Friday, January 30, 2009

Understanding Fast-Flux networks

Fast-Flux networks are an advanced technique for spreading threats, and they are actively used today to infect computers (among other crimes). The goal is to hide the IP addresses behind a domain by rotating them against the same domain name within seconds, so that locating them in order to block them becomes difficult.

Each of the IP addresses assigned to the domain belongs to a machine that was previously compromised by malicious code and enrolled in a botnet; it acts as a "bridge" between the computer requesting a given resource and the server that actually hosts it. This mode of operation is called Single-Flux.

That is, in a normal exchange a client sends a request (GET) to the server, which answers by returning the result to the client. In a single-flux network, the client's request does not reach the server directly; it hits the zombie machine instead, and it is the zombie that forwards the query to the real server.

There is another method, called Double-Flux, which, in addition to providing the features of single-flux, also applies the same rotation to the name-resolution and domain-name registration services themselves.

A simple DNS query against a domain is enough to establish whether it is part of a Fast-Flux network. The following example shows the different IP addresses returned for the domain www.lijg.ru.

;; QUESTION SECTION:
;www.lijg.ru. IN A

;; ANSWER SECTION:
www.lijg.ru. 600 IN A 24.107.209.119
www.lijg.ru. 600 IN A 24.219.191.246
www.lijg.ru. 600 IN A 65.65.208.223
www.lijg.ru. 600 IN A 65.102.56.213
www.lijg.ru. 600 IN A 67.141.208.227
www.lijg.ru. 600 IN A 68.124.161.76
www.lijg.ru. 600 IN A 69.14.27.151
www.lijg.ru. 600 IN A 70.251.45.186
www.lijg.ru. 600 IN A 71.12.89.105
www.lijg.ru. 600 IN A 71.235.251.99
www.lijg.ru. 600 IN A 75.11.10.101
www.lijg.ru. 600 IN A 75.75.104.133
www.lijg.ru. 600 IN A 97.104.40.246
www.lijg.ru. 600 IN A 173.16.99.131

;; AUTHORITY SECTION:
lijg.ru. 345600 IN NS ns5.lijg.ru.
lijg.ru. 345600 IN NS ns1.lijg.ru.
lijg.ru. 345600 IN NS ns2.lijg.ru.
lijg.ru. 345600 IN NS ns3.lijg.ru.
lijg.ru. 345600 IN NS ns4.lijg.ru.
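As an added example (not part of the original post), here is a small Python heuristic that reads an answer section in the dig format shown above and scores it for the single-flux pattern: a short TTL, many A records, and addresses scattered across unrelated networks. The /16-prefix count, the thresholds and the benign comparison answer (www.example.com, 203.0.113.0/24) are assumptions; the fluxed addresses are the ones from the post's own query.

```python
"""Heuristic fast-flux scoring of a dig-style DNS answer section (added example)."""
import re
from dataclasses import dataclass

# One line of a dig(1) answer section: "<name> <ttl> IN A <ip>"
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

@dataclass
class FluxScore:
    addresses: int   # distinct A records in the answer
    min_ttl: int     # lowest TTL seen, in seconds (0 if there are no A records)
    prefixes: int    # distinct /16 prefixes, a cheap proxy for network diversity
    suspicious: bool

def parse_a_records(answer: str) -> list[tuple[int, str]]:
    """Return (ttl, ip) for each A record line; comments and other RR types are skipped."""
    matches = (A_RECORD.match(line.strip()) for line in answer.splitlines())
    return [(int(m[2]), m[3]) for m in matches if m]

def score_answer(answer: str, max_ttl: int = 900, min_addresses: int = 5,
                 min_prefixes: int = 4) -> FluxScore:
    """Flag a short TTL combined with many addresses in many unrelated networks. A CDN
    also returns short TTLs and several addresses, but usually from one or two prefixes."""
    records = parse_a_records(answer)
    ips = {ip for _, ip in records}
    ttl = min((t for t, _ in records), default=0)
    prefixes = {".".join(ip.split(".")[:2]) for ip in ips}   # assumed /16 granularity
    flagged = bool(records) and ttl <= max_ttl and len(ips) >= min_addresses \
        and len(prefixes) >= min_prefixes
    return FluxScore(len(ips), ttl, len(prefixes), flagged)

def address_churn(earlier: str, later: str) -> float:
    """Share of addresses that changed between two successive answers (0.0 same, 1.0 all new)."""
    a = {ip for _, ip in parse_a_records(earlier)}
    b = {ip for _, ip in parse_a_records(later)}
    union = a | b
    return len(union - (a & b)) / len(union) if union else 0.0

# The A records from the post's own dig output, and a constructed benign answer.
FLUX_IPS = ["24.107.209.119", "24.219.191.246", "65.65.208.223", "65.102.56.213",
            "67.141.208.227", "68.124.161.76", "69.14.27.151", "70.251.45.186",
            "71.12.89.105", "71.235.251.99", "75.11.10.101", "75.75.104.133",
            "97.104.40.246", "173.16.99.131"]
FLUX_ANSWER = "\n".join(f"www.lijg.ru. 600 IN A {ip}" for ip in FLUX_IPS)
BENIGN_ANSWER = "\n".join(f"www.example.com. 300 IN A 203.0.113.{n}" for n in (10, 11, 12))
```

Querying the same name a few minutes apart and feeding both answers to address_churn adds the time dimension that a single snapshot cannot show.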

On the other hand, they say a picture is worth a thousand words, so let's see what the following one tells us. It was obtained from SecViz and created by Jaime Blasco:

Representing Fast-Flux networks with graphical tools is an excellent alternative, since a single view conveys, from a structural point of view and in a very appealing way, how such a network is composed.

In this example, the chart shows a series of Fast-Flux domains (blue) and each of the zombie PCs that make them up (red). When each domain is cross-referenced with the infected machines, we notice that some of those machines belong to multiple networks within the FF structure.

This gives the attacker a greater advantage, because it has a far wider pool of computers that can be used in a distributed manner to spread much more malware, send much more spam, carry out more phishing attacks, and perform many other malicious and fraudulent activities.

# Jorge Mieres