This article was originally published in c't 2007, vol 18, p. 76
Jürgen Schmidt
Modern Hydra
The new tricks of spammers and phishers
In Greek mythology, the heads of the Hydra grew back faster than Heracles and Iolaos could hack them off. A similar thing is happening with current botnets and phishing sites, whose malicious servers seem to appear faster than they can be shut down. A new flexible layer of proxy intermediaries - the so-called Fast-Flux network - makes this possible.
Classic botnets use a comparatively simple principle: The infected PCs - the bots or zombies - connect with a central IRC server. From this chat server, their masters then command them to distribute a new spam email, participate in a DDoS attack or deploy updated malware.
Due to their centralised structure, these botnets are relatively easy to shut down: Only one client's communication needs to be monitored to identify and disconnect the central Command&Control server. The remaining thousands of clients consequently lose their communication partner and the botmaster can no longer issue commands to them. You cut off the head and the botnet is dead. Alternatively, admins can block the server's IP address as close to the source as possible, interrupting communication between client and server in the process.
A similar principle applies to traditional phishing sites: the crafted bank pages Internet fraudsters use to harvest access credentials are stored on one single, usually hijacked, server. When the server is shut down by Internet investigators, there's no more phish in that sea for a while. Any phishing emails containing this address are worthless: a click on the link will only result in an error message.
In the last few years, public authorities and various organisations have focussed on these principles and refined an infrastructure which enables them to kick intruders such as phishing sites off the net within a few hours, or at the most days, after their appearance [1].
However, the opposition hasn't been idle, but has reacted by sharing and decentralising tasks. Currently, botnet operators and phishers are adding an extra layer to their communication network. Instead of directly communicating with the server, the victims only access an intermediary. These are numerous, and several replacements are available in the background should one of them be shut down.
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
