Fast-Flux Bot Nets: The Future of Botnets


Worrying news from SecurityFocus came out today:

Network security analyst Lawrence Baldwin has helped take down his share of bot nets, but he worries that those days may largely be over.

Why worry? Botnets are used to send spam and launch denial-of-service attacks. If you’re still not concerned, think of the spam e-mails about penis enlargement, stock investments and other promotions you get every day. Add to that the occasional moment when you can’t reach your Webmail account at Yahoo!, MSN or Google, or your favorite Web sites such as MySpace and Facebook (denial of service). These are just a few of the things botnets can do.

The prospect of botnets having a bright future is indeed alarming. To begin with, I encourage you to watch this news video about the arrest of spam king Robert Alan Soloway last May 30, 2007.

According to the report:

An increasingly popular technique, known as fast-flux domain name service (DNS), allows bot nets to use a multitude of servers to hide a key host or to create a highly-available control network. The result: No single point of weakness on which defenders can focus their efforts.

Traditional Botnets vs. Fast-Flux Botnets

Based on the report, traditional botnets have used IRC as a means of monitoring and controlling compromised computers. The video below shows compromised computers being registered with the server. Pay attention to the green text scrolling upward: each line is a zombie computer joining the channel and awaiting instructions.

One weakness of this method is its central server: shutting down the server cuts off the bot master and halts the attack. However, as Lawrence Baldwin points out, “It’s (already) ridiculous trying to get an IRC command-and-control server taken down.”

Fast-flux botnets, on the other hand, aren’t entirely different; they’re still botnets. The list below describes in a nutshell how fast-flux botnets operate (based on the report):

  • Fast-flux bot nets use the Internet’s look-up system for domain names against defenders. With a typical domain, the IP address associated with the domain does not change often, if at all. Fast-flux DNS uses a large number of servers and a fast-changing domain record to turn shutdown attempts into a game of whack-a-mole.
  • A related technique, known as rock phishing, uses a large number of proxies to hide the location of a smaller number of critical servers.
  • A recent Storm Worm infection, for example, connected to a bot net that had more than 2,000 redundant hosts spread amongst 384 providers in more than 50 countries.
  • By design, fast-flux bot nets last much longer and, just by their ability to outlive IRC-based bot nets, will likely soon make up the majority of attack networks on the Internet.
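The points above are the observable fingerprints of a fast-flux record: many addresses, many hosting providers, a short TTL and a record that changes on nearly every lookup. As an added example that is not from the article or the SecurityFocus report it quotes, the Python below scores a series of DNS answers for one domain on exactly those indicators, the kind of check a defender would run over passive-DNS data before deciding whether a domain belongs to such a network. The lookup snapshots, the prefix-to-ASN table and the scoring thresholds are constructed assumptions for illustration; the addresses are the RFC 5737 documentation ranges and the ASNs the RFC 5398 documentation range.

```python
"""Heuristic fast-flux scoring over repeated DNS lookups of one domain.

Added example, not code from the original article or the report it quotes.
The lookup snapshots are constructed, the prefix-to-ASN table stands in for a
real BGP/whois lookup, and the thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Lookup:
    """One answer set observed for the domain."""
    ts: int          # seconds since the start of observation (constructed)
    ttl: int         # TTL on the returned A records, in seconds
    ips: List[str]   # A records in this answer


@dataclass
class FluxReport:
    domain: str
    lookups: int
    unique_ips: int
    unique_asns: int
    min_ttl: int
    churn: float     # mean share of an answer's IPs absent from the previous answer
    score: int       # 0..4, one point per indicator that fires
    verdict: str


# Constructed prefix-to-ASN table (documentation ranges only).
ASN_BY_PREFIX: Dict[str, str] = {
    "192.0.2.": "AS64496",
    "198.51.100.": "AS64497",
    "203.0.113.": "AS64498",
}


def asn_of(ip: str) -> str:
    """Map an IPv4 address to its (constructed) origin ASN."""
    for prefix, asn in ASN_BY_PREFIX.items():
        if ip.startswith(prefix):
            return asn
    return "unknown"


def churn_rate(lookups: List[Lookup]) -> float:
    """Average share of each answer's IPs that were not in the preceding answer.

    A stable domain scores 0.0; a record rotated on every TTL expiry approaches 1.0.
    """
    if len(lookups) < 2:
        return 0.0
    total = 0.0
    for prev, cur in zip(lookups, lookups[1:]):
        if not cur.ips:
            continue
        seen = set(prev.ips)
        total += sum(1 for ip in cur.ips if ip not in seen) / len(cur.ips)
    return total / (len(lookups) - 1)


def analyse(domain: str, lookups: List[Lookup],
            asn_lookup: Callable[[str], str] = asn_of) -> FluxReport:
    """Score a domain on the four indicators described in the report:
    many distinct IPs, many providers, short TTLs and constant churn."""
    ips = {ip for lk in lookups for ip in lk.ips}
    asns = {asn_lookup(ip) for ip in ips}
    min_ttl = min(lk.ttl for lk in lookups)
    churn = churn_rate(lookups)

    score = 0
    score += int(len(ips) >= 5)    # ordinary sites rarely cycle through many A records
    score += int(len(asns) >= 3)   # spread over unrelated providers, not one hosting company
    score += int(min_ttl <= 300)   # a short TTL forces resolvers to re-fetch the rotating record
    score += int(churn >= 0.5)     # most of each answer is new compared with the last one

    verdict = "likely fast-flux" if score >= 3 else "suspicious" if score == 2 else "stable"
    return FluxReport(domain, len(lookups), len(ips), len(asns), min_ttl, churn, score, verdict)


# Constructed observations: three A records, two-minute TTL, most swapped every lookup.
FLUX_LOOKUPS = [
    Lookup(0,   120, ["192.0.2.10", "198.51.100.7",   "203.0.113.3"]),
    Lookup(120, 120, ["192.0.2.44", "198.51.100.7",   "203.0.113.90"]),
    Lookup(240, 120, ["192.0.2.61", "198.51.100.120", "203.0.113.90"]),
    Lookup(360, 120, ["192.0.2.10", "198.51.100.33",  "203.0.113.3"]),
]

# Constructed observations: an ordinary site with a one-day TTL and a single address.
STABLE_LOOKUPS = [
    Lookup(0,    86400, ["192.0.2.200"]),
    Lookup(3600, 86400, ["192.0.2.200"]),
]


if __name__ == "__main__":
    for name, obs in (("flux.example", FLUX_LOOKUPS), ("stable.example", STABLE_LOOKUPS)):
        r = analyse(name, obs)
        print(f"{r.domain}: {r.unique_ips} IPs, {r.unique_asns} ASNs, min TTL {r.min_ttl}s, "
              f"churn {r.churn:.2f} -> score {r.score} ({r.verdict})")
```

The churn measure is what separates fast flux from a legitimately load-balanced site: a large content network may also return many addresses with a short TTL, but the set it hands out stays largely the same from one lookup to the next, whereas a fluxed record replaces most of its addresses each time. Feeding the same domain’s answers over hours rather than minutes, and resolving real ASNs, is what turns this toy into a usable triage signal.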

How Do We Stop the Fast-Flux Botnets?

Tom Shaw, chief engineer for the Okie Island Trading Company, said that the only way to stop them is to convince the domain registrar to shut down the domain in question. However, Adam Waters, chief operating officer of Support Intelligence, would argue:

When you call them up, you are asking them to take their customers offline. Any business that you ask to do that, well, they are going to be gun shy.

Fast flux is not about the bad guys hiding where they are. They are in your face and saying, ‘Come take us out.’ And you can’t.

As Internet users, we too have a role to play. We have to stop bot software from spreading, and that begins with the way we use our computers online. You might want to read Best Security Practices for Internet Safety by Harry Waldron; his 12 suggestions will give you a good overview of staying safe online.

As Symantec Internet security expert Vincent Weafer said in a TV interview, “People need to secure their machines so that they don’t become part of the problem.”

12 Responses to “Fast-Flux Bot Nets: The Future of Botnets”

  1. lisaq Says:

    Thanks so much for this informative article! I had no idea that these bots were behind the ‘denial of service’ issue… I’ve often wondered about it…

  2. Gabriel Says:

    You’re welcome, Lisa. They’re behind the spam that we get every day too. By the way, if you’re using instant messengers such as Yahoo! Messenger or Windows Live Messenger, be careful, because there’s a W32/Impard-A worm circulating that turns your computer into a zombie. Don’t click on the links provided to you in the message boxes.

  3. WebGyver Says:

    Good stuff as usual, Gabriel!

    So, I guess we should take Patch Tuesday seriously, eh? What really stinks is that a) computers and computing could really enhance our all-around lives if b) it weren’t for wackos who have nothing better to do than make our lives miserable.

    Keep it coming, Gabriel. I’m adding you to my BLOGroll!

  4. Gabriel Says:

    Thanks a lot WebGyver!

    Well, patches do count in the fight against malware. But they won’t be enough to stop these kinds of attacks. Nevertheless, at least there’s prevention.

  5. Stock Market Software Says:

    The biggest problem with bots is they screw over people who want to do legitimate versions of things like dropping content. I personally never hide that I’m looking for a link to my site, but I also always try to add 1 - Content and 2 - Discussion to a person’s website when I post.

  6. HP Says:

    Really bored with this spamming software and technique… I get tons of spam every day :(

  7. Bjælkehuse Says:

    I hate spam, and am sick and tired of mail about dental care, stock tips, and Viagra, so everything to prevent it has my blessing.

    /Zaga Bjælkehuse

  8. extagentabs Says:

    Based on the report, traditional botnets have used IRC as a means of monitoring and controlling compromised computers

  9. Keith at Quantum Leap Technologies Says:

    extagentabs wrote “Based on the report, traditional botnets have used IRC as a means of monitoring and controlling compromised computers”

    So are the compromised computers connecting to IRC networks in the background without the users knowing it? I remember seeing older Trojan Horses that would use FTP to do this. This is definitely a twist.

    Great thread!

    Regards,

    Keith

  10. xbox 360 red ring of death Says:

    Very useful report and info on this. Now that I read it, it really makes me worried about entering chat rooms or instant msg networks like MSN. I don’t use them as much as I used to, but there have been times when some suspected attacks seem to coincide when I do go online just to catch up with friends. It’s a good thing IRC is no longer a big thing for me.

  11. para sayma makinası Says:

    MSN Pictures Displayer has been translated into many languages, but you can also create your own translation if this one doesn’t exist yet. MSN Hotmail also boasts great security features, especially if you access it from a public terminal, and it can block remote images in emails not from safe senders to protect your privacy. MSN Winks Installer is a program that helps you preview and install additional MSN winks to your Windows Live Messenger (formerly MSN Messenger). The information on this site represents the work of a large and vibrant MSN research community, whom the authors would like to thank.

  12. guinness merchandise Says:

    Spam is so prevalent now that more needs to be done to catch the people who are infecting us with this disease.

    Tough international laws are needed due to the global nature of the internet.