
From “Fastflux” to “Hydraflux”: A Brief History Of The Botnet

I’m not sure if you’ve been reading the news over at the [tag]Internet Storm Center[/tag] recently, but they have an interesting write-up on what William Salusky dubs the “Hydraflux” that is worth reading.

The hosting technique botnets have favoured for the last while is called ‘[tag]Fast Flux[/tag]‘, where a group of infected PCs acts as a proxy layer between the web server that really hosts the malware and the PCs that are about to be infected. The “flux” refers to how quickly the mapping between the domain name the victims are sent to and the IP addresses of those proxies is changed, so that no single address stays in front of the real server for long.

This proxy layer is what the write-up calls the ‘[tag]Fluxnodes[/tag]‘.

You will have seen this in the recent ‘Storm Worm’ spam runs, where the e-mail consists of a brief subject line and a link to an IP address. When you click on the link, your computer connects to the proxy software running on an already infected PC, which then goes out and fetches the content, including the malware that will end up infecting your PC, from the real source.

This makes it harder to track down the real source of the infection: you now have to contact the IT people responsible for the computer in the middle (the proxy) and get them to check their log files to find out where the malware content is really coming from.

They may be too busy to respond, or they may not even have the logs required to track the source down. Meanwhile the ‘Storm Worm’ or some variation of it continues to send out millions of e-mail messages, infecting more PCs and adding more pawns to the proxy layer that insulates the “bot herder” (gotta love the names we give certain people) from the security professionals trying to stop the infection.

As hard as it is to coordinate with the IT departments behind the infected proxy layer, it does happen often enough that the real source of the malware files is found and shut down. This does not make the “bot herders” happy, as they now have to build up their botnets all over again or redirect their proxy pawns to a second source of infected files. That takes time, and while the transition is going on the bot network is down and not doing the bidding of the herder. Hence the evolution from ‘Fast Flux’ to ‘Hydra Flux’.

[tag]Hydra Flux[/tag] is the same basic idea as Fast Flux but with the addition of many heads, like the Lernaean Hydra, the many-headed serpent of Greek mythology. Just as with the ancient snake, you can cut off one of the heads of a modern ‘Hydra Flux’ network without killing the beast: the proxy layer talks to many sources of infection (the “mother ships” of the Internet Storm Center article), so that if one gets found out and shut down the proxy layer simply falls back to another. This is a very resilient hosting structure and could be called a great example of ‘[tag]cloud computing[/tag]‘.
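The tell-tale sign of a fast-flux domain from the defender’s side is the DNS behaviour: short TTLs and a set of answer addresses that changes on almost every lookup, spread across unrelated networks. The script below is an added example (not code from this post, from the Internet Storm Center write-up, or from any Optrics product) that scores domains from a constructed set of resolver answers using those three signals. The sample data, the thresholds and the use of the /24 prefix as a stand-in for “different network” are all assumptions made for the example.

```python
"""Flag domains whose A-record answers rotate the way fast-flux hosting does.

Added example for the Fast Flux / Hydra Flux discussion above; it is not
code from the post or the ISC write-up.  Input is a list of DNS answers as
(unix time, qname, ttl, [answer IPs]), the shape you would get from a
resolver log or from repeated lookups of the domains seen in spam.
"""
from collections import defaultdict

# Constructed sample (documentation address ranges, not real hosts):
#  - flux.example:   short TTL, a new set of proxies on every lookup
#  - static.example: one address, long TTL
#  - cdn.example:    two stable addresses returned in rotating order
SAMPLE_ANSWERS = [
    (0,    "flux.example",   300,  ["203.0.113.10",  "198.51.100.7",  "192.0.2.44"]),
    (300,  "flux.example",   300,  ["203.0.113.77",  "198.51.100.9",  "192.0.2.45"]),
    (600,  "flux.example",   300,  ["203.0.113.10",  "198.51.100.31", "192.0.2.90"]),
    (900,  "flux.example",   300,  ["203.0.113.200", "198.51.100.7",  "192.0.2.12"]),
    (0,    "static.example", 3600, ["192.0.2.1"]),
    (3600, "static.example", 3600, ["192.0.2.1"]),
    (0,    "cdn.example",    600,  ["198.51.100.1", "198.51.100.2"]),
    (600,  "cdn.example",    600,  ["198.51.100.2", "198.51.100.1"]),
]


def analyze(answers):
    """Aggregate the answers per domain into the signals we score on."""
    by_domain = defaultdict(list)
    for ts, qname, ttl, ips in sorted(answers, key=lambda r: (r[1], r[0])):
        # frozenset: the same addresses in a different order is NOT a change
        by_domain[qname].append((ts, ttl, frozenset(ips)))

    stats = {}
    for qname, rows in by_domain.items():
        seen = set().union(*(ips for _, _, ips in rows))
        # /24 prefix as a cheap offline proxy for "different network";
        # with ASN data available you would count ASNs instead (assumption).
        prefixes = {ip.rsplit(".", 1)[0] for ip in seen}
        changes = sum(1 for a, b in zip(rows, rows[1:]) if a[2] != b[2])
        stats[qname] = {
            "lookups": len(rows),
            "max_ttl": max(ttl for _, ttl, _ in rows),
            "distinct_ips": len(seen),
            "distinct_prefixes": len(prefixes),
            # fraction of consecutive lookups whose answer set differed
            "churn": changes / (len(rows) - 1) if len(rows) > 1 else 0.0,
        }
    return stats


def is_fast_flux(s, ttl_max=600, min_ips=5, min_prefixes=3, min_churn=0.5):
    """All three signals together: short TTL, many addresses across several
    networks, and the answer set actually changing between lookups.
    Thresholds are assumptions for the example; tune them on your own data."""
    return (s["max_ttl"] <= ttl_max
            and s["distinct_ips"] >= min_ips
            and s["distinct_prefixes"] >= min_prefixes
            and s["churn"] >= min_churn)


def flagged_domains(answers, **thresholds):
    """Sorted list of domains that look like fast-flux hosting."""
    return sorted(d for d, s in analyze(answers).items()
                  if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for name, s in sorted(analyze(SAMPLE_ANSWERS).items()):
        verdict = "FAST-FLUX" if is_fast_flux(s) else "ok"
        print(f"{name:16} ttl<={s['max_ttl']:<5} ips={s['distinct_ips']:<3} "
              f"nets={s['distinct_prefixes']} churn={s['churn']:.2f}  {verdict}")
```

Run it and only flux.example is flagged; cdn.example rotates the order of its answers but never the set, which is why the comparison is on the set and not on the raw answer list. Against a Hydra Flux layout the same heuristic still works, because it looks at the proxy addresses in DNS, not at whichever mother ship sits behind them.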

So what can we do to stop the infections?

  1. Don’t settle for setting up our corporate firewalls so that they work for the malware writers as well as for us. Too many firewalls are set up to stop traffic coming from the Internet to the LAN but allow anything and everything from the LAN out to the Internet.
  2. If you have a corporate mail server, then the mail server should be the only system with SMTP access to the Internet: block all other connections from the LAN to any Internet host on port 25. An infected PC that is spamming then shows up right away as blocked outbound port 25 traffic in the firewall log.
  3. If the firewall has [tag]Universal Plug and Play[/tag] (UPnP), disable it if at all possible because of the security holes it introduces into your network. Enable the Intrusion Detection (IDS) capability of your firewall if it has one, and use it on the inside of your network as well.
  4. If you don’t have a firewall that can do IDS, get one that can, or add a transparent gateway device like the [tag]Barracuda Web Filter[/tag] that looks for infected traffic originating on the inside of your network and can both block it and report to you that you have an infection problem so you can take care of it. The Barracuda Web Filter also keeps the log files that would let you track down the real source of the malware, helping cut off one of the many heads of the Hydra Flux botnet.
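Points 1, 2 and 4 come down to one check you can run against the firewall’s own logs today: which LAN hosts, other than the mail server, are opening connections to port 25 on the Internet? The script below is an added example (not Barracuda or Optrics code) that answers that question over a constructed sample of netfilter-style LOG lines. The LAN range, the mail server address, the log format and the addresses in it are all assumptions made for the example.

```python
"""Find LAN hosts other than the mail server talking SMTP to the Internet.

Added example for steps 1, 2 and 4 above; not code from the post or from
any Barracuda product.  The log lines are a constructed subset of the
netfilter LOG target format (SRC= DST= PROTO= DPT= fields); all addresses
are documentation ranges.
"""
import ipaddress
import re
from collections import defaultdict

MAIL_SERVER = ipaddress.ip_address("10.0.0.10")   # assumption: the only legitimate SMTP sender
LAN = ipaddress.ip_network("10.0.0.0/24")          # assumption: the inside network

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: the mail server delivering, one host (10.0.0.23) fanning
# out to several mail exchangers the way a spam bot does, one host making a
# single SMTP connection, ordinary web traffic, and one inbound delivery.
SAMPLE_LOG = """\
Jan 14 10:01:02 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.10 DST=203.0.113.25 PROTO=TCP SPT=40211 DPT=25
Jan 14 10:01:05 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.8 PROTO=TCP SPT=1178 DPT=25
Jan 14 10:01:05 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.9 PROTO=TCP SPT=1179 DPT=25
Jan 14 10:01:06 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.77 PROTO=TCP SPT=1180 DPT=25
Jan 14 10:01:07 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.5 PROTO=TCP SPT=1181 DPT=80
Jan 14 10:01:09 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.41 DST=203.0.113.9 PROTO=TCP SPT=2210 DPT=443
Jan 14 10:01:11 fw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=10.0.0.41 DST=198.51.100.3 PROTO=TCP SPT=2211 DPT=25
Jan 14 10:01:12 fw kernel: FW-IN: IN=eth0 OUT=eth1 SRC=203.0.113.90 DST=10.0.0.10 PROTO=TCP SPT=5123 DPT=25
"""


def parse_line(line):
    """Return the KEY=value fields of one log line, or None if it lacks the
    fields we need (other syslog noise, truncated lines, ...)."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "DPT"} <= fields.keys():
        return None
    return fields


def rogue_smtp_senders(log_text, mail_server=MAIL_SERVER, lan=LAN):
    """Map each LAN host other than the mail server that connected to TCP/25
    outside the LAN to the set of external destinations it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f.get("PROTO") != "TCP" or f["DPT"] != "25":
            continue
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except ValueError:
            continue                      # malformed address, skip the line
        # only outbound traffic from the inside, and the mail server is allowed
        if src not in lan or dst in lan or src == mail_server:
            continue
        hits[str(src)].add(str(dst))
    return dict(hits)


def ranked(hits):
    """Worst offenders first: a spam bot fans out to many mail exchangers,
    a misconfigured client usually talks to one."""
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for host, dests in ranked(rogue_smtp_senders(SAMPLE_LOG)):
        print(f"{host:15} {len(dests)} external SMTP destination(s): {', '.join(sorted(dests))}")
```

On the sample this reports 10.0.0.23 with three destinations and 10.0.0.41 with one, and nothing for the mail server or for the inbound delivery. The enforcement side of step 2 is the matching pair of outbound firewall rules (accept TCP/25 from the mail server, drop TCP/25 from the rest of the LAN, and log what is dropped); this script is what you run over those log entries to find out which desktop has joined the proxy layer.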

Interested in learning more?

Here are some links for you:

Hydra Flux

Fast Flux

UPnP

Fast-Flux Data

  • Back in February, we published a paper on fast-flux service networks at NDSS’08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. …

Botnet Videos:

Botnets PART 1: Building A Botnet (1/2)

Botnets PART 1: Building A Botnet (2/2)

See actual malicious code and understand how it works. Corey Nachreiner explains botnet architecture for beginners, then builds a bot client.

http://www.secumania.org

http://forums.secumania.org

Botnets PART 2: Botnet Attacks (1/2)

Botnets PART 2: Botnet Attacks (2/2)

Learn how a bot herder uses his bot army for attacks such as Distributed Denial of Service, getting command line control of victims, installing spyware, and more. Hosted by Corey Nachreiner, CISSP.

Some Other Interesting Articles on Botnets:

Interesting Pattern in Storm Worm Traffic – Bj

Entry Filed under: Barracuda Networks,Botnets

Our Author

Shaun Sturby, MCSE Technical Services Manager, and Optrics' point person for email security