A malware researcher with the SANS Internet Storm Center has uncovered a new twist on the fast-flux botnet infrastructure model that could make networks of zombie PCs even harder to take down.
For the last several years fast flux has proved to be an efficient technique for botnet herders seeking to insulate their networks of subverted machines from being identified and added to anti-spam or malware black lists, or having their owners or ISPs tipped off to the infections they’re harboring so that the devices can be cleaned.
Using the tactic, botnet masters have hidden the machines they use for spam generation or malware delivery behind layers of other zombified PCs acting as proxies. Common variants on the model have also incorporated P2P networking and IP address load balancing to help attackers move their operations around quickly to try to evade detection and potential compromise of their core farms of infected devices.
The most high-profile example and effective use of the technique thus far has been the Storm Worm and all its progeny, which have blanketed the Internet with a veritable blizzard of spam and subsequent malware attacks for roughly the last two years.
But in a new development in the botnet/flux arena, SANS contributor William Salusky earlier this week highlighted the emergence of a new variation on the fast-flux theme that he has dubbed “hydraflux.”
In a note posted to the ISC site by fellow researcher Mark Hofman, the results of Salusky’s work indicate that some top-level botnet code masters have significantly advanced the sophistication of their efforts once again.
Using the time-honored fast-flux approach, a large number of zombie PCs would be controlled by a single or small set of “flux” or proxy machines, which would in turn be connected to a single “mother ship” command and control center responsible for giving orders to the entire ecosystem of infected devices.
At the end of the day, botnet baddies would be far less concerned about losing control of either their endpoint networks or their proxies than they would fear seeing their mother ships taken offline because that’s what keeps the whole enterprise going. It’s a lot easier to operate without a limb, but you lose the brain and it’s game over.
But hydraflux may have helped solve that challenge for the herders.
“[Traditionally] if you take out the fluxnode you affect a number of clients, but if you manage to take out the mother ship, then the end result is more impressive,” Hofman notes. “You have now taken out a number of fluxnodes as well as the many clients connected to it. Hydraflux changes this.”
In the newer technique, each fluxnode maintains a “one-to-many mother ship relationship” and the individual nodes also communicate with the command center on a nonstandard port, the researchers reported.
“This type of structure now makes it more complicated to take the network down as the fluxnode can still receive instructions from the remaining mother ships,” Hofman writes about his colleague’s research. “[In the observed example] the immediate upstream mother ship was identified [but] there is no easy method to determine if the mother ship tagged is the final destination, or just a hop in a network of mother ships.”
So now, even when someone on the good side IDs a flux point, and its potential mother ship, it’s hard to tell where its orders are coming from, and even when one mother ship can be taken out, there’s likely another waiting to slide into its place.
“It would seem that a potentially large number of mother ships could easily become involved, or for better or worse turn this into an ugly redirector mix of fluxnode endpoints redirecting through fluxnode endpoints intent on annoying even the most aggressive investigator,” Hofman says. “So as you can see, the game has changed again.”
The involved attacks were initially observed in April and May, and the researchers continue to track the use of the hydraflux technique.
Ah, stronger, more ubiquitous botnets … how grand! Ugh.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.