In association with heise online

Fast-Flux

The Fast-Flux network
A flexible Fast-Flux Network acts as an intermediary and shields the central mothership running the Command&Control server.

If, for example, an infected zombie PC wants to establish a connection to its master in a multilayer network, it contacts a computer such as mymaster.bot.net. Even for this one name, the Domain Name System returns five different IP addresses to choose from. This technique is called Round-Robin DNS and has been used for load balancing for years, for example on web servers. Every client randomly picks one of the returned addresses, so the request load is spread (more or less evenly) between them.

In the botnet setup with Fast-Flux, however, these IP addresses don't belong to the actual Command&Control servers but to infected intermediary systems with dial-up connections which simply forward requests. The intermediary communicates with the mothership in the background and will forward the instructions it receives to the clients.

To further complicate matters for investigators and cushion the zombie proxies' downtimes and changing IP addresses, the DNS entries have a life span (time to live, TTL) of only a few minutes and are constantly changing. A typical intermediary layer consists of hundreds, sometimes even thousands of intermediaries. It would be pointless to try and shut them all down individually.

The Honeynet Project calls this infrastructure a Fast-Flux Service Network. Earlier this year, they monitored the domain name of a botnet C&C server which resolved to more than 3000 different IP addresses within eight days [2]. Honeynet specialises in deploying specially prepared, vulnerable systems - so-called honeypots - and analysing the malware injected into them.

Naturally, a Fast-Flux network requires control over a domain, that is, a functioning DNS server which the Domain Name System identifies as authoritative for the domain "bot.net". But where there is demand, there will also be suppliers. For quite some time hosters have been offering so-called "bullet-proof" servers in countries like China, South Korea and Brazil, where email complaints about misuse go straight into the digital bin. Nowadays you can even buy a "Bullet Proof Domain" on the internet. It costs only 100 US dollars to anonymously register a .com or .net domain which, according to the provider's unceremonious reassurance, will "never be shut down by email complaints".

Buy a bullet-proof domain
100 US dollars will buy you a bullet-proof domain here.

After registering such a domain all address queries ending in "bot.net" are directed to the server controlled by the botmaster. It operates in a similar way to dynamic DNS services like DynDNS. A proxy zombie logs in with its IP address whenever it is online, and the server picks a number of addresses from the pool for every DNS query.

Two stages

To achieve even more "reliability", botnet architects have started to include even the Domain Name System in the game. The Honeynet Project differentiates between Single-Flux and Double-Flux networks. In Double-Flux networks, the authoritative name servers for bot.net which respond to queries for mymaster.bot.net are themselves variable, infected zombie systems. They, too, receive their information from the background mothership. Often, this is the same system running the actual Command&Control server.

The botnet DNS servers' IP addresses change more slowly than those of the host names: new name server entries only appear after hours, not minutes. This is because these entries need to be changed at the top-level domain's DNS servers. How this is done in practice remains somewhat unclear. What is definitely required is a highly co-operative registrar who not only allows customers to automate name server alterations via emails or forms but also doesn't mind if this happens every hour.
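As an added illustration (not code from the article or the Honeynet Project), the following Python script applies the single- and double-flux characteristics described above to a constructed log of DNS lookups: stable Round-Robin answers with a long TTL score as normal, a short-TTL pool that is re-drawn on every query scores as single-flux, and rotating name servers on top of that score as double-flux. All names, addresses and thresholds are assumptions made for the example.

```python
"""Heuristic single-/double-flux classifier over a constructed DNS log.
Each observation is one lookup: (time_s, name, qtype, ttl, answers); NS
answers are recorded as the name servers' glue addresses."""
from ipaddress import ip_network

# Constructed sample data, not real observations.
# cdn.example: legitimate round-robin, same five addresses every time, long TTL.
# mymaster.bot.net: short TTL and a fresh set of dial-up addresses per lookup;
# the bot.net name servers rotate too, which is what makes it double-flux.
OBSERVATIONS = [
    (0,    "cdn.example", "A", 3600, ["203.0.113.10", "203.0.113.11", "203.0.113.12", "198.51.100.5", "198.51.100.6"]),
    (1800, "cdn.example", "A", 3600, ["198.51.100.6", "203.0.113.12", "203.0.113.10", "198.51.100.5", "203.0.113.11"]),
    (0,    "example", "NS", 86400, ["203.0.113.1", "198.51.100.1"]),
    (3600, "example", "NS", 86400, ["203.0.113.1", "198.51.100.1"]),
    (0,    "mymaster.bot.net", "A", 180, ["192.0.2.14", "198.51.100.77", "203.0.113.201", "192.0.2.240", "198.51.100.9"]),
    (180,  "mymaster.bot.net", "A", 180, ["192.0.2.88", "203.0.113.45", "198.51.100.130", "192.0.2.14", "203.0.113.7"]),
    (360,  "mymaster.bot.net", "A", 180, ["198.51.100.200", "192.0.2.173", "203.0.113.99", "198.51.100.31", "192.0.2.55"]),
    (0,    "bot.net", "NS", 600, ["192.0.2.5", "198.51.100.60"]),
    (3600, "bot.net", "NS", 600, ["203.0.113.150", "192.0.2.66"]),
]

def fluxiness(records):
    """Distinct addresses seen over all lookups divided by the number of
    addresses in a single answer. A stable round-robin set scores 1.0;
    a pool that is re-drawn on every query scores well above that."""
    distinct = {addr for rec in records for addr in rec[4]}
    return len(distinct) / max(len(rec[4]) for rec in records)

def netblocks(records, prefix=16):
    """Distinct /prefix networks across all answers: proxies on consumer
    dial-up lines scatter over many blocks, a server farm does not."""
    return {ip_network(f"{addr}/{prefix}", strict=False)
            for rec in records for addr in rec[4]}

def classify(observations, host, zone, max_ttl=300, ratio=2.0):
    """Return 'normal', 'single-flux' or 'double-flux' for host in zone.
    Thresholds are illustrative assumptions, not values from the article."""
    a_recs = [o for o in observations if o[1] == host and o[2] == "A"]
    ns_recs = [o for o in observations if o[1] == zone and o[2] == "NS"]
    if not a_recs:
        raise ValueError(f"no A records observed for {host}")
    a_flux = (fluxiness(a_recs) >= ratio
              and min(o[3] for o in a_recs) <= max_ttl)
    ns_flux = bool(ns_recs) and fluxiness(ns_recs) >= ratio
    if a_flux and ns_flux:
        return "double-flux"
    return "single-flux" if a_flux else "normal"
```

Against real resolver logs the same metrics are computed per observed name; the ratio threshold needs tuning, because large CDNs also use short TTLs and many addresses but keep them within few network blocks.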

To simplify the forwarding of botnet communication and to complicate tracing and filtering, these Fast-Flux botnets are controlled almost exclusively via ordinary HTTP requests instead of the traditional Internet Relay Chat. The classic IRC ports from 6667 upwards are now barred in most corporate networks, and more and more firewalls are able to detect and block IRC traffic regardless of which port is used. Web surfing, however, at least when it is job-related, is permitted in most cases, and the botnet builders exploit this.

This means that the bot client regularly sends HTTP GET requests which look like the requests for normal web pages. The Fast-Flux web proxy passes these on to a web application on the mothership which will wrap its commands in an HTTP response.

The Honeynet Project reports that the widespread Warezov/Stration malware families as well as the so-called StormWorm, among others, have at least partially been converted to Fast-Flux [2]. Both of them are responsible for botnets which are mainly used for delivering spam. In Kaspersky's virus statistics for July, Warezov/Stration ranked in the top three of the most widespread types of malware.

Permalink: http://h-online.com/-747213