From “Fastflux” to “Hydraflux”: A Brief History Of The Botnet


July 21st, 2008

I’m not sure if you’ve been reading the news over at the Internet Storm Center recently, but they have an interesting write-up on what William Salusky dubs the “Hydraflux” that is worth reading.

The popular technique for building botnets over the last while is called ‘Fast Flux’, where a group of infected PCs acts as a proxy layer between the web server hosting the malware and the PCs that are about to be infected.

This proxy layer is called the ‘Fluxnodes’.

You will have seen this in the recent ‘Storm Worm’ spam runs, where the e-mail sent to you consists of a brief subject line and a link to a bare IP address. When you click on the link in the e-mail, your computer connects to the proxy software running on an already infected PC, and that PC then goes out and gets the content, including the malware that will end up infecting your PC, from the real source.

This makes it harder to track down the real source of the infection, as you now have to contact the IT people responsible for the computer in the middle (the proxy) and get them to check their log files to find out where the malware content is really coming from.

They may be too busy to respond, or they may not even have the logs required to track the source down. Meanwhile the ‘Storm Worm’, or some variation of it, continues to send out millions of e-mail messages, getting more PCs infected and adding more pawns to the proxy layer that insulates the “bot herder” (gotta love the names we give certain people) from the security professionals trying to stop the infection.

As hard as it is to coordinate with the IT departments of the infected proxy layer, it does happen often enough that the real source of the malware files is found and shut down. This does not make the “bot herders” happy, as they now have to start building up their botnets all over again or redirect their proxy pawns to a second source of infected files. This takes time, and while the transition is going on the bot network is down and not doing the bidding of the herder; hence the evolution of ‘Fast Flux’ into ‘Hydra Flux’.

Hydra Flux is the same basic idea as Fast Flux but with the addition of many heads, like the Lernaean Hydra, the many-headed serpent of Greek mythology. Just like the ancient snake with many heads, you can cut off one of the heads of the modern ‘Hydra Flux’ without killing the beast. The proxy layer talks to many sources of infection (the “mother ships” of the Internet Storm Center article), so that if one gets found out and stopped the proxy layer has a backup. This is a very resilient hosting structure and could be called a great example of ‘cloud computing’.
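The proxy layer described above leaves a footprint in DNS: a flux domain resolves to many unrelated infected PCs with short TTLs. The following heuristic is an added example (not code from the article or the ISC write-up); the log format, addresses and thresholds are all constructed assumptions.

```python
"""Fast-flux heuristic over resolver answers (added example).

Assumes each record is (domain, ttl_seconds, answer_ip) taken from a
resolver log over a day. A proxy layer of infected home PCs shows up as
many distinct A records, short TTLs, and answers scattered across
unrelated /24 networks (a rough stand-in for unrelated ISPs).
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: one flux domain, one CDN-style domain (low TTL but
# a single provider network) and one ordinary corporate site.
SAMPLE_ANSWERS = [
    ("flux.example", 300, "203.0.113.10"),
    ("flux.example", 300, "198.51.100.77"),
    ("flux.example", 180, "192.0.2.45"),
    ("flux.example", 300, "203.0.114.9"),
    ("flux.example", 240, "198.51.101.3"),
    ("flux.example", 300, "192.0.3.200"),
    ("cdn.example", 60, "203.0.113.1"),
    ("cdn.example", 60, "203.0.113.2"),
    ("cdn.example", 60, "203.0.113.3"),
    ("cdn.example", 60, "203.0.113.4"),
    ("cdn.example", 60, "203.0.113.5"),
    ("corp.example", 3600, "192.0.2.10"),
    ("corp.example", 3600, "192.0.2.11"),
]

# Thresholds are illustrative assumptions, not values from the article.
MAX_TTL, MIN_IPS, MIN_NETS = 600, 5, 3

def summarize(records):
    """Return {domain: (unique_ips, unique_slash24s, min_ttl)}."""
    by_domain = defaultdict(list)
    for domain, ttl, ip in records:
        by_domain[domain].append((ttl, ip))
    out = {}
    for domain, entries in by_domain.items():
        ips = {ip for _, ip in entries}
        nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        out[domain] = (len(ips), len(nets), min(t for t, _ in entries))
    return out

def flux_domains(records):
    """Domains whose answers look like a fast-flux proxy layer."""
    return sorted(d for d, (n_ip, n_net, ttl) in summarize(records).items()
                  if ttl <= MAX_TTL and n_ip >= MIN_IPS and n_net >= MIN_NETS)

if __name__ == "__main__":
    print("flux candidates:", flux_domains(SAMPLE_ANSWERS))
```

Note that the CDN-style domain has a low TTL and five addresses but is not flagged, because all of its answers sit in one provider network; a single signal such as TTL alone is not enough.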

So what can we do to stop the infections?

  1. Ensure that we don’t settle for setting up our corporate firewalls in a way that works for both us and the malware writers. Too many firewalls are set up to stop traffic coming from the Internet to the LAN but allow anything and everything from the LAN to flow out to the Internet.
  2. If you have a corporate mail server, then the mail server should be the only system that has SMTP access to the Internet, and you can block all other connections from the LAN to any Internet host on port 25.
  3. If the firewall has Universal Plug and Play (UPnP), disable it if at all possible because of the security holes it introduces into your network. Enable the intrusion detection (IDS) feature of your firewall if it has that capability, and use it on the inside of your network.
  4. If you don’t have a firewall that can do IDS, get one that can, or add a transparent gateway device like the Barracuda Web Filter that looks for infected traffic originating on the inside of your network and can both block it and report to you that you have an infection problem so you can take care of it. The Barracuda Web Filter also keeps the log files that would allow you to track down the real source of the malware, helping cut off one of the many heads of the Hydra Flux botnet.
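Item 2 of the list above is easy to both enforce and verify. The following is an added example (not from the article or any vendor product): it reads a constructed firewall egress log, flags LAN hosts other than the mail server that open outbound SMTP connections, and emits the matching iptables egress rules as reviewable strings. The log format, the LAN prefix and the mail server address are assumptions.

```python
"""Spotting LAN hosts that bypass the corporate mail server (added example).

Assumes a firewall that logs every outbound LAN connection as
  "<timestamp> OUT src=<ip> dst=<ip> proto=tcp dport=<port>"
(constructed format). Only the mail server may reach port 25 on the
Internet; any other LAN host doing so is a likely spam bot.
"""
import re

MAIL_SERVER = "10.0.0.25"   # assumed address of the corporate MTA
LAN = "10.0.0."             # assumed LAN prefix (constructed)

LINE = re.compile(r"OUT src=(\S+) dst=(\S+) proto=tcp dport=(\d+)")

# Constructed sample log: the MTA delivering mail, a workstation browsing,
# and one workstation spraying SMTP connections at many outside hosts.
SAMPLE_LOG = """\
2008-07-21T09:00:01 OUT src=10.0.0.25 dst=198.51.100.9 proto=tcp dport=25
2008-07-21T09:00:02 OUT src=10.0.0.41 dst=203.0.113.8 proto=tcp dport=443
2008-07-21T09:00:03 OUT src=10.0.0.77 dst=192.0.2.15 proto=tcp dport=25
2008-07-21T09:00:03 OUT src=10.0.0.77 dst=192.0.2.16 proto=tcp dport=25
2008-07-21T09:00:04 OUT src=10.0.0.77 dst=198.51.100.30 proto=tcp dport=25
2008-07-21T09:00:05 OUT src=10.0.0.41 dst=203.0.113.8 proto=tcp dport=80
2008-07-21T09:00:06 OUT src=10.0.0.25 dst=203.0.113.200 proto=tcp dport=25
"""

def smtp_violations(log_text):
    """Return {src_ip: number of distinct SMTP destinations} for LAN hosts
    other than the mail server that opened outbound port-25 connections."""
    dests = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == 25 and src.startswith(LAN) and src != MAIL_SERVER:
            dests.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in dests.items()}

def iptables_rules():
    """Egress rules for the policy: the MTA may send SMTP, every other LAN
    host is logged and dropped. Returned as strings for review, not run."""
    net = f"{LAN}0/24"
    return [
        f"iptables -A FORWARD -s {MAIL_SERVER} -p tcp --dport 25 -j ACCEPT",
        f"iptables -A FORWARD -s {net} -p tcp --dport 25 -j LOG --log-prefix 'SMTP-EGRESS '",
        f"iptables -A FORWARD -s {net} -p tcp --dport 25 -j DROP",
    ]

if __name__ == "__main__":
    print("hosts bypassing the MTA:", smtp_violations(SAMPLE_LOG))
```

The LOG rule sits before the DROP so that a blocked host still shows up in the firewall log, which is what lets you find the infected machine rather than merely silencing it.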

Interested in learning more?

Here are some links for you:

Hydra Flux

Fast Flux

UPnP

Fast-Flux Data

  • Back in February, we published a paper on fast-flux service networks at NDSS’08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. …

Botnet Videos:

Botnets PART 1 :Building A Botnet (1/2)

See actual malicious code and understand how it works. Corey Nachreiner explains botnet architecture for beginners, then builds a bot client.

http://www.secumania.org

http://forums.secumania.org


Botnets PART 1 : Building A Botnet (2/2)

See actual malicious code and understand how it works. Corey Nachreiner explains botnet architecture for beginners, then builds a bot client.


Botnets PART 2 : Botnet Attacks (1/2)

Learn how a bot herder uses his bot army for attacks such as Distributed Denial of Service, getting command line control of victims, installing spyware, and more. Hosted by Corey Nachreiner, CISSP.


Botnets PART 2 : Botnet Attacks (2/2)

Learn how a bot herder uses his bot army for attacks such as Distributed Denial of Service, getting command line control of victims, installing spyware, and more. Hosted by Corey Nachreiner, CISSP.

Some Other Interesting Articles on Botnets:

Interesting Pattern in Storm Worm Traffic – Björn Weiland recently sent me a few graphs with interesting observations he made when tracking the Storm Worm botnet as part of his thesis on detection of advanced botnets. The first graph visualizes the network communication of a …

Botnets and Spreading Computer Viruses – How He Did It – Los Angeles, CA – We discovered a 2-year-old press release about a “Botherder” who was dealt a record prison sentence, nearly five years, for selling and spreading malicious computer code. Even though the information is 24 months old it …

Distributed SSH Brute Forcing w/ Botnets – It’s not clear who’s behind the assault, which appears to originate from a botnet network of compromised Linux boxes. Aziz explained that the assault is different from other brute force hacking attacks he’s seen before. …

First Prosecution Of Its Kind Involving “Botnets” – … consultant plead guilty to Federal wiretapping and identity theft. In the first prosecution of its kind in the United States, a man who is well known by members of the “botnet underground” pleaded guilty to federal charges [...]

Botnets winning spam wars, says report – The world’s anti-spam systems are fighting a furious but hopeless battle against botnet spam, a new threat analysis from Commtouch has claimed.

The July Security Roundtable is available: Battling Botnets with … – Complete details are available here: http://www.securityroundtable.com/2008/07/security-roundtable-for-july-2008-battling-botnets-with-botnets/. The discussion ran a bit longer than we allotted, yet even on our review listen proved worth …

Botnets as a Business – The Storm worm is being used to sell pharmaceuticals such as Viagra.

Entry Filed under: Barracuda Networks, Botnets