing with a twist. It's a round-robin method where infected bot machines (typically home computers) serve as proxies or hosts for malicious Websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.

"The purpose of this technique is to render the IP-based block list -- a popular tool for identifying malicious systems -- useless for preventing attacks," says Adam O'Donnell, director of emerging technologies at security vendor Cloudmark.

Researchers and ISPs have been aware of fast-flux for over a year, but there hasn't been an in-depth look at how it works until now. "All of this research on fast-flux is new. No one had any definitive research on it," says Ralph Logan, vice president of the Honeynet Project and principal of The Logan Group. "We saw a rising trend in illegal, malicious criminal activity here."

Fast-flux helps cybercriminals hide their content servers, including everything from fake online pharmacies, phishing sites, money mules, and adult content sites, Logan says. "This is to keep security professionals and ISPs from discovering and mitigating their illegal content."

The bad guys like fast-flux -- not only because it keeps them up and running, but also because it's more efficient than traditional methods of infecting multiple machines, which were easily discovered.

"The ISP would shut down my 100 machines, and then I'd have to infect 100 more to serve my content and relay my spam," Logan says. Fast-flux, however, lets hackers set up proxy servers that contact the "mother ship," which serves as command and control. It uses an extra layer of obfuscation between the victim (client) and the content machine, he says.

A domain has hundreds or thousands of IP addresses, all of which are rotated frequently -- so the proxy machines get rotated regularly, too -- some as often as every three minutes -- to avoid detection. "It's not a bunch of traffic to one node serving illegal code," Logan says.

"I send you a phishing email, you click on www.homepharmacy.com -- but it's really taking you to Grandma's PC on PacBell, which wakes up and says 'it's my turn now.' You'd have 100 different users coming to Grandma's PC for the next few minutes, and then Auntie Flo's PC gets command-and-controlled" next, Logan explains.

The home PC proxies are infected the usual way, through spam email, viruses, or other common methods, Logan says.

The Honeynet Project & Alliance set out a live honeypot to invite infection by a fast-flux service network. "Our honeypot can capture actual traffic between the mother ship and the end node," Logan says. The alliance is still studying the malicious code and behavior of the fast-flux network it has baited, he says.

What can be done about fast flux? ISPs and users should probe suspicious nodes and use intrusion detection systems; block TCP port 80 and UDP port 53; block access to mother ship and other controller machines when detected; "blackhole" DNS and BGP route-injection; and monitor DNS, the report says.

Cloudmark's O'Donnell says fast flux is just the latest method of survival for the bad guys: There are more to come. "Any technique that allows a malicious actor to keep his network online longer -- and reduce the probability of his messages and attacks being blocked -- will be used," he says. "This is just the latest of those techniques."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Honeynet Project
  • Cloudmark Inc. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Navigating Security in the Cloud
    Diya Jolly, Chief Product Officer, Okta,  12/4/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-16772
    PUBLISHED: 2019-12-07
    The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
    CVE-2019-9464
    PUBLISHED: 2019-12-06
    In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
    CVE-2019-2220
    PUBLISHED: 2019-12-06
    In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
    CVE-2019-2221
    PUBLISHED: 2019-12-06
    In hasActivityInVisibleTask of WindowProcessController.java there?s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction ...
    CVE-2019-2222
    PUBLISHED: 2019-12-06
    n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...