Fast Flux, how the attackers evade detection

Cybercriminals are increasingly using an advanced method of hiding and sustaining their malicious Websites and botnet infrastructures -- dubbed "fast-flux" -- that could make them more difficult to detect, researchers say.

Criminal organizations behind two infamous malware families -- Warezov/Stration and Storm -- in the past few months have separately moved their infrastructures to so-called fast-flux service networks, according to the Honeynet Project & Research Alliance, which has released a new report on the emerging networks and techniques.

Fast-flux is basically load-balancing with a twist. It's a round-robin method where infected bot machines (typically home computers) serve as proxies or hosts for malicious Websites. These are constantly rotated, changing their DNS records to prevent their discovery by researchers, ISPs, or law enforcement.

"The purpose of this technique is to render the IP-based block list -- a popular tool for identifying malicious systems -- useless for preventing attacks," says Adam O'Donnell, director of emerging technologies at security vendor Cloudmark.

Researchers and ISPs have been aware of fast-flux for over a year, but there hasn't been an in-depth look at how it works until now. "All of this research on fast-flux is new. No one had any definitive research on it," says Ralph Logan, vice president of the Honeynet Project and principal of The Logan Group. "We saw a rising trend in illegal, malicious criminal activity here."

Fast-flux helps cybercriminals hide their content servers, including everything from fake online pharmacies, phishing sites, money mules, and adult content sites, Logan says. "This is to keep security professionals and ISPs from discovering and mitigating their illegal content."

The bad guys like fast-flux -- not only because it keeps them up and running, but also because it's more efficient than traditional methods of infecting multiple machines, which were easily discovered.

"The ISP would shut down my 100 machines, and then I'd have to infect 100 more to serve my content and relay my spam," Logan says. Fast-flux, however, lets hackers set up proxy servers that contact the "mother ship," which serves as command and control. It uses an extra layer of obfuscation between the victim (client) and the content machine, he says.

A domain has hundreds or thousands of IP addresses, all of which are rotated frequently -- so the proxy machines get rotated regularly, too -- some as often as every three minutes -- to avoid detection. "It's not a bunch of traffic to one node serving illegal code," Logan says.

"I send you a phishing email, you click on www.homepharmacy.com -- but it's really taking you to Grandma's PC on PacBell, which wakes up and says 'it's my turn now.' You'd have 100 different users coming to Grandma's PC for the next few minutes, and then Auntie Flo's PC gets command-and-controlled" next, Logan explains.

The home PC proxies are infected the usual way, through spam email, viruses, or other common methods, Logan says.

The Honeynet Project & Alliance set out a live honeypot to invite infection by a fast-flux service network. "Our honeypot can capture actual traffic between the mother ship and the end node," Logan says. The alliance is still studying the malicious code and behavior of the fast-flux network it has baited, he says.

What can be done about fast flux? ISPs and users should probe suspicious nodes and use intrusion detection systems; block TCP port 80 and UDP port 53; block access to mother ship and other controller machines when detected; "blackhole" DNS and BGP route-injection; and monitor DNS, the report says.

Cloudmark's O'Donnell says fast flux is just the latest method of survival for the bad guys: There are more to come. "Any technique that allows a malicious actor to keep his network online longer -- and reduce the probability of his messages and attacks being blocked -- will be used," he says. "This is just the latest of those techniques."