|
Together with Thorsten Holz, I recently published a paper on fast flux botnet behaviors, “As the Net Churns: Fast-Flux Botnet Observations,” based on data we gathered in our ATLAS platform. Fast flux service networks utilize botnets to distribute the web servers to the infected PCs. The zombies in the network are advertised in DNS records managed by the botnet and act as web proxies, handling the inbound request from a victim and relaying the data from a central machine, often dubbed the mothership. The botnet will advertise some small fraction of the bot population in this DNS map and use it to lure in new victims. One of the most well known fast flux botnets has been the Storm Worm botnet, which uses the zombies to spam, send out new enticements to infect users, and to host the malicious website which delivers the malcode. Fast flux hosting techniques are used by botnet operators to thwart takedown of their key infrastructure and deny the chance for analysts to inspect the central malicious content server. These sort of hosting schemes are often resold as bulletproof hosting schemes for a variety of illegal activities.
ATLAS is our data repository and we added fast flux botnet tracking to it earlier this year and one of its main focuses is on botnet activity tracking. The system gathers data by actively polling DNS servers with fast flux domain name queries, recording the answers. Briefly, we watch domain names spammed in email messages and used by malcode and screen them for fast flux characteristics: a very short time to live (TTL), a wide dispersal of hosts that constantly change, and other factors that are consistent with past fast flux botnet behaviors. Once they pass the screening process, ATLAS will enter them into a polling loop to gather as many results for the queries over time. ATLAS will stop tracking the domain name only after it fails to resolve or stops changing, suggesting that its been disabled. This list of IP addresses associated with domain names over time are members of the botnet.
For our study we used 6 months of data gathered by ATLAS representing nearly 1000 unique domain names and 15 million unique IP address and domain name pairs. Using this data set we found the following:
We also anticipate that this dormant period between the domain names registration and activation can be used to identify domain names that are similar to other active fast flux names and proactively disable them.
We have taken the analysis we performed in the paper and have expanded it into our ATLAS system. These reports show distinct botnets group by domain names, infected hosts around the world, newly discovered domains and the longest lived domains. Our results are further strengthened with the increased visibility we have obtained in the months since the research was first conducted. We have now begun to work with the registrar community to get fast flux domain names deactivated and continue to reach out to new registrars to combat this problem.
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byRadix
Sponsored byVerisign