MySpace Worm Uses Fast-Flux to Dodge Detection

A worm that has turned 100,000 MySpace users' sites into zombies exemplifies a fluid new botnet architecture that evades security experts.

A complex attack that in June was discovered to be turning users sites into bots to serve phishing scams and viruses is just one example of fast-flux: a new way of hiding phishing and malware delivery sites behind ever-shifting networks of proxy servers that are next to impossible to track down, security experts have said.

In late June, some MySpace user pages were seeded with malware designed to exploit one of three recently patched security holes in Windows and Internet Explorer. The exploit started with a Flash movie installed on multiple compromised MySpace pages that led users to a spoofed MySpace log-in page. That log-in page hosted a number of exploits that downloaded malware and tried to snatch visitors MySpace credentials.

Once the botnet commanders secured a MySpace users credentials, they then updated the users site to host malware. ScanSafe estimates that almost 100,000 MySpace accounts were compromised.

This MySpace botnet in particular reflects a leap in the evolution of bot architecture.

Old-school bot networks were set up with compromised machines at the beck and call of a command-and-control computer—one able to send commands to the botnets individual, compromised, zombified systems.

Those traditional botnets, still around and still constituting what experts call a malware pandemic, have traditionally used IRC (Internet Relay Chat) to communicate. Once security experts and law enforcement tracked them down, they could shut them down in a relatively straightforward manner.

Fast-flux networks, on the other hand, come with a new layer of abstraction. Now, machines are getting compromised and used merely as frontline proxies, with the botnet commanders safely tucked away behind a veil of constantly shifting IP addresses.

In fast-flux, the IP address that security experts can track down in investigation belongs only to a PC thats been compromised. That PC is merely acting as a proxy, with stolen data located elsewhere. The proxy contains no logs, no data and no files that can give away the crimes for which it is actually being used.

The really sneaky part comes in fast-flux botnets use of domain names. Borrowing the same techniques used by legitimate companies for load-balancing and resiliency, fast-flux botnets are using IP addresses that change dynamically.

This makes it practically impossible to find and shut down the botnets, according to Dan Nadir, vice president of product strategy at ScanSafe, in San Mateo, Calif.

"Bad guys will register and the IP addresses that are being used as you resolve actually change dynamically," he said. "You could do a lookup 1,000 times for the record for, and it could resolve to 1,000 different PCs. You dont have a one-to-one relationship. … As you start to tear down the network to find, you work to take it down, and it doesnt matter, that address is resolving to another PC, and it goes on and on."

The pilfered data now sits hidden behind a proxy server. The fast-flux botnet may have hundreds of frontline servers, geographically dispersed worldwide.

/zimages/1/28571.gifClick here to read about how MySpace handles its infrastructure challenges.

From what security experts can detect, command and control has shifted from IRC to what appears to be pure HTTP with fast-flux. If a victim clicks on a spam message or phony MySpace message, the link points to a domain owned by the malware author. When a victim clicks on the link, at that moment in time his or her PC is directed to connect to the malware authors domain. That will give the target system the IP address of a frontline proxy server, which in turn connects to yet another compromised PC that sits behind it.

The process, like all serious, profit-motivated contemporary malware, is silent. All a victim would see, in the MySpace worm case, is MySpace—or, at least, a spoofed version of MySpace.

The shift from IRC isnt necessarily relevant, Nadir said, although IRC does make the process of blocking a botnet command-and-control center "a bit easier."

The real benefit to botnet operators, however, is multiple layers and resilience, he said—the shields they have against being blocked.

"In old networks you could say I have this IP [address], shut it down. … If you could get to the main address, thats resolvable, you could block the connection. Now you cant do that. As many times as you try to shut down the address, it will resolve to another," Nadir said. "[Meanwhile], name servers are always giving you another IP address. Even name servers are changing. … I see a link that looks like MySpace. I click on it. My machine says I need to resolve DNS [Domain Name System] works like a tree: It goes to the domain that says it owns [a given URL]. … Even those change [in fast-flux]. Youve got the name servers … that change and you get the names theyre giving you changing."

The MySpace attack is continuing. ScanSafe, for one, is still seeing cases, he said.

How to block such a fluid attack is still in question, Nadir said. What ScanSafe does, for example, is to look for signatures of actual malicious code, as well as building reputations of IPs, geographies, URLs and domain names.

The MySpace fast-flux is terra incognita, however—a land with no static IP addresses, no fixed geographies, URLs that continually change and domain names that slip away before they can be pinned down.

One way ScanSafe has found to block fast-flux and to at least detect suspicious behavior, however, is to look for DNS and port 80 traffic inbound to the end user name space, given that those just arent neighborhoods where DNS requests usually go.

"When you see DNS requests going into some Comcast or DNS account, its suspicious," Nadir said. "Name servers and DNS servers dont usually live out there in user land."

The question for users, of course, is how to tell if their systems have been zombified. Desktop software tools vendors vary in their responsiveness, but sooner or later they cough up signatures to detect whatever thumbprint they discover these fast-flux botnets to be leaving.

Others who sit behind a service such as ScanSafes have the added protection of having their outbound traffic monitored as well. In such a case, command-and-control exchanges issuing over HTTP are an immediate indication that a machine has been compromised, Nadir said.

At any rate, its not as if the June MySpace fast-flux attack came as a shocker. MySpace has been a handy place to spread malware for some time. Back in 2005 a MySpace user created a worm—detected by Panda Software under the name of MySpace.A—that allowed him or her to stuff 1 million entries into the users contact list.

That was just a nuisance, though, compared with the first serious MySpace infection, which occurred at the end of 2006. At that time, a worm spread via user profiles, infecting anybody who visited a certain user profile.

Around the same time, a MySpace advertising banner exploited a Windows Metafile vulnerability to infect over 1 million users with spyware. Within days of that incident, a worm was discovered at MySpace that inserted JavaScript into user profiles. When users tried to visit some of those profiles, they were redirected to a Web page that blamed the U.S. government for the 9/11 attacks.

Yet more serious MySpace-targeted malware came in December 2006 when ID thieves manipulated a feature in QuickTime to launch phishing attacks on the social networking portal.

That fast-spreading worm exploited the JavaScript support in QuickTime and targeted a MySpace vulnerability to lure users to phishing sites. The double-barreled attack replaced legitimate links on users MySpace profiles with links to malicious sites cleverly masked to look legitimate.

According to Colin Whittaker of Googles Anti-Phishing Team, what the search giant tracked as an explosive five-fold increase in overall phishing page views beginning in mid-March was mostly due to phishing targeted at MySpace. Indeed, 95 percent of new phishing traffic targeted MySpace.

Its not that MySpace accounts have monetary value in themselves, Whittaker said. Rather, they can be used as zombies to spread bulletin board spam for advertising revenue, or phishers may attempt to steal financial account information while logged into stolen accounts.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.