MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

30.1.09

Understanding Fast-Flux networks

Fast-Flux networks are an advanced methodology for spreading threats that is currently being actively exploited to infect computers, among many other crimes. The aim is to hide malicious activity behind IP addresses that are rotated within seconds for the same domain, making it practically impossible to locate them in order to identify and block them.

Each of the IP addresses assigned to the domain corresponds to a machine that has previously been compromised by malicious code, as part of a botnet, and acts as a bridge between the computer requesting a specific resource and the server that hosts it. This mode of operation of the network is called Single-Flux (single flow).

In other words, in a normal process a client computer makes a request (GET) to the server, which responds to the client with the result. In single-flux networks, the original request made by the client does not go to the server but to the zombie machine, and it is the zombie that forwards the query to the server.

There is another methodology, called Double-Flux (double flow), which, besides having the characteristics of single-flux, also exploits the name resolution and domain name registration services.


A simple DNS query against a domain makes it possible to establish whether it is part of a Fast-Flux network. The following example shows the different IP addresses that the domain www.lijg.ru resolves to.

;; QUESTION SECTION:
;www.lijg.ru. IN A

;; ANSWER SECTION:
www.lijg.ru. 600 IN A 24.107.209.119
www.lijg.ru. 600 IN A 24.219.191.246
www.lijg.ru. 600 IN A 65.65.208.223
www.lijg.ru. 600 IN A 65.102.56.213
www.lijg.ru. 600 IN A 67.141.208.227
www.lijg.ru. 600 IN A 68.124.161.76
www.lijg.ru. 600 IN A 69.14.27.151
www.lijg.ru. 600 IN A 70.251.45.186
www.lijg.ru. 600 IN A 71.12.89.105
www.lijg.ru. 600 IN A 71.235.251.99
www.lijg.ru. 600 IN A 75.11.10.101
www.lijg.ru. 600 IN A 75.75.104.133
www.lijg.ru. 600 IN A 97.104.40.246
www.lijg.ru. 600 IN A 173.16.99.131

;; AUTHORITY SECTION:
lijg.ru. 345600 IN NS ns5.lijg.ru.
lijg.ru. 345600 IN NS ns1.lijg.ru.
lijg.ru. 345600 IN NS ns2.lijg.ru.
lijg.ru. 345600 IN NS ns3.lijg.ru.
lijg.ru. 345600 IN NS ns4.lijg.ru.
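As an added example (not part of the original post), the following Python script parses an answer section in the dig format shown above and applies the indicators the post describes: many A records for a single name, spread across unrelated networks, all with a short TTL. The sample input is the post's own answer section with dotted IP notation; the thresholds and the grouping by /16 prefix are my assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the answer section quoted in the post for www.lijg.ru
# (a NS line is included to show that non-A records are ignored).
SAMPLE_DIG = """\
;; ANSWER SECTION:
www.lijg.ru. 600 IN A 24.107.209.119
www.lijg.ru. 600 IN A 24.219.191.246
www.lijg.ru. 600 IN A 65.65.208.223
www.lijg.ru. 600 IN A 65.102.56.213
www.lijg.ru. 600 IN A 67.141.208.227
www.lijg.ru. 600 IN A 68.124.161.76
www.lijg.ru. 600 IN A 69.14.27.151
www.lijg.ru. 600 IN A 70.251.45.186
www.lijg.ru. 600 IN A 71.12.89.105
www.lijg.ru. 600 IN A 71.235.251.99
www.lijg.ru. 600 IN A 75.11.10.101
www.lijg.ru. 600 IN A 75.75.104.133
www.lijg.ru. 600 IN A 97.104.40.246
www.lijg.ru. 600 IN A 173.16.99.131

;; AUTHORITY SECTION:
lijg.ru. 345600 IN NS ns5.lijg.ru.
"""

# One dig answer line: <name> <ttl> IN A <ipv4>
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

def parse_a_records(dig_output):
    """Return (name, ttl, ip) tuples for every A record in dig-style output."""
    records = []
    for line in dig_output.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records.append((m.group(1), int(m.group(2)), ip_address(m.group(3))))
    return records

def flux_score(records, max_ttl=900, min_ips=5, min_prefixes=3):
    """Heuristic verdict from the evidence the post points at.
    Unrelated networks are approximated by distinct /16 prefixes; the
    thresholds are assumptions, not values taken from the post."""
    ips = {r[2] for r in records}
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in ips}
    ttls = {r[1] for r in records}
    short_ttl = bool(ttls) and max(ttls) <= max_ttl
    return {
        "distinct_ips": len(ips),
        "distinct_prefixes16": len(prefixes),
        "short_ttl": short_ttl,
        "likely_fast_flux": len(ips) >= min_ips and len(prefixes) >= min_prefixes and short_ttl,
    }
```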


On the other hand, they say a picture is worth a thousand words, so let us see what the following image tells us, obtained from SecViz and produced by Jaime Blasco:

Representing Fast-Flux networks with graphical tools is an excellent alternative, since a single view shows, from a structural point of view and in a very appealing way, how the network is composed.

In this example, the figure shows a series of Fast-Flux domains (blue) and each of the zombie PCs that make them up (red). When the triangulation of each infected domain is carried out, we notice that some of them belong to multiple networks within a single FF network structure.

This gives the attacker a greater advantage, since it has a much broader array of compromised machines that are used in a distributed way to spread more malware, send more spam, carry out more phishing attacks, and perform many other malicious and fraudulent activities.

Jorge Mieres
