A New Look at Fast Flux Proxy Networks

Botnets that run on proxy service networks are not a new topic. We (and other researchers) have discussed it at various talks in years past, and it was also one of the main points at last year’s BotConf 2013, where we discussed the Kelihos network.

Generally, a proxy network bridges connectivity between malware CnCs and their nodes while shielding the identity and location of the CnCs. It can take the form of a fast flux service network, which redirects CnC connection attempts to a constantly shifting set of proxy nodes, or of a static proxy. In this talk, we will begin by presenting some points on why fast flux is still the most efficient way to distribute malicious payloads.

We are going to discuss the most recent progress in our analysis of the current fast flux proxy networks that we’ve observed since January 2014. By definition, a fast-flux service network is created by setting up a selection of domains whose resolution “fluxes” through the IP addresses of a subset of available proxy nodes (bots). Many DNS aspects, multi-layer networking, and encrypted remote control methods are involved in driving a fast flux botnet the way the herder wants it. For mitigation and detection, the methods to use include sticky DNS records, TTL monitoring, passive DNS, and domain reputation for detecting an emerging hostile flux. These methods will be introduced in the talk.

This constitutes an extra layer of evasion and protection for the actual malware infection sources, as communication from the infected host always goes through the fast flux proxy network to reach the malware back-end CnCs.

As an example, we picked a study, conducted over several months, of one such active fast flux proxy network that was used to distribute “zbot”. This fast flux network consists of several tens of thousands of infected machines and has hosted close to a thousand CnC domains. It has hosted CnCs for various malware families: Zeus variants, Asprox, and most recently the new Zeus GameOver variant, which has also served Cryptolocker payloads. We will go over details of the usage of this proxy network and discuss various cases of CnC domains.

The point of this discussion is not to get into the malware infection details but to share the know-how to detect, monitor and mitigate the trend of growth, management and development of the recent fast flux infrastructure itself. With this shared know-how we hope to enrich the knowledge of researchers who fight malware infections.
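
An added illustration (not from the talk or from OpenDNS) of the TTL monitoring and passive DNS checks named above: it scores each domain in a passive DNS feed by median TTL, distinct IPs, distinct /16 networks, and the share of IPs that are new in each time window. The rows, the /16 grouping and every threshold are assumptions made for this example.

```python
from collections import defaultdict
from statistics import median

# Constructed passive DNS rows: (unix_time, qname, A-record IP, TTL seconds).
# Addresses are private/documentation ranges, not real indicators.
SAMPLE_PDNS = [
    (0,   "flux.example", "10.1.4.7",      150),
    (0,   "flux.example", "172.16.5.9",    150),
    (300, "flux.example", "192.0.2.10",    150),
    (300, "flux.example", "10.22.9.3",     150),
    (600, "flux.example", "198.51.100.23", 150),
    (600, "flux.example", "203.0.113.77",  150),
    (0,   "cdn.example",  "192.0.2.1",     60),   # low TTL, but one network
    (300, "cdn.example",  "192.0.2.2",     60),
    (600, "cdn.example",  "192.0.2.3",     60),
    (0,   "www.example",  "198.51.100.5",  86400),
    (600, "www.example",  "198.51.100.5",  86400),
]

def flux_features(rows, window=300):
    """Per-domain features: distinct IPs, distinct /16s, median TTL, IP turnover."""
    by_domain = defaultdict(list)
    for ts, name, ip, ttl in rows:
        by_domain[name.lower().rstrip(".")].append((ts, ip, ttl))
    out = {}
    for name, obs in by_domain.items():
        windows = defaultdict(set)
        for ts, ip, _ in obs:
            windows[ts // window].add(ip)
        seen, fresh, later = set(), 0, 0
        for w in sorted(windows):
            if seen:  # skip the first window: every IP is new there
                fresh += len(windows[w] - seen)
                later += len(windows[w])
            seen |= windows[w]
        out[name] = {
            "ips": len(seen),
            "nets": len({".".join(ip.split(".")[:2]) for ip in seen}),
            "ttl": median(t for _, _, t in obs),
            "turnover": fresh / later if later else 0.0,
        }
    return out

def flux_candidates(rows, max_ttl=300, min_ips=5, min_nets=4, min_turnover=0.5):
    """Names meeting all thresholds (assumed values; tune on your own data)."""
    return sorted(n for n, f in flux_features(rows).items()
                  if f["ttl"] <= max_ttl and f["ips"] >= min_ips
                  and f["nets"] >= min_nets and f["turnover"] >= min_turnover)
```

On the constructed rows only `flux.example` is returned; `cdn.example` has an even lower TTL and full IP turnover but stays inside one network, which is why TTL alone is a poor signal.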

Dhia Mahjoub

Senior security researcher at OpenDNS