Mac Security

Botnets and Fast Flux

Ever get the call from an ISP that a host on a network you own (no, not p0wn) is hosting a phishing scam site and you need to fix it? Happens all the time for one reason or another. But if the sites that contain malware and phishing information are quickly repaired (and at this point they are due to some really nice advanced systems for handling this kind of thing that are being employed by universities, ISPs and corporations), why bother? Well, this is where Fast flux comes into play. Fast flux is a DNS technique used to hide compromised hosts behind a rapidly changing (thus the word fast in the name) network of other hosts that help to obfuscate everything about the network itself. Basically, think about it this way, you have a command and control core that moves around, you keep your TTL values very low and everyone proxies their information to a host that updates an A record somewhere (a location BTW that is also obfuscated by the same technique) so other hosts know where to point traffic to.

Seems like a lot of coding… Given the potential value of private information that is harnessed through these types of attacks there is a lot of money to fund this kind of development. But never fear, for each method of hiding hosts, there’s someone working on a way to defeat it. In regards to Fast flux it isn’t an antivirus company (who would honestly rather sell you software to fix it rather than fix the root cause), it’s John Bamanek, from the University of Illinois, who’s trying to get his update to the DNS protocol ratified by the IETF.