APPENDIX A: Fast-Flux Proxy Samples

There have been noticeable advancements in the flux agent presented in this document over the past year, including the migration away from arbitrary TCP connections used to obtain clear-text instructions, to an HTTP library for downloading instructions, settings and binary updates, and finally to the most recent variants that receive control settings via encoded update files. The following examples present a short historical timeline of just one fast-flux service network malware variant, the one responsible for all double-flux service networks referenced in this research. It is worth noting that we have observed evidence supporting five distinct fast-flux service networks in operation on the Internet, but have not acquired malware samples for all variants to support in-depth study.

Sample: 5cbef2780c8b59977ae598775bad8ecb-weby.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 51200 Bytes
Access: 2007-04-02 22:34:03.000000000 -0400
Modify: 2007-04-02 22:30:36.000000000 -0400
Change: 2007-04-02 22:34:03.000000000 -0400

MD5: 5cbef2780c8b59977ae598775bad8ecb
SHA1: 0925a54ba0366a6406d3222e65b03df0ea8cbc11

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-04-02 22:32:27] 5cbef2780c8b59977ae598775bad8ecb - http://xxx.myexes.hk/exes/weby.exe

Sample: 70978572bc5c4fecb9d759611b27a762-weby.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 50176 Bytes
Access: 2007-03-15 02:09:03.000000000 -0400
Modify: 2007-03-09 10:51:26.000000000 -0500
Change: 2007-03-15 02:09:03.000000000 -0400

MD5: 70978572bc5c4fecb9d759611b27a762
SHA1: f8a4d881257dc2f2b2c17ee43f60144e6615994d

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-03-15 02:06:43] 70978572bc5c4fecb9d759611b27a762 - http://xxx.myexes.hk/exes/webdlx/weby.exe

Sample: 5870fd7119a91323dbdf04ebd07d0ac7-plugin_ddos.dll
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 9728 Bytes
Access: 2007-04-02 15:39:05.000000000 -0400
Modify: 2007-03-09 23:48:17.000000000 -0500
Change: 2007-04-02 15:39:06.000000000 -0400

MD5: 5870fd7119a91323dbdf04ebd07d0ac7
SHA1: 4c4d1b3e2030e9a8f3b5c8f152ef9ac7590a96ca

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-04-02 15:36:55] 5870fd7119a91323dbdf04ebd07d0ac7 - http://65.111.176.xxx/weby/plugin_ddos.dll

Previous incarnation:

Sample: e903534fab14ee7e00c279d64f578cbb-webyx.exe
File type(s): MS-DOS executable (EXE)
Size: 29557 Bytes
Access: 2007-02-06 15:26:03.000000000 -0500
Modify: 2007-02-02 08:47:24.000000000 -0500
Change: 2007-02-06 15:26:03.000000000 -0500

MD5: e903534fab14ee7e00c279d64f578cbb
SHA1: cf8279c35ec7d8914f3a4ccaaa71e14e7a925b93

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2007-02-06 15:20:55] e903534fab14ee7e00c279d64f578cbb - http://xxx.myfiles.hk/exes/webyx.exe

Even older sample:

Sample: 88b58b62ae43f0fa42e852874aefbd01-weby.exe
File type(s): MS-DOS executable (EXE)
Size: 29425 Bytes
Access: 2007-01-20 16:29:06.000000000 -0500
Modify: 2007-01-20 05:39:22.000000000 -0500
Change: 2007-01-20 16:29:06.000000000 -0500

MD5: 88b58b62ae43f0fa42e852874aefbd01
SHA1: 6a22e1a06ced848da220301ab85be7a33867bfb5

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2007-01-20 16:26:12] 88b58b62ae43f0fa42e852874aefbd01 - http://xxx.myexes.hk/exes/weby.exe

A prehistoric sample of flux-agent code (according to Internet time). We first observed
nodes infected with this malware in the middle of 2006, but only acquired a malware sample
for analysis in November 2006:

Sample: d134894005c299c1c01e63d9012a12c6-CD373B130D74F24CA5F8F1ADECA0F6856BC6072A-dnssvc.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 11264 Bytes
Access: 2006-11-14 06:39:03.000000000 -0500
Modify: 2006-11-14 06:29:14.000000000 -0500
Change: 2006-11-14 06:39:03.000000000 -0500

MD5: d134894005c299c1c01e63d9012a12c6
SHA1: cd373b130d74f24ca5f8f1adeca0f6856bc6072a

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2006-11-14 06:29:44] d134894005c299c1c01e63d9012a12c6 - CD373B130D74F24CA5F8F1ADE
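The sample records in this appendix share one layout, which makes them usable as an indicator list once parsed. The following Python is an added example written for this edit, not code from the paper and not the flux agent: it parses records in that layout, cross-checks each record's MD5 and SHA1 against the digests embedded in the sample filename and in its source line, and matches a file's bytes against the inventory on both digests. RECORDS is copied from two entries on this page (the second trimmed to the fields the checker uses); the assumption that every source locator is an HTTP URL, and the placeholder byte string in the usage note, are the only things not taken from the page.

```python
"""Parser and consistency checker for the sample records in this appendix.
Added example: this is not code from the original paper and not the flux
agent.  RECORDS is copied from two entries on this page (the second trimmed
to the fields the checker uses); no other data is invented."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# First and last records of this appendix; the last source line is truncated on the page.
RECORDS = """\
Sample: 5cbef2780c8b59977ae598775bad8ecb-weby.exe
File type(s): MS-DOS executable (EXE), OS/2 or MS Windows
Size: 51200 Bytes
Access: 2007-04-02 22:34:03.000000000 -0400
Modify: 2007-04-02 22:30:36.000000000 -0400
Change: 2007-04-02 22:34:03.000000000 -0400

MD5: 5cbef2780c8b59977ae598775bad8ecb
SHA1: 0925a54ba0366a6406d3222e65b03df0ea8cbc11

Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EDT -0400)
[2007-04-02 22:32:27] 5cbef2780c8b59977ae598775bad8ecb - http://xxx.myexes.hk/exes/weby.exe

Sample: d134894005c299c1c01e63d9012a12c6-CD373B130D74F24CA5F8F1ADECA0F6856BC6072A-dnssvc.exe
Size: 11264 Bytes
MD5: d134894005c299c1c01e63d9012a12c6
SHA1: cd373b130d74f24ca5f8f1adeca0f6856bc6072a
Source(s) of sample: (Timestamps are YYYY-MM-DD hh:mm:ss EST -0500)
[2006-11-14 06:29:44] d134894005c299c1c01e63d9012a12c6 - CD373B130D74F24CA5F8F1ADE
"""

FIELD_RE = re.compile(r"^(Sample|File type\(s\)|Size|Access|Modify|Change|MD5|SHA1):\s*(.*)$")
SOURCE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+([0-9a-fA-F]{32})\s+-\s+(\S+)$")


@dataclass
class Sample:
    name: str
    fields: Dict[str, str] = field(default_factory=dict)
    sources: List[Tuple[str, str, str]] = field(default_factory=list)  # (timestamp, md5, locator)

    @property
    def md5(self) -> str:
        return self.fields.get("MD5", "").lower()

    @property
    def sha1(self) -> str:
        return self.fields.get("SHA1", "").lower()

    @property
    def size(self) -> Optional[int]:
        m = re.match(r"(\d+)\s*Bytes", self.fields.get("Size", ""))
        return int(m.group(1)) if m else None


def parse_inventory(text: str) -> List[Sample]:
    """Split appendix text into records; each 'Sample:' line opens a new one."""
    samples: List[Sample] = []
    cur: Optional[Sample] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = FIELD_RE.match(line)
        if m and m.group(1) == "Sample":
            cur = Sample(name=m.group(2))
            samples.append(cur)
        elif m and cur is not None:
            cur.fields[m.group(1)] = m.group(2)
        elif cur is not None and (s := SOURCE_RE.match(line)):
            cur.sources.append((s.group(1), s.group(2).lower(), s.group(3)))
    return samples


def check(sample: Sample) -> List[str]:
    """Return the inconsistencies in one record; an empty list means consistent."""
    problems: List[str] = []
    # The sample name embeds the MD5 and sometimes the SHA1 as hex tokens.
    hex_tokens = [t.lower() for t in sample.name.split("-") if re.fullmatch(r"[0-9a-fA-F]+", t)]
    embedded_md5 = next((t for t in hex_tokens if len(t) == 32), None)
    embedded_sha1 = next((t for t in hex_tokens if len(t) == 40), None)
    if embedded_md5 != sample.md5:
        problems.append("MD5 in name differs from MD5 field")
    if embedded_sha1 is not None and embedded_sha1 != sample.sha1:
        problems.append("SHA1 in name differs from SHA1 field")
    if sample.size is None:
        problems.append("size missing or unparseable")
    for ts, md5, locator in sample.sources:
        if md5 != sample.md5:
            problems.append(f"source {ts} lists a different MD5")
        if not locator.startswith("http://"):  # assumes download sources are HTTP URLs
            problems.append(f"source {ts} locator is not a URL: {locator}")
    return problems


def lookup(samples: List[Sample], data: bytes) -> Optional[Sample]:
    """Match a blob against the inventory on both digests, never on MD5 alone."""
    md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
    return next((s for s in samples if s.md5 == md5 and s.sha1 == sha1), None)
```

Running `check()` over `parse_inventory(RECORDS)` reports the first record as consistent and flags the truncated source locator of the last one instead of silently accepting it. `lookup(samples, data)` returns the matching record or None for a file's bytes (a constructed placeholder such as `b"not a real sample"` returns None); it requires both digests to agree so that an MD5 match alone, which a chosen-prefix collision can produce, is never treated as a hit.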