Understanding the basics concept of fast flux dns

One of the most active threats we face today on the Internet is cyber-crime. It’s a profitable business where IT capable criminals try to control the computers of the naive. They do this by infecting them with malware. There are various ways of introducing these malicious codes into the target systems, but that part is out of scope for this post.

The goal of fast-flux is decrease the detection chances/rate when doing a malicous action. This can fluctuate from a spam mailing to a denial-of-service attack. The basic concept of the “fast flux” is to have a fully qualified domain name with multiple IP addresses assigned to it. These IP addresses are swapped in and out of flux with extreme frequency, using a combination of round-robin IP addresses and a very short Time-To-Live. The hostname of a certain website may change as often as every three minutes.

single flux diagram

The ip address used here are those of infected machines. So a browser connecting to the same website every 3 minutes would actually be connecting to a different infected computer each time. So the computer of your grandparents may simply be used to provide resources to the latest phishing attack.

It’s a common practice to build in load-distribution schemes which also do a health-check. This is useful so that the nodes (the computer from for example the grandparents) that are offline can be taken out of the flux. Enabling an always maintained content availability. A second layer is often added for security and fail-over: blind proxy redirection. Actually… a lot of techniques used in the world of legitimate webserver operations are used by these criminal computer networks.

The fast-flux it’s controlling element is often refered to as “mothership”. It’s simpilar to the control mechanisms used in the older botnets. But it has more features compared to the more conventional botnets. These mostly provide the basic backend infrastructure for the botnet (dns & http) as it serves the content towards the infected nodes.

Interesting readups:
Know Your Enemy: Fast-Flux Service Networks @ Honeynet.org (main reference)
the future of botnets : fast flux bot nets (tip!)
Darkreading: here & here
Securityfocus article

The storm botnet is using tor

Let’s start out with a small introduction about Tor. A brief quote from the Tor Project:

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

In basics it’s a tool that helps you to stay anonymous when browsing the web using “any” application. The project is supported by volunteers who share resources (hardware & bandwidth) for Tor to use.
how tor works

Storm evolved
The storm botnet has evolved to using tor. The started “promoting” Tor… But instead of linking to the project binary, they link to their own compromised version. Even thought there are voices who are bashing the Tor project for this. But this is totally uncalled for. If we would extend such a way of thinking, then we would have to bash mail servers too. As they provide the means to send spam too. The aim of the project is sincere, but the abuse of the storm project on their back is not.

There are a lot of anonimizers out there, and they have been (ab)used in the past too. I’m thinking about the open web proxies, or wrongly configured proxies. But in this case they aren’t using Tor to hide their traffic. But instead their trying to trick users into download a compromised Tor executable. The Storm bot net uses a system called Fast Flux to hide traffic.

“Storm Worm Evolves To Use Tor” @ Slashdot

Mounting an ISO image on a Solaris with lofiadm

Given an ISO image in /home/images/my.iso, a loopback file device (/dev/lofi/1) is created with the following command:

lofiadm -a /home/images/my.iso /dev/lofi/1

The lofi device creates a block device version of a file. This block device can be mounted to /my/mounted/iso with the following command:

mount -F hsfs -o ro /dev/lofi/1 /my/mounted/iso

These commands can be combined into a single command:

mount -F hsfs -o ro `lofiadm -a /home/images/my.iso` /my/mounted/iso

The impasse of the security landscape and a persons state of mind.

Was reading up on the blog of a friend of mine, and came across an interesting article about (the rumor that are) botnets starting to focus on eBay. There are two linked articles: one about the botnets that are focusing eBay, and one about a case of identity theft.

Bear in mind the horror of going thru such a scenario. I guess when you’re reading this, that you’re an IT-minded person, but there are a lot of people out there… who are not. These people are vulnerable to such attacks, as they do not really care (rather understand) the need of computer security. Here I must admit that I haven’t been the lock down person myself in the past. But if I’m seeing the increase of trojans & botnets, then you have to wonder what’s coming to us.

When friends/family ask me for assistance with their IT worries, then I often check their computer for all sorts of malware. And the results are often discouraging, even when people have up-to-date anti virus software, and patched systems. There has always been one string of hope. I generally “suggested” them to install firefox/thunderbird, and gave them the following the advice:

“When you don’t know who sent you the mail, don’t open anything, and delete it!”

The people who followed up on those suggestions/advice are mostly the ones who have pretty clean systems. Yet the ones who insist on running all sorts of P2P related software (for downloading “god-knows-what”) are mostly infested with malware.

Next up are the corporate networks… I guess I can’t speak for the whole community, but in my career I’ve also had the function of system administrator within a European holding. The IT department was decently sized, yet overloaded with work (or badly prioritized? let’s keep that in the middle). The general rule was to get things done A S A P …

“Time costs money, and money is what the shareholders want…”

The things that are often neglected in those situations are security & documentation. It’s already had trying to persuade a business to invest in IT, let alone justify the costs of securing up the infrastructure. The CFO in question had a “nice” stop-phrase for security related items:

Why do we need to secure this? We are not a bank.

The above statements are not meant to portray a bad image of one of my past employers, but to sketch a situation of the general IT market. A lot of companies want to cut their costs… In addition IT departments from small/middle sized companies can’t always justify their cost. So some things get sacrificed, and those things are mostly the things that provide the fundamentals of the whole IT infrastructure.

Why chop at leafs, when one must dig at root? (Confucius)

Take this mentality in account, when looking at the potential risk described in the first paragraph… and one must not wonder why malware doesn’t cease to exist. A lot of people often blame Microsoft to write bad / unsecure code, but this isn’t the root of our issues. This is only the leaf of the tree. The problem of security lies from within, it lies at our roots, at the water that en lives our tree. The tree being our (global) IT infrastructure, and the water being the (justification of) resources of the IT department.