MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, criminology computing and information security in general, always from a perspective closely related to the field of intelligence.


Understanding Fast-Flux networks

Fast-Flux networks are an advanced technique for spreading threats that is currently being actively exploited to infect computers, among many other crimes. The aim is to hide malicious activity behind IP addresses that are rotated within seconds for the same domain, making it impossible to locate the machines and therefore to identify and block them.

Each of the IP addresses assigned to these domains corresponds to a machine that was previously compromised by malicious code and is part of a botnet; it acts as a bridge between the computer requesting a given resource and the server that actually hosts that resource. This mode of operation is called Single-Flux.

In other words, in a normal exchange the client makes a request (GET) to the server, which answers the client directly with the result. In a single-flux network the client's request does not reach the server directly: it lands on a zombie machine, and it is the zombie that forwards the query to the server and relays the answer back.

There is a second variant, Double-Flux, which keeps all the characteristics of single-flux and additionally exploits the name-resolution and domain-registration services: the name servers for the domain are rotated in the same way as the addresses.

A simple DNS query against a domain is enough to establish whether it is part of a Fast-Flux network. The following example shows the different IP addresses returned for a single domain:

; IN A

;; ANSWER SECTION:
600 IN A 24.107.209.119
600 IN A 24.219.191.246
600 IN A 67.141.208.227
(eleven further A records with TTL 600 whose addresses were lost when the page was extracted)

;; AUTHORITY SECTION:
(five NS records with TTL 345600; the name-server names were lost when the page was extracted)
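To make the query-based check concrete, here is an added Python example (it is not code from the blog or from any tool the post mentions). It parses dig-style output like the answer above into A and NS records, then applies three assumed indicators to decide whether a name looks fluxed: many A records, a short TTL, and visible rotation of the address set between two snapshots of the same query. If the NS set rotates as well, the name-resolution side is being fluxed too, which is the double-flux pattern described above. The domain names, addresses, name servers and thresholds are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed dig-style answers for a made-up domain (not the page's real
# query). Two snapshots of the same name taken a few minutes apart: three of
# the five A records and one of the two NS records change between them.
FLUX_SNAPSHOT_1 = """\
;; ANSWER SECTION:
example-ff.test.   600  IN  A   198.51.100.10
example-ff.test.   600  IN  A   198.51.100.77
example-ff.test.   600  IN  A   203.0.113.5
example-ff.test.   600  IN  A   203.0.113.199
example-ff.test.   600  IN  A   192.0.2.41

;; AUTHORITY SECTION:
example-ff.test.   600  IN  NS  ns1.example-ff.test.
example-ff.test.   600  IN  NS  ns2.example-ff.test.
"""
FLUX_SNAPSHOT_2 = """\
;; ANSWER SECTION:
example-ff.test.   600  IN  A   198.51.100.10
example-ff.test.   600  IN  A   198.51.100.77
example-ff.test.   600  IN  A   192.0.2.118
example-ff.test.   600  IN  A   203.0.113.250
example-ff.test.   600  IN  A   198.51.100.201

;; AUTHORITY SECTION:
example-ff.test.   600  IN  NS  ns2.example-ff.test.
example-ff.test.   600  IN  NS  ns3.example-ff.test.
"""
# Control case: one address, a long TTL, and an answer that does not change.
STABLE_SNAPSHOT = """\
;; ANSWER SECTION:
example-static.test.   86400  IN  A   192.0.2.7

;; AUTHORITY SECTION:
example-static.test.   86400  IN  NS  ns1.example-static.test.
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)")


@dataclass
class DnsSnapshot:
    a_records: set = field(default_factory=set)
    ns_records: set = field(default_factory=set)
    a_ttl: Optional[int] = None
    ns_ttl: Optional[int] = None


def parse_dig(text: str) -> DnsSnapshot:
    """Collect A records from the ANSWER section and NS records from the
    AUTHORITY section, keeping the lowest TTL seen for each type."""
    snap, section = DnsSnapshot(), None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        rec = RECORD_RE.match(line)
        if not rec:
            continue
        ttl, rtype, rdata = int(rec.group(2)), rec.group(3), rec.group(4)
        if rtype == "A" and section == "ANSWER":
            snap.a_records.add(rdata)
            snap.a_ttl = ttl if snap.a_ttl is None else min(snap.a_ttl, ttl)
        elif rtype == "NS" and section == "AUTHORITY":
            snap.ns_records.add(rdata)
            snap.ns_ttl = ttl if snap.ns_ttl is None else min(snap.ns_ttl, ttl)
    return snap


def churn(before: set, after: set) -> float:
    """Fraction of the combined record set that was replaced between snapshots."""
    union = before | after
    return len(before ^ after) / len(union) if union else 0.0


def classify(snapshots, min_a=5, max_ttl=600, min_churn=0.3) -> str:
    """Assumed thresholds: many A records with a short TTL that visibly rotate
    between snapshots point to single-flux; if the NS set rotates as well,
    the name servers are fluxed too (double-flux)."""
    first, last = snapshots[0], snapshots[-1]
    a_count = max(len(s.a_records) for s in snapshots)
    ttls = [s.a_ttl for s in snapshots if s.a_ttl is not None]
    if (not ttls or a_count < min_a or min(ttls) > max_ttl
            or churn(first.a_records, last.a_records) < min_churn):
        return "not fast-flux"
    if churn(first.ns_records, last.ns_records) >= min_churn:
        return "double-flux"
    return "single-flux"


if __name__ == "__main__":
    flux = [parse_dig(FLUX_SNAPSHOT_1), parse_dig(FLUX_SNAPSHOT_2)]
    print("example-ff.test:", classify(flux))  # double-flux
    print("example-static.test:", classify([parse_dig(STABLE_SNAPSHOT)] * 2))  # not fast-flux
```

One caveat a practitioner should keep in mind: large content-delivery and round-robin setups also return many A records with short TTLs, so a single query can only raise suspicion. Repeating the query over time (as the two snapshots do) and checking whether the returned addresses spread across unrelated consumer networks, rather than one provider's ranges, is what separates a flux network from a legitimate load-balanced service.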

On the other hand, as they say, a picture is worth a thousand words, so consider what the following graph tells us; it was obtained from SecViz and produced by Jaime Blasco:

Representing Fast-Flux networks with graphical tools is an excellent alternative, since a single view shows, from a structural point of view and in a very attractive way, how the network is composed.

In this example the figure shows a series of Fast-Flux domains (blue) and each of the zombie PCs that make them up (red). When the domains are triangulated against their addresses, we notice that some of the infected machines serve several domains within a single FF network structure.

This gives the attacker a greater advantage, since he has a much broader pool of compromised machines that are used in a distributed way to spread more malware, send more spam, run as many phishing attacks as he wants, and carry out many other malicious and fraudulent activities.
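The overlap the graph reveals can also be computed directly from resolution data. The following added Python example (not part of the original post or of the SecViz tooling) takes a domain-to-address mapping such as one collected from repeated DNS queries, groups domains that transitively share zombies into one infrastructure (connected components of the domain/IP bipartite graph the figure draws), and lists the addresses that bridge more than one domain. All domain names and addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed domain -> resolved-address mapping (made-up names and addresses)
# standing in for the red/blue graph: three flux domains share part of their
# zombie pool, while two other domains resolve to unrelated machines.
OBSERVED = {
    "alpha-ff.test": {"198.51.100.10", "198.51.100.77", "203.0.113.5"},
    "beta-ff.test": {"203.0.113.5", "192.0.2.41", "192.0.2.118"},
    "gamma-ff.test": {"192.0.2.118", "203.0.113.250"},
    "delta.test": {"198.51.100.201"},
    "epsilon.test": {"192.0.2.7", "192.0.2.8"},
}


def index_by_address(mapping):
    """Invert the mapping: address -> set of domains it has served."""
    ip_to_domains = defaultdict(set)
    for domain, ips in mapping.items():
        for ip in ips:
            ip_to_domains[ip].add(domain)
    return ip_to_domains


def infrastructures(mapping):
    """Group domains that transitively share at least one address into one
    infrastructure, i.e. the connected components of the domain/IP graph."""
    ip_to_domains = index_by_address(mapping)
    seen, groups = set(), []
    for start in mapping:
        if start in seen:
            continue
        stack, group = [start], set()
        while stack:  # depth-first walk alternating domain -> IP -> domain
            domain = stack.pop()
            if domain in group:
                continue
            group.add(domain)
            for ip in mapping[domain]:
                stack.extend(ip_to_domains[ip] - group)
        seen |= group
        groups.append(frozenset(group))
    return groups


def shared_addresses(mapping):
    """Addresses that serve more than one domain, with the domains they bridge."""
    return {ip: frozenset(domains)
            for ip, domains in index_by_address(mapping).items()
            if len(domains) > 1}


if __name__ == "__main__":
    for group in infrastructures(OBSERVED):
        print("infrastructure:", sorted(group))
    for ip, domains in shared_addresses(OBSERVED).items():
        print("shared zombie", ip, "->", sorted(domains))
```

On the constructed data this yields three infrastructures (the alpha/beta/gamma cluster plus two singletons) and two bridging addresses, which is exactly the "some machines belong to several domains" observation made on the figure, now available as data that can be fed into blocklists or pivoted on during an investigation.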

Jorge Mieres
