Corporate Malware : the good, the bad & the ugly

The good: Akismet & Greylisting for the win
Today this blog passed the 1k milestone of blocked spam attempts! The positive news is that Akismet has proven itself THE defense against comment spamming. The negative side is that there have been more than 1000 attempts to fill this website with spam…

For my email traffic I rely on Greylisting, and I must say that this has had a HUGE effect on clearing spam from my Inbox. In the past we relied on SpamAssassin to do this for us, but Greylisting has proven itself beyond the (out-of-the-box) SpamAssassin results. Many “gurus” proclaim that you have to set up several tiers of spam filtering, yet I still prefer the KISS principle when results only differ by a few percent.

Understanding the basic concept of fast flux DNS

One of the most active threats we face today on the Internet is cyber-crime. It’s a profitable business where IT-capable criminals try to control the computers of the naive. They do this by infecting them with malware. There are various ways of introducing this malicious code into the target systems, but that part is out of scope for this post.

The goal of fast-flux is to decrease the chance/rate of detection while performing a malicious action. This can range from a spam mailing to a denial-of-service attack. The basic concept of “fast flux” is to have a fully qualified domain name with multiple IP addresses assigned to it. These IP addresses are swapped in and out of the flux with extreme frequency, using a combination of round-robin IP addresses and a very short Time-To-Live. The set of addresses behind the hostname of a certain website may change as often as every three minutes.

[Figure: single flux diagram]

The IP addresses used here are those of infected machines. So a browser connecting to the same website every 3 minutes would actually be connecting to a different infected computer each time. So the computer of your grandparents may simply be used to provide resources to the latest phishing attack.

It’s a common practice to build in load-distribution schemes which also do a health check. This is useful so that the nodes (for example the grandparents’ computer) that are offline can be taken out of the flux, keeping the content available at all times. A second layer is often added for security and fail-over: blind proxy redirection. Actually… a lot of techniques used in the world of legitimate webserver operations are used by these criminal computer networks.

The fast-flux network’s controlling element is often referred to as the “mothership”. It’s similar to the control mechanisms used in the older botnets, but it has more features compared to the more conventional botnets. It mostly provides the basic backend infrastructure for the botnet (DNS & HTTP), as it serves the content towards the infected nodes.
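From a defender’s side, the signals described above (a very short TTL, many addresses behind one name, addresses that rotate on every lookup and belong to unrelated networks) are exactly what a monitoring script can score. The following is an added example, not code from this blog: a toy fast-flux detector run over constructed DNS answer snapshots. The hostnames, addresses and timings are made up (documentation and benchmark ranges), and using the /16 prefix as a stand-in for “different network” is an assumption; a real deployment would map addresses to ASNs instead.

```python
"""Toy fast-flux detector over observed DNS answers (added example, not the post's code)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class DnsSnapshot:
    """One observed A-record answer for a hostname (constructed sample data)."""
    t: int           # observation time in seconds since the first lookup
    name: str        # queried fully qualified domain name
    ttl: int         # TTL carried by the A records
    addrs: tuple     # A records returned, in answer order


@dataclass
class FluxMetrics:
    """Per-hostname summary of how the address set behaved over the window."""
    distinct_ips: int
    distinct_prefixes: int   # distinct /16 prefixes (assumed proxy for network diversity)
    min_ttl: int
    churn: float             # mean share of addresses not seen in the previous answer


def analyze(snapshots):
    """Group snapshots by name and compute FluxMetrics for each hostname."""
    by_name = defaultdict(list)
    for snap in snapshots:
        by_name[snap.name].append(snap)

    result = {}
    for name, snaps in by_name.items():
        snaps.sort(key=lambda s: s.t)
        ips, prefixes, churn_samples, previous = set(), set(), [], None
        for snap in snaps:
            current = set(snap.addrs)
            ips |= current
            # Collapse each address to its /16 so many hosts in one provider count once.
            prefixes |= {ip_network(f"{a}/16", strict=False) for a in current}
            if previous is not None:
                churn_samples.append(len(current - previous) / len(current))
            previous = current
        result[name] = FluxMetrics(
            distinct_ips=len(ips),
            distinct_prefixes=len(prefixes),
            min_ttl=min(s.ttl for s in snaps),
            churn=sum(churn_samples) / len(churn_samples) if churn_samples else 0.0,
        )
    return result


def is_fast_flux(m, max_ttl=300, min_ips=6, min_prefixes=3, min_churn=0.5):
    """Heuristic: short TTL plus many addresses in unrelated networks that keep changing."""
    return (m.min_ttl <= max_ttl and m.distinct_ips >= min_ips
            and m.distinct_prefixes >= min_prefixes and m.churn >= min_churn)


# Constructed observations, one lookup per TTL period for each hostname.
SAMPLE = [
    # Fluxing name: every 180 s the answer is a fresh set of addresses from unrelated networks.
    DnsSnapshot(0,   "fluxed.example", 180, ("192.0.2.5", "198.51.100.22", "203.0.113.7")),
    DnsSnapshot(180, "fluxed.example", 180, ("192.0.2.140", "198.18.4.9", "203.0.113.77")),
    DnsSnapshot(360, "fluxed.example", 180, ("198.19.7.31", "198.51.100.201", "100.64.3.3")),
    DnsSnapshot(540, "fluxed.example", 180, ("192.0.2.77", "198.18.200.1", "203.0.113.250")),
    # Ordinary round-robin name: long TTL, a couple of hosts inside one network.
    DnsSnapshot(0,    "static.example", 3600, ("192.0.2.10", "192.0.2.11")),
    DnsSnapshot(3600, "static.example", 3600, ("192.0.2.11", "192.0.2.10")),
    DnsSnapshot(7200, "static.example", 3600, ("192.0.2.10", "192.0.2.12")),
]


def flagged_names(snapshots=SAMPLE):
    """Return the hostnames whose metrics trip the fast-flux heuristic."""
    return sorted(n for n, m in analyze(snapshots).items() if is_fast_flux(m))


if __name__ == "__main__":
    for name, metrics in analyze(SAMPLE).items():
        print(name, metrics, "FAST-FLUX" if is_fast_flux(metrics) else "ok")
```

Run on the constructed sample, only `fluxed.example` is flagged: twelve distinct addresses across six /16s with a 180 s TTL and a complete change of address set on every lookup, while `static.example` round-robins three hosts in one /24 with an hour-long TTL. The thresholds are starting points, not ground truth; legitimate CDNs also use short TTLs and many addresses, which is why the network-diversity and churn signals matter more than TTL alone.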

