This time we'll start a two-parter on fast flux bot nets including the concept of domain generation algorithms. In the first part we'll take up the theory and in the second part we'll explore an actual bot net that we have been fortunate enough to obtain a copy of the command and control site. For an example we'll use Fluxer, a bot net that I reported on a couple of months back. We'll take a look at that again and then next time we'll pull an example fast flux network and analyze it with STIX.
The simplest way to describe a fast flux network is a network of rapidly changing DNS records. This constant changing makes it difficult to track the origin or ownership of the network. There is a benign use, as is often the case, for fast flux. In a very large web farm, for example, it may offer some level of traffic balancing. Of course the bad guys have a much different use: obfuscation.
The way this works is to assign IP addresses on a rapidly rotating or random basis to a single domain name. Since it is common for defenses to act on IPs, the constant changing makes it difficult for the defense tool to know that it is dealing with a single domain. For that reason, among others, blocking a domain may be preferable to trying to block addresses or IP blocks that may be changing randomly.
Single flux networks register and de-register IPs within a single domain name. Double flux systems act within the DNS zone using multiple domains instead of within a single domain. For single flux bot nets blocking a domain name may be sufficient. For double flux networks the defense is a bit more complicated. For a deeper dive I suggest an article by the Honeynet Project called, “How Fast-Flux Networks Work” located at http://www.honeynet.org/node/132.
In double flux networks there is a need to generate new domain names constantly. That brings up the notion of domain generation algorithms (DGA). This actually is a pretty cool concept. If we look at double-flux networks we see a need for a large number of constantly changing domain names. If we have such a collection – and it is big enough to be actually useful for obfuscation – we immediately have the problem of telling the infected machine how to contact the command and control (C & C) server lurking in that domain. If the zombie can't contact the mother ship it can't get its instructions. But remember, the mother ship is constantly changing IPs and constantly changing domain names.
The solution is to tell both the mother ship and the zombie how to create random domain names in the same way. Ideally, if the C&C creates the domain of PIOUHf8sijslf.com, the zombie would create the same one and communication would be facilitated. The trouble with that is that it assumes some level of synchronization. That is no practical – or, at least, the bad guys don't want to bother – so the malware developer creates an algorithm that in turn creates domain names, usually gibberish. If the zombie and the C&C use the same algorithm and the zombie tries long enough to reach the C&C, odds are that the connection will, eventually, be made.
Let's wrap up this posting with a brief recap of the Fluxer bot net that we reported upon some little while ago. I don't know the current status of Fluxer – you may recall that its developer, Tahoma, was trying to sell it for upwards of $1,000. At this writing I don't know if he/she was successful but we did have a brief look at it at the time and we'll recap with a bit more detail now. Fluxer is a good example for us and when we look deeper – into a live fast-flux net – next time, this will give you some good context.
This is a clever bug. Once the target is infected, the first thing it does is try to connect to a C&C. This serves two purposes. First, it establishes that the bot can communicate outside of the zombie and second it can subject itself to the control of the C&C server.
Once connected, the C&C does some tests and determines whether the bot should stay put or be removed. Once the bot is configured by the C&C – or instructed to self-destruct – it begins routine communications with the C&C and does what it's told to do. The overall result is a reverse proxy that allows the C&C to control the bots on the zombies.
The C&C supports – at the time it was offered for sale – these commands sent to the bots: update a config, kill bots, update bots, download, execute. The control panel – the C&C – also can display:
· Bot ID
· IP geolocation information
· Bot's hardware ID
· Bot's operating system version
· Bot version
· Status (online/offline)
At the time the Fluxer was offered for sale its login for the control panel looked like Figure 1.
Figure 1 - Fluxer Control Panel Login as of Early December 2015
Obviously this is a fast-flux bot net. We'll need to find a copy of it and dissect it to know more details, of course. Meanwhile, we are ready for a look at a live fast-flux botnet next time we convene. And, of course, here are your Malware Domain Listings for the past week:
Figure 2 - Malware Domain List - New Additions Over the Week of 21 Jan – 1 Feb
So… until next time….
If you use Flipboard, you can find my pages at http://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – nothing particularly technical, but interesting stories none-the-less.