Fast-Flux Bot Nets: The Future of Botnets
Worrying news from SecurityFocus came out today:
Network security analyst Lawrence Baldwin has helped take down his share of bot nets, but he worries that those days may largely be over.
Why worry? Well, botnets are used to send spam and launch denial-of-service attacks. If you’re still not concerned, think of the amount of spam e-mail about penis enlargement, stock investments, and other promotions you get every day. Add to that the occasional moment when you can’t access your Webmail account at Yahoo!, MSN or Google, or your favorite Web sites such as MySpace and Facebook (denial of service). These are just a few of the things botnets can do.
The prospect of botnets having a bright future is indeed alarming. To begin with, I encourage you to watch this news video about the arrest of spam king Robert Alan Soloway on May 30, 2007.
According to the report:
An increasingly popular technique, known as fast-flux domain name service (DNS), allows bot nets to use a multitude of servers to hide a key host or to create a highly-available control network. The result: No single point of weakness on which defenders can focus their efforts.
Traditional Botnets vs. Fast-Flux Botnets
Based on the report, traditional botnets have used IRC as a means of monitoring and controlling compromised computers. The video below shows compromised computers being registered with the server. Pay attention to the green text scrolling upwards: it indicates zombie computers joining the channel and awaiting instructions.
One weakness of this method is that it relies on a central server. Shutting down the server would mean cutting off the bot master and thus halting the attack. However, as Lawrence Baldwin points out, “It’s (already) ridiculous trying to get an IRC command-and-control server taken down.”
Fast-flux botnets, on the other hand, aren’t entirely different. They’re still botnets. The list below describes in a nutshell how fast-flux botnets operate (based on the report):
- Fast-flux bot nets use the Internet’s look-up system for domain names against defenders. With a typical domain, the IP address associated with the domain does not change often, if at all. Fast-flux DNS uses a large number of servers and a fast-changing domain record to turn shutdown attempts into a game of whack-a-mole.
- A related technique, known as rock phishing, uses a large number of proxies to hide the location of a smaller number of critical servers.
- A recent Storm Worm infection, for example, connected to a bot net that had more than 2,000 redundant hosts spread amongst 384 providers in more than 50 countries.
- By design, fast-flux bot nets last much longer and, just by their ability to outlive IRC-based bot nets, will likely soon make up the majority of attack networks on the Internet.
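The report’s description of fast-flux DNS (many hosts, fast-changing records, hosts spread across many providers) is exactly what a defender can measure from repeated lookups. The following script is an added example, not from the SecurityFocus report or this post: it runs a simple fast-flux heuristic over constructed DNS answer snapshots (documentation IP ranges, invented TTLs), approximating “providers” by /16 networks since no ASN database is assumed.

```python
from ipaddress import ip_network

# Constructed snapshots of DNS answers for one domain:
# (seconds since first query, TTL of the A records, A records returned).
STABLE = [  # a normal site: long TTL, same two addresses every time
    (0, 3600, ["192.0.2.10", "192.0.2.11"]),
    (600, 3600, ["192.0.2.10", "192.0.2.11"]),
    (1200, 3600, ["192.0.2.10", "192.0.2.11"]),
]
FLUX = [  # a fluxing domain: short TTL, a new set of hosts on every query
    (0, 180, ["198.51.100.7", "203.0.113.9", "198.51.100.44", "203.0.113.201", "192.0.2.77"]),
    (300, 180, ["203.0.113.15", "198.51.100.91", "192.0.2.130", "203.0.113.222", "198.51.100.3"]),
    (600, 180, ["192.0.2.8", "203.0.113.64", "198.51.100.120", "192.0.2.250", "203.0.113.33"]),
]


def flux_features(answers):
    """Summarise a series of DNS answers for one domain as fast-flux indicators."""
    unique_ips = {ip for _, _, ips in answers for ip in ips}
    # Approximate "distinct providers" by /16 networks (an ASN lookup is better in practice).
    networks = {str(ip_network(ip + "/16", strict=False)) for ip in unique_ips}
    per_answer = max(len(ips) for _, _, ips in answers)
    return {
        "min_ttl": min(ttl for _, ttl, _ in answers),
        "unique_ips": len(unique_ips),
        "networks": len(networks),
        # How many times the whole record set has rolled over during the observation window.
        "turnover": len(unique_ips) / per_answer,
    }


def is_fast_flux(answers, ttl_limit=300, min_networks=3, min_turnover=2.0):
    """Flag the domain when a majority of the indicators fire (thresholds are assumptions)."""
    f = flux_features(answers)
    flags = [
        f["min_ttl"] <= ttl_limit,        # records expire quickly so resolvers re-fetch new hosts
        f["networks"] >= min_networks,    # hosts are spread across many providers
        f["turnover"] >= min_turnover,    # the address set keeps changing between queries
    ]
    return sum(flags) >= 2


if __name__ == "__main__":
    for name, answers in (("stable", STABLE), ("flux", FLUX)):
        print(name, flux_features(answers), "fast-flux:", is_fast_flux(answers))
```

A real deployment would feed this from a passive DNS log or periodic resolver queries rather than hard-coded snapshots, and use ASN data instead of /16 prefixes.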
How Do We Stop the Fast-Flux Botnets?
Tom Shaw, chief engineer for the Okie Island Trading Company, said that the only way to stop them is to convince the domain registrar to shut down the domain that’s being victimized. However, Adam Waters, chief operating officer for Support Intelligence, argues:
When you call them up, you are asking them to take their customers offline. Any business that you ask to do that, well, they are going to be gun shy.
…
Fast flux is not about the bad guys hiding where they are. They are in your face and saying, ‘Come take us out.’ And you can’t.
As Internet users, we too have a role to play. We have to stop bot software from spreading, and it begins with the way we use our computers online. You might want to read Best Security Practices for Internet Safety by Harry Waldron. His 12 suggestions give a good overview of online safety.
As Symantec Internet security expert Vincent Weafer said in a TV interview, “People need to secure their machines so that they don’t become part of the problem”.

July 11th, 2007 at 23:51
Thanks so much for this informative article! I had no idea that these bots were behind the ‘denial of service’ issue… I’ve often wondered about it…
July 12th, 2007 at 11:19
You’re welcome Lisa. They’re behind the spam that we get every day too. By the way, if you’re using instant messengers such as Yahoo! Messenger or Windows Live Messenger, be careful because there’s a W32/Impard-A worm circulating that makes your computer a zombie. Don’t click on the links provided to you in the message boxes.
July 13th, 2007 at 10:09
Good stuff as usual, Gabriel!
So, I guess we should take Patch Tuesday seriously, eh? What really stinks is that a) computers and computing could really enhance our all-around lives if b) it weren’t for wackos who have nothing better to do than make our lives miserable.
Keep it coming, Gabriel. I’m adding you to my BLOGroll!
July 13th, 2007 at 10:37
Thanks a lot WebGyver!
Well, patches do count in the fight against malware. But they won’t be enough to stop these kinds of attacks. Nevertheless, at least there’s prevention.
May 21st, 2008 at 0:14
The biggest problem with bots is they screw over people who want to do legitimate versions of things like dropping content. I personally never hide that I’m looking for a link to my site, but I also always try to add 1 - Content and 2 - Discussion to a person’s website when I post.
May 28th, 2008 at 13:04
Really bored with this spamming software and technique… I get tons of spam every day.
May 29th, 2008 at 19:59
I hate spam, and am sick and tired of mail about dental care, stock tips, and Viagra, so everything to prevent it has got my blessing.
/Zaga Bjælkehuse
May 30th, 2008 at 18:33
Based on the report, traditional botnets have used IRC as a means of monitoring and controlling compromised computers
June 21st, 2008 at 8:41
extagentabs wrote “Based on the report, traditional botnets have used IRC as a means of monitoring and controlling compromised computers”
So are the compromised computers connecting to IRC networks in the background without the users knowing it? I remember seeing older Trojan Horses that would use FTP to do this. This is definitely a twist.
Great thread!
Regards,
Keith
June 25th, 2008 at 15:48
Very useful report and info on this. Now that I read it, it really makes me worried about entering chat rooms or instant msg networks like MSN. I don’t use them as much as I used to, but there have been times when some suspected attacks seem to coincide when I do go online just to catch up with friends. It’s a good thing IRC is no longer a big thing for me.
July 25th, 2008 at 16:04
MSN Pictures Displayer has been translated into many languages, but you can also create your own translation if this one doesn’t exist yet. MSN Hotmail also boasts great security features, especially if you access it from a public terminal, and it can block remote images in emails not from safe senders to protect your privacy. MSN Winks Installer is a program that helps you preview and install additional MSN winks in your Windows Live Messenger (formerly MSN Messenger). The information on this site represents the work of a large and vibrant MSN research community, whom the authors would like to thank.
August 12th, 2008 at 20:43
Spam is so prevalent now that more needs to be done to catch the people who are infecting us with this disease.
Tough international laws are needed due to the global nature of the internet.
September 5th, 2008 at 21:05
Grrr… The people who do this type of thing are sub-human. I agree there should be tougher punishments for spammers.
September 6th, 2008 at 3:22
I think efficient spam filters must be used to filter out the spam. It’s very hard to catch and punish the culprits. Usage of CAPTCHA is one of the best ways of combating spam.
September 23rd, 2008 at 20:15
CAPTCHA is the best way, but the latest reports say that CAPTCHAs can be recognized (even Google’s one can be broken). The best way is to combine different CAPTCHAs such as maths operations and word insertion.
October 3rd, 2008 at 11:09
There is a way to beat CAPTCHA, but most people just sit there and type them in as their programs do the rest of the automation for them. Bot nets are crazy and I didn’t know about them before, but it is an ingenious idea.
October 4th, 2008 at 5:54
Fast flux botnets are used to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. They make it harder to find the smoking gun because there is no clear backtrace to their source.
Nowadays, this stuff changes very quickly, so the best recommendation is to keep your antivirus/antispyware solution up to date, have a strong and properly configured firewall, and avoid suspicious sites.
October 10th, 2008 at 9:55
Please forgive me for my innocence, but are there any sort of “monetary” benefits or advantages for people like these who make botnets? Can they make money out of it? Of course, nobody would dare make something so stupid and time-consuming such as these unless they earn illegally from it. I mean, is it really worth it?
December 29th, 2008 at 0:13
I hate spam, I get at least 10 a day! Imagine if I were to go on holiday for 2 weeks: my inbox would be full of spam, and some even manage to slip through the spam filter. I really hope all spam filters will improve more.
January 30th, 2009 at 1:33
The thing I don’t get is why spam exists. For the most part, the emails you receive are junk. I have never purchased anything from these types of emails. I can’t see these emails tempting anyone else to buy, but I guess I could be wrong.
March 1st, 2009 at 23:19
I am passionate about your articles, I really love this post. Thank you.
March 14th, 2009 at 4:08
I did not know something like that could happen. Especially how they can get into your email and your personal information be stolen.
March 31st, 2009 at 2:24
Wow, I am afraid of these fast flux botnets. I hope that something can be done to stop them; they mustn’t be allowed to ruin our internet. I don’t mind getting a few emails now and then, but I don’t want what you say could happen to happen.
April 29th, 2009 at 12:05
I agree we should say no! no! to Fast-Flux Botnets. I hope many people can learn about this information.
June 20th, 2009 at 21:00
Doesn’t seem to be an answer to stop this. I get about 20-30 spam messages a day and always wondered how they get my email address.