Botconf Author Listing

Dhia Mahjoub


Last known affiliation: OpenDNS

Date: 2014-12-05
A New Look at Fast Flux Proxy Networks
Hendrik Adrian 🗣 | Dhia Mahjoub 🗣

Abstract

Botnets that run on proxy service networks are not a new topic. We (and other researchers) have discussed this topic at various talks in years past, and it was also one of the main points in last year’s BotConf 2013 where we discussed the Kelihos network.

Generally, a proxy network bridges connectivity and shields the identity and location of malware CnCs from their nodes. It can take the form of a fast flux service network that redirects CnC connection attempts to a set of proxy nodes that are constantly shifting, or of a static proxy. In this talk, we will begin by presenting some points on why fast flux is still the most efficient way to distribute malicious payloads.

We are going to discuss the most recent progress in our analysis of the fast flux proxy networks we have observed since January 2014. By definition, a fast flux service network is created by setting up a selection of domains whose resolution “fluxes” through the IP addresses of a subset of the available proxy nodes (bots). Many DNS aspects, multi-layer networking, and (encrypted) remote control methods are involved in driving a fast flux botnet the way the herder wants it. For mitigation and detection, the methods to use include sticky DNS records, TTL monitoring, passive DNS, and domain reputation for detecting an emerging hostile flux, among others. These methods will be introduced in the talk.

This constitutes an extra layer of evasion and protection for the actual malware infection sources: communication from an infected host always goes through the fast flux proxy network to reach the malware back-end CnCs.

As a case study, we present research conducted over several months on one such active fast flux proxy network that was used to distribute “zbot”. This fast flux network consists of several tens of thousands of infected machines and has hosted close to a thousand CnC domains. It has hosted CnCs for various malware families: Zeus variants, Asprox, and most recently the new Zeus GameOver variant, which has also served Cryptolocker payloads. We will go over details of the usage of this proxy network and discuss various cases of CnC domains.

The point of this discussion is not to get into the malware infection details but to share the know-how to detect, monitor and mitigate the growth, management and development of the recent fast flux infrastructure itself. With this shared know-how we hope to enrich the knowledge of researchers who fight malware infections.
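The abstract names TTL monitoring and passive DNS as detection methods without showing how they combine. The following is an added example (not code from the talk or from OpenDNS) that scores each domain seen in a small set of constructed passive DNS records on the four properties a fluxing name exhibits: short TTLs, many distinct answer IPs, IPs scattered across many /16 prefixes, and a high churn of the answer set between consecutive resolutions. The threshold values are assumptions chosen for the constructed data and should be tuned on real telemetry; the domain names and 10.x addresses are placeholders.

```python
"""Heuristic fast flux detection over passive DNS records (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_network
from statistics import median
from typing import Dict, List, NamedTuple, Set


class PdnsRecord(NamedTuple):
    ts: int     # observation time, seconds since the start of the capture
    name: str   # queried domain
    ttl: int    # TTL returned with the A record
    ip: str     # A record rdata


# Constructed observations, not real data. Records sharing a timestamp are the
# answer set of one resolution of that name.
SAMPLE = [
    # short TTL, a mostly new IP set on each lookup, IPs spread over many /16s
    PdnsRecord(0,    "flux-c2.test", 120, "10.11.0.5"),
    PdnsRecord(0,    "flux-c2.test", 120, "10.42.7.19"),
    PdnsRecord(0,    "flux-c2.test", 120, "10.99.130.2"),
    PdnsRecord(150,  "flux-c2.test", 120, "10.42.7.19"),
    PdnsRecord(150,  "flux-c2.test", 120, "10.7.200.1"),
    PdnsRecord(150,  "flux-c2.test", 120, "10.160.8.77"),
    PdnsRecord(300,  "flux-c2.test", 120, "10.160.8.77"),
    PdnsRecord(300,  "flux-c2.test", 120, "10.23.54.9"),
    PdnsRecord(300,  "flux-c2.test", 120, "10.201.3.3"),
    # long TTL, same address every time
    PdnsRecord(0,    "www.corp.test", 3600, "10.5.1.10"),
    PdnsRecord(3700, "www.corp.test", 3600, "10.5.1.10"),
    PdnsRecord(7500, "www.corp.test", 3600, "10.5.1.10"),
    # short TTL but a stable pool inside one /16 (CDN-like, must not be flagged)
    PdnsRecord(0,    "cdn.example.test", 60, "10.80.1.1"),
    PdnsRecord(0,    "cdn.example.test", 60, "10.80.1.2"),
    PdnsRecord(90,   "cdn.example.test", 60, "10.80.1.2"),
    PdnsRecord(90,   "cdn.example.test", 60, "10.80.1.1"),
]

# Illustrative thresholds (assumptions; tune against your own passive DNS data).
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_PREFIXES = 3
MAX_MEDIAN_TTL = 600
MIN_CHURN = 0.5


def lookups(records: List[PdnsRecord]) -> List[Set[str]]:
    """Group one name's records into the IP set returned at each timestamp, in time order."""
    by_ts: Dict[int, Set[str]] = defaultdict(set)
    for r in records:
        by_ts[r.ts].add(r.ip)
    return [by_ts[ts] for ts in sorted(by_ts)]


def churn(answer_sets: List[Set[str]]) -> float:
    """Mean Jaccard distance between consecutive answer sets: 0 = stable, 1 = fully replaced."""
    if len(answer_sets) < 2:
        return 0.0
    dists = [1 - len(a & b) / len(a | b) for a, b in zip(answer_sets, answer_sets[1:])]
    return sum(dists) / len(dists)


def features(records: List[PdnsRecord]) -> Dict[str, float]:
    """Per-domain flux indicators derived from its passive DNS history."""
    ips = {r.ip for r in records}
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in ips}
    return {
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "median_ttl": median(r.ttl for r in records),
        "churn": churn(lookups(records)),
    }


def is_fast_flux(f: Dict[str, float]) -> bool:
    """All four indicators must fire; a CDN trips TTL alone, a fluxing name trips all of them."""
    return (f["distinct_ips"] >= MIN_DISTINCT_IPS
            and f["distinct_prefixes"] >= MIN_DISTINCT_PREFIXES
            and f["median_ttl"] <= MAX_MEDIAN_TTL
            and f["churn"] >= MIN_CHURN)


def classify(records: List[PdnsRecord]) -> Dict[str, bool]:
    """Map each domain in the record set to whether it looks like a fast flux name."""
    by_name: Dict[str, List[PdnsRecord]] = defaultdict(list)
    for r in records:
        by_name[r.name].append(r)
    return {name: is_fast_flux(features(recs)) for name, recs in by_name.items()}


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE).items():
        print(f"{name:20} fast_flux={verdict} {features([r for r in SAMPLE if r.name == name])}")
```

Requiring every indicator to fire is what keeps a CDN or round-robin load balancer, which also uses short TTLs and several addresses, out of the alert set: those pools stay inside a small number of prefixes and their answer sets barely change between lookups. On real data the /16 grouping would normally be replaced by the ASN of each address, and the TTL check would look at the minimum as well as the median to catch a name that has just started fluxing.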

Video
Date: 2013-12-05
The power of a team work – Management of Dissecting a Fast Flux Botnet, OP-Kelihos “Unleashed”
Hendrik Adrian 🗣 | Dhia Mahjoub 🗣

Abstract

“Facing a come-back Fast Flux (HLUX) botnet like Kelihos (Khelios), which was previously announced to be shut down by big entities, is not an easy task that can be done by a small group of people. A better understanding of the technicality “under the hood” of the threat itself provided a better method for suppression, evidence collection, spear target intelligence and a law enforcement coordination strategy within regions and countries to control the growth, and in the end the shutdown effort. This is the story of a persistent and outsmarting effort of engineers gathered in MalwareMustDie with partners in fighting the well-known botnet.

To make the strategy work as expected, a solid team is needed, with vertical and horizontal team management and communication effort, and InfoSec has all of the resources needed to make it happen. We share at BotConf the know-how and motivation on how good people/engineers can focus and gather to form a big achievement, and how the management of battling a botnet can be done very cost-effectively.

The talk will be closed with the offline full disclosure of important achievements collected during the operation, and there will be a hall of fame for the contributors involved.
We will try to cover all aspects within the 20 minutes of the Short Talk, with print-outs of the shared basic details handed out before the talk.”

External link: Blog post
PDF
Video