CircleID

Together with Thorsten Holz, I recently published a paper on fast flux botnet behaviors, "As the Net Churns: Fast-Flux Botnet Observations," based on data we gathered in our ATLAS platform. Fast flux service networks utilize botnets to distribute the web servers to the infected PCs. The zombies in the network are advertised in DNS records managed by the botnet and act as web proxies, handling the inbound request from a victim and relaying the data from a central machine, often dubbed the mothership. The botnet will advertise some small fraction of the bot population in this DNS map and use it to lure in new victims. One of the most well known fast flux botnets has been the Storm Worm botnet, which uses the zombies to spam, send out new enticements to infect users, and to host the malicious website which delivers the malcode. Fast flux hosting techniques are used by botnet operators to thwart takedown of their key infrastructure and deny the chance for analysts to inspect the central malicious content server. These sort of hosting schemes are often resold as bulletproof hosting schemes for a variety of illegal activities.

ATLAS is our data repository and we added fast flux botnet tracking to it earlier this year and one of its main focuses is on botnet activity tracking. The system gathers data by actively polling DNS servers with fast flux domain name queries, recording the answers. Briefly, we watch domain names spammed in email messages and used by malcode and screen them for fast flux characteristics: a very short time to live (TTL), a wide dispersal of hosts that constantly change, and other factors that are consistent with past fast flux botnet behaviors. Once they pass the screening process, ATLAS will enter them into a polling loop to gather as many results for the queries over time. ATLAS will stop tracking the domain name only after it fails to resolve or stops changing, suggesting that its been disabled. This list of IP addresses associated with domain names over time are members of the botnet.

For our study we used 6 months of data gathered by ATLAS representing nearly 1000 unique domain names and 15 million unique IP address and domain name pairs. Using this data set we found the following:

• Most fast flux domains are dormant for more than 30 days before their use in a flux operation; domain name tasting, where a domain name is used for the five day 100% refund grace period, does not appear to be a major factor in fast flux domain name use.
• The global TLD distribution (i.e. .com, .cn, etc) of fast flux domain names is now wider than originally reports by Holz and company at NDSS in 2007; this issue now affects significantly more registrars.
• We can identify clusters of IPs and associated hostnames, showing how many botnets use how many names. We find only a handful of distinct botnets using fast flux methods.
• Fast flux service networks support a wide variety of online crime activity, such as phishing, malcode delivery, casino advertisements, illegal or questionable pharmacy sites, and other activities.
• Fast flux is a smaller-scale problem than is widely assumed, and only a few thousand hosts globally are involved at any one time. The dollar value of these crimes, however, is significant.
• Hosts involved in fast flux service networks are extremely promiscuous, sometimes having hundreds or even thousands of domain names associated with them, due to the large number of names used by many active fast flux botnets.
• Active DNS probing, which is commonly used to investigate fast flux botnet activities (and was used in our study), does not appear to be an effective, reliable measure of a botnets size. We found only about 1% visibility into the storm worm botnet, and we have not been able to get size estimates of other botnets for comparison.

We also anticipate that this dormant period between the domain names registration and activation can be used to identify domain names that are similar to other active fast flux names and proactively disable them.

We have taken the analysis we performed in the paper and have expanded it into our ATLAS system. These reports show distinct botnets group by domain names, infected hosts around the world, newly discovered domains and the longest lived domains. Our results are further strengthened with the increased visibility we have obtained in the months since the research was first conducted. We have now begun to work with the registrar community to get fast flux domain names deactivated and continue to reach out to new registrars to combat this problem.

By Jose Nazario, Senior Security Researcher, Arbor Networks. Visit the blog maintained by Jose Nazario here.

Related topics: ICANN, Malware, Security, Spam