REAL WORLD FAST-FLUX EXAMPLES

Having explained the underlying principles, we will now look at a fast-flux service network from the point of view of a criminal and review the basic steps required to setup a fast-flux service network. First, our criminal(s) registers a domain for their attack. An example would be a bogus domain name that appears similar to a bank, or a site promoting pharmaceutical drugs. In our case, we will use example.com’. Based on our research, the domain extensions .info and .hk are some of the most commonly abused Top Level Domains (TLD’s). This is may be due to the fact that resellers for these domain registrars are more lax in their controls than other TLDs. Often these false domains are registered by fraudulent means, such as using stolen credit cards and bogus or otherwise invalid registrant account detail. The criminal(s) will often already have control of a network of compromised systems to act as their redirectors, or they can temporarily rent a botnet. In addition, registrations for the domains are often the cheapest. The criminal(s) then publish Name Server (NS) records that either point to bullet-proof hosting, or at any of the proxy/redirects flux-agent nodes under their control. Examples of bullet-proof hosting providers could include DNS services operated from Russia, China, or many other countries around the world. If the criminals do not have access to this type of hardened service, they will host the DNS services on their own compromised systems, and often the mothership node that is hosting the master web sites can also be found serving DNS services. We will now review two actual deployments.

Single-Flux: A Money Mule
First we will review the DNS records for a single-flux service network. This is a real world example demonstrating a money mule recruitment scam. A money mule is someone that acts as an intermediary in transferring or withdrawing money often involved in fraud. For example, a criminal will steal money out of someone’s bank account, transfer it to the money mule’s bank account, then have the money mule withdraw the funds and send them to a location for pickup, perhaps in a different country. What is unique about some current money mule scams is that the money mule may think they are working for a legitimate company, not realizing they are acting on the behalf of criminals in money laundering schemes. Often the money mule is actually just another victim in a chain of other victims.

Below are the single-flux DNS records typical of such an infrastructure. The tables show DNS snapshots of the domain name divewithsharks.hk taken approximately every 30 minutes, with the five A records returned round-robin showing clear infiltration into home/business dialup and broadband networks. Notice that the NS records do not change, but some of the A records do. This is the money mule web site.

 ;; WHEN: Sat Feb 3 20:08:08 2007
divewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net]
divewithsharks.hk. 1800 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services]
divewithsharks.hk. 1800 IN A 85.207.74.xxx [adsl-ustixxx-74-207-85.bluetone.cz]
divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr]
divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca]

divewithsharks.hk. 1800 IN NS ns1.world-wr.com.
divewithsharks.hk. 1800 IN NS ns2.world-wr.com.

ns1.world-wr.com.  87169 IN A 66.232.119.212 [HVC-AS - HIVELOCITY VENTURES CORP]
ns2.world-wr.com.  87177 IN A 209.88.199.xxx [vpdn-dsl209-88-199-xxx.alami.net]

Single-flux nets appear to apply some form of logic in deciding which of their available IP addresses will be advertised in the next set of responses. This may be based on ongoing connection quality monitoring (and perhaps a load-balancing algorithm). New flux-agent IP addresses are inserted into the fast-flux service network to replace nodes with poor performance, being subject to mitigation or otherwise offline nodes. Now let’s take a look at the DNS records of the same domain name 30 minutes later and see what has changed:

 ;; WHEN: Sat Feb 3 20:40:04 2007 (~30 minutes/1800 seconds later)
divewithsharks.hk. 1800 IN A 24.85.102.xxx [xxx.vs.shawcable.net] NEW
divewithsharks.hk. 1800 IN A 69.47.177.xxx [d47-69-xxx-177.try.wideopenwest.com] NEW
divewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net]
divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr]
divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca]

divewithsharks.hk. 1800 IN NS ns1.world-wr.com.
divewithsharks.hk. 1800 IN NS ns2.world-wr.com.

ns1.world-wr.com.  85248 IN A 66.232.119.xxx [HVC-AS - HIVELOCITY VENTURES CORP]
ns2.world-wr.com.  82991 IN A 209.88.199.xxx [vpdn-dsl209-88-199-xxx.alami.net]

As we see, highlighted in bold two of the advertised IP addresses have changed. Again, these two IP addresses belong to dial-up or broadband networks. Another 30 minutes later, a lookup of the domain returns the following information:

 ;; WHEN: Sat Feb 3 21:10:07 2007 (~30 minutes/1800 seconds later)
divewithsharks.hk. 1238 IN A 68.150.25.xxx [xxx.ed.shawcable.net] NEW
divewithsharks.hk. 1238 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services] This one came back!
divewithsharks.hk. 1238 IN A 172.189.83.xxx [xxx.ipt.aol.com] NEW
divewithsharks.hk. 1238 IN A 200.115.195.xxx [pcxxx.telecentro.com.ar] NEW
divewithsharks.hk. 1238 IN A 213.85.179.xxx [CNT Autonomous System] NEW

divewithsharks.hk. 1238 IN NS ns1.world-wr.com.
divewithsharks.hk. 1238 IN NS ns2.world-wr.com.

ns1.world-wr.com.  83446 IN A 66.232.119.xxx [HVC-AS - HIVELOCITY VENTURES CORP]
ns2.world-wr.com.  81189 IN A 209.88.199.xxx [vpdn-dsl209-88-199-xxx.alami.net]

Now, we observe four new IP addresses and one IP address that we saw in the first query. This demonstrates the round-robin address response mechanism used in fast-flux networks. As we have seen in this example, the A records for the domain are constantly changing. Each one of these systems represents a compromised host acting as a redirector, a redirector that eventually points to the money mule web site. A significant response issue is that the incident responders do not know the ultimate destination of the money mule site unless they have access to one of the redirector nodes. This creates a far more dynamic and robust environment for the criminals. Next we will consider double-flux networks, where criminals add an additional layer of complexity to improve their security.

Double-Flux: MySpace
Double-flux is where both the NS records (authoritative name server for the domain) and A records (web serving host or hosts for the target) are regularly changed, making the fast-flux service network much more dynamic. For double-flux techniques to work, the domain registrar has to allow the domain administrator the ability to frequently change the NS information, which is not something that usually occurs in normal domain management.

In the example below, we observe a phishing attack directed against the popular social networking web site MySpace. The attacker has created a bogus website called login.mylspacee.com. This fake website appears visually to be the real MySpace web site, but instead harvests MySpace user authentication credentials from anyone who is tricked into logging in to the fake site. To make it harder for security professionals to shut down the fake site, both the NS and A DNS records are constantly changing. Observing DNS activity in such incidents, it is very common to detect a consistent pattern of between five to ten A record in a set of round-robin responses, in addition to a five NS record round-robin response set for any double-flux domain. This signature is becoming the hallmark for identifying double-flux domains. In the table below, observe that these DNS records are constantly changing:

 ;; WHEN: Wed Apr 4 18:47:50 2007
login.mylspacee.com. 177 IN A 66.229.133.xxx [c-66-229-133-xxx.hsd1.fl.comcast.net]
login.mylspacee.com. 177 IN A 67.10.117.xxx [cpe-67-10-117-xxx.gt.res.rr.com]
login.mylspacee.com. 177 IN A 70.244.2.xxx [adsl-70-244-2-xxx.dsl.hrlntx.swbell.net]
login.mylspacee.com. 177 IN A 74.67.113.xxx [cpe-74-67-113-xxx.stny.res.rr.com]
login.mylspacee.com. 177 IN A 74.137.49.xxx [74-137-49-xxx.dhcp.insightbb.com]

mylspacee.com. 108877 IN NS ns3.myheroisyourslove.hk.
mylspacee.com. 108877 IN NS ns4.myheroisyourslove.hk.
mylspacee.com. 108877 IN NS ns5.myheroisyourslove.hk.
mylspacee.com. 108877 IN NS ns1.myheroisyourslove.hk.
mylspacee.com. 108877 IN NS ns2.myheroisyourslove.hk.

ns1.myheroisyourslove.hk.854 IN A 70.227.218.xxx [ppp-70-227-218-xxx.dsl.sfldmi.ameritech.net]
ns2.myheroisyourslove.hk.854 IN A 70.136.16.xxx [adsl-70-136-16-xxx.dsl.bumttx.sbcglobal.net]
ns3.myheroisyourslove.hk. 854 IN A 68.59.76.xxx [c-68-59-76-xxx.hsd1.al.comcast.net]
ns4.myheroisyourslove.hk. 854 IN A 70.126.19.xxx [xxx-19.126-70.tampabay.res.rr.com]
ns5.myheroisyourslove.hk. 854 IN A 70.121.157.xxx [xxx.157.121.70.cfl.res.rr.com]

About 4 minutes later, for the same domain, only the A records have changed. Notice that the NS records have remained the same.

  ;; WHEN: Wed Apr 4 18:51:56 2007 (~4 minutes/186 seconds later)
login.mylspacee.com. 161 IN A 74.131.218.xxx [74-131-218-xxx.dhcp.insightbb.com] NEW
login.mylspacee.com. 161 IN A 24.174.195.xxx [cpe-24-174-195-xxx.elp.res.rr.com] NEW
login.mylspacee.com. 161 IN A 65.65.182.xxx [adsl-65-65-182-xxx.dsl.hstntx.swbell.net] NEW
login.mylspacee.com. 161 IN A 69.215.174.xxx [ppp-69-215-174-xxx.dsl.ipltin.ameritech.net] NEW
login.mylspacee.com. 161 IN A 71.135.180.xxx [adsl-71-135-180-xxx.dsl.pltn13.pacbell.net] NEW

mylspacee.com. 108642 IN NS ns3.myheroisyourslove.hk.
mylspacee.com. 108642 IN NS ns4.myheroisyourslove.hk.
mylspacee.com. 108642 IN NS ns5.myheroisyourslove.hk.
mylspacee.com. 108642 IN NS ns1.myheroisyourslove.hk.
mylspacee.com. 108642 IN NS ns2.myheroisyourslove.hk.

ns1.myheroisyourslove.hk. 608 IN A 70.227.218.xxx [ppp-70-227-218-xxx.dsl.sfldmi.ameritech.net]
ns2.myheroisyourslove.hk. 608 IN A 70.136.16.xxx [adsl-70-136-16-xxx.dsl.bumttx.sbcglobal.net]
ns3.myheroisyourslove.hk. 608 IN A 68.59.76.xxx [c-68-59-76-xxx.hsd1.al.comcast.net]
ns4.myheroisyourslove.hk. 608 IN A 70.126.19.xxx [xxx-19.126-70.tampabay.res.rr.com]
ns5.myheroisyourslove.hk. 608 IN A 70.121.157.xxx [xxx.157.121.70.cfl.res.rr.com]

Checking again one and a half hours later, the NS records for this domain have migrated and five new NS records appear. Similar to the previous example, we see that the A and NS record are hosted at dial-up or broadband providers, indicating that these are compromised hosts used by an attacker for nefarious purposes:

 ;; WHEN: Wed Apr 4 21:13:14 2007 (~90 minutes/4878 seconds later)
ns1.myheroisyourslove.hk. 3596 IN A 75.67.15.xxx [c-75-67-15-xxx.hsd1.ma.comcast.net] NEW
ns2.myheroisyourslove.hk. 3596 IN A 75.22.239.xxx [adsl-75-22-239-xxx.dsl.chcgil.sbcglobal.net] NEW
ns3.myheroisyourslove.hk. 3596 IN A 75.33.248.xxx [adsl-75-33-248-xxx.dsl.chcgil.sbcglobal.net] NEW
ns4.myheroisyourslove.hk. 180 IN A 69.238.210.xxx [ppp-69-238-210-xxx.dsl.irvnca.pacbell.net] NEW
ns5.myheroisyourslove.hk. 3596 IN A 70.64.222.xxx [xxx.mj.shawcable.net] NEW